[Tfug] Why would *anyone* leave a door open?

Bexley Hall bexley401 at yahoo.com
Fri Aug 28 15:29:51 MST 2009


> >>> s/does/did/
> >>
> >> OK...what the hell does that mean?
> >
> > Substitute 'does' with 'did'. Not a vi user, eh? ;-)
> 
> Ah.  Meaning he probably threw it in there now :).
> 
> Good news is, I deliberately used a passphrase that I've
> never actually used :).
> 
> I tend to use that sort of style though, and recommend it
> often.  It's the best way to memorize a long passphrase.
> 
> You can also create "families" of passwords with it. 
> In other words, both a longer and shorter version of the same
> concept.  Done right,
> each has meaning only to you, so that if one is compromised
> the other version isn't, or at least the search is only narrowed a
> little bit but still basically impossible.
> 
> Example...if the long phrase is
> "iseedeadpeopleinabadmovie", the short
> might be "ghostpoop".  To a human, one will remind you of the other,
> but to a computer there's no link.

But some cracking algorithms don't *care* about the significance
of the character sequence you choose!  E.g., "34fdY7g42" is just as
(insecure) as "ghostpoop"!  Dictionary based attacks rely on
the dictionary happening to contain the vulnerable password
in order to work.  So, using digits "4", "8", "2", etc. makes
your password more likely to appear in such a list (dictionary).
E.g., born2run, iamgr8, ready4it, etc.

OTOH, other cracking techniques essentially try *all* of the
possible combinations of characters (in a less computationally
intensive approach).  So, passwords that wouldn't *tend* to
appear in a "dictionary" are just as likely to be discovered
as those that *would*.  As such, your best defense is a
longer (wider) password and/or using characters that *really* are
"never encountered" in passwords.

As I said, theory and practice are very different animals
in this world.  And, just because something *seems* secure,
doesn't mean someone hasn't found a way to *efficiently*
circumvent it!

Is someone going to crack your password if they have to gain
*physical* access to your machine (i.e., you keep it offline
as I do mine) *and* have to be motivated to *want* what's
on your machine?  Or, are they going to attack some account
of yours (banking account$ tend to be worth $omething to
$tranger$!) that is publicly accessible with little
*practical* hope of ever being "traced" to the attacker?

If I have to break into your home to tap into your wired
network, I put myself at considerable risk.  OTOH, if I
can sit down at the end of the block -- or, in a neighbor's
house -- and do this "safely"...

Do the math.
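The "do the math" that this reply is asking for, as an added example that is not part of the original post or the tfug archive. It estimates the work an attacker faces under the two models the reply contrasts: a dictionary attacker who assembles candidates from words and digits (born2run, ready4it, ghostpoop) and a brute-force attacker who only cares about length and the character classes used (34fdY7g42). The word list, the assumed dictionary size of 20,000 entries, and the per-token cost model are constructed assumptions for illustration; the rest is the same arithmetic a password-policy auditor would use to decide which of two candidate passwords is weaker.

```python
"""Rough password-strength estimator comparing two attacker models.

Constructed example: the word list and DICT_SIZE are assumptions standing in
for a real attacker's word list; only the words needed for the thread's own
examples are included.
"""
import math

# Constructed stand-in for an attacker's word list (assumption).
WORDS = {"i", "see", "dead", "people", "in", "a", "bad", "movie",
         "ghost", "poop", "born", "run", "ready", "it"}
DIGITS = set("0123456789")

DICT_SIZE = 20_000                       # assumed size of a real word list
MAX_TOKEN = max(len(w) for w in WORDS)   # longest dictionary token


def alphabet_size(pw: str) -> int:
    """Size of the smallest character set that contains every symbol in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33                       # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """Work (log2 guesses) for an attacker who tries every string over the
    observed alphabet; meaning of the characters is irrelevant here."""
    return len(pw) * math.log2(alphabet_size(pw))


def dictionary_bits(pw: str):
    """Cheapest way to build pw from word and single-digit tokens, as log2
    guesses; None if pw cannot be built that way at all.

    Dynamic programming over prefixes: best[i] is the cheapest cost of
    covering pw[:i]. Case is ignored because case-toggling rules are cheap
    for the attacker (simplifying assumption)."""
    s = pw.lower()
    n = len(s)
    inf = float("inf")
    best = [inf] * (n + 1)
    best[0] = 0.0
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_TOKEN), i):
            tok = s[j:i]
            if tok in WORDS:
                cost = math.log2(DICT_SIZE)   # one of DICT_SIZE words
            elif tok in DIGITS:
                cost = math.log2(10)          # one of ten digits
            else:
                continue
            if best[j] + cost < best[i]:
                best[i] = best[j] + cost
    return None if best[n] == inf else best[n]


def cheapest_model(pw: str):
    """The attacker picks whichever model costs less; return (name, bits)."""
    b = brute_force_bits(pw)
    d = dictionary_bits(pw)
    if d is not None and d < b:
        return ("dictionary", d)
    return ("brute-force", b)


def strength_bits(pw: str) -> float:
    """Effective strength: log2 of the guesses under the cheaper model."""
    return cheapest_model(pw)[1]


if __name__ == "__main__":
    # Passwords taken from the thread itself.
    for pw in ["ghostpoop", "34fdY7g42", "born2run", "ready4it",
               "iseedeadpeopleinabadmovie"]:
        model, bits = cheapest_model(pw)
        print(f"{pw:28s} brute={brute_force_bits(pw):6.1f} bits  "
              f"dict={dictionary_bits(pw)}  -> {model} {bits:.1f} bits")
```

Run as a script it prints one line per password. Two things the arithmetic makes concrete: "ghostpoop" costs a dictionary attacker only two word choices (about 2^28.6 guesses under these assumptions) even though the two words are unrelated to a human, whereas "34fdY7g42" has no word segmentation and must be brute-forced at 62^9, about 2^53.6; and the 25-character passphrase stays above 2^114 under both models, which is the "longer is your best defense" point in a number.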
