Increasing files ... ?!

[deleted]

The important information is the more complex a password is the longer it takes to brute force

And length isn't the only measure of complexity, one factor to consider too is if the password contains dictionary words.

DirtyAngel

Harvey I read news about Quantum Computers that they are able to crack 400 chars in 90 Seconds ? ... But problem is, that they run hot ...

infinitymdm

DirtyAngel most classical encryption methods are theoretically vulnerable to attacks using Shor's algorithm (or slight variations). If you'd really like to learn more about it, here's a great video on how it basically works (against encryption schemes based around factoring large products of primes, at least):

The catch is that Shor's algorithm requires a quantum computer with many more qubits than we have available today. Today's largest quantum computers only have around 1000 qubits. That sounds like a lot, but consider that a modern smartphone has trillions of classical bits, and you realize it's not that many.

Plus, the qubits we're working with today aren't perfect - often they can only operate correctly under extreme conditions, such as near-absolute-zero temperatures. Because of this, today's quantum computers have to have some amount of redundancy built in, which will cut down the effective number of qubits available for compute.

At the end of the day, if someone wants to decrypt your data, they'll have to capture a copy of it and store it for many years -- until we have larger, more capable quantum computers available. Storing that data has obvious costs. Harvey put it best:

Harvey You are not worth the effort.

Edit: I also ought to add that modern encryption schemes are already seeking to counter this problem. Algorithms like NTRU or the CRYSTALS family of encryption schemes are considered "post-quantum" because they aren't based on problems vulnerable to Shor's algorithm. It's an exciting time.

brent

infinitymdm I always feel safe using something like pwgen (repo)

pwgen -cny 60 50
Oi!pie%ZooPh*eFeyee5ooXohQu,o9kohwoowi8eu5jaidae1af.e>ad3ow0
go{queequaeb&oodei2ooch8yeng3eN$oo4Eereeg2teexahtah8Vee0ohc4
Rae?g6foo0chexaewohghae0ahth9soovu9aufe3ia5Zeeyibe0Noo4feegh
bai>th6ooDe5Iengaezo$sah1the4aegiech7oju4uuz6dahng3Quaeyeilu
aoz"eefoo1ieJ2fothah)d{e3ahthahwoo6eeteu6wah2oejeiqu=eeting=
zeech4ahshoh`hohshaisai7ai&t'aitaewahKuP]oo8aec3ich7que9thoo
yi9AiKahbae6ea=ceiQuee'Gahxaeque5zai3aiph0Iesh1reu-vieshee>p
de8ook}ae6uiPhe&die8ohchai6sho1jeeth6gei3thaehui9Aixu_voh6ba

it made fifty 60-character passwords for me. But what you are saying it's just a matter of time.
Any discussions of numbers/capitals/uppercase/lc/special symbols etc etc is irrelevant because, as factors/variables that increase 'numerals' and make the computers work harder---for nothing?

In other words computing capabilities will make Harvey's diagram need a revision every year? and the best we can hope for is a 1000 year password. Will the 1000 year password exist in 5 years? 🙂

infinitymdm

brent Any discussions of numbers/capitals/uppercase/lc/special symbols etc etc is irrelevant because, as factors/variables that increase 'numerals' and make the computers work harder---for nothing?

I'm not certain I understand what you're saying here. More variety (caps, lowercase, numbers, special chars) improves security because an attacker has to choose from more possible options for each character when executing chosen plaintext attack (CPA).

A CPA works more or less like this:

An attacker steals the encrypted version of your password. We'll call this the ciphertext. Now the attacker knows what your password looks like when it's encrypted, but not what it looks like in plaintext form.
The attacker starts choosing random strings of plaintext characters as "potential passwords" and encrypting them, usually using their own hardware and software, but with the same encryption scheme.
Eventually the attacker finds a plaintext password that produces the same ciphertext as they captured in step 1. Now they know your password.

There's a little more to it than this, but I believe this is what Harvey's chart is talking about. You can see how more variety in your password means that an attacker has to choose from a lot more random characters, and that takes them much longer.

infinitymdm

brent In other words computing capabilities will make Harvey's diagram need a revision every year?

This is correct. Every year we have faster computing hardware to work with.

brent the best we can hope for is a 1000 year password.

Ultimately, all modern security is based on math problems that we haven't found easy ways to solve yet. We say those problems are "hard". Trouble is, we aren't 100% certain any properly hard problems exist - maybe we just haven't discovered the easy solutions yet. Security isn't a guarantee - it's fundamentally optimistic.

That said, I wouldn't stress about it. The smartest mathematicians have been looking at these problems for centuries, and we still haven't found major shortcuts. And your personal data probably isn't worth going after.

brent

infinitymdm More variety (caps, lowercase, numbers, special chars) improves security because an attacker has to choose from more possible options for each character when executing chosen plaintext attack (CPA).

that's what I was trying to say, poorly.

infinitymdm You can see how more variety in your password means that an attacker has to choose from a lot more random characters, and that takes them much longer.

then it's a good thing. CPA sounds complicated, I will not worry. In pwgen I will trust.
thanks for yr explanation

WetGeek

Harvey

For a long time I've been using LastPass to generate 16-character passwords using 4 character classes for new accounts. Although the resulting passwords are comfortingly complex, according to the chart you posted, that's clearly overkill. Generating 8-character passwords of the same type would require a hacker to tie up their computer for far more years than would be reasonable to hack my network. I'm just not worth it.

So, I'm going to change my password generation to 8 characters of 4 classes. On occasion, I need to "confirm" a new password by manually typing it into another field, and that would make it far easier for me to do that.

Thanks for posting that chart.

Axios

My goto for everyday going ons in security. https://www.schneier.com
Been lax and havent read for awhile can be dry reading but its all interesting.

Just a little tidbit I have a hash of one my computers login (Mac) set everything up on another average computer
Said ya going crack this password..lol Ya right after weeks of running I shut it off..rofl
I may have had something setup wrong dunno but not going take weeks or years to find out..

There are so many other issues with passwords than spending the time trying to brute force them.

BloodFeastMan

One of the things I've done with regard to passwords is to make my own password generator, but it is not in the traditional sense .. I have a personal system of very to remember, but lousy, passwords, and the generator will accept this lousy password as an input. The password is hashed by several algorithms thousands of times, and the resultant raw binary string will be Ascii85 encoded at whatever length I choose. (Ascii85 offers lots of special characters, but I actually have run into the situation where sites won't accept some of them) The same lousy password will always produce the same long and strong result, and that's what actually gets passed.

So basically I'm just introducing another level of password hashing before anything leaves the computer. Well, I thought it was a good idea, anyway 🙂

DirtyAngel

BloodFeastMan +++ So I wonder wildly if this is correct ? : In case Quantum Computer copes with cracking 400 chars in 90 seconds, then I need a wildly bigger password ? Assumed I want to secure privacy with one password for ten years-lasting security, then I would need a password which has size of 256 TB against a Quantum Computer ?! But Quantum Computer would melt already within hours or days ... This is satirically mentioned ... +++

DirtyAngel

This thread is not solved yet ...

System Solus is reporting, when logging into Gnome Desktop that root filesystem has no space left ?!
But I did bleachbit as sudo before and I de-installed Oracle Virtualbox, so that over 300 GB additional space of hard-disk are now free available ?! Despite of this, root filesystem is "full" ?!

How do I tidy up my hard-disk ?!

When I want to unpack a package (e.g. thunderbird as actual beta) ... then Solus refuses
because of "no space left" ?!

brent

DirtyAngel But I did bleachbit as sudo

those exact words have prefaced roughly 100 out of 100 system failure threads...

Data Drake, when she was on board, responded to a case like this where squashfs included, no space remained. I always remembered she said it's the way the numbers (space numbers) are being inaccurately reported to the system--and which app is reporting said numbers-- that was the problem. It was solved with some teeth pulling and OP got the space back. I will look for it in search. edit/could not find that thread.

Staudey

DirtyAngel de-installed Oracle Virtualbox

Note that just uninstalling VirtualBox won't delete leftover virtual machines, cache, etc. So you might want to do that too.

DirtyAngel

Staudey +++ Before de-installing Virtualbox, you need to remove the virtual partitions inside Virtualbox. When Virtualbox is empty, then it can be de-installed. +++

DirtyAngel

DirtyAngel For to secure privacy sensibly I would need then a garage full of hard-disks ?!

BloodFeastMan

DirtyAngel I would need a password which has size of 256 TB against a Quantum Computer ?!

I could be very wrong about this, but it is my opinion that we are a long way from any sort of practical quantum computing. The technology involves collapsing wave functions; physicists haven't even figured out the double slit after a hundred years. Scientists are no different than anyone else when they're looking for funding.

infinitymdm

BloodFeastMan we are a long way from any sort of practical quantum computing.

Definitely agree here. You should not be seriously concerned about making your system quantum-hard. I outlined why in my earlier post. Even if you are concerned about making your system quantum-hard, a longer password isn't going to help; the quantum-hardness has to be built into to the encryption scheme.

But let's bring things back on topic: @DirtyAngel did you manage to recover your storage space?

DirtyAngel

infinitymdm +++ ... at present no trouble with storage space. I had to reboot after sudo bleachbit. virtualbox of Oracle is not present here on my hard-disk now.

Staudey

I guess you're trying to tell me that you did remove the virtual machines first? If so, cool.

DirtyAngel

Staudey +++ LOL ... in Linux you never stop learning ... !!!!

« Previous Page