Thread: The End of the Age of the Password

  1. #1
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708

    The End of the Age of the Password

So it looks like the state of the art of cracking is getting so sophisticated that the usefulness of conventional passwords and hashes is reaching its limit. It's time for a new approach to the problem...
    Code:
    #include <cmath>
    #include <complex>
    // Euler's identity used as a NOT gate: e^(i*pi*2^value) is -1 for false
    // (real part < 0, so the function returns true) and +1 for true.
    bool euler_flip(bool value)
    {
        return std::pow
        (
            std::complex<float>(std::exp(1.0)), 
            std::complex<float>(0, 1) 
            * std::complex<float>(std::atan(1.0)
            *(1 << (value + 2)))
        ).real() < 0;
    }

  2. #2
    Master Apprentice phantomotap's Avatar
    Join Date
    Jan 2008
    Posts
    5,108
    O_o

    That is actually a year old; "state of the art" has come even further than the article may reference.

    Anyway, I've always felt the problem with password security is idiots regurgitating bad advice (Oh, yeah, replacing 'S' with '$' is so hardcore secure.) and poorly implemented protections (Would you believe one of the sites I use still only allows 8 digit passwords?).

    Don't get me wrong; I know a lot of people want to use their anniversary or whatever, but with novices forwarding bad advice even to people who would be happy with a good password I just can't really complain about the "password" crowd.

    Soma
    “Salem Was Wrong!” -- Pedant Necromancer
    “Four isn't random!” -- Gibbering Mouther

  3. #3
    Make Fortran great again
    Join Date
    Sep 2009
    Posts
    1,413
    I remember that AMEX only allowed up to 8 character passwords until just a year or two ago...ridiculous.

As the IT person for the small company I work for, I get quite a lot of resistance to using even simpler passwords (vs none); people just don't get the importance.

  4. #4
    [](){}(); manasij7479's Avatar
    Join Date
    Feb 2011
    Location
    *nullptr
    Posts
    2,657

  5. #5
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    I recommend people do not use any identifiable words in their password.

  6. #6
    Registered User
    Join Date
    Oct 2006
    Posts
    3,445
Quote Originally Posted by phantomotap
    Would you believe one of the sites I use still only allows 8 digit passwords?
    my bank only allows 7, but they authenticate the computer from which you connect with a call to the phone number on file with the account. if I try to log in from a new computer/device, they call me and give me a code with which to authenticate.

    but I agree that short passwords are very bad.
    What can this strange device be?
    When I touch it, it gives forth a sound
    It's got wires that vibrate and give music
    What can this thing be that I found?

  7. #7
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
Doesn't really matter how sophisticated these things get. They can't break my passwords because I tend to use 130-character passwords with letters, big and small, numbers and special characters wherever possible (although some sites do not allow this - can you imagine that?), and it's completely random. No words. Not rememberable. Unique to each site. Yeah, good luck cracking that.
    Quote Originally Posted by Adak
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  8. #8
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,613
    130 is way overkill by any measure. https://www.grc.com/haystack.htm

  9. #9
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
It is. But you have to take into account that processing power increases every year and it should last my entire lifetime. Plus we have absolutely no idea how ridiculous processing power we'll have in the future, so add in a big uncertainty and make it last for 100 + 1 million years or so with only letters (big + small) because some sites disallow special characters and you get around 130 characters. I made some calculations on that some time ago.
    Passwords aren't just meant to be safe today, but tomorrow, too.

  10. #10
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,613
    I just change mine.

  11. #11
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Changing passwords is annoying and add to that I have around 375-ish passwords stored (some which I probably never use), and it becomes a pain to change every time.

  12. #12
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
Quote Originally Posted by Elysia
    It is. But you have to take into account that processing power increase every year and it should last my entire lifetime.
    At some point this becomes pointless because the passwords are hashed before being stored, which reduces their maximum entropy. A 256-bit hash (it doesn't matter if it's salted) has only 256 bits of entropy no matter how many bits of entropy the password contained. Your 130 character password will have something like 800-1000 bits of entropy, most of which are irrelevant. The attacker doesn't have to find your password, they have to find some password that hashes to your hash. Having salt doesn't change this situation at all.

    It's more likely that an attacker will physically steal the machine your data is stored on, than they could attack such a password.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  13. #13
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
Quote Originally Posted by brewbuck
    At some point this becomes pointless because the passwords are hashed before being stored, which reduces their maximum entropy. A 256-bit hash (it doesn't matter if its salted) has only 256 bits of entropy no matter how many bits of entropy the password contained. Your 130 character password will have something like 800-1000 bits of entropy, most of which are irrelevant. The attacker doesn't have to find your password, they have to find some password that hashes to your hash. Having salt doesn't change this situation at all.
    Good point. But the idea here is to use a password that reduces the likelihood that it will be cracked. Doesn't mean it can't. Always possibilities...

    It's more likely that an attacker will physically steal the machine your data is stored on, than they could attack such a password.
    Yep, and that is why I avoid storing sensitive information in the accounts. I would love if a store doesn't actually force you to store sensitive information such as name, etc. But I never store any bank card details. Ever.

  14. #14
    Registered User
    Join Date
    Oct 2006
    Posts
    3,445
    xkcd had a pretty good take on this situation. the ideal solution to the entropy reduction of hashing would be to use the password itself as the key in an encryption process. the length of the password is preserved, as is the entropy. the password is still unrecoverable, but can be matched when necessary.

  15. #15
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
Quote Originally Posted by brewbuck
    The attacker doesn't have to find your password, they have to find some password that hashes to your hash. Having salt doesn't change this situation at all.
    One way to strengthen collision-resistance would be to replace the publicly-known salt with one or more permutations of the password itself. So for instance, suppose the password is "foobarbaz". Append the reverse to obtain "foobarbazzabraboof" and then compute the hash. Now the attacker is forced to find a password that, when concatenated with its reverse, produces the correct hash, a much harder problem. The more "permutation constraints" imposed on the input, the better the security...

    EDIT:

    And note that this scheme could easily be applied to existing codebases without having to change the underlying hashing algorithm itself. So in the event that you're stuck with using something with known weaknesses, such as MD5, you could nonetheless improve overall security using "permutation salts".
    Last edited by Sebastiani; 10-10-2013 at 10:15 AM.
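Added example (not code from the thread) contrasting the three storage schemes discussed above: the unsalted hash, the "permutation salt" from the post (password followed by its reverse, with SHA-256 assumed as the underlying hash), and a random per-user salt with iterated PBKDF2. The check it runs is whether two accounts that chose the same password end up with the same stored record; the PBKDF2 work factor and the sample values are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample; "foobarbaz" is the password the post itself uses.
PASSWORD = "foobarbaz"
ITERATIONS = 100_000  # assumed PBKDF2 work factor, not from the thread


def plain_hash(password: str) -> str:
    """Baseline the thread describes: an unsalted hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def permutation_salt_hash(password: str) -> str:
    """The post's 'permutation salt': hash the password followed by its reverse.
    SHA-256 is assumed here; the post leaves the underlying hash open."""
    return hashlib.sha256((password + password[::-1]).encode()).hexdigest()


def random_salt_hash(password: str, salt=None):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_random_salt(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = random_salt_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_record_for_same_password(scheme: str) -> bool:
    """Do two users who choose the same password get identical stored records?
    If so, one precomputed table or one guess covers both accounts. A
    deterministic transform of the password alone (plain or permutation)
    cannot change that; a random per-user salt does."""
    if scheme == "plain":
        return plain_hash(PASSWORD) == plain_hash(PASSWORD)
    if scheme == "permutation":
        return permutation_salt_hash(PASSWORD) == permutation_salt_hash(PASSWORD)
    if scheme == "random_salt":
        return random_salt_hash(PASSWORD)[1] == random_salt_hash(PASSWORD)[1]
    raise ValueError(scheme)


if __name__ == "__main__":
    for scheme in ("plain", "permutation", "random_salt"):
        print(f"{scheme:12s} identical records: {same_record_for_same_password(scheme)}")
    salt, digest = random_salt_hash(PASSWORD)
    print("verify correct:", verify_random_salt(PASSWORD, salt, digest))
    print("verify wrong:  ", verify_random_salt("foobarbay", salt, digest))
```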
