December 9th, 2003, 02:49 AM
In any given password, you can determine the number of possiblities that hide the correct answer with the simple formula n = (v^p) -1 ; where n is the number of possibilities, p is the number of characters in the password, and v is the number of possible values for each character.
Therefore, a good password needs to have lots of characters in it, and make full use of the possible values in each character. Now, how do you make a password which does this, is easy to remember, and doesn't use an obvious linguistic pattern that can be exploited with brute force? People don't like to remember huge complicated strings of letters and numbers, and no one puts up with the annoyance.
Here's my "How to make a password" tutorial:
Instead of using a "password", make a "passpattern". Take a look at how this password would be typed into your computer: qwSDcvGHyuJK7856 (it looks like a wave)
Instead of trying to memorize the string of characters, just remember the pattern your fingers made on the keyboard. To make the thing really hard to crack, add a flaw to the pattern.
Let's take a look at how hard it would be to crack:
26 letters in the alphabet, double that because you used caps, and add 10 for the numeric digits. There are 62 possibilities for each character. Our password is 16 digits long.
62^16 = 47672401706823533450263330815 possible wrong answers. Even if you could test a thousand million possibilities every second, you wouldn't be able to check every answer for billions of years. A dictionary-based attack fares even worse- you're not using words. Social Profiling doesn't work here... the password doesn't have a connection to your life in any way.
The downside: Passwords generated like this are much more vulnerable to "shoulder-surfers", since they operate visually.
Please post any other good password generation techniques you have.
December 9th, 2003, 03:49 AM
I've been thinking about trying to write a password cracker that relies on looking for patterns in a keyboard map. Thanks for adding about a thousand variables to it. the reason I've been looking into this is at work we have some stringent password requirements and I have noticed that instead of making a liget password people do things like this !QAZ2wsx (look at your keyboard). this may seem kind of hard to crack useing traditonal meathods but all it takes is a glance and I have there password. then they get a nice prompt to change there password the next time they logon. But all the user does is type there password as @WSX3edc so as you can see It turns into a huge waste of time.
any thoughts on this would be great.
[Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above
December 9th, 2003, 04:38 AM
December 9th, 2003, 10:36 PM
I prefer to take a sentance of a song, or from a quote or anything else you can easy remember.
I'll use the title of a song for this example.
Frank Sinatra - The best is yet to come
then take the 1st letter of each word and make that your pass.
my example would become: FS-Tbiytc
I could also add the track number to make it longer and harder to crack.
It would become 006.FS-Tbiytc
This is easy and effective
December 9th, 2003, 11:22 PM
For the person who said they are trying to write a keymap-based brute forcer....
When you test a pattern, run through the quick variations of it, then scramble the order in which the pattern appears. I would say there are more patterns to test (if they added a random char at some point during the pattern) than is feasible, but if you knew that the person had entered a pass that seemed like a pattern, it could narrow it. If I were a cracker, I might write a program that uses a GUI to let me quickly sketch an approximation of a pattern I saw the person type, and it could turn that to a keymap and try brute-forcing based on the inputted observation. Personally, I think that a pattern-based password is great for when you always enter it alone, but it is a lot easier to pick up on for a physical observer and shouldn't be used when you enter your password in another's presence/public place.
For the person who's having problems with pure-pattern passwords... Write a little program into your password-validation thing that does a quick check for obvious patterns on a keymap. Invalidate passwords that fail the test. If you're not really sure on how you'd go about writing such a program, PM me and I'll explain it in more detail (keep in mind I'm mostly a C/C++ person).
December 9th, 2003, 11:23 PM
I use the same method as Mcvay. Or I've used words and twisted them, battleship to bottlechop, for example. have also used the method suggested by Sunflare, in that when setting the pass, I've used symbols, and memorised the finger movements ? generally by saying the word ( original ) and typing the pattern. Biggest problem is that I want to have complex passwords, but that basic bone idleness kicks me in the ass everytime, and I end up setting the pass to run for 6 months ?
55 - I'm fiftyfeckinfive and STILL no wiser,
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone