<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 7 March 2015 at 15:33, Mike Pinkerton <span dir="ltr"><<a href="mailto:pselists@mindspring.com" target="_blank">pselists@mindspring.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br>
On 7 Mar 2015, at 15:52, Stephen John Smoogen wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
On 7 March 2015 at 11:53, Mike Pinkerton <<a href="mailto:pselists@mindspring.com" target="_blank">pselists@mindspring.com</a>> wrote:<br>
<br>
On 7 Mar 2015, at 10:41, Björn Persson wrote:<br>
<br>
Mike Pinkerton wrote:<br>
On 6 Mar 2015, at 23:49, Adam Williamson wrote:<br>
On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:<br>
I hope <a href="https://xkcd.com/936/will" target="_blank">https://xkcd.com/936/will</a> be among the inputs to that<br>
discussion.<br>
<br>
I'm fond of noting that pwquality has not yet blacklisted any variant<br>
of correcthorsebatterystaple. I've been using correcthorse as my stock<br>
anaconda testing password, since the strength check has been<br>
enforced...<br>
<br>
It won't stand up to a combinator attack:<br>
<br>
<<a href="https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html" target="_blank">https://www.schneier.com/<u></u>blog/archives/2013/06/a_<u></u>really_good_a.html</a>><br>
<br>
It's not entirely clear, but I guess you mean that a two-word<br>
combination like "correct horse" won't stand up. That appears to be<br>
true. A four-word phrase is an entirely different matter. Each<br>
additional word increases the complexity exponentially, so doubling the<br>
number of words squares the number of possible combinations.<br>
<br>
The "combinator" attack that is described in the Ars Technica article that Bruce Schneier quotes in the above link appears to be an attack that tries combinations of multiple words from one or more of the attacker's word lists. Certainly adding more words to the pass-phrase would make that more difficult. As I don't know the current state of the art in password cracking, I don't know whether attackers typically limit their attacks to only two words, or extend to three or more words.<br>
<br>
<br>
They limit it to 1-2 words because it takes a LONG time to crack SHA512crypt passwords. You can do on average 32k -> 128k hash crypt checks per second per password. A two word dictionary of diceware would have 2^25.85 passwords in it. A single system is going to take 256 seconds on 2 words. Add in 3 words (2^38.775) and it is 24 days. Add in a 4th word and it is 544 years. Add in a 5th word and it is 4.5 million years.<br>
</blockquote>
<br>
<br></span>
Apparently Diceware's creator is not as confident as you -- he nows recommends more than 5 words.<br>
<br>
<<a href="http://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/" target="_blank">http://arstechnica.com/<u></u>information-technology/2014/<u></u>03/diceware-passwords-now-<u></u>need-six-random-words-to-<u></u>thwart-hackers/</a>><br>
<br>
Perhaps improvements in graphics cards have changed the calculus in recent years.<span class=""><br>
<br></span></blockquote><div><br></div><div>Yes and no.</div><div><br></div><div>1) He has always wanted to make sure that an attack was going to take billions of years for the US government on. Thus his level of threat is the 100 billion dollar cluster... Which yes 6 or 7 words would be needed if not 8. Your password of completely random characters will also need to be a lot longer. </div><div><br></div><div>2) He is also aware that most of the hacks out there have not been SHA512crypt but MD5sum/SHAsum/NT password breaches. If you are lucky they used md5crypt or the original sha1crypt. Those are formats that yes millions of attacks per second can be done in an offline attempt. If you have no control over how the password is stored then using 4 or 5 words is not enough. </div><div><br></div><div>3) Yes graphic cards improve with more cores but they do not increase word size as often because there really isn't much need other than cracking large passwords (bitcoin which is the primary use for video cards doesn't get faster with a larger word so it isn't something people will pay for.) Without a larger word size the various code for doing a SHA512crypt gets slow. </div><div><br></div><div>Neither of the first two items are things which are going to be general users of Linux are needing to deal with. If you are having to worry about that sort of attack then you are going to need a lot more work than a 100+ bit entropy password. </div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
While writing this up I went and checked that the whole thing is outlined point for point in wikipedia<br>
<a href="http://en.wikipedia.org/wiki/Password_strength" target="_blank">http://en.wikipedia.org/wiki/<u></u>Password_strength</a><br>
<br>
To estimate the time just do the following:<br>
<br>
$15,000 computer -> 128k/sec = 2^17. Lets assume moore's law comes in and we have 2^20 by 2020.<br>
<br>
Take the possible entropy and subtract the 2^17 and that will give you the worst case. I believe it may be 1/4 of that so make it subtract 2^19 currently for one system and 2^29 for a cluster of 1024 computers (so 15 million dollars).<br>
<br>
2 words is going to be (25.85-19) 115 seconds for one system and 0.1 for big ass cluster.<br>
3 words is going to be (38.78-19) 236 hours ). <1 day for big ass cluster<br>
4 words is going to be (51.70-19) 221 years). < 1 year<br>
5 words is going to be (64.63-19) 1.7 million years) < 1700 years. (or 1.7 years for a 15 billion dollar investment).<br>
<br>
To get equivalent strength from say an all lower case password you are going to need 14 [a-z] characters.<br>
<br>
Now here is the funny thing. All that speed to get 128k is if the password is less than around 12 characters for most cracking software due to the way the hardware and algorithms have been optimized. If the string is longer than that the hardware drops in speed by orders of magnitude. So correctstaple is actually going to take longer than I said. In fact all the numbers I put for 3+ words is probably going to be 10-100 times longer.<br>
</blockquote>
<br>
<br></span>
All of this assumes that the attacker is trying to brute force the entire string -- character by character. In the Ars Technica article I linked to in my previous message, the attackers did not try to brute force anything over 6 characters. Instead, they used other strategies, including the combinator strategy that would have broken correcthorse.<span class=""><br>
<br></span></blockquote><div><br></div><div>I am going to assume that your definition of brute force is a, b, c, d, e, f,... all the way to ~~~~~~ . That is 95^6 735,091,890,625 things to test.</div><div><br></div><div>Second of all they were testing md5sum passwords That is a format which you can do hundreds of millions of attempts per second on a standard video card. The speed difference between md5sum and md5crypt is 3-4 orders of magnitude. The speed difference between md5sum and sha512crypt are much more. </div><div><br></div><div>Three the thing they took advantage of was that people are lazy. If a password set were from <a href="http://fedoraproject.org">fedoraproject.org</a> then I would start testing with</div><div><br></div><div>fedora</div><div>fedoraproject</div><div>redhat</div><div>linux</div><div>password</div><div>letmein</div><div>foobar</div><div>correct</div><div>correcthorse</div><div>correcthorsebattery</div><div>correcthorsebatterystaple</div><div>smartass</div><div>abcdefghijklmnopqrstuvwxyz</div><div>qwertyuiopasdfghjklzxcvbnm</div><div><br></div><div>as my main words. I would then test with capitalization and then add in the most common combinators. 4kids, 4life, 123456, other linux websites (slashdot, <a href="http://lwn.net">lwn.net</a>) plus various pre and other items. I would also do various other items. It is still bruteforcing, it just isn't a,b,c,d,e,f bruteforcing. The reason they stopped at 6 characters of ASCII is that you can do that on md5sum in a couple of hours (7 characters takes weeks, 8 months?). On md5crypt doing a brute force takes a couple of years (3 when I did it last.. if moore's law is in place for CUDA that should be 1 year now). On sha512crypt it was close to a decade (2 years now?). [Red Hat Linux and Fedora have never used md5sum. They used md5crypt for many years and now use sha512crypt]</div><div><br></div><div>So why did they pick up so many passwords? Because a TON of people just add 1, !, 123, 123456, and maybe the popular TV show of the time (bigbang is popular). You aren't testing all the combinations, you figure out the most common combinations and use that. The search space is completely different from a properly run diceware (or similar passphrase generator). It is also different from a completely random 12 character string.. it is more like a 6 character string with a high likelihood of 123456 added to the end. And that is how most of those passwords were gotten (I repeated the experiment after the article was out because I was accessing how hard it would be for Fedoraproject passwords to be 'gotten' . It took 3 months to go over 10,000 possible passwords. Of that only people who chose easily guessed passwords were found (the ones listed above as core words). Now if you had redhat987654 as your password it would have taken me years to get there linearly. </div><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
There are 2 caveats.<br>
<br>
1) Once again, Adam was being sarcastic. He knows the password isn't any good because well he TOLD everyone what it was. He was making fun of the fact that libpwquality does not blacklist it.. which means that correctstaple is the new password of choice (when the old one might have been 123456)<br>
</blockquote>
<br>
<br></span>
I saw your first note that Adam was being sarcastic -- although it probably doesn't matter what password he is using for offline testing of Anaconda and release candidates.<br>
<br>
I was responding to Björn Persson's suggestion that, in discussions of password quality, correcthorsebatterystaple would be an example of a safe password. My point is that, if attackers are using strategies other than brute forcing, which the Ars Technica article suggests is the case, then constructing long passwords out of known words is probably not a safe strategy.<br>
<br></blockquote><div><br></div><div>The problem with your conjecture is that there is a vast difference between if you just choose 2 words versus using a computer to choose 2 words. If you choose two words you are most likely going to choose ones with some sort of association. Or you will use your languages grammar to do some sort of association. That cuts down the search space incredibly. [A two word space instead of having say 60466176 combinations will only be 100-1000.] red hat, red beer, red car, red tomato, red dress. blue hat, blue boat, blue car, blue coat. If the passwords are really randomly selected via diceware or similar tools, then that number jumps back to 6 million (with a mean time of 1/2 of however long it would take to do 6 million.)</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Because the word lists used by attackers are lists of strings that they have scraped from various sources -- human language dictionaries, password strings found in previous attacks, passwords publicized by Adam on mailing lists, strings constructed on patterns (e.g., "7kids", "8kids"), etc. -- a string that one would normally think of as four words -- correcthorsebatterystaple -- once it has been discovered as a password once and added to the attacker's word list, becomes only one word for all future cracking attempts.<span class=""><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
2) This is always true <a href="http://xkcd.com/538/" target="_blank">http://xkcd.com/538/</a><br>
<br>
And finally. If one were to take the top 1 million known passwords as the dictionary.. then each word would have about 20 bits of entropy. A password generator that outputted stuff like<br>
<br>
123456 password trustn01 letmein1<br>
<br>
would take 256 or more longer to brute force crack than using diceware. Actually that sounds like a nice project to add to my EN_RN translation project.<br>
</blockquote>
<br>
<br></span>
Except that the attackers aren't brute forcing long passwords. Apparently, they can successfully crack a ridiculously high percentage (90% in the Ars Technica experiment) in the space of a day using other techniques.<br>
<br>
How much entropy does "<u></u>rastafarianestablishmentarian" have? With the techniques attackers are using, I doubt it would take even one hour to crack it.<br></blockquote><div><br></div><div>It depends on a lot of things. If the password is stored as an md5sum then it will probably take a week or so because I have to work my way through the oxford dictionary and put all the words that match in a definition together. If you had put a word in the second part that wasn't associated with rastafarian... it would be a lot longer.</div><div><br></div><div><br></div><div><div>Rastafarian - Oxford Dictionaries</div><div><a href="http://www.oxforddictionaries.com/us/.../Rastafarian">www.oxforddictionaries.com/us/.../Rastafarian</a></div><div>OxfordDictionaries.com</div><div>Rastafarians have distinctive codes of behaviour and dress, including the ... Darien, disciplinarian, egalitarian, equalitarian, establishmentarian, fruitarian, ...</div></div><div><br></div><div>Then it is going to depend on the tools I use. For a long time most of the fast password crackers did not check anything after 15 characters for md5sum and tend to do this for some other formats. Thus rastafarianestablishmentarian would only be checked as rastafarianesta and would never match. This has been fixed with most tools but there is still a catch in that you are using glibc versus cuda version of the code and you are now at CPU speed versus video card speed. CPU speed on md5sum is in the low millions and md5crypt and sha512crypt are down in the thousands. </div><div><br></div><div>At that point, you have to be very smart in your forcing spending a lot of time ahead looking for word associations. It would take weeks even with fast md5sum to go through a brute force of 2 word combination in the oxford dictionary. It would take days if you have already worked out that word X is going to be associated with words A,B,C,D,E,F.... People like the experts in that article have done a LOT of homework on human psychology to make smart guesses. They are also the first to tell you that all that goes out the window if the passwords are truly randomly put together. </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
That was my point.<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">
<br>
-- <br>
Mike<br>
<br>
<br>
-- <br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org" target="_blank">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.<u></u>org/mailman/listinfo/devel</a><br>
Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct" target="_blank">http://fedoraproject.org/code-<u></u>of-conduct</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Stephen J Smoogen.<br><br></div></div>
</div></div>