Password security - the age of Pass Phrases

Jo'
Not nice desü
Posts: 1017
Joined: Tue 01 Feb 2011 21:38

Password security - the age of Pass Phrases

Post by Jo' » Thu 12 Oct 2017 10:47

Already a while ago I came across the information that nowadays Dual and Quad Core CPUs can guess passwords through brute force by generating any - I repeat ANY - combination of lower and upper case letters, numbers and symbols at a speed of several tens of millions per second. In combination with dedicated GPUs (plural!) this number can go up by 50 to 100 times. Not to mention clustering dozens of such powerful systems.

Of course this will not work on a forum login or paypal account. The way is to steal the password file from a system.

http://www.lockdown.co.uk/?pg=combi (from 2009)
A password with a length of 7 (seven) characters from a pool of 96 characters (mixed upper and lower case alphabet plus numbers and common symbols) results in 75 trillion possible combinations. According to Ivan Lucas a Pentium 100 would need (at a maximum!) about 2.5 years to "guess" a ZIP password. A lucky guess may take way less. However an above mentioned system, a little cluster optimized with GPUs, processing 500 million combinations per second, only takes a maximum of 10 hours!

This time goes DOWN rapidly if the entropy is much smaller. E.g. if you only have lower case letters in your password, the number of possible combinations of 26 characters in an 8 (eight) character password is merely 200 billion. Processing time for this amount is below 2 (two) minutes. Using a 96-character alphabet raises this time to 42 days. Expect certain organisations to have a lot more processing power.

Conclusion: If you don't want the average hacker or script kiddy to "guess" your passwords from a stolen encrypted password list, use pass phrases of at least 15 characters length. Having seen webpages where people are showing off PCs with up to 8 (eight) dedicated GPUs, I am now using about 20+ characters. So I do not need to change those within the next 5 years :flirt:

So instead of a hard to memorize "H46&z3hM" "ThisIsMySpiffyPassPhrase" is (might be!) more secure anyway.
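The keyspace arithmetic the post above walks through, as an added example that is not part of the original thread: pool sizes and the 500 million guesses per second rate are the post's own figures; the 10,000-word dictionary used for the word-level estimate of the pass phrase is an assumption.

```python
import math

# Guess rate quoted in the post for a small GPU cluster. Assumption: plain
# exhaustive search over the keyspace, no salting or slow hashing considered.
GUESSES_PER_SECOND = 500_000_000


def keyspace(pool_size: int, length: int) -> int:
    """Number of candidates an exhaustive character-level search must cover."""
    return pool_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed in bits; every extra bit doubles the attacker's work."""
    return math.log2(space)


def max_crack_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried. The expected time is about half."""
    return space / rate


def word_level_keyspace(words: int, dictionary_size: int) -> int:
    """Keyspace seen by an attacker who guesses whole dictionary words instead
    of single characters (dictionary_size is an assumed figure, not from the post)."""
    return dictionary_size ** words


def describe(label: str, space: int) -> None:
    secs = max_crack_seconds(space)
    print(f"{label:30} {space:.3e} candidates  {entropy_bits(space):6.1f} bits  "
          f"max {secs / 86400:12.2f} days")


if __name__ == "__main__":
    describe("7 chars, 96-symbol pool", keyspace(96, 7))
    describe("8 chars, lower case only", keyspace(26, 8))
    describe("8 chars, 96-symbol pool", keyspace(96, 8))        # "H46&z3hM"
    # "ThisIsMySpiffyPassPhrase": 24 characters from a 52-symbol (mixed case) pool
    describe("24-char phrase, by character", keyspace(52, 24))
    # Same phrase attacked as 5 words drawn from an assumed 10,000-word dictionary
    describe("24-char phrase, by word", word_level_keyspace(5, 10_000))
```

Even under the far more favourable word-level attack the phrase still leaves the 8-character mixed password several orders of magnitude behind.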

Bookworm
Preacher of KANAism
Posts: 467
Joined: Sat 05 Feb 2011 10:01
Location: Germany

Re: Password security

Post by Bookworm » Thu 12 Oct 2017 11:57

For things of a private nature which I want to keep secure I normally use a password consisting of seventeen characters. For other things, like my account on this board, the password has only nine characters. But in any case hacking passwords needs to be profitable for the hackers somehow - hacking into this board would be a waste of time and effort, so I don't expect anybody to try it. And even if somebody managed to hack into my bank account, there wouldn't be much to steal.

Jo'
Not nice desü
Posts: 1017
Joined: Tue 01 Feb 2011 21:38

Re: Password security - the age of Pass Phrases

Post by Jo' » Thu 12 Oct 2017 13:19

@Bookworm - I was writing this down just as general information. We never know from which server a password file might be stolen and exploited. In this age of data mining it's not entirely impossible that a seemingly harmless forum password is accidentally identical to the same person's paypal/bank/facebook/steam/apple password.

Even though I studied computer science and quickly understand the implications of an article like the one on "lockdown", I am still pretty naive (or "Mostly Harmless") and I am again and again surprised (in a negative way) what kind of utterly unthinkable exploits are possible. Like how browser data can be traced in order to profile humans. Even the cache IDs of one's browser data can identify a person nowadays :mellow: It's taken on ridiculous forms.

Bookworm
Preacher of KANAism
Posts: 467
Joined: Sat 05 Feb 2011 10:01
Location: Germany

Re: Password security

Post by Bookworm » Thu 12 Oct 2017 19:20

Secret services or criminal organizations may be able to spy on us - but normally they won't do it, because we don't own riches or data that may be interesting to them. While the technology is already there, the necessary effort they would have to put in would be far too big for a meagre outcome. Of course it's still a good idea to be cautious and make it harder for data collectors to trace us down, even though there's not much reason why we should be targeted.

Jo'
Not nice desü
Posts: 1017
Joined: Tue 01 Feb 2011 21:38

Re: Password security - the age of Pass Phrases

Post by Jo' » Sat 28 Oct 2017 20:50

The sad thing is that it seems like they simply collect any data they can get their hands on. Because one day you might be related to a "terrorist". It's more work to filter you out. The machines suck up what they get.

Bookworm
Preacher of KANAism
Posts: 467
Joined: Sat 05 Feb 2011 10:01
Location: Germany

Re: Password security

Post by Bookworm » Sun 29 Oct 2017 16:54

That method isn't very effective, though. Nobody is able to check all those data, so they need to rely on machines to do it - for example, filter out messages containing specific expressions. And that way they still have to waste a huge amount of time and effort to check lots and lots of messages that are completely useless to them.

To keep your personal data personal, I'd recommend to avoid the free services offered by big American companies. For example, if you need a free e-mail account, you could use StartMail. If you want to use a search engine that doesn't record your search terms, there's StartPage. You still get the same results as you would by using Google, but you can't get tracked down. And for browsing the internet anonymously you can use Tor.

Jo'
Not nice desü
Posts: 1017
Joined: Tue 01 Feb 2011 21:38

Re: Password security - the age of Pass Phrases

Post by Jo' » Mon 30 Oct 2017 11:01

They do not seem to shy away from amounts in the range of petabytes (a thousand terabytes).
But you might be right. According to William Binney they collected too much data...

https://www.theguardian.com/uk/2013/jun ... ations-nsa
http://www.zdnet.com/article/nsa-whistl ... effective/

If you read about profiling people on the interwebs it's ridiculous to what lengths they go. Tracking the files someone has in their browser cache with IDs, checking if someone shows similar behaviour under different IPs. Even TOR can't protect you from being tracked if you do not change your behaviour and the way you make user names, passwords, screen size, online time. You need to switch off JavaScript, Flash, anything which might reveal more than you can possibly imagine. In German that is called "Rasterfahndung".

They caught a hacker in Australia, because even he as a hacker forgot to remove a GPS tag in a photo he posted.

Bookworm
Preacher of KANAism
Posts: 467
Joined: Sat 05 Feb 2011 10:01
Location: Germany

Re: Password security

Post by Bookworm » Tue 31 Oct 2017 12:01

Jo' wrote: Even TOR can't protect you from being tracked if you do not change your behaviour and the way you make user names, passwords, screen size, online time.

Of course you mustn't change the window size when using TOR, and if you enter any kind of personal data while using it, you still can be tracked.

Jo' wrote: They caught a hacker in Australia, because even he as a hacker forgot to remove a GPS tag in a photo he posted.

That guy acted outright silly by posting photos about his hacking activities in the first place. It's obvious that you mustn't leave any traces that reveal your identity if you plan to engage in any kind of illegal activity.

I don't mind if they use any possible means to find child abusers or illegal arms dealers. But as long as you refrain from doing something illegal, the chances are low that any police department or secret service would bother to track you down - as it simply would be a waste of their time and resources.

Jo'
Not nice desü
Posts: 1017
Joined: Tue 01 Feb 2011 21:38

Re: Password security - the age of Pass Phrases

Post by Jo' » Tue 31 Oct 2017 12:20

Websites know a lot more than just a browser's window size, depending on how elaborately your browser communicates such data. Even if you switch the browser, your actual screen size (monitor) and OS stay the same. This is a fingerprint. Even if you use a proxy, pretending you come from somewhere else. If your main profile fits, they instantly know who you are.

A lot of data completely unrelated to criminals is unnecessarily collected and there is indeed the potential that innocent people get "attention", because they are accidentally related to someone who might be a criminal - even if it's only because they have the same names. I read the NSA collected Yahoo Messenger webcam data. Some people do not believe that if they indulge in intimate conversation, some government agents record their private conversations. And I do not think "governments" should. Not to mention that it was against the US amendments.

https://www.ted.com/talks/glenn_greenwa ... #t-1225921
every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

Bookworm
Preacher of KANAism
Posts: 467
Joined: Sat 05 Feb 2011 10:01
Location: Germany

Re: Password security

Post by Bookworm » Tue 31 Oct 2017 13:03

It's not that I'm not concerned about possible breaches of privacy - quite the contrary. I regularly vote for a party that demands the abolition of secret services, after all. There needs to be more control of the activities of spies in general, and strict rules concerning any activities that may endanger the protection of privacy. And that's not restricted to any kind of online activities - it includes your telephone line, your personal letters, and so on. Until now our government does far too little to defend our personal rights and to protect us from that kind of surveillance.

And of course there are even police officers who don't abide by the laws but act illegally themselves, for example by spying on people for their personal enjoyment instead of pursuing criminals. So there's one more reason for stricter controls concerning the activities of the people who have access to the means to control others.

So while there's no need to become paranoid, there are many good reasons to be cautious. For example, what do companies like Google or Facebook know about you? Far too many people expose themselves far too much, lacking the necessary awareness completely. If we share things online, even people we wouldn't like to take notice may see them. And whenever we can, we should make use of those means that are accessible to us to make it more difficult for anybody who may want to breach our privacy. There's obviously no complete security available, but there's at least a chance to reach a higher degree of safety.
