Bad Grammar Makes Good Passwords

HardOCP News

Researchers are saying that bad grammar actually makes good passwords. If that is true, most of our passwords should be impossible to crack. ;)

As processing power continues to fall in price, choosing passwords that are easily memorized but secure is getting harder and harder. A $3000 computer running appropriate algorithms can make 33 billion password guesses every second.
 
Oh god. Steve take this down NOW!

My IT dept. is now going to require new passwords every 180 days that not only must be 6-12 characters, have a capital letter, a number, a special character, and not repeat any of the last dozen passwords... but now poor grammar as well.
 
$3000 computer running appropriate algorithms can make 33 billion password guesses every second

Wait... what? It takes several video cards and a 6-core Intel to crack 9000 wpm just for WPA. What do they know that I don't?

I mean, well, I have no idea what they're talking about.
 
I might change my passwords to "1o1 ull never gess this p@$$w0rd nubs u f@il!"
 
I might change my passwords to "1o1 ull never gess this p@$$w0rd nubs u f@il!"

Sorry, the password you entered is over the 12-character limit for passwords. Please try again.
 
Oh god. Steve take this down NOW!

My IT dept. is now going to require new passwords every 180 days that not only must be 6-12 characters, have a capital letter, a number, a special character, and not repeat any of the last dozen passwords... but now poor grammar as well.

I have never understood the value of changing passwords often, unless someone is trying day after day to crack yours AND you know you are changing to something already tried...

My passwords are gibberish combinations of letters, numbers and characters, typed randomly, then I go in and make specific changes to eliminate any standardization from that. Throw in a few capitals and an underscore or two and I have yet to have one be cracked.

I don't try to remember them. I keep them in a simple text file in a hidden, encrypted folder that closes by itself after a few minutes open. And that is just for common message board sites. Financial site passwords are never saved on a computer.
 
I have never understood the value of changing passwords often, unless someone is trying day after day to crack yours AND you know you are changing to something already tried...

This is why I don't understand why more sites don't have secondary confirmation. At a business they just need to call your desk phone with a confirmation you type in appended to your normal password. Worse yet, they go to an RSA or text message method. Either one allows the user to have a unique and moderately complex password with something a hacker will RARELY have.
 
What computer will let you try passwords that often?

The only way they are ever going to get in is if the system is set up very insecurely, i.e., has a password that doesn't lock out. And even then, it is going to have to wait a second or two at the minimum between login attempts.

Sure, for personal computers with just an admin account set up, they might be able to get it. It is still going to take a while if you have a decent password though.

As for web sites, message boards, etc., they only allow so many login attempts before locking out.
 
Oh god. Steve take this down NOW!

My IT dept. is now going to require new passwords every 180 days that not only must be 6-12 characters, have a capital letter, a number, a special character, and not repeat any of the last dozen passwords... but now poor grammar as well.

My last job required that. Crazy ass grammatical requirements on all passes. No two letters together, no similarly placed in the alphabet repeated x times, etc.

It took me 2 days to figure out a password that would fit the requirements.
 
Maybe try following the link?

http://whitepixel.zorinaq.com/

Quad 5970s brute forcing single hash MD5.

The real problem is idiot developers still using general purpose hashing algorithms such as MD5 or SHA-1 for passwords. Hell, weaknesses in MD5 were discovered as far back as 1995. I use at minimum bcrypt for all passwords in my work. What's really sad though is developers not even bothering with password security at all. At my current job, I rebuilt a website that was storing passwords in plain text, and the login process was not SSL secured. Not to mention, all of the passwords were the person's last name plus a random 2-digit number. Whoever did that should never write a single line of code ever again. That's just flat out laziness.
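To make the storage point above concrete, here is an added example (not code from the thread or any project it mentions) contrasting the unsalted fast hash the post criticizes with slow, salted storage. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt; the record format, the 600,000-iteration work factor and the sample password "Smith42" are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# The anti-pattern from the thread: fast general-purpose hash, no salt.
# Every user with the same password gets the same digest, so one lookup
# table or one cracked hash covers all of them.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Slow, salted storage. PBKDF2 is used here because it ships with Python;
# bcrypt (which the post recommends) is structured the same way: per-user
# random salt plus a tunable work factor, both kept next to the digest.
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a crash
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not leak how much of the digest matched.
    return hmac.compare_digest(digest, expected)


def same_password_same_record(store: Callable[[str], str], password: str) -> bool:
    """True if two users who pick the same password end up with identical records."""
    return store(password) == store(password)


if __name__ == "__main__":
    # "Smith42" is a constructed example of the last-name-plus-two-digits scheme.
    print("md5 records collide:   ", same_password_same_record(md5_store, "Smith42"))
    print("pbkdf2 records collide:", same_password_same_record(pbkdf2_store, "Smith42"))
    rec = pbkdf2_store("Smith42")
    print("verify correct:", pbkdf2_verify("Smith42", rec), " wrong:", pbkdf2_verify("Smith43", rec))
```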
 
What computer will let you try passwords that often?

The only way they are ever going to get in is if the system is set up very insecurely, i.e., has a password that doesn't lock out. And even then, it is going to have to wait a second or two at the minimum between login attempts.

Sure, for personal computers with just an admin account set up, they might be able to get it. It is still going to take a while if you have a decent password though.

As for web sites, message boards, etc., they only allow so many login attempts before locking out.

Any decent website won't let you attempt passwords that often. Most of the brute force attacks I've seen are against the database itself, after someone has obtained a copy. Some would argue that once you have the database, knowing the passwords is pointless. True, depending on what the hacker is trying to gain access to. Considering most people reuse the same password for everything, if you have a database full of email addresses and passwords, you can attempt to log into their email accounts, and from there you can easily gain access to all of their accounts, including bank accounts. That's also why I use a unique password for my email that isn't shared anywhere else.
 
When I see articles on password strength, I'm always reminded of this:

password_strength.png
 
Humans are actually very good at making names to assemble seemingly random letters; they're memorable and easily typed. But a computer will probably not crack them, unless I'm totally wrong.

If the software can crack VandenDriessche or Krzyzewski, then bravo, it wins. Or a place such as Ljubljana or Albuquerque.

Or do something easy for your mind to solve like Elvis_Baratheon, both kings, or two wizards, two Jedi knights, etc.
 
Humans are actually very good at making names to assemble seemingly random letters; they're memorable and easily typed. But a computer will probably not crack them, unless I'm totally wrong.

If the software can crack VandenDriessche or Krzyzewski, then bravo, it wins. Or a place such as Ljubljana or Albuquerque.

Or do something easy for your mind to solve like Elvis_Baratheon, both kings, or two wizards, two Jedi knights, etc.

VandenDriessche and Krzyzewski can indeed be easily cracked by a computer. They aren't long enough. You're assuming that the computer is only using a dictionary to try and crack the password; we have enough computing power today that you don't need to rely on a dictionary and can simply use the entire character set. Read the comic that Geryon posted and you'll understand why having a longer password is better than a short, but "complex" password.

Frankly, I hate lame max password length requirements. The minimum acceptable max length should be 32, so allowing 8-32 character passwords. I still see requirements of 8-12 and typically 8-16 at best.

Also, without a periodical password reset, all the dumbdumbs end up doing is using "password1" or "Password1" in place of the old standby of "password".
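As an added illustration of the length-versus-complexity argument in the reply above (not code from the thread), this sizes the candidate space an attacker has to search for the names mentioned, for the "last name + 2 digits" scheme from earlier in the thread, and for a 40-character string like the piano passwords below, then converts each to worst-case time at the article's 33 billion guesses per second. The class sizes, the 100,000-entry surname list and the sample strings are this example's assumptions.

```python
import math
import string

# Figure quoted from the article: a $3000 machine making 33 billion guesses/second.
GUESSES_PER_SECOND = 33e9

# How a simple strength estimator sizes the alphabet: (characters in class, class size).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive attacker must cover, given which classes appear."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def exhaustive_space(password: str) -> int:
    """Candidates for a full brute force over the password's alphabet and length."""
    return alphabet_size(password) ** len(password)


def surname_plus_two_digits_space(num_surnames: int) -> int:
    """Candidates for the 'last name + random 2-digit number' scheme from the thread."""
    return num_surnames * 100


def seconds_to_crack(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried once at the given rate."""
    return space / rate


def bits(space: int) -> float:
    """Search space expressed as bits of guessing entropy."""
    return math.log2(space)


if __name__ == "__main__":
    # Constructed comparison; 100,000 surnames is an assumed wordlist size.
    cases = {
        "surname + 2 digits (100k-name list)": surname_plus_two_digits_space(100_000),
        "VandenDriessche (brute force)": exhaustive_space("VandenDriessche"),
        "Elvis_Baratheon (brute force)": exhaustive_space("Elvis_Baratheon"),
        "40 lowercase letters (brute force)": exhaustive_space("a" * 40),
    }
    for label, space in cases.items():
        print(f"{label:38} {bits(space):6.1f} bits  {seconds_to_crack(space):10.3g} s")
```

The surname scheme falls in well under a millisecond because its space is the wordlist, not the character set; the brute-force rows show length, not symbol variety, is what moves the exponent.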
 
Something along the line of "Grandmatik mach fried" might do it...
 
How would someone be able to make 1000 guesses/second for days? Just if there's no lockout at all?
 
I play piano, and my passwords are just 5 seconds of classical music played on a keyboard with unexpected finger positions.

I wouldn't recognize my passwords if I saw them, but they usually contain around 40 characters.

Too long for my bank :(
 