Increasing files ... ?!

Axios

brent When you make a password (if it is encrypted) depending on the method used
hashes out to a fixed length.
So if it is a short or long password the hash is the same length.
Using Long passwords is to keep the password crackers at bay.

Entropy chi etc is always a issue somewhere I got programs to test that stuff and it can really opens
ones eye on how good encryption is.

I have tested Truecrypt (back in the day ) and it was good As veracrypt is for encrypting stuff.

The trouble is hashing is usually ok but the generation of random passwords is not kinda like sticking your foot
in the door.

I myself have never tested any of the native linux encryption so dont know on it as I dont use it.
But I can say this alot encryption programs are not what they say mostly the free ones.

Good password practices are the best.

Sorry wasnt trying to barge in I got a thang for encryption..

BloodFeastMan

Axios

Axios I got a thang for encryption..

One of the things I made for myself is a graphical front end for symmetric file and text encryption, which makes use of OpenSSL, (part of every Linux distro) would you like to try it out?

brent

BloodFeastMan Additionally, your password will be mixed with a "salt" during keystream generation, a random bunch of characters created by the software that will make the use of rainbow tables almost useless; the same password will hash out to the same value, so a crappy password like "password", while it will create a long and impressive looking keystream, is still a crappy password

got it. "password" as a password get's a long stream, so as you said a crazy 300+ password would get a jetstream the circled the a preposterous amount of times.

Harvey Keeping in mind that graph is using 12x 4090s. You are not worth the effort.

17 lowercase letters (13 billion years???!!) is the key to digital immortality. I've been keeping the 9-11 length on the yellow orange side..in 33,000 years I will be hacked. 🙂.

Harvey but at a certain point you are increasing the difficulty to brute force way beyond what is reasonably possible.

I did not know the brute force tools had these limitations. Will White Hat vs Black be a game of narrowing the margin by a few decades a la a chess game? rhetorical. fantastic context.

Axios So if it is a short or long password the hash is the same length.
Using Long passwords is to keep the password crackers at bay

now I see that. 17 with a modest (lowercase) seems like the sweet spot for 10 lifetimes..

Axios Entropy chi etc is always a issue somewhere I got programs to test that stuff and it can really opens
ones eye on how good encryption is.

that stuff really interests me--entropy is basically past tense kind of. I found this at stack that blew my mind:
"We define the entropy as the value $S$ such the best guessing attack will require, on average, $S/2$ guesses. "Average" here is an important word. We assume that the "best attacker" knows all about what passwords are more probable to be chosen than others, and will do his guessing attack by beginning with the most probable passwords. The model is the following: we suppose that the password is generated with a program on a computer; the program is purely deterministic and uses a cryptographically strong PRNG as source of alea (e.g. /dev/urandom on a Linux system, or CryptGenRandom() on Windows). The attacker has a copy of the source code of the program; what the attacker does not have is a copy of the random bits that the PRNG actually produced."

the last 3 sentences way over my head. PRNG is the stream so to speak?
It gets far more mathematical than that I read Harvey's graph really spells it out as far as odds.
When I think of blackhat stuff too long I get a knot in my stomach.

But I think its safe to say that all the 12345 or 69apple or joeblow or 1985lumber or newyorkjets25----all that kind of stuff is the instant low-hanging fruit and people that guard their back accounts with this will get popped first...there is either a world of about-to-be-hacked ILOVETHESTONES because password-cracking has not seemed to keep up with 17 lowercase letters....
...by that metric 350 characters seems excessive, but not judging

@Harvey @Axios @BloodFeastMan you gents held a clinic and I'm enlightened for it.

BloodFeastMan

brent What Harvey said 🙂

Additionally, your password will be mixed with a "salt" during keystream generation, a random bunch of characters created by the software that will make the use of rainbow tables almost useless; if this is not done, the same password will hash out to the same value, so a crappy password like "password", while it will create a long and impressive looking keystream, is still a crappy password. (see Harvey's graphic) Computers are very fast, and more thought can be put into it. I made a generic keystream generator for myself, as an example, that will, among other things, do between five hundred and seven hundred thousand hashing iterations, which takes about a second. I think that OpenSSL's default iteration is ten thousand, which is still overkill, but SSL needs to take speed into consideration, but I, using symmetric file encryption, don't 🙂

Axios

BloodFeastMan Ya I will take a look at it when I get time.

BloodFeastMan

brent got it. "password" as a password get's a long stream, so as you said a crazy 300+ password would get a jetstream the circled the a preposterous amount of times.

No, a password, whether it be one character, or one million characters, is going to generate a keystream of the same fixed length. AES-256 as an example .. the "256" means that it needs a 256 bit keystream, typically represented in text as 64 hex characters. (Two hex characters representing one byte, 32 bytes each at 8 bit per byte = 256 bits)

So, the sha256 hash of "a":
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

The sha256 hash of "this is a much longer string, but will still hash to the same length":
e166568ef45cfb4c93ae233042b5e771248fe945572368924646ca8d9ea5ee7e

You can probably find a permutation website somewhere that will tell you how many gazillion combinations 256 bit can get you, it's pretty amazing.

brent

BloodFeastMan No, a password, whether it be one character, or one million characters, is going to generate a keystream of the same fixed length.

got that now

BloodFeastMan (Two hex characters representing one byte, 32 bytes each at 8 bit per byte = 256 bits)

yep

BloodFeastMan So, the sha256 hash of "a":
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

The sha256 hash of "this is a much longer string, but will still hash to the same length":
e166568ef45cfb4c93ae233042b5e771248fe945572368924646ca8d9ea5ee7e

ahhhh----this says it all. yes a gazillion permutations, probably easier guessing half lifes of elements.🙂

BloodFeastMan

brent probably easier guessing half lifes of elements

I'm pretty sure you're right about that! 🙂

[deleted]

Harvey

The important information is the more complex a password is the longer it takes to brute force

And length isn't the only measure of complexity, one factor to consider too is if the password contains dictionary words.

DirtyAngel

Harvey I read news about Quantum Computers that they are able to crack 400 chars in 90 Seconds ? ... But problem is, that they run hot ...

infinitymdm

DirtyAngel most classical encryption methods are theoretically vulnerable to attacks using Shor's algorithm (or slight variations). If you'd really like to learn more about it, here's a great video on how it basically works (against encryption schemes based around factoring large products of primes, at least):

The catch is that Shor's algorithm requires a quantum computer with many more qubits than we have available today. Today's largest quantum computers only have around 1000 qubits. That sounds like a lot, but consider that a modern smartphone has trillions of classical bits, and you realize it's not that many.

Plus, the qubits we're working with today aren't perfect - often they can only operate correctly under extreme conditions, such as near-absolute-zero temperatures. Because of this, today's quantum computers have to have some amount of redundancy built in, which will cut down the effective number of qubits available for compute.

At the end of the day, if someone wants to decrypt your data, they'll have to capture a copy of it and store it for many years -- until we have larger, more capable quantum computers available. Storing that data has obvious costs. Harvey put it best:

Harvey You are not worth the effort.

Edit: I also ought to add that modern encryption schemes are already seeking to counter this problem. Algorithms like NTRU or the CRYSTALS family of encryption schemes are considered "post-quantum" because they aren't based on problems vulnerable to Shor's algorithm. It's an exciting time.

brent

infinitymdm I always feel safe using something like pwgen (repo)

pwgen -cny 60 50
Oi!pie%ZooPh*eFeyee5ooXohQu,o9kohwoowi8eu5jaidae1af.e>ad3ow0
go{queequaeb&oodei2ooch8yeng3eN$oo4Eereeg2teexahtah8Vee0ohc4
Rae?g6foo0chexaewohghae0ahth9soovu9aufe3ia5Zeeyibe0Noo4feegh
bai>th6ooDe5Iengaezo$sah1the4aegiech7oju4uuz6dahng3Quaeyeilu
aoz"eefoo1ieJ2fothah)d{e3ahthahwoo6eeteu6wah2oejeiqu=eeting=
zeech4ahshoh`hohshaisai7ai&t'aitaewahKuP]oo8aec3ich7que9thoo
yi9AiKahbae6ea=ceiQuee'Gahxaeque5zai3aiph0Iesh1reu-vieshee>p
de8ook}ae6uiPhe&die8ohchai6sho1jeeth6gei3thaehui9Aixu_voh6ba

it made fifty 60-character passwords for me. But what you are saying it's just a matter of time.
Any discussions of numbers/capitals/uppercase/lc/special symbols etc etc is irrelevant because, as factors/variables that increase 'numerals' and make the computers work harder---for nothing?

In other words computing capabilities will make Harvey's diagram need a revision every year? and the best we can hope for is a 1000 year password. Will the 1000 year password exist in 5 years? 🙂

infinitymdm

brent Any discussions of numbers/capitals/uppercase/lc/special symbols etc etc is irrelevant because, as factors/variables that increase 'numerals' and make the computers work harder---for nothing?

I'm not certain I understand what you're saying here. More variety (caps, lowercase, numbers, special chars) improves security because an attacker has to choose from more possible options for each character when executing chosen plaintext attack (CPA).

A CPA works more or less like this:

An attacker steals the encrypted version of your password. We'll call this the ciphertext. Now the attacker knows what your password looks like when it's encrypted, but not what it looks like in plaintext form.
The attacker starts choosing random strings of plaintext characters as "potential passwords" and encrypting them, usually using their own hardware and software, but with the same encryption scheme.
Eventually the attacker finds a plaintext password that produces the same ciphertext as they captured in step 1. Now they know your password.

There's a little more to it than this, but I believe this is what Harvey's chart is talking about. You can see how more variety in your password means that an attacker has to choose from a lot more random characters, and that takes them much longer.

infinitymdm

brent In other words computing capabilities will make Harvey's diagram need a revision every year?

This is correct. Every year we have faster computing hardware to work with.

brent the best we can hope for is a 1000 year password.

Ultimately, all modern security is based on math problems that we haven't found easy ways to solve yet. We say those problems are "hard". Trouble is, we aren't 100% certain any properly hard problems exist - maybe we just haven't discovered the easy solutions yet. Security isn't a guarantee - it's fundamentally optimistic.

That said, I wouldn't stress about it. The smartest mathematicians have been looking at these problems for centuries, and we still haven't found major shortcuts. And your personal data probably isn't worth going after.

brent

infinitymdm More variety (caps, lowercase, numbers, special chars) improves security because an attacker has to choose from more possible options for each character when executing chosen plaintext attack (CPA).

that's what I was trying to say, poorly.

infinitymdm You can see how more variety in your password means that an attacker has to choose from a lot more random characters, and that takes them much longer.

then it's a good thing. CPA sounds complicated, I will not worry. In pwgen I will trust.
thanks for yr explanation

WetGeek

Harvey

For a long time I've been using LastPass to generate 16-character passwords using 4 character classes for new accounts. Although the resulting passwords are comfortingly complex, according to the chart you posted, that's clearly overkill. Generating 8-character passwords of the same type would require a hacker to tie up their computer for far more years than would be reasonable to hack my network. I'm just not worth it.

So, I'm going to change my password generation to 8 characters of 4 classes. On occasion, I need to "confirm" a new password by manually typing it into another field, and that would make it far easier for me to do that.

Thanks for posting that chart.

Axios

My goto for everyday going ons in security. https://www.schneier.com
Been lax and havent read for awhile can be dry reading but its all interesting.

Just a little tidbit I have a hash of one my computers login (Mac) set everything up on another average computer
Said ya going crack this password..lol Ya right after weeks of running I shut it off..rofl
I may have had something setup wrong dunno but not going take weeks or years to find out..

There are so many other issues with passwords than spending the time trying to brute force them.

BloodFeastMan

One of the things I've done with regard to passwords is to make my own password generator, but it is not in the traditional sense .. I have a personal system of very to remember, but lousy, passwords, and the generator will accept this lousy password as an input. The password is hashed by several algorithms thousands of times, and the resultant raw binary string will be Ascii85 encoded at whatever length I choose. (Ascii85 offers lots of special characters, but I actually have run into the situation where sites won't accept some of them) The same lousy password will always produce the same long and strong result, and that's what actually gets passed.

So basically I'm just introducing another level of password hashing before anything leaves the computer. Well, I thought it was a good idea, anyway 🙂

DirtyAngel

BloodFeastMan +++ So I wonder wildly if this is correct ? : In case Quantum Computer copes with cracking 400 chars in 90 seconds, then I need a wildly bigger password ? Assumed I want to secure privacy with one password for ten years-lasting security, then I would need a password which has size of 256 TB against a Quantum Computer ?! But Quantum Computer would melt already within hours or days ... This is satirically mentioned ... +++

DirtyAngel

This thread is not solved yet ...

System Solus is reporting, when logging into Gnome Desktop that root filesystem has no space left ?!
But I did bleachbit as sudo before and I de-installed Oracle Virtualbox, so that over 300 GB additional space of hard-disk are now free available ?! Despite of this, root filesystem is "full" ?!

How do I tidy up my hard-disk ?!

When I want to unpack a package (e.g. thunderbird as actual beta) ... then Solus refuses
because of "no space left" ?!

brent

DirtyAngel But I did bleachbit as sudo

those exact words have prefaced roughly 100 out of 100 system failure threads...

Data Drake, when she was on board, responded to a case like this where squashfs included, no space remained. I always remembered she said it's the way the numbers (space numbers) are being inaccurately reported to the system--and which app is reporting said numbers-- that was the problem. It was solved with some teeth pulling and OP got the space back. I will look for it in search. edit/could not find that thread.

Staudey

DirtyAngel de-installed Oracle Virtualbox

Note that just uninstalling VirtualBox won't delete leftover virtual machines, cache, etc. So you might want to do that too.

« Previous Page