
FACE Passwords?!? Are you insane?!


Starwhip

Poll: What do you think? (81 members have voted)




Patterns and passwords can be secure enough if you put a bit of thought into it. My phone swipe pattern looks like a 7, I tell all my friends who ask for it "yeah just draw a 7", I've yet to see one of them succeed.

http://i.imgur.com/54pSI0U.png

Biometrics are of no use to everyday devices such as phones and laptops, they are better when applied to hierarchy level related access and such, not to protect stuff from external attacks. Anyways, someone who's worried about security would choose a complicated password instead of biometrics, they wouldn't mind the inconvenience of having to type 12+ chars to get to their valued stuff.

Link to comment
Share on other sites

The longest of my everyday passwords has a length of 23 characters. It's just a sequence of old passwords I used in the past.

Pro: Easy to remember, so easy I don't even have to think about it when typing it in; crackers usually give up before trying to brute-force 23-character-long passwords

Contra: Pretty low difficulty because it's made up of words you can find in a dictionary

Over the last few years I slowly switched to using a password safe (KeePass 2). It has a lot of nice features and there's always an encrypted backup of the password database in the cloud. Just in case. And I can access that backup with my phone if I need a password on the go.

Link to comment
Share on other sites

Patterns and passwords can be secure enough if you put a bit of thought into it.

Yeah, for a long time I had a "triangle" as my swipe, no one ever got it. Cute background (what character?)

The thing that bugs me the most about password safety is password "security questions": a pregenerated list of questions that can be answered by stalking most people's Facebook pages.

Whenever I get the chance, I make up my own security questions. Only one other kid in the world knows the answer to my "¿Cuándo es tu cumpleaños?" ("When is your birthday?"). And trust me, it ain't my age.

That and password lengths. Seriously, between 8 and 12 characters? The hell. Is space that tight on your database that you can't splurge and give us 20 characters? I could at least make a statement with that much space. I remember one game I used to have subbed, they let you have a 256-char password and a 256-char PW hint. If someone wanted to try and brute-force that anagram of symbols, more power to them. They'd be better off coming and beating it out of me with a $5 wrench.

But hey, myself and most of my guild have all simultaneously had our WoW accounts "hacked" a few dozen times now. And that's been the source of most of my recent password changes, so no matter how good a PW you make, it doesn't really matter if the server you are connecting to has crap security.

Link to comment
Share on other sites

The longest of my everyday passwords has a length of 23 characters.

"It's x words from the dictionary" doesn't really make it any easier to guess a password. There are A LOT of words.

But yeah, all those password 'rules' with characters, capitals, numbers, and crap are stupid. And they keep forcing more and more of it.

Link to comment
Share on other sites

There are ALOT of words.
Indeed. But it's still only a small fraction of all possible character combinations. How many words (all languages with a Latin alphabet) with a length of 23 or less exist? 100 million? 1 billion (as in 10^9)?

That's nothing compared to the possible complexity of a password which allows every combination of Latin characters: 26^23 ≈ 3.5 * 10^32

Assuming 10,000 guesses per second, a complete search of the dictionary would take a bit more than a day. (Not counting substitution rules like "o" -> "0" and stuff like that.)

Crackers usually do dictionary attacks first, then rule-based attacks (substitutions, adding a number to the end or start of a word, etc.) before resorting to inefficient methods like brute force.

Edited by *Aqua*
Link to comment
Share on other sites
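The cracking order Aqua describes (dictionary first, then mangling rules, brute force last) is easy to see in miniature. The following Python script is an added example written for this page, not code posted by anyone in the thread: it hashes a few constructed passwords with unsalted SHA-256 (standing in for a leaked database), runs a tiny dictionary pass followed by a rule pass, and reports which passwords fall and how many guesses that took. The word list, the rules and the target passwords are all made up for the demonstration. The two search-time helpers reproduce the post's figures: a 10^9-word dictionary at 10,000 guesses per second (about 1.16 days) and the 26^23 lowercase brute-force space.

```python
import hashlib

# Constructed demo word list; a real attack uses millions of entries (rockyou.txt etc.).
WORDLIST = ["password", "dragon", "kerbal", "rocket", "sunshine", "welcome", "orbit", "landing"]

# Leetspeak substitutions, the "o" -> "0" class of rule from the post.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256 stands in for whatever the leaked database used (constructed, fast to test).
    return hashlib.sha256(text.encode()).hexdigest()


def plain_candidates(word: str):
    """Phase 1: the dictionary word exactly as listed."""
    yield word


def rule_candidates(word: str):
    """Phase 2: mangled variants in the order a cracker would try them:
    case changes and leetspeak first, then common suffixes (a year, '!', two-digit counters)."""
    bases = []
    for b in (word, word.capitalize(), word.upper(),
              word.translate(LEET), word.capitalize().translate(LEET)):
        if b != word and b not in bases:      # the plain word was already tried in phase 1
            bases.append(b)
    yield from bases
    for base in [word] + bases:
        for suffix in ("!", "1", "123", "2014"):
            yield base + suffix
        for n in range(100):
            yield f"{base}{n:02d}"


def dictionary_attack(targets: set, wordlist):
    """Run the dictionary phase, then the rule phase, against a set of hashes.
    Returns ({hash: (plaintext, guess_number)}, total_guesses)."""
    found = {}
    guesses = 0
    for phase in (plain_candidates, rule_candidates):
        for word in wordlist:
            for cand in phase(word):
                guesses += 1
                h = sha256_hex(cand)
                if h in targets and h not in found:
                    found[h] = (cand, guesses)
        if len(found) == len(targets):
            break                              # nothing left to crack, skip the expensive phase
    return found, guesses


def search_seconds(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a fixed guess rate."""
    return keyspace / guesses_per_second


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a pure brute-force search of all strings of the given length."""
    return search_seconds(charset_size ** length, guesses_per_second)


def demo():
    # Constructed "leaked" hashes: three dictionary-derived passwords and one random 8-char string.
    secrets_in_db = ["dragon", "Kerbal2014", "r0ck3t!", "Xq7#mZ2v"]
    targets = {sha256_hex(p) for p in secrets_in_db}
    found, guesses = dictionary_attack(targets, WORDLIST)
    cracked = sorted(plaintext for plaintext, _ in found.values())
    return cracked, guesses


if __name__ == "__main__":
    cracked, guesses = demo()
    print(f"cracked {cracked} after {guesses} guesses; 'Xq7#mZ2v' survived both phases")
    print(f"10^9-word dictionary at 10k/s: {search_seconds(10**9, 1e4) / 86400:.2f} days")
    print(f"26^23 brute force at 10k/s: {brute_force_seconds(26, 23, 1e4) / (86400 * 365.25):.2e} years")
```

The three dictionary-derived passwords fall within a few thousand guesses; the random one is never produced by either phase and would be left to brute force. Real crackers (hashcat, John the Ripper) apply exactly these phases with far larger word lists and rule sets and at rates many orders of magnitude above 10,000 guesses per second; a salted, slow hash raises the per-guess cost but does not change the order in which guesses are tried.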

If you want to know how secure your password is then go to this website: https://howsecureismypassword.net/

It will tell you that something easy to remember like "Attempt no landing there" will take a desktop PC about 37 sextillion* years to crack.

And something like "3Gdw"#s\" will take a desktop PC about 20 days to crack.

*A 1 followed by 21 zeros.

Link to comment
Share on other sites

Tried one of my passwords, got 44 billion years. Obviously this doesn't calculate WHERE the password is used. If someone wanted to brute-force a password, most services won't allow it (they either lock up or ask you to wait before trying again); that's why other methods exist too.

I use bruteforce mostly to deal with WPS or with captured handshakes over wifi where they can't ask me to wait before I try again.

Link to comment
Share on other sites

If you want to know how secure your password is then go to this website: https://howsecureismypassword.net/

9 quadrillion years

I obviously used different words and special chars than my real password has, but the total amount and combination (position of special chars and words) stayed the same.

Link to comment
Share on other sites

Indeed. But it's still only a small fraction of all possible character combinations.

Sure, but it's still possible to REMEMBER your password. Unlike that crap with 2 numbers, a capital, and a special symbol that has to be changed every month. That just ends up being way shorter, and written down somewhere.

Link to comment
Share on other sites

Out of curiosity, I tried out the "password" "WhatNow,BrownCow?" and got 234 trillion years.

Simple sentences of real words are easy to remember, and difficult to crack.

It all boils down to number of possible combinations with the string length and the amount of chars to test on each position (think 27 lowercase letters + 27 uppercase letters + 10 numbers + special chars for the comma). Obviously when choosing their password, most people assume it has to be a single word and they try to keep it as short as possible (so that's easy to remember for them). Top combinations are names, name+date, name+some id or telephone, telephone, id and those are the first options always tried by bruteforcers.

I don't know what the test bases its cracking speeds on, but my PC can test words at about 51k words per second; my notebook only manages 1.3k.

Link to comment
Share on other sites

@Sirrobert

The point is if there's a pattern the crackers will test for that. And using only words you can find in a dictionary is a pattern. The crackers rely on the laziness of people when they set a password. That's why they are so successful. As I said before:

There is always the trade-off between convenience and security. You can't get one without sacrificing the other.

People don't realize that they are not good at picking random passwords. There's always a pattern. The first 10 letters someone slams into the keyboard may appear random, but the problem is that nearly everybody hits the keyboard in about the same style. That makes the 'randomness' predictable.

Link to comment
Share on other sites

The point is if there's a pattern the crackers will test for that.

How does a cracker know there's a pattern? Is it going to take several days to test every possible combination of words out of all languages first, before concluding it's random, and then try out all possible random combinations?

There's nothing indicating to outside users that my password is a big sentence.

People are indeed unable to pick random passwords. They are ALSO unable to remember actual random passwords, which forces them to write down passwords that are forced to be 'random' with punctuation marks and stuff, which makes those 'secure' passwords horrible passwords.

Link to comment
Share on other sites

Assuming a typical "random" password is 9 totally unrelated letters and numbers with no pattern (rare, but this is at the extreme end of what you'll typically find), there are 1.35e+16 combinations to test. This is a lot, but it is very rare to find people who use this, as 9 random figures with no identifiable pattern is hard to remember.

Taking a basic sentence password, with a dictionary of 100,000 words (this can be considered the very minimum number of common words a monolingual person knows in their own language). Assuming you already know all formatting details (punctuation, capitalisation, spacing, etc.), this already leads to 1e+15 combinations from just 3 words; a fourth will bring it to 1e+20, or nearly ten thousand times harder to guess than the random combination, even using a dictionary attack. And, again, that assumes the formatting is known, which will exponentially increase the number of combinations if it is not. As a bonus, weird sentences tend to stick in your mind (this is why mnemonics work), and so a short sentence of four random words is very easy for a human to remember, and very hard for a computer to guess.

If you throw in just one complex or foreign word that you know, you can explode the required dictionary size to well over 1 million very easily, which means the 3-word password matches the random for difficulty, and the four-word will take a million times longer to guess. Assuming, of course, that the hacker is aware you have used these - if not, they'll likely use a small common word dictionary, and literally never be able to guess your password. And who would bother brute-forcing a 4-word dictionary attack when in the same time, they could readily crack a million "secure" all-random passwords?

Link to comment
Share on other sites
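To make the arithmetic in this post, and in Aqua's earlier 26^23 versus 10^9 comparison, reproducible, here is an added Python example (not code from the thread) that expresses each scheme as a keyspace and as bits of entropy, converts it to a worst-case search time at a chosen guess rate, and generates a passphrase by picking words uniformly at random with the `secrets` module. The sample word list is a constructed stand-in for a real diceware-style list; the 100,000- and 1,000,000-word dictionary sizes and the 62^9 random string are the post's own numbers. The entropy figures assume, as the post does, that the attacker knows the dictionary and the formatting, so only the random choice of words counts.

```python
import math
import secrets

# Constructed stand-in for a real word list (the EFF long list has 7776 entries);
# only the size of the list matters for the entropy figures.
SAMPLE_WORDS = ["attempt", "landing", "brown", "cow", "orbit", "wrench", "kerbal", "sextillion",
                "rocket", "beard", "pattern", "triangle", "dictionary", "mnemonic", "holiday", "scale"]


def keyspace_random(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` symbols, each drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_passphrase(dictionary_size: int, words: int) -> int:
    """Number of `words`-word phrases when each word is chosen uniformly from the dictionary
    and the attacker already knows the dictionary and the formatting (the post's assumption)."""
    return dictionary_size ** words


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy of a uniform choice from `keyspace` possibilities."""
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace; on average an attacker needs half of it."""
    return keyspace / guesses_per_second


def generate_passphrase(wordlist, words: int = 4, separator: str = " ") -> str:
    """Pick `words` entries with a CSPRNG. A sentence a human makes up is NOT a uniform
    choice, so the figures from keyspace_passphrase only hold for generated phrases."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare(guesses_per_second: float = 1e4):
    """The schemes discussed in the thread as (label, keyspace, bits, seconds to exhaust)."""
    schemes = [
        ("9 random letters+digits (62^9)", keyspace_random(62, 9)),
        ("3 words from 100k dictionary", keyspace_passphrase(100_000, 3)),
        ("4 words from 100k dictionary", keyspace_passphrase(100_000, 4)),
        ("4 words from 1M dictionary", keyspace_passphrase(1_000_000, 4)),
        ("23 random lowercase letters (26^23)", keyspace_random(26, 23)),
        ("1 billion dictionary words (10^9)", 10 ** 9),
    ]
    return [(label, ks, round(entropy_bits(ks), 1), worst_case_seconds(ks, guesses_per_second))
            for label, ks in schemes]


if __name__ == "__main__":
    for label, ks, bits, secs in compare():
        print(f"{label:38} {ks:.2e} combos  {bits:6.1f} bits  {secs / 86400 / 365.25:.3g} years")
    print("generated passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Read the bits column rather than the years column when comparing schemes: the guess rate is whatever the attacker's hardware and the hash function allow, and changes with both, while the entropy of the choice does not. Four words from a 100,000-word list (about 66 bits) beats nine random alphanumerics (about 54 bits) by the factor of roughly 7,400 the post calls "near ten thousand", and that margin only exists if the words really were chosen at random rather than as a phrase that came to mind.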

Will this facial recognition password stuff work with my beard? Or will we have to have all facial hair removed with lasers? The tyranny of the smooth-skinned.....

It should still work, although if you go on holiday and come back with a beard and even put on a little holiday weight you might run into problems with some systems.

Some scanners combine facial recognition with weight scales.

Link to comment
Share on other sites
