
If The Game Knows That Caps Lock Is On


20 replies to this topic

#1 Captain Stiffy

    Member

  • Liquid Metal
  • 2,234 posts

Posted 10 March 2013 - 10:04 PM

then just fix the password

dang

#2 TexAce

    Member

  • The 1 Percent
  • 2,861 posts
  • Location: Germany

Posted 11 March 2013 - 02:36 AM

well you can't argue with that lol

#3 Aym

    Member

  • Bad Company
  • 3,041 posts
  • Location: Los Angeles

Posted 11 March 2013 - 02:41 AM

Some people put capital letters into their passwords thinking it makes them more secure

#4 Taurick

    Member

  • FP Veteran - Beta 2
  • 216 posts
  • Location: 'straya

Posted 11 March 2013 - 02:43 AM

Yeh that helps the guy with an all caps password

#5 stjobe

    Member

  • Legendary Founder
  • 9,498 posts
  • Location: On your six, chipping away at your rear armour.

Posted 11 March 2013 - 02:49 AM

Aym, on 11 March 2013 - 02:41 AM, said:

Some people put capital letters into their passwords thinking it makes them more secure

It does, to a degree.

It's all about search space; using only lower case letters halves the search space as compared to using mixed case. Of course, just mixing lower-case and upper-case letters is still a rather limited search space, so please use numbers and non-letter characters as well.

And don't make your password too short either; below eight to ten characters is easily cracked even with numbers and non-letter characters in there.

While we're at it, don't use a password based on a real word; those are so easy to crack it's laughable, even if you use leet-speak substitutions (Mechwarrior -> M3chw4rr!0r).

#6 T2k5

    Member

  • Elite Founder
  • 31 posts
  • Location: Finland

Posted 11 March 2013 - 03:09 AM

Posted Image

#7 Captain Stiffy

    Member

  • Liquid Metal
  • 2,234 posts

Posted 11 March 2013 - 05:51 AM

I love XKCD too but sometimes there is an extreme oversight in what he posts...

For example, that's a super razor sharp idea about passwords, until you factor in dictionary attacks.

(then it's 4-8 bits of entropy to a system that contains all the words)

Edited by Captain Stiffy, 11 March 2013 - 05:52 AM.


#8 ItsAPotato

    Member

  • 126 posts

Posted 11 March 2013 - 06:22 AM

Captain Stiffy, on 10 March 2013 - 10:04 PM, said:

then just fix the password

dang


Ha. Caps-lock is my push-to-talk button, so I'm always failing login. It makes me sad =(

Edited by ItsAPotato, 11 March 2013 - 06:23 AM.


#9 MustrumRidcully

    Member

  • Legendary Founder
  • 10,644 posts

Posted 11 March 2013 - 06:37 AM

Captain Stiffy, on 11 March 2013 - 05:51 AM, said:

I love XKCD too but sometimes there is an extreme oversight in what he posts...

For example, that's a super razor sharp idea about passwords, until you factor in dictionary attacks.

(then it's 4-8 bits of entropy to a system that contains all the words)

It's not that easy:
http://en.wikipedia.org/wiki/Diceware

#10 Phaesphoros

    Member

  • 513 posts

Posted 11 March 2013 - 06:37 AM

@Captain Stiffy: I'd guess he included dictionary attacks in his scenario. How many "common" words are there in English? Dunno what this "entropy" thing is about, I normally use number of possibilities (as 8 bits = 1 byte = max 255 possibilities). Let's say the number of common words is of the order of 100,000 = 10^5. Then 4 words = (10^5)^4 = 10^20 possibilities. Consider 2*26+(special characters) approx. 100=10^2 possible characters, 10 character long pw: (10^2)^10 = 10^20 combinations.

#11 T2k5

    Member

  • Elite Founder
  • 31 posts
  • Location: Finland

Posted 11 March 2013 - 06:39 AM

Captain Stiffy, on 11 March 2013 - 05:51 AM, said:

I love XKCD too but sometimes there is an extreme oversight in what he posts...

For example, that's a super razor sharp idea about passwords, until you factor in dictionary attacks.

(then it's 4-8 bits of entropy to a system that contains all the words)


That's why I combine both ways where some level of security is needed. But more on the subject of this thread, you can't really "fix" the capslock except by telling the user to fix it himself. Unless, of course, you force everything to lowercase after input, which would be immensely stupid. If a service even hints that it might know my password without me writing it correctly, I'm out.

#12 MustrumRidcully

    Member

  • Legendary Founder
  • 10,644 posts

Posted 11 March 2013 - 06:41 AM

Phaesphoros, on 11 March 2013 - 06:37 AM, said:

@Captain Stiffy: I'd guess he included dictionary attacks in his scenario. How many "common" words are there in English? Dunno what this "entropy" thing is about, I normally use number of possibilities (as 8 bits = 1 byte = max 255 possibilities). Let's say the number of common words is of the order of 100,000 = 10^5. Then 4 words = (10^5)^4 = 10^20 possibilities. Consider 2*26+(special characters) approx. 100=10^2 possible characters, 10 character long pw: (10^2)^10 = 10^20 combinations.

Entropy on Wikipedia: http://en.wikipedia....ation_theory%29
It's basically a measure of uncertainty about a variable.

For a dictionary attack, you don't consider individual characters, only the words, as that is what you are using to "guess". But of course, if you use a special sign as a separator between each word (it could be a space, but also anything else), then it gets more complicated - and not necessarily any harder to memorize.
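The search-space arithmetic from Phaesphoros's post and the word-versus-character point in the reply above, worked through as an added Python example (not code from anyone in the thread). The thread's figures (100,000 common words, 4 words, 100 characters, 10 characters) and Diceware's 7776-word list are the inputs; the leet-speak substitution table is a constructed assumption used to put a number on stjobe's "M3chw4rr!0r" remark, and `separator_choices` is a hypothetical parameter modelling the separator idea above.

```python
import math


# Bits of entropy for `count` independent uniform choices among `choices` options.
def entropy_bits(choices: int, count: int) -> float:
    return count * math.log2(choices)


def character_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a random password of `length` characters from an alphabet of `alphabet_size`."""
    return entropy_bits(alphabet_size, length)


def passphrase_bits(dictionary_size: int, words: int, separator_choices: int = 1) -> float:
    """Entropy of a random passphrase of `words` words from a `dictionary_size`-word list.

    A dictionary attack guesses whole words, so the character alphabet is irrelevant;
    only list size and word count matter. If one separator symbol is picked uniformly
    from `separator_choices` candidates and reused between every pair of words, it
    adds log2(separator_choices) bits once, not once per word.
    """
    return entropy_bits(dictionary_size, words) + math.log2(separator_choices)


# Constructed substitution table: how many spellings a rule-based guesser tries per
# letter (the plain letter included). Letters not listed have exactly one spelling.
LEET_OPTIONS = {"a": 3, "e": 2, "i": 3, "o": 2, "s": 3, "t": 2}


def leet_variant_count(word: str) -> int:
    """Number of leet-speak spellings of `word` the rule set above enumerates."""
    count = 1
    for ch in word.lower():
        count *= LEET_OPTIONS.get(ch, 1)
    return count


def leet_bits(word: str) -> float:
    """Extra bits a leet-speak substitution adds on top of guessing the base word."""
    return math.log2(leet_variant_count(word))


def compare_thread_cases() -> dict:
    """The figures used in the thread, plus Diceware, expressed in bits."""
    return {
        "4 words from 100000": passphrase_bits(100_000, 4),
        "10 chars from 100": character_password_bits(100, 10),
        "5 Diceware words": passphrase_bits(7776, 5),
        "8 lowercase letters": character_password_bits(26, 8),
        "8 mixed-case letters": character_password_bits(52, 8),
        "8 chars, 94 printable ASCII": character_password_bits(94, 8),
        "1 dictionary word + leet": math.log2(100_000) + leet_bits("mechwarrior"),
    }


if __name__ == "__main__":
    for label, bits in compare_thread_cases().items():
        print(f"{label:30s} {bits:6.1f} bits  (~2^{bits:.0f} guesses to exhaust)")
```

The two 10^20 estimates in the post come out identical at about 66.4 bits, a random 5-word Diceware passphrase is close behind, and a single dictionary word with leet substitutions lands near 22 bits, which is why the reply's point stands: against a word-based guesser, what counts is how many words and how large the list, not how the characters look.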

#13 xRatas

    Member

  • Bad Company
  • 514 posts
  • Location: Finland

Posted 11 March 2013 - 06:46 AM

Captain Stiffy, on 10 March 2013 - 10:04 PM, said:

then just fix the password

dang


Or maybe just say I have CAPS on, so I can use my keyboard as I see fit?

While it would not take too many hours to make a code that replaces upper and lower cases around, should the game also know if you typed your password originally with CAPS or not? If not, then it must accept 2 different passwords, or if you used CAPS first time you typed it, autofix would prevent using CAPS if you happen to have more upper case than lower. Also, maybe the time to write the replacement function for that would be much better spent by doing something else?

#14 Phaesphoros

    Member

  • 513 posts

Posted 11 March 2013 - 06:47 AM

@MustrumRidcully: Yeah, I've basically done an estimation "use just normal words vs. dictionary attack" compared to "use character mess vs. brute force attack".

#15 Dishevel

    Member

  • The 1 Percent
  • 762 posts
  • Location: Orange County, CA

Posted 11 March 2013 - 06:54 AM

Captain Stiffy, on 11 March 2013 - 05:51 AM, said:

I love XKCD too but sometimes there is an extreme oversight in what he posts...

For example, that's a super razor sharp idea about passwords, until you factor in dictionary attacks.

(then it's 4-8 bits of entropy to a system that contains all the words)

Once you have decided that you are in fact looking for multiple random words.
In the real world you are just going to go after logins you know to be there and hit them with the 10,000 most popular passwords and when you do not get the hit you will move on to the next login.

#16 T2k5

    Member

  • Elite Founder
  • 31 posts
  • Location: Finland

Posted 11 March 2013 - 07:07 AM

xRatas, on 11 March 2013 - 06:46 AM, said:

Or maybe just say I have CAPS on, so I can use my keyboard as I see fit?

While it would not take too many hours to make a code that replaces upper and lower cases around, should the game also know if you typed your password originally with CAPS or not? If not, then it must accept 2 different passwords, or if you used CAPS first time you typed it, autofix would prevent using CAPS if you happen to have more upper case than lower. Also, maybe the time to write the replacement function for that would be much better spent by doing something else?


From the programming standpoint, this could be done in less than five minutes by forcing everything to lowercase, but it would be terrible for password security. Sadly, I have had some clients suggest similar "user-friendly" features for log-in functions in the past. In password-based authentication, forcing the user to write everything correctly without any post-input aid is the only way to go.
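To put numbers on the objection in the last two posts, here is an added Python example (not code from the game or from anyone in the thread). It stores a salted PBKDF2 hash and verifies the password exactly as typed, shows how many distinct inputs a login that lowercases before hashing would silently accept, and, as an alternative design that nobody in the thread proposes, shows the narrow form of Caps Lock tolerance that checks only the exact input and its case-swapped form, so the stored hash is never weakened and the cost is one extra guess rather than 2 to the power of the letter count. The credential "MechWarrior1" and the iteration count are constructed for the demo.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple

# Constructed iteration count so the demo runs quickly; production deployments tune
# this upward. The scheme (salted PBKDF2-HMAC-SHA256) uses only the standard library.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. The password is hashed exactly as typed:
    no lowercasing, trimming or other normalisation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_exact(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Accept only the exact string the user enrolled with (constant-time compare)."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def verify_capslock_tolerant(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Accept the exact attempt or its case-swapped form, which is what Caps Lock
    produces. Exactly two candidates are tried, so an online guesser gains one bit;
    lowercasing before hashing would instead merge 2**letters inputs into one."""
    return verify_exact(stored, attempt) or verify_exact(stored, attempt.swapcase())


def lowercase_collisions(password: str) -> int:
    """How many distinct inputs a login that lowercases before hashing would accept
    as `password`: every cased letter could be typed either way."""
    cased = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** cased


def demo() -> dict:
    stored = hash_password("MechWarrior1")  # constructed credential for the demo
    return {
        "exact match": verify_exact(stored, "MechWarrior1"),
        "caps lock, exact check": verify_exact(stored, "mECHwARRIOR1"),
        "caps lock, tolerant check": verify_capslock_tolerant(stored, "mECHwARRIOR1"),
        "all lowercase, tolerant check": verify_capslock_tolerant(stored, "mechwarrior1"),
        "inputs a lowercasing login accepts": lowercase_collisions("MechWarrior1"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:36s} {result}")
```

The exact check rejects the Caps Lock variant, as T2k5 wants; the tolerant check accepts that one variant and nothing else, while the collision count shows that lowercasing "MechWarrior1" would make 2048 different strings open the same account.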

#17 MustrumRidcully

    Member

  • Legendary Founder
  • 10,644 posts

Posted 11 March 2013 - 07:11 AM

T2k5, on 11 March 2013 - 07:07 AM, said:

From the programming standpoint, this could be done in less than five minutes by forcing everything to lowercase, but it would be terrible for password security. Sadly, I have had some clients suggest similar "user-friendly" features for log-in functions in the past. In password-based authentication, forcing the user to write everything correctly without any post-input aid is the only way to go.

Seems "password schemes" run between extremes. There is the "everything in lower case, and please don't allow so many special signs" extreme, and the "change your password every month and you need to use 16 letters at minimum, lower and upper case letters, numbers, and 2 special characters minimum" extreme (so that you probably write it down somewhere you consider "safe", or make an extremely poor algorithm that simply counts the password upwards).

#18 Captain Stiffy

    Member

  • Liquid Metal
  • 2,234 posts

Posted 11 March 2013 - 07:12 AM

Interesting discussion. I work in the IT industry and am very security minded (and regularly trained on it by my corporation) - more than anything I wanted to post this to see what people would say. It was almost a joke.

#19 Rofl

    Member

  • Ace Of Spades
  • 435 posts
  • Location: Trash can around the corner.

Posted 11 March 2013 - 07:13 AM

HOW CAN YOU TELL IF YOU HAVE CAPS LOCK ON?

#20 Dishevel

    Member

  • The 1 Percent
  • 762 posts
  • Location: Orange County, CA

Posted 11 March 2013 - 07:15 AM

MustrumRidcully, on 11 March 2013 - 07:11 AM, said:

Seems "password schemes" run between extremes. There is the "everything in lower case, and please don't allow so many special signs" extreme, and the "change your password every month and you need to use 16 letters at minimum, lower and upper case letters, numbers, and 2 special characters minimum" extreme (so that you probably write it down somewhere you consider "safe", or make an extremely poor algorithm that simply counts the password upwards).

If you want good then you have to depend on the people.
All sites should allow (Not Require) Lower Case, Upper Case, Numbers and Special Characters. No minimum length and set the Max to 255.
This will allow those who want it difficult to crack and easy to remember passwords. Those who do not care about their security do not get it. Simple.
