From: Jean-David Beyer
Newsgroups: comp.os.linux.misc
Subject: Re: random passwords
Date: Thu, 23 Aug 2018 10:39:17 -0400
Organization: NewsGuy.com
References: <878t4xgouh.fsf_-_@miko.siamics.net>
In-Reply-To: <878t4xgouh.fsf_-_@miko.siamics.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 08/23/2018 10:05 AM, Ivan Shmakov wrote:
>>>>>> Rich writes:
>
> > For password auth, if a proper length, properly random, password
> > is utilized, the space of possible keys (passwords) is already large
> > enough that even with knowledge of the username, an attacker will not
> > guess the password in any reasonable timeframe.
>
> > Sadly, too many folks' passwords are much too weak (not proper length,
> > not randomly generated).
>
> I'm actually curious on what recent research says about the
> amount of randomness that one should have in one's password?
> (Or, to put it the other way around, how simple one password has
> to be for it to be possible to break it in reasonable time
> under one threat model or another?)
>
> For instance, there's an entire class of passwords, such as
> ghjDthrf1 and gf!Hjkm, which, while most certainly /not/ random,
> would require some rather specific assumptions about the targeted
> user to guess correctly in a reasonable number of attempts.

I use passwords that look a little like that. For example, here is one I
used to use to log into some place:

BkdMifjRpkaLdX

My guess is that it is pretty random. The way I produced it includes
digits and many special characters. By chance, it did not use any for
this one, but the attacker would have had to try them anyway because they
might have been there. And now it is too late and I will not use that one
again.

> The obvious problem with completely random passwords is that
> they generally require some means to store them securely, and
> these means in turn may become both an attack vector and a
> single point of failure.

Even passwords such as the one above can be memorized, though I have
other backup means, since the memory device is certainly a point of
failure: not of divulging the secret, but possibly of being unable to
retrieve it when necessary.

Passwords can be exposed at three different places: at the location of
the sender, during transmission, and at the destination.

Now properly implemented destinations these days no longer store
passwords, but a fixed piece of text encrypted with the password. When a
proposed password is presented, the fixed text is encrypted with the
password and the result compared. If this is done, there should be little
risk if the black hats get access to those encrypted texts.

As far as sniffing them during transmission is concerned, using means
such as ssl should make getting the clear versions difficult.

So the problem is only at the site of the sender. If the sender keeps the
clear passwords in an ordinary file, it is surely exposed to risk, if the
file ever falls into the hands of the black hats. But do not users these
days keep their encrypted passwords in encrypted files, on encrypted
thumb drives that are not just left plugged into their machines?

I keep mine on post-it notes stuck to my monitor. (Just kidding.)

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine   1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 10:20:01 up 8 days, 2:38, 2 users, load average: 4.93, 5.08, 4.98
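The two technical points in the thread, how much entropy a generated password carries (and why an attacker has to assume the generator's whole alphabet even when some classes happen to be absent, as the post says of BkdMifjRpkaLdX), and why a destination that stores only a verifier rather than the password itself is safer, can both be made concrete. The following is an added example written for this page; it is not code from the poster or from any project mentioned here. It uses a salted PBKDF2-SHA256 verifier, which is the modern equivalent of the "fixed text encrypted with the password" scheme the post describes, not that scheme itself; the character classes, the 10^12 guesses/second rate and the example passwords are assumptions taken from the thread or constructed for illustration.

```python
import hashlib
import hmac
import math
import os

# Character classes a generator may draw from (assumed; standard ASCII sets).
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "special": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
FULL_ALPHABET = sum(len(chars) for chars in CLASSES.values())  # 94 symbols


def classes_used(password):
    """Character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to enumerate the whole space at a given guess rate, in years.

    The rate is an assumption; it only shows how the bits translate to time.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def make_record(password, iterations=600_000):
    """Verifier to store at the destination: the password itself is not kept.

    A fresh random salt means two users with the same password get different
    records, and the hash cannot be precomputed before the record is seen.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Recompute the verifier from the candidate and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "BkdMifjRpkaLdX"  # the (retired) password quoted in the post
    used = classes_used(pw)
    seen_size = sum(len(CLASSES[c]) for c in used)
    print("classes present:", sorted(used), "->", seen_size, "symbols")
    print("entropy if only the visible classes are assumed: %.1f bits"
          % entropy_bits(len(pw), seen_size))
    print("entropy if the generator's full alphabet is assumed: %.1f bits"
          % entropy_bits(len(pw), FULL_ALPHABET))
    print("years to exhaust the 52-symbol space at 1e12 guesses/s: %.2e"
          % years_to_exhaust(entropy_bits(len(pw), seen_size), 1e12))

    record = make_record(pw)
    print("stored record:", record)
    print("password literally in record?", pw in record)
    print("correct password accepted?", verify_password(record, pw))
    print("one-letter variant accepted?", verify_password(record, "bkdMifjRpkaLdX"))
```

Run it directly to see the numbers for the post's example: 14 mixed-case letters carry about 79.8 bits when only the visible classes are counted, and about 91.8 bits when the attacker must include the digits and specials the generator could have produced. The record printed at the end contains only the scheme, iteration count, salt and digest, which is the property the post attributes to a properly implemented destination.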