{It doesn't matter how good the following is... or is not. It does not serve a purpose. All the information contained within this rant has been said before... better... and likely by better people... or at least, experts. After all, where (and from whom) do you think I learned it?}
The Problem Statement
Upwards of a year ago, I downloaded a bunch of password databases from the Internet (but where else) onto my desktop (that increasingly cluttered space). I was thinking of making some sort of (password) cracker. Actually, I think (as it has been awhile) I was interested in seeing how secure my existing passwords were... and how fast I could crack any insecure passwords I might have... something which I will define (handily enough) as something that can be cracked in under an hour by an off-the-shelf software solution... or anything I can come up with. But a year has gone by and it is clear I have better things to do with my time than look into crackers (such as writing idiotic rants, perhaps, very much like this one). And that means it is time to delete the databases.
Um, yeah. I'm not very good at deleting things... anything, really. But luckily, I have an out. I downloaded those databases for a 'Password Project'. And a rant is a sort of project. So, why don't I just rant a bit about passwords and be done with it?
Problem Solved!
{I think I get carried away by my own keystrokes, the sound of my own voice, if you will. I mean, this isn't bad writing... nor is it technically incorrect. Of course, in that last, I may be wrong. But technical nitpicking aside, it is (most definitely) pointless writing. I mean, I do have one or two possible unique points further down the way. But for the most, this is recap. The world knows it. So, why bother saying it, yet again? It's not like there is anything special about my voice.}
User Names
Passwords are just one side of the coin. So, let me start by talking about the other.
admin
master
server
And so on, are all very common User Names. Want some cheap advice (from the cheap seats, no less)? Don't use common passwords.
Don't use common user names, either.
After all, a password is nothing more than a value (a technical term in this particular instance) in a key/value pair (what dictionaries are called in computer-speak), which can be expressed as {user_name: password}. And if they (whoever they are, I guess it's usually Alice and Bob in Security Papers, but I haven't got time for that nonsense) don't know the key, no value is ever going to do them any good. I mean, one needs a key (the value in computer-speak, ironically enough) to open a lock, but one also needs a lock (i.e. the key) to open in the first place or the key (the value) is completely worthless. After all, I can stand alone in the forest whispering 'The Great Goomba Sent Me' to the nearest tree and it will have absolutely no (noticeable) effect. I say 'noticeable', as clearly, the tree in question will try to quietly inch itself away, but trees are not known for their speed.
Got it?
Password security can be improved (sometimes, in some cases) by using better login names.
{Has that last been said before? If so, it has (likely) not been said enough... or failing that, way too many times. Still (either way), I bother to say it, yet again... for the first... or hundredth time... or more probably the thousandth... if not millionth time. And if that's the case (so I'm running with the hundreds of millions of times option), I am clearly wasting my time... or not... or perhaps (yes, just perhaps), it is a question I am ill-fitted to answer.
Recently, I came across an idea (which I will attribute to Zen Buddhism), which advocated doing only that which one is compelled to do. So, nothing is the base. And on top of that layer, add only that which one cannot help but to add, that which one cannot help but to do. Writing has become one of those things for me. Not writing would be a little death of sorts. But then, I write something like this (not bad, mind you, just not of any import) and I wonder about my hobby. That probably implies I find most of my writing important. I do not. This article (as I neared the completion of the first draft) simply struck me as particularly pointless, you know, so more pointless than life normally seems to me.}
Some Theory
In the set {a-z, A-Z, 0-9, *#!...} there are 100 odd digits. So, guessing randomly, a person has about a 1% chance of guessing the correct symbol (if a symbol is picked at random from that set). Throw six (or eight, or sixteen) of those symbols together in a row, and the chance of guessing the string correctly (in one go) becomes 1 in 100^6 (or 100^8, or 100^16): i.e. it's not very likely. Of course, computers do about a billion things a second, so a computer would be guaranteed to cycle through all Trillion of those 100^6 possibilities in 1,000 seconds... or about 15 minutes.
trillion = 100^6 = 1,000,000,000,000
trillion guesses / (a billion guesses per second) = 1,000 seconds ≈ 15 minutes
But if one adds on another digit it takes 100x as long... and quickly becomes infeasible. On the other hand, few humans can memorize a six digit password of the appropriate format... as the appropriate format by definition is random and has no pattern. So, humans cheat and use passwords they can memorize like their birthday, a child's name, home address, lover's telephone number, and so on, and so forth.
Or they go for those extremely common (and therefore, bad) passwords, which include:
default
password
123456
{Rather than scrap a near pointless article (you do know 1+1=2, don't you, and for those interested in this subject (cryptology), the content of this page reduces to pretty much the same, it is basic stuff), I have decided to include these meta-asides. Unfortunately, these asides (however meta) suffer from inadequacies of their own. It becomes an endless circle (or battle, if you will).
One of the other new ideas I have been playing with as of late (which is only tangentially related to Zen, not that Zen is the mark of Truth or Quality) is that All is Ego. And Truth reduces to a Battle of Wills. Clearly, I lose this fight. But do I? After all, is courage not fighting (persevering, as it were) in the face of hopeless odds? The rant continues. Clearly, I have not given up all hope!}
Dictionaries
As I said, about a year ago, I downloaded several collections of passwords from the Internet (all above board, legitimate, and free). You see, every once in a while (as in, every few days, weeks, months, years, or whatever), some website gets compromised and (eventually) the password database gets released (one way or another). The Good Guys say they use the information for research (you know, for Good, as is their namesake) and the Bad Guys do whatever it is that Bad Guys do. I'm guessing it's Bad. A very popular password cracking technique is to simply list off a few (hundred, thousand, ten thousand, or whatever) popular user names (hence, the reason to steer clear of admin) and try a few (hundred, thousand, ten thousand, or whatever) commonly used passwords for each user name (so, don't use password as your password). The implementation of the preceding takes very little code (i.e. an inner and an outer loop in your favorite programming language). But as simple (un-nuanced and straightforward) as such a strategy is, it will open a surprising number of doors (or so I am told), because most folks in user land still haven't figured out how to lock their doors (if you catch my drift).
{Dictionaries and Hash Tables are among the beautiful concepts in Computer Science. There are many beautiful concepts (i.e. beautiful solutions) in Computer Science. Writing may (or may not) be one of the beautiful solutions for my Existential Dilemma: i.e. Life is pointless, so why even try? Let us just say, a few moments ago, I was lying in bed, trying to find meaning, a reason to start the day. And I think it is reasonable to assume that I found it... meaning... in meaningful work... or at least, in busywork. In the end, that last is the big fear and the cause for these meta-asides.
Have I simply found busywork?
And if so, perhaps I should stop writing completely?
Would I be happier if I did?
For the moment, let us not concern ourselves with whether I actually could stop writing, even if I knew beyond a doubt it was totally pointless.}
Better Passwords
At some level, a human has to be able to memorize their password. Sure, one can use a password manager, which eliminates the need to memorize individual passwords. But one still has to memorize the password manager's password. It's just a reduction to a single point of failure. All the same, let's make that password (or better yet, all of our passwords) as secure as possible.
There are maybe 10,000 common English words, so a three (or four, or eight) word long sentence gives one the same security (100^6, 100^8, or 100^16) we were talking about before (as I will take the easy way and ignore word separation solutions: ' ' vs '.' vs '-' and so on).
Of course, it's pretty easy to memorize long sentences (say the first few verses of one's wedding vows or favorite poem). And at a long enough length, custom word strings of this sort form a fairly good (I won't say indestructible) password.
{Note: This technique was popularized by a six word example that included both the word 'horse' and 'battery', so I would avoid using either. Also, because I use it here, I would not use the phrase 'window.panes. often .leak..during. .severe thunderstorms...' But while we are here, please note the diversity of word separation schemes. They are near endless in and of themselves.}
Add in a bit of misdirection and a word string (or nearly any other password) is as good as gold. Say, if from now on, I decided to use the 100 Digit Hash of this very webpage (or my favorite image, file, text string, or whatever) as my global password. It would be nearly unbreakable. And the fact that it is not a popular technique would make it even more secure.
But most people aren't going to plug in 100 Digits (even if those digits are limited to {0-9, A-F} -- for Hexadecimal) every time they want to unlock their phone, so it's more of a security parlor game than an actual implementation.
Most passwords are far shorter and have far more organization.
{There is a fair parallel to Art in all this. (I mean the page write-up. But it could apply to password generation techniques, as well.) In that most Art sucks... and so does most of my writing. But that last is a joke. What I really mean is that most Art is nothing more than a project. And this webpage is a project. I want to do something. I sit, doing nothing, and I want to stop thinking. I think that avoiding thought is more central to my desire to do something (anything) than anything else. I want to stop thinking... so, I write about my thoughts. How silly is that?
And when not doing that, I overwhelmingly read... feeding my mind, so I have more to think about.
But at the core, I question how much I want to think, anymore.
And rest assured, if alcohol worked for me (as a solution to the I Don't Want to Think Anymore Problem), I would be a drunk.}
Advanced Dictionaries
I believe my original intent in acquiring all those password databases was to compile a dictionary of syllables. You see, a simple dictionary might be composed of popular passwords (as covered previously) or by combining common words and/or syllables (john + 123 = john123), which is little more (being a bit more, but only a little bit more) secure than john, which isn't secure at all. The point being that 123 is a common password syllable (a common combination of characters used frequently in passwords). Lots of folks have used (in the wild) passwords that begin or end with 123 or xxx... and if forced to use a special character, folks overwhelmingly end their regular password with an extra shebang: to wit...
john123!
In short, my project was going to compile a listing of common syllables from Real Life Passwords, but I never bothered to do it.
{I may have destroyed this page (no loss really) by interspersing it with these italicized asides. But the reason they are here is to salvage the piece... turn it into Art or something. Sure, it sucks, sucks in its own way. But most Art sucks. Thus, how do we know something is Art? Because it sucks... sucks in its own way. And if you are not an Art Lover (or Hater), let me advise that in the preceding definition, uniqueness is key. Art doesn't just suck. It sucks in its own way. Of course, some Art is very pleasing. But if you haven't been to an Art Museum in a while, please do go. And a few minutes into your visit, I think you will agree that most Art does, indeed, suck.
Probably, not any worse than the typical password, though.}
Some Simple Rules
- Names = 1 Digit
- Years = 1 Digit
- Words = 1 Digit
- @ instead of a, means next to nothing
- ! at the end, means nothing
- First letter capitalization, means nothing
- Numbers = 1 Digit
  - 123
  - 987
- Repeats = 1 Digit
  - aaa
  - 222
- Patterns = 1 Digit
  - asdf
  - keyboard pattern
  - mhall
  - mary had a little lamb
@lice
Al#ce
alic$
{These rules are helpful... in my opinion. For most normals (you know who you are), these rules are the meat and potatoes of this page. Avoid a few basic mistakes (123456aaa and the like) and apply a few basic improvements (get those digits up), and security will be (I believe) improved. But there is more to life than Internet Security.}
And since the previous might have been too condensed for most (some, all), let me reiterate: if a human can see the pattern (and most likely, if a human constructed the pattern), the pattern is already in the mix and a good password cracker will be taking it into account.
Still too complicated?
Assume any Human Detectable Pattern reduces to a Single Digit of encryption and will be among the first Trillion Combinations (15 minutes of protection) tried.
Please Note: That 15 minutes is for a Hobbyist Hacker. For reasons explained further below, that time is reduced to milliseconds for (as they say) Three Letter Agencies and Nation States.
'All your passwords are belong to us,' about sums it up.
Unbreakable
In short, Dictionary Attacks try to duplicate standard Human Patterns. As such, the only solution is:
- Long Passwords
- Unique Patterns
  - i.e. Randomness
Still, let me leave you with some little used patterns:
- Digits of π
  - 314
  - Mary Had A Little
  - BECOMES: ryA
- The π Digits of π
  - 314 of 31415926 = 416
  - Mary Had A Little
  - BECOMES: yHt
In short, one doesn't have to memorize their password to have their password memorized.
{Back when I said there might be one or two good ideas on this page. Well, this is one of them. That Zen do nothing, nothing that one cannot avoid doing is the other. Can you stop yourself from reading any further? If so, maybe you should stop? Or perhaps, you are attracted to train wrecks? Anyway, the other good idea is switching from Password Memorization to Algorithm Memorization. Thousand digit long passwords are easily constructed from a recipe of steps. Of course, the golden rule in Security is Secrecy. The algorithm used (much like the password) must be little used (preferably unique) or the solution set can be reduced arbitrarily (by trying all the combinations in the pattern, which by definition must always be a subset of all possible combinations). Still, I think the first 1000 Digits of π is a nice starting point, then take only the odd digits, slice off the first 32, take the next 169, and reverse. The result might as well be random. But then, let us be honest. Most humans will not bother to make such a complicated pattern. And as such, we are back where we started.
Note: In the above, I am the one who selected both 32 and 169. As such, they are hardly random. This is an important point as good Password Crackers have the ability to be customized for such idiosyncrasies: e.g. 32 and 169 for me, as I just mentioned them. In other words, everything ever posted is fair game. I will leave it for others to figure out what that means.}
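The skip-counting pattern from the list above (314 walked over 'Mary Had A Little' gives 'ryA') and the longer π recipe in the aside, as an added example in Python that is not the author's code: skip_select reproduces the page's three worked results, pi_recipe carries out the 1000-digit recipe, and nominal_bits puts a number on what such a string would be worth only if it were truly random, which (as the aside says) it is not. The π digit routine, wrapping around when a jump runs past the end of the phrase, and reading 'odd digits' as odd-valued digits are my assumptions, not the page's.

```python
from math import log2


def pi_digits(n):
    """First n decimal digits of pi, leading 3 included, computed exactly in
    integer fixed point with Machin's formula: pi = 16*atan(1/5) - 4*atan(1/239)."""
    scale = 10 ** (n + 10)                 # ten guard digits absorb the rounding

    def atan_inv(x):
        total, term, k, sign = 0, scale // x, 0, 1
        while term:                        # atan(1/x) = sum (-1)^k / ((2k+1) x^(2k+1))
            total += sign * (term // (2 * k + 1))
            term //= x * x
            k += 1
            sign = -sign
        return total

    return str(16 * atan_inv(5) - 4 * atan_inv(239))[:n]


def skip_select(phrase, skips):
    """Walk the phrase (spaces dropped) using each digit as a jump: the first digit
    is a 1-based position, every later digit advances from the previous pick.
    Reproduces the page's cases: 314 over 'Mary Had A Little' gives 'ryA'.
    Assumption: a jump past the end wraps around (the page never runs off the end)."""
    chars = phrase.replace(" ", "")
    pos, out = 0, []
    for d in skips:
        pos += int(d)
        out.append(chars[(pos - 1) % len(chars)])
    return "".join(out)


def pi_recipe(n_digits=1000, drop=32, take=169):
    """The aside's recipe: first 1000 digits of pi, keep only the odd digits
    (read here as odd-valued digits 1,3,5,7,9; an assumption), slice off the
    first `drop`, take the next `take`, and reverse."""
    odd = "".join(d for d in pi_digits(n_digits) if d in "13579")
    return odd[drop:drop + take][::-1]


def nominal_bits(password, alphabet_size):
    """Entropy the string would carry if every symbol were a uniform draw from
    alphabet_size symbols. The page's point: a recipe output is not worth this,
    only the unpredictability of the recipe and its parameters (32 and 169 here)."""
    return len(password) * log2(alphabet_size)


if __name__ == "__main__":
    print(skip_select("Mary Had A Little", "314"))   # ryA
    print(skip_select("31415926", "314"))            # 416
    print(skip_select("Mary Had A Little", "416"))   # yHt
    pw = pi_recipe()
    print(len(pw), pw[:20] + "...", round(nominal_bits(pw, 5), 1))
```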
Fool's Game
At some point, one should keep in mind what they are protecting and from whom (or should that be who from what). With a search warrant, it's pretty easy to tap a wire (and see what comes and goes), attach a key-logger (and record what nonsense strings seem to be typed over and over), install a camera (and photograph the lot, which can be done at distance), along with other ways that I don't want to get into (like the sound differential between different key-strokes on a key-board), or by simple torture (in America, it is rumored that the good guys do not torture, but they do lock folks up with other folks who enjoy the pastime, so I am not really clear on the distinction). And all of this pre-supposes the hard-drive (or memory chip) cannot be copied wholesale and the password brute-forced.
{Brute-Forced: memory is removed from a device, a copy of the static memory is made, from that safe copy 10,000 (or however many) working copies are made, and 10,000 cores (computers) are fired up at once to crack that sucker open... and in a few easily described steps time is contracted and years become hours.}
And with that as the final thought, I do believe it is time for me to go.
{As it is all a Fool's Game.}