Silk Road forums

Discussion => Security => Topic started by: thecrackhead on November 06, 2012, 11:08 am

Title: How to Choose a Secure/almost Hack-Proof password
Post by: thecrackhead on November 06, 2012, 11:08 am
Hello friends,

I thought I should share this because I love the community and you guys helped me directly and indirectly.

We know that the hackers, phishers, etc. would love to hack into SR accounts and we know that there are many out there trying to do so. Choosing an easy password is a high security risk.

Today I'm going to teach you a simple method of getting a complex and almost hack-proof password.

As you all know, in order for your password to be difficult to hack you need numbers, capital letters, and symbols.

As we are all doing drugs we know that the brain can be a bitch from time to time and we can forget things, especially a password that contains all the things mentioned.

The Method:

1)- Choose a sentence that you will never forget, i.e.: I love PUSSY. (keep shift pressed for "pussy").

2)- You're not going to type that in, you only have to remember it.

3)- Instead of typing normally you press the key above the letter you have to type, i.e. instead of "F" you press "R", instead of "O" you press "9" and so on.

Let's see what we get:

I love PUSSY becomes *o9f3)&WW^

I recommend using longer sentences.

It works pretty easily as you don't have to remember the difficult password.

I hope it helps.

Enjoy!
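As an added example that is not part of the original post, the Python below implements the key-above mapping on a US QWERTY layout exactly as described (shift state kept; spaces and number-row keys have no key above them and are dropped, which is what turns "I love PUSSY" into "*o9f3)&WW^") and then measures what a defender cares about: how many distinct passwords the scheme can produce from a set of candidate phrases. The candidate phrases are constructed; the layout rows are the standard QWERTY rows with the physical stagger ignored, as the post's own example does (above "l" is taken to be "o").

```python
import math

# US QWERTY rows, unshifted and shifted, aligned by column so that the key
# "above" a character is the same column in the previous row.  The physical
# stagger is ignored, as in the post's own example (above 'l' is 'o').
UNSHIFTED = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]


def _locate(ch):
    """Return (row, column, shifted) for a key, or None if it is not on the grid."""
    for rows, shifted in ((UNSHIFTED, False), (SHIFTED, True)):
        for r, row in enumerate(rows):
            c = row.find(ch)
            if c != -1:
                return r, c, shifted
    return None


def key_above(phrase):
    """Apply the scheme: type the key above each character, keeping shift state.
    Characters with no key above them (spaces, the number row) are dropped,
    which is why "I love PUSSY" loses its spaces."""
    out = []
    for ch in phrase:
        pos = _locate(ch)
        if pos is None or pos[0] == 0:
            continue
        r, c, shifted = pos
        out.append((SHIFTED if shifted else UNSHIFTED)[r - 1][c])
    return "".join(out)


def distinct_outputs(phrases):
    """How many different passwords the scheme yields from these phrases."""
    return len({key_above(p) for p in phrases})


def guess_space_bits(phrases):
    """Entropy of the scheme's output measured the way the thread measures
    everything else: log2 of the number of distinct possibilities.  Because the
    mapping is fixed, the output space can never be larger than the phrase space,
    so the password is exactly as guessable as the sentence behind it."""
    return math.log2(distinct_outputs(phrases))


# Constructed candidate phrases standing in for "sentences you will never forget".
CANDIDATES = ["I love PUSSY", "I love pizza", "We love Cats", "Hold the pickles"]

if __name__ == "__main__":
    for p in CANDIDATES:
        print(f"{p!r:20} -> {key_above(p)!r}")
    print(f"{distinct_outputs(CANDIDATES)} distinct outputs from {len(CANDIDATES)} phrases "
          f"= {guess_space_bits(CANDIDATES):.1f} bits, no more than the phrase list itself")
```

The output looks like a random mix of classes, but `guess_space_bits` shows the only thing that counts: the number of possibilities is bounded by the number of sentences a person would plausibly pick, and dropping spaces can only shrink it further.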
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: Wazup7 on November 06, 2012, 04:58 pm
While having a strong password will not stop a phisher from uncovering that password.........

I personally intersperse two words letter by letter, putting !'s in between every 5 characters.  Then I append the number equivalent of the first and last letters (A=1, B=1, etc.) to the beginning and end respectively, and finally a # at the first and last character.  If I need to change my password, I pick two new words.

E.g.  Trouble Brewing, would become #20TBrro!euwbi!lneg7#

The technique to type it is type the first word, then move your cursor to just after the first character and type the second word, letter by letter, pressing the right arrow key in between each letter, then put the !'s in, then the numbers and #'s.

But again, as soon as you enter that password into the phishing website, it is compromised.  The only way to prevent phishing is to change your password often.

Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 06, 2012, 06:56 pm
That is the most secure way to choose a password. You should not use dictionary words, because all possible combinations of dictionary words are way fewer than all the possible combinations of random characters. It is relatively easy to do a dictionary attack, where you replace each letter with the letter above it. It's like a Caesar rotation (A becomes B, B becomes C, etc).

A good password should be as random as possible, 20+ characters and should contain a mix of upper and lower case letters, numbers and special characters.

The best would be just a completely random bunch of garbage, but if you want to make it easier to remember, you can do some of the following things.

Don't use one exclusively, but mix up these elements.
- Use words from foreign languages, preferably exotic ones if you know any (for example Cherokee, Bantu or Neapolitan)
- Use fantasy words (xesero, habnew), the harder to pronounce the better
- Abbreviate shit (I like pussy, I'll take two = ilp,i'llt2)
- 'e' and 't' are the most used letters, throw in some rare characters: q, x, z and symbols $ % @
- Randomly capitalize and add numbers in between the "words".

Using the key left/right/above/below is good for a part of the passphrase, not the entire phrase.

Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 06, 2012, 07:00 pm
Quote
While having a strong password will not stop a phisher from uncovering that password.........

This is true. Phishers try to make you enter your password in the wrong place, so it will get revealed to them.

All the above tips help to protect your password from a brute force attack (trying out all possibilities). No matter how strong your password is, if you give it to the wrong people it's worthless.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: awakened350 on November 06, 2012, 08:23 pm
Quote
That is the most secure way to choose a password. You should not use dictionary words, because all possible combinations of dictionary words are way fewer than all the possible combinations of random characters. It is relatively easy to do a dictionary attack, where you replace each letter with the letter above it. It's like a Caesar rotation (A becomes B, B becomes C, etc).

A good password should be as random as possible, 20+ characters and should contain a mix of upper and lower case letters, numbers and special characters.

The best would be just a completely random bunch of garbage, but if you want to make it easier to remember, you can do some of the following things.

Don't use one exclusively, but mix up these elements.
- Use words from foreign languages, preferably exotic ones if you know any (for example Cherokee, Bantu or Neapolitan)
- Use fantasy words (xesero, habnew), the harder to pronounce the better
- Abbreviate shit (I like pussy, I'll take two = ilp,i'llt2)
- 'e' and 't' are the most used letters, throw in some rare characters: q, x, z and symbols $ % @
- Randomly capitalize and add numbers in between the "words".

Using the key left/right/above/below is good for a part of the passphrase, not the entire phrase.

While the above would generate a very effective password it also becomes harder for humans to memorize it. There was a post on a blog about how the passwords we choose are extremely difficult for humans to memorize but becoming simpler and simpler for bruteforce attacks.

Go with a pass phrase several words long and you have an easy to remember password that is also hard to hack.

ex. stonedskittleleprechaun
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: greywhite on November 06, 2012, 10:15 pm

Quote
Go with a pass phrase several words long and you have an easy to remember password that is also hard to hack.

ex. stonedskittleleprechaun

Agreed. You can still always throw in a couple of random characters too.

It wouldn't let me attach it, so here's a *clearnet* link to a cartoon that helped me understand why

hxxp://imgs.xkcd.com/comics/password_strength.png
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 06, 2012, 11:18 pm
Quote
Go with a pass phrase several words long and you have an easy to remember password that is also hard to hack.

ex. stonedskittleleprechaun

That password isn't very strong because it only contains lower case characters and words straight out of the dictionary. If you use that as a passphrase for your hard disk encryption, the police will be able to crack it relatively easily.

A stronger password is harder to remember, but it's well worth the effort.

For your Silk Road account, you don't have to choose a password that's too fancy. However if you encrypt your HDD or have to give a passphrase for your PGP private key, it is recommended that you use a strong passphrase.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 07, 2012, 08:17 am
I just make up and remember a random sentence and then a random word and number.

So many things to remember and do I will just make up a sentence then reptile7*

that is a good password.

stonedskittleleprechaun is also a good password though.

Quote
A stronger password is harder to remember, but it's well worth the effort.

That isn't actually true, you should read the previously linked XKCD for an explanation of why. I have read several times that English prose contains approximately one bit of entropy per character. That means the passphrase "So many things to remember and do I will just make up a sentence then reptile7*" contains at least 78 bits of entropy. Since it has a number and special character it probably contains even more entropy. 2^78 isn't the best you can do (likely either 2^128 or 2^256 depending on the encryption algorithm being used), but it is strong enough that it can be considered as secure enough (I think 2^80 is the minimum suggested bit strength for a strong password to have though).

Honestly even 80 bits is a conservative estimate of the bit strength of that passphrase. One passphrase strength estimation algorithm that is regarded as being accurate starts out with the initial characters adding more bits of estimated entropy to the overall passphrase than subsequent characters do, only leveling out to 1 extra bit per additional character after 20 or so characters. There are also math formulas for determining the amount of entropy in a given amount of data. I can only imagine that the highly mathematical algorithms for entropy estimation are more accurate than even the good password strength estimation algorithms (which may for example compare your passphrase to a dictionary as one of their criteria for strength estimation, a technique that I don't think would be used with the pure mathematical approach). I think somewhere on the XKCD site he describes the method he used to estimate the entropy of the presented passwords though.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 08, 2012, 11:57 am
kmfkewm, I have to respectfully disagree with you here.

Somebody who is a native speaker of the English language knows somewhere between 5000 (Joe average) and 12000 words (if you're a very highly educated person). Let's really stretch it and say there are 20000 words, which is about the contents of a pocket size dictionary.

Then, if you choose a password consisting of 3 English words (ex. stonedskittleleprechaun), then there are 20,000 to the power 3 possibilities (8x10^12). To calculate the bits of entropy, you have to take the base-2 logarithm of that number. That gives 42.9 bits of entropy, which isn't even close to the 80 we wanted.

And then I'm stretching it; in reality it's going to be even weaker. When you ask people to choose a random word, they tend to choose nouns (like you chose "reptile"). And if it's a cluster of words, then people tend to put adjectives before the nouns. Both "correct horse battery staple" and "stoned skittle leprechaun" follow this pattern.

A person's vocabulary isn't that big, and the type and order of the words you choose isn't all that random. So in the calculations I used above, I made some pretty optimistic assumptions for the number of possibilities.

However, if you make a password that consists of random characters, then for each character there are roughly 70 possibilities (26 lower case letters, 26 upper case, 10 numbers and 8 special characters). That means that for each random character, you get ²Log 70 = 6.1 bits of entropy.

This means that a password like:
8wF+2Gzb (7 random characters)
contains 42.7 bits of entropy, which is just as strong as "stonedskittleleprechaun" (if not stronger).

If you have a password of 15 random characters, then you get 91.5 bits of entropy, which is reasonable. TrueCrypt recommends 20 characters, which gives you 122 bits of entropy in my calculations (it may be slightly more because there are more than 8 special characters). Then you are getting in the range of 128 bits of entropy, which is desirable.

For a service like Silk Road, where the amount of login attempts are limited, these things are not a concern. But if you choose a password for an encrypted volume, you need to take it into consideration.


TL;DR:

CoolGrey's golden rule: for a good password, avoid anything that looks like English.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 08, 2012, 11:29 pm
Quote
kmfkewm, I have to respectfully disagree with you here.

Somebody who is a native speaker of the English language knows somewhere between 5000 (Joe average) and 12000 words (if you're a very highly educated person). Let's really stretch it and say there are 20000 words, which is about the contents of a pocket size dictionary.

Then, if you choose a password consisting of 3 English words (ex. stonedskittleleprechaun), then there are 20,000 to the power 3 possibilities (8x10^12). To calculate the bits of entropy, you have to take the base-2 logarithm of that number. That gives 42.9 bits of entropy, which isn't even close to the 80 we wanted.

And then I'm stretching it; in reality it's going to be even weaker. When you ask people to choose a random word, they tend to choose nouns (like you chose "reptile"). And if it's a cluster of words, then people tend to put adjectives before the nouns. Both "correct horse battery staple" and "stoned skittle leprechaun" follow this pattern.

A person's vocabulary isn't that big, and the type and order of the words you choose isn't all that random. So in the calculations I used above, I made some pretty optimistic assumptions for the number of possibilities.

However, if you make a password that consists of random characters, then for each character there are roughly 70 possibilities (26 lower case letters, 26 upper case, 10 numbers and 8 special characters). That means that for each random character, you get ²Log 70 = 6.1 bits of entropy.

This means that a password like:
8wF+2Gzb (7 random characters)
contains 42.7 bits of entropy, which is just as strong as "stonedskittleleprechaun" (if not stronger).

If you have a password of 15 random characters, then you get 91.5 bits of entropy, which is reasonable. TrueCrypt recommends 20 characters, which gives you 122 bits of entropy in my calculations (it may be slightly more because there are more than 8 special characters). Then you are getting in the range of 128 bits of entropy, which is desirable.

For a service like Silk Road, where the amount of login attempts are limited, these things are not a concern. But if you choose a password for an encrypted volume, you need to take it into consideration.


TL;DR:

CoolGrey's golden rule: for a good password, avoid anything that looks like English.

Cool Grey, I can give sources backing my claims, can you give sources backing your claims:

http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh-keygen+1

Well, actually I just did part of your job for you, as this link says this:

Quote
Good passphrases are 10-30 characters long, are not
     simple sentences or otherwise easily guessable (English prose has only
     1-2 bits of entropy per character, and provides very bad passphrases),
     and contain a mix of upper and lowercase letters, numbers, and non-
     alphanumeric characters.  The passphrase can be changed later by using
     the -p option.

1-2 bits of entropy per character in English prose, although they suggest not using it.

here is another source that estimates the entropy per bit of English (from wikipedia)
https://en.wikipedia.org/wiki/Entropy_%28information_theory%29
Quote
The entropy rate of English text is between 1.0 and 1.5 bits per letter,[6] or as low as 0.6 to 1.3 bits per letter, according to estimates by Shannon based on human experiments.[7]

Shannon, Claude E.: Prediction and entropy of printed English, The Bell System Technical Journal, 30:50–64, January 1951.

I believe that English only levels out to ~1 bit of entropy per character after several characters are used. According to this NIST (draft, although I used to have a non-draft copy which was nearly the same if I recall correctly) paper on password strength estimation:

csrc.nist.gov/archive/pki-twg/y2003/presentations/twg-03-05.pdf

password length :: bits of entropy +=

1 - 4
2 - 6
3 - 8
4 - 10
5 - 12
6 - 14
7 - 16
8 - 18
10 - 21
12 - 24
14 - 27
16 - 30
18 - 33
20 - 36
30 - 46

Quote
1- 10 character passwords consistent with
curves in Fig. 4 of paper
♦ 10 – 20 character passwords assume that
entropy grows at 1.5 bits of entropy per
character
♦ Over 20 character passwords assume that
entropy grows at 1 bit per character


As you can see, the first character gives more entropy than subsequent characters. Their estimator only adds += 2 bits of estimated entropy for having a number, += 2 bits for having a capital and += 2 bits for having a special character. So the difference between abc and A*8 is that the second is 6 bits stronger, but between abcd and A##9 the difference is still 6 bits. This isn't the best entropy estimation system in the world, but I have compared outputs using this algorithm with outputs from other algorithms I have been told are more accurate, and really the difference between the outputs is minimal. Thus I consider this to be a good entropy ESTIMATOR, whereas the other more complex algorithms are actually entropy calculators I suppose.

With this algorithm, the estimated strengths of the passwords:

8wF+2Gzb :: 36.0
stonedskittleleprechaun :: 41.0
So many things to remember and do I will just make up a sentence then reptile7* :: 101.5

For an FDE or GPG key you will want to have at least 80 bits of entropy in your password, so only the long sentence would be suggested. For a web based password to a site like SR, you don't really need 80 bits of entropy imo. That NIST paper gives various suggestions of when to use which strength of password.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 09, 2012, 12:08 am
Code:
/*
The following code implements a slightly modified version of the password entropy estimating
algorithm suggested by Bill Burr in the draft version of the NIST publication 'Estimating Password
Strength'
*/

#define _GNU_SOURCE   /* strcasestr() is a GNU extension, not part of ISO C */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>    /* isdigit(), islower(), isupper(), ispunct(), isspace() */

static char password[1024];
static double entropy_bits = 0.0;

static int dictionary_test(char*, double*);
static int password_characters_test(char*, double*);

/*
chomp strips a trailing newline left behind by fgets. It stands in for the
helper of the same name from the original "advstring.h", which is not a
standard header.
*/
static void chomp(char* s)
{
  size_t len = strlen(s);
  if(len > 0 && s[len - 1] == '\n')
    s[len - 1] = '\0';
}

/*
Main is given the users password as input and outputs the estimated amount of entropy
that the password has.

change main to password_check when the time comes
*/

int main(void)
{
  if(fgets(password, sizeof(password), stdin) == NULL)
    return 1;                     /* no input: nothing to estimate */

  chomp(password);

  password_characters_test(password, &entropy_bits);
  dictionary_test(password, &entropy_bits);
  printf("%f\n", entropy_bits);
  return 0;
}

/*
password_characters_test checks the length of the password as well as the
sort of characters it contains, and accordingly adds to the amount of
estimated entropy.
*/

static int password_characters_test(char* password, double* entropy_bits)
{
  size_t x = 0;
  bool contains_digit = false, contains_lower = false,
       contains_upper = false, contains_special = false;

  while(x != strlen(password))
    {
      /* the ctype functions require an unsigned char value */
      unsigned char ch = (unsigned char)password[x];

      /* each character class adds 1.5 bits the first time it appears */
      if( isdigit(ch) && contains_digit == false)
        {
          contains_digit = true;
          *entropy_bits += 1.5;
        }
      else if( islower(ch) && contains_lower == false)
        {
          contains_lower = true;
          *entropy_bits += 1.5;
        }
      else if( isupper(ch) && contains_upper == false )
        {
          contains_upper = true;
          *entropy_bits += 1.5;
        }
      else if( ispunct(ch) && contains_special == false)
        {
          contains_special = true;
          *entropy_bits += 1.5;
        }
      else if(isspace(ch) && contains_special == false)
        {
          contains_special = true;
          *entropy_bits += 1.5;
        }

      x++;

      /* positional bits: 4 for the first character, 2 each for characters
         2 to 9, 1.5 each for characters 10 to 20, and 1 for every character
         after that (the curve from the NIST draft) */
      if(x == 1)
        {
          *entropy_bits += 4;
        }
      else if(x > 1 && x < 10)
        {
          *entropy_bits += 2;
        }
      else if(x >= 10 && x <= 20)
        {
          *entropy_bits += 1.5;
        }
      else
        {
          *entropy_bits += 1;
        }
    }
  return 0;
}


static FILE *dictionary_file;
static char dictionary_word[1024];

/*
dictionary_test compares strings from the dictionary file named 'dictionary'
and adds estimated entropy if the user provided password does not include
any of the words in the dictionary file.
*/

static int dictionary_test(char* password, double* entropy_bits)
{
  dictionary_file = fopen("dictionary", "r");
  if(dictionary_file == NULL)
    {
      /* no dictionary file: skip the test instead of dereferencing NULL */
      perror("dictionary");
      return -1;
    }

  if(strlen(password) > 6)
    {
      *entropy_bits += 6;

      while(fgets(dictionary_word, sizeof(dictionary_word), dictionary_file) != NULL)
        {
          chomp(dictionary_word);
          /* skip blank lines: strcasestr() matches the empty string anywhere,
             which would deduct the 6 bits from every password */
          if(dictionary_word[0] != '\0' && strcasestr(password, dictionary_word))
            {
              *entropy_bits -= 6;
              break;
            }
        }
    }

  fclose(dictionary_file);
  return 0;
}
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: wretched on November 09, 2012, 12:38 am
just out of curiosity, how secure would a simple password like this be?   

A♠K♦Q♥J♣
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 10, 2012, 04:28 pm

Quote
Cool Grey, I can give sources backing my claims, can you give sources backing your claims:


All claims I made are backed up by the calculations I showed you.

The more possibilities there are for a password, the harder it is to guess, and therefore the stronger it is. Bits of Entropy is the number of bits you need to represent all the possibilities. You can calculate the BOE from the number of possibilities using the formula:

Bits of Entropy = ²Log n   (where n is the number of possibilities.)

For the outcome of a random coin flip you have two possibilities: heads or tails. So the uncertainty, expressed in bits of entropy is: ²Log 2 = 1 BOE. This is logical, because with two possibilities, it's either 0 or 1. You need only 1 bit to represent 2 options. When you play twister, you have 4 possible outcomes of spinning the wheel (red, blue, green, yellow). Then you have: ²Log 4 = 2 Bits of Entropy. This is also logical, because with two bits you can represent 4 possibilities: 00, 01, 10 and 11. For every extra bit of entropy, the number of possibilities doubles.

We can apply this same logic to our problem.

If we take a random ASCII character, I said there were 70, but I realize there are more, namely 95 (26 lower case letters, 26 upper case, 10 numbers and 33 special characters). Then for every random ASCII character there are 95 possibilities, which means

²Log 95 = 6.57 Bits of entropy.

If you have 10 random characters, there are 95^10 possibilities. If you calculate the bits of entropy from that, you get:

²Log( 95^10 ) = 10 x ²Log 95 =10 x 6.57 = 65.7 (basic logarithm operations; you can simply add up all the BOE from the individual characters).

This is how I calculated the bits of entropy for passwords containing random ASCII characters. So far there is no guessing, it is all just cold hard mathematics...


Now for the passwords that include complete English words. My assumption is that there are roughly 20 000 words in the vocabulary of a speaker, which is something only the most educated people actually achieve. Still, using that assumption, the entropy of a random English word is:

²Log 20 000 = 14.3 BOE.
If you have a password consisting of 3 English words, then that would be: 3x14.3 = 42.9 BOE.

This is using my optimistic assumptions of a very rich vocabulary, and a totally random pick from it. The reality is going to be worse. Randall in his “correcthorsebatterystaple” comic used 11 BOE per word, which I think is more realistic because most people don't have such a huge vocabulary. We also saw that people don't really randomly pick words, but secretly are predisposed to selecting adjective+noun combinations.

So when we calculate and compare:

8wF+2Gzb (7 characters totally random): 7 x 6.57 = 45.99
aD3#n5=2pD@x?$9 (15 random characters): 15 x 6.57 = 98.55

stonedskittleleprechaun (3 english words), at best: 3 x 14.3 = 42.9, more realistically: 3 x 11= 33

I believe these numbers show pretty clearly that a password consisting of random gibberish is way better than one containing English words. You need a lot of English words (like your long phrase) to get just as much BOE as 10 to 20 random characters of ASCII.

The 11 BOE per word roughly equals 1 to 1.5 BOE per character in English words. So I'm not contradicting those statements. I'm only saying that 1 to 1.5 BOE per character is very little. Remember that every time you add a BOE, the possibilities double. So a random character (6.5 BOE) gives 2^5 = 32 times more entropy than a character in an English word.

I believe my claims are backed up with some very solid mathematics. If you have a different opinion or detect mistakes in my math/logic, I'd love to hear it.
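As an added example (not code from any poster in this thread), the following Python reproduces the bits-of-entropy arithmetic in the post above: ²Log n over the 95 printable ASCII characters versus a word list of assumed size, which is the same naive n × lg(c) estimate that the zxcvbn writeup quoted later in the thread starts from. The dictionary sizes (20 000 words, and 2048 words for the 11 bits per word attributed to the xkcd comic), the guess rate handed to `years_to_exhaust` and the candidate strings are either taken from the posts or are labelled assumptions; note that it measures `8wF+2Gzb` as the 8 characters the string actually contains.

```python
import math
import string

# The 95 printable ASCII characters: 26 lower, 26 upper, 10 digits,
# 32 punctuation marks (string.punctuation) and the space.
PRINTABLE_ASCII = (string.ascii_lowercase + string.ascii_uppercase
                   + string.digits + string.punctuation + " ")


def bits_of_entropy(possibilities):
    """The thread's ²Log n: bits needed to index n equally likely
    possibilities (each extra bit doubles the count)."""
    return math.log2(possibilities)


def random_chars_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of `length` characters drawn uniformly from `alphabet`.
    log2(c**n) == n * log2(c), the naive n * lg(c) estimate."""
    return length * bits_of_entropy(len(alphabet))


def wordlist_bits(word_count, dictionary_size):
    """Entropy of `word_count` words drawn uniformly from a list of
    `dictionary_size` words; the length of the words does not matter."""
    return word_count * bits_of_entropy(dictionary_size)


def per_character_bits(word_count, dictionary_size, passphrase):
    """Bits each character of a word-list passphrase actually carries, for
    comparison with the 1 to 1.5 bits/character figure for English prose."""
    return wordlist_bits(word_count, dictionary_size) / len(passphrase)


def possibilities(bits):
    """Inverse of bits_of_entropy: the size of the guess space."""
    return 2.0 ** bits


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space.  The guess rate is an
    assumption the caller supplies: an offline attack on a fast hash and a
    rate-limited web login differ by many orders of magnitude."""
    return possibilities(bits) / guesses_per_second / (365.25 * 86400)


def compare_candidates():
    """The thread's comparison.  Dictionary sizes are the posters' assumptions:
    20 000 words (generous) and 2048 words (11 bits per word)."""
    return {
        "8wF+2Gzb": random_chars_bits(len("8wF+2Gzb")),
        "aD3#n5=2pD@x?$9": random_chars_bits(len("aD3#n5=2pD@x?$9")),
        "stonedskittleleprechaun@20000": wordlist_bits(3, 20_000),
        "stonedskittleleprechaun@2048": wordlist_bits(3, 2048),
    }


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    for name, bits in compare_candidates().items():
        print(f"{name:32s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, rate):.2e} years at {rate:.0e} guesses/s")
```

The word-list figures are upper bounds: they assume every word was picked uniformly from the whole list, which is the assumption the post says people violate by favouring adjective+noun pairs.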
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 10, 2012, 05:10 pm
Quote
just out of curiosity, how secure would a simple password like this be?

A♠K♦Q♥J♣

Most software won't accept that password, because those symbols are not ASCII characters. (I'm also quite sure they aren't on your keyboard.) They cannot be used, just like accented letters like é and ç. So no French or Portuguese in your passwords either.

The 95 printable ASCII characters are:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
!@#$%^&*()
~`-_=+[]{}\|;:'",.<>/?
and the space, which you can't see.


But let's imagine that you could use those characters and you have them on the keyboard. It wouldn't be an extremely strong password.

All those characters belong together, they are related to each other. If somebody tries to guess your password by trying out all possibilities he can think of (something he would use a computer for), then it would be rather logical to assume that ♠, ♦, ♥ and ♣ go together. An attacker is likely to try out all combinations involving those symbols before he tries out other combinations.

In contrast, if you have a random password like “4pcG+z3x”, there is no logic in the sequence. There is no reason why “4pcG” would go together with “+z3x”; they have nothing to do with each other. The only way to guess the password would be to attempt all possible combinations of 8 characters, for which there are more than a quadrillion possibilities, nearly impossible to do in a lifetime.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: abragoddamnya on November 10, 2012, 06:49 pm
Quote
just out of curiosity, how secure would a simple password like this be?

A♠K♦Q♥J♣

Most software won't accept that password, because those symbols are not ASCII characters. (I'm also quite sure they aren't on your keyboard.) They cannot be used, just like accented letters like é and ç. So no French or Portuguese in your passwords either.

The 95 printable ASCII characters are:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
!@#$%^&*()
~`-_=+[]{}\|;:'",.<>/?
and the space, which you can't see.


But let's imagine that you could use those characters and you have them on the keyboard. It wouldn't be an extremely strong password.

All those characters belong together, they are related to each other. If somebody tries to guess your password by trying out all possibilities he can think of (something he would use a computer for), then it would be rather logical to assume that ♠, ♦, ♥ and ♣ go together. An attacker is likely to try out all combinations involving those symbols before he tries out other combinations.

In contrast, if you have a random password like “4pcG+z3x”, there is no logic in the sequence. There is no reason why “4pcG” would go together with “+z3x”; they have nothing to do with each other. The only way to guess the password would be to attempt all possible combinations of 8 characters, for which there are more than a quadrillion possibilities, nearly impossible to do in a lifetime.

This forum will accept those characters. The password for this account uses one of them. I will test this on the store also whenever it is back working. I was curious if using characters NOT on the keyboard would make a password more secure by any measurable way.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: OneOfMany on November 10, 2012, 11:38 pm
It's difficult to judge the true entropy of a password that is made with any kind of human element, e.g. "pick a quote you like", but for purely random passwords, a good rule of thumb is that two printable ASCII characters are worth one English word. That assumes a list of 9025 words, which shouldn't be too hard to come by. I don't think you can say one is "better" than the other. It's a matter of personal preference and the specific use case. For example "cRW;<i!hmc" is obviously shorter, but I'm more confident I could remember "mix line veery rooky fume" for a long time if I had to.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 11, 2012, 12:04 am
Quote
This forum will accept those characters. The password for this account uses one of them. I will test this on the store also whenever it is back working. I was curious if using characters NOT on the keyboard would make a password more secure by any measurable way.

In that case I'd say yes. If the software accepts it (I know TrueCrypt won't, and I expect any full disk encryption software will also have troubles), then my guess is that it does add security if you add them in such a way that it doesn't form an easily guessable combination (i.e. throw one or two random symbols in the mix).


Quote
It's difficult to judge the true entropy of a password that is made with any kind of human element, e.g. "pick a quote you like", but for purely random passwords, a good rule of thumb is that two printable ASCII characters are worth one English word. That assumes a list of 9025 words, which shouldn't be too hard to come by. I don't think you can say one is "better" than the other. It's a matter of personal preference and the specific use case. For example "cRW;<i!hmc" is obviously shorter, but I'm more confident I could remember "mix line veery rooky fume" for a long time if I had to.

I agree with this. Either use 15+ random characters or get a _long_ English passphrase. 5 words is still on the short side, make it 10 and still add some symbols and numbers, for example:
"All prices 118% off, fishhooks and French hats now going for $2.98 each"
or
"At the shores of the C, watching the ~ waves ~ and the ^ birds ^ "

I guess you can be creative and come up with a good English passphrase, but make it long and random. I still prefer total randomness but I recognize that an actual phrase is also possible if you do it right.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: mdmamail on November 11, 2012, 07:34 am
http://www.schneier.com/blog/archives/2012/09/recent_developm_1.html

Note the bottom sentence:
Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.

Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: Redrum on November 11, 2012, 05:44 pm
Better to write your password down, don't try and remember it imo, but yeah, you're correct: use upper and lowercase letters, symbols, and numbers. Like for instance:
2>c*7L&Gb6=|j}rP~N%0¥d.f
Also make sure your passwords are at least 15 characters long.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 11, 2012, 08:35 pm
Quote
Better to write your password down, don't try and remember it imo, but yeah, you're correct: use upper and lowercase letters, symbols, and numbers. Like for instance:
2>c*7L&Gb6=|j}rP~N%0¥d.f
Also make sure your passwords are at least 15 characters long.

Most experts advise against writing down passphrases. However, I think it's better to write the password down, use it a few times until you remember it, then burn the note, than choosing a password that is easy to guess.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 11, 2012, 08:57 pm
One more thing, when I say write it down, I mean physically write it down, don't show it to anyone and then later burn it with actual fire. Don't ever type it in a document on your computer.

Quote
http://www.schneier.com/blog/archives/2012/09/recent_developm_1.html

Note the bottom sentence:
Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.
That's a very good read. The article about the Schneier scheme is excellent.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: thecloser on November 12, 2012, 02:27 am
I've heard that putting in a space is a good idea, but I don't know if you can with all passwords. Can you put spaces in most passwords?
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 12, 2012, 09:56 am
Quote
I've heard that putting in a space is a good idea, but I don't know if you can with all passwords. Can you put spaces in most passwords?
It's an ASCII character and it's on every keyboard, so I see no technical reason why it shouldn't be possible. For example, TrueCrypt accepts the use of spaces. I have seen some web services that block the usage of spaces for passwords, but I don't really see the point in that. You'll have to try it to be sure.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 12, 2012, 11:54 am
Two random ASCII characters have 14 bits of entropy, that is easy to determine. I have heard that zxcvbn is one of the best password entropy estimating algorithms, although that NIST algorithm I showed has similar results.

https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 12, 2012, 12:06 pm
and allow me to quote from that zxcvbn writeup

Quote
Strength is best measured as entropy, in bits: it’s the number of times a space of possible passwords can be cut in half. A naive strength estimation goes like this:

import math

def entropy(n, c):
    # n: password length
    # c: password cardinality: the size of the symbol space
    #    (26 for lowercase letters only, 62 for a mix of lower+upper+numbers)
    return n * math.log2(c)  # base 2 log

This brute-force analysis is accurate for people who choose random sequences of letters, numbers and symbols. But with few exceptions (shoutout to 1Password / KeePass), people of course choose patterns — dictionary words, spatial patterns like qwerty, asdf or zxcvbn, repeats like aaaaaaa, sequences like abcdef or 654321, or some combination of the above. For passwords with uppercase letters, odds are it’s the first letter that’s uppercase. Numbers and symbols are often predictable as well: l33t speak (3 for e, 0 for o, @ or 4 for a), years, dates, zip codes, and so on.

As a result, simplistic strength estimation gives bad advice. Without checking for common patterns, the practice of encouraging numbers and symbols means encouraging passwords that might only be slightly harder for a computer to crack, and yet frustratingly harder for a human to remember. xkcd nailed it:
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 12, 2012, 12:15 pm
Quote
Better to write your password down, don't try and remember it imo, but yea you're correct: use upper and lowercase letters, symbols, and numbers. Like for instance 2>c*7L&Gb6=|j}rP~N%0¥d.f, and also make sure your passwords are at least 15 characters long.
Most experts advise against writing down passphrases. However, I think it's better to write the password down, use it a few times until you remember it, then burn the note, than choosing a password that is easy to guess.

except don't write it on a notepad because they can read impressions ;)
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 12, 2012, 12:21 pm
I am happy with passwords like this:

One word to remember actually it is a phrase whatever 200%!

the chances of that being cracked are really minimal. And according to the NIST algorithm I showed, it has 81.5 bits of entropy. Only 1.5 bits above the bare minimum suggested for a secure passphrase, but it will do :).
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: kmfkewm on November 12, 2012, 12:27 pm
and as for correct horse battery staple? It estimates that it has 46 bits of entropy, 2 bits more than the XKCD comic would lead us to think but still close. As for Tr0ub4dor&3 it estimates 35.0 bits, a good deal higher than XKCD's estimate of 28 bits, but still less than correct horse battery staple.
Title: Re: How to Choose a Secure/almost Hack-Proof password
Post by: CoolGrey on November 12, 2012, 08:29 pm
It's important to realize that the difference between 40 and 80 is huge.

Every bit added doubles the strength. It's not like a password of 80 BOE is twice as hard to crack as a password of 40 BOE. The 80 BOE password is 1099511628000 (2^40) times harder to crack.

That's how much you lose in strength if you go for a password that is slightly easier to remember.

I don't think they'll ever spend the money to do a brute force on the computer of a simple drug buyer, but if you choose to do encryption, you might as well do it the right way: use a minimum of 7 words or 15 random characters.
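As an added example (not from the thread, zxcvbn or the NIST paper), here is the naive entropy estimate quoted from the zxcvbn writeup a few posts up, side by side with the XKCD-style word-count estimate and the doubling-per-bit arithmetic from this post. The 2048-word dictionary size and the 33-character symbol class are assumptions made for this example.

```python
import math

# Character classes for the naive cardinality estimate. The 33-symbol count
# (printable ASCII punctuation plus space) is an assumption for this example.
CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda ch: not ch.isalnum(), 33),
)

def cardinality(password):
    """Symbol-space size c: the summed sizes of the classes actually present."""
    return sum(size for test, size in CLASSES if any(test(ch) for ch in password))

def naive_entropy_bits(password):
    """The quoted estimate entropy = n * lg(c); it treats every character as random."""
    return len(password) * math.log2(cardinality(password))

def passphrase_entropy_bits(word_count, dictionary_size=2048):
    """Entropy of word_count words drawn uniformly from a dictionary_size word list."""
    return word_count * math.log2(dictionary_size)

def strength_ratio(bits_a, bits_b):
    """How many times more guesses the stronger password needs: each bit doubles the work."""
    return 2 ** (bits_b - bits_a)

def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half of the space is searched."""
    return 2 ** bits / 2 / guesses_per_second

if __name__ == "__main__":
    # Constructed sample inputs, the two passwords compared in the XKCD comic.
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw!r}: naive estimate {naive_entropy_bits(pw):.1f} bits")
    # The naive formula rates Tr0ub4dor&3 at roughly 72 bits where the comic says 28:
    # the leet substitutions and the dictionary word are patterns, not random characters,
    # which is exactly why the zxcvbn writeup calls this estimate naive.
    print(f"4 random words from 2048: {passphrase_entropy_bits(4):.0f} bits")
    print(f"80 bits vs 40 bits: {strength_ratio(40, 80):,} times more work")
```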