So it looks like the state of the art of cracking is getting so sophisticated that the usefulness of conventional passwords and hashes is reaching its limit. It's time for a new approach to the problem...
Code:
#include <cmath>
#include <complex>

bool euler_flip(bool value)
{
    return std::pow
    (
        std::complex<float>(std::exp(1.0)),
        std::complex<float>(0, 1)
        * std::complex<float>(std::atan(1.0) * (1 << (value + 2)))
    ).real() < 0;
}
O_o
That is actually a year old; "state of the art" has come even further than the article may reference.
Anyway, I've always felt the problem with password security is idiots regurgitating bad advice (Oh, yeah, replacing 'S' with '$' is so hardcore secure.) and poorly implemented protections (Would you believe one of the sites I use still only allows 8 digit passwords?).
Don't get me wrong; I know a lot of people want to use their anniversary or whatever, but with novices forwarding bad advice even to people who would be happy with a good password I just can't really complain about the "password" crowd.
Soma
“Salem Was Wrong!” -- Pedant Necromancer
“Four isn't random!” -- Gibbering Mouther
I remember that AMEX only allowed up to 8 character passwords until just a year or two ago...ridiculous.
As the IT person for the small company I work for, I get quite a lot of resistance to using even simpler passwords (vs none); people just don't get the importance.
I recommend people do not use any identifiable words in their password.
My bank only allows 7, but they authenticate the computer from which you connect with a call to the phone number on file with the account. If I try to log in from a new computer/device, they call me and give me a code with which to authenticate.
But I agree that short passwords are very bad.
What can this strange device be?
When I touch it, it gives forth a sound
It's got wires that vibrate and give music
What can this thing be that I found?
Doesn't really matter how sophisticated these things get. They can't break my passwords because I tend to use 130-character passwords with letters, big and small, numbers and special characters wherever possible (although some times do not allow this - can you imagine that?), and it's completely random. No words. Not rememberable. Unique to each site. Yeah, good luck cracking that.
130 is way overkill by any measure. https://www.grc.com/haystack.htm
It is. But you have to take into account that processing power increases every year and it should last my entire lifetime. Plus we have absolutely no idea how ridiculous processing power we'll have in the future, so add in a big uncertainty and make it last for 100 + 1 million years or so with only letters (big + small) because some sites disallow special characters and you get around 130 characters. I made some calculations on that some time ago.
Passwords aren't just meant to be safe today, but tomorrow, too.
At some point this becomes pointless because the passwords are hashed before being stored, which reduces their maximum entropy. A 256-bit hash (it doesn't matter if it's salted) has only 256 bits of entropy no matter how many bits of entropy the password contained. Your 130 character password will have something like 800-1000 bits of entropy, most of which are irrelevant. The attacker doesn't have to find your password, they have to find some password that hashes to your hash. Having salt doesn't change this situation at all.
It's more likely that an attacker will physically steal the machine your data is stored on, than they could attack such a password.
Code:
//try
//{
    if (a) do { f( b); } while(1);
    else   do { f(!b); } while(1);
//}
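Added example, not part of any post in this thread: the digest-size cap described in the post above, shown with SHA-256 truncated to a toy 16 bits so the search finishes instantly. The 94-symbol alphabet, the constructed 130-character sample password and the helper names are assumptions of this sketch.

```python
import hashlib
import itertools
import math

TOY_BITS = 16  # deliberately tiny digest (assumption) so the demo runs in a moment

def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def effective_bits(length, alphabet_size, digest_bits):
    """Strength that survives hashing: capped by the size of the digest."""
    return min(password_entropy_bits(length, alphabet_size), digest_bits)

def toy_digest(password, bits=TOY_BITS):
    """SHA-256 truncated to its top `bits` bits, standing in for a small hash."""
    full = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return full >> (256 - bits)

def find_equivalent(target, bits=TOY_BITS):
    """First short candidate whose toy digest equals `target`, plus tries used."""
    for tries in itertools.count(1):
        candidate = f"pw{tries}"
        if toy_digest(candidate, bits) == target:
            return candidate, tries

# Constructed 130-character sample password over 94 printable symbols.
LONG_PASSWORD = "".join(chr(33 + (i * 37) % 94) for i in range(130))

if __name__ == "__main__":
    chosen = password_entropy_bits(130, 94)
    kept = effective_bits(130, 94, 256)
    print(f"{chosen:.0f} bits chosen, {kept:.0f} bits survive a 256-bit hash")
    other, tries = find_equivalent(toy_digest(LONG_PASSWORD))
    print(f"{other!r} is accepted in place of the 130-character password "
          f"after {tries} tries against the {TOY_BITS}-bit digest")
```

Each extra digest bit doubles the expected number of tries, so at 256 bits the same search is far out of reach; past that point extra password length adds nothing a verifier holding only the digest can check.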
Good point. But the idea here is to have a password that reduces the likelihood that it will be cracked. Doesn't mean it can't. Always possibilities...
Yep, and that is why I avoid storing sensitive information in the accounts. I would love if a store doesn't actually force you to store sensitive information such as name, etc. But I never store any bank card details. Ever.
xkcd had a pretty good take on this situation. The ideal solution to the entropy reduction of hashing would be to use the password itself as the key in an encryption process. The length of the password is preserved, as is the entropy. The password is still unrecoverable, but can be matched when necessary.
One way to strengthen collision-resistance would be to replace the publicly-known salt with one or more permutations of the password itself. So for instance, suppose the password is "foobarbaz". Append the reverse to obtain "foobarbazzabraboof" and then compute the hash. Now the attacker is forced to find a password that when concatenated with its reverse produces the correct hash, a much harder problem. The more "permutation constraints" imposed on the input, the better the security...
EDIT:
And note that this scheme could easily be applied to existing codebases without having to change the underlying hashing algorithm itself. So in the event that you're stuck with using something with known weaknesses, such as MD5, you could nonetheless improve overall security using "permutation salts".
Last edited by Sebastiani; 10-10-2013 at 10:15 AM.
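Added example, not part of any post in this thread: the "permutation salt" from the post above, next to a per-user random salt, to show what each stored value reveals when two users pick the same password. It goes beyond the post by using PBKDF2-HMAC-SHA256 from Python's hashlib for the salted case; the iteration count, account names and helper names are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def permutation_hash(password):
    """Scheme from the post: hash the password followed by its reverse."""
    return hashlib.sha256((password + password[::-1]).encode()).hexdigest()

def salted_record(password, iterations=600_000):
    """Per-user random salt plus a slow KDF; the salt is stored beside the key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])

def shared_password_groups(stored):
    """Audit helper: users whose stored values are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed accounts; alice and bob happen to choose the same password.
ACCOUNTS = {"alice": "foobarbaz", "bob": "foobarbaz", "carol": "quuxcorge"}

if __name__ == "__main__":
    perm = {u: permutation_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    keys = {u: r["key"] for u, r in salted.items()}
    print("permutation scheme, identical stored values:", shared_password_groups(perm))
    print("random salt, identical stored values:", shared_password_groups(keys))
    print("alice still verifies:", verify("foobarbaz", salted["alice"]))
```

Because the permutation is derived from the password alone, equal passwords always produce equal stored values, so one precomputed table applies to every account; the random salt removes that property while verification still works.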