
/sci/ - Science & Math



File: 91 KB, 740x601, password_strength.png
No.3542982

What do you think about this ?

>> No.3543027

I think >>>/g/

>> No.3543029

i guess they want shorter passwords to save memory?
complete guess, might be wrongo.

>> No.3543031

>>3543027
We have already had this thread.

>> No.3543035

>>3543027
>information security
>not a science

>> No.3543036

I am now finding it hard to avoid using "correct horse battery staple" for my new password.

>> No.3543057

>>3543036
>I am now finding it hard to avoid using "correct horse battery staple" for my new password.

That's the plan. You know a bunch of people are going to use it, and now that is one of the first passwords that will get tried.

>> No.3543068

I don't believe the cartoon.
I'm not a computer science guy; but I'll explain my train of thought.
Simply make a program like google, or any other search engine, maybe even a dictionary engine, that will cross reference every human known to man, and known to be used by man.
This will make it much, much easier to find words like horse, correct, battery and staple.
Don't know how effective this would actually be though.
It's just based on the principle of humans, being the humans that they are, using simple words in order to remember their passwords easily.

>> No.3543072

>>3543036

horse staple battery correct

>> No.3543146

>>3543068
This guy is on the right track.

Also, character sets.

>> No.3543154

>>3543031
So what was the consensus on /g/? Did he reply to your email?

>> No.3543160

>>3543154
>>3543154
>consensus
>/g/

Our dumb brother doesn't like information, they'd rather troll gentoo loliwaifus.

>> No.3543195

>>3543068
A brute force password cracker still guesses based on a character-to-character basis, and lots of people still use random strings of characters for passwords. By throwing white spaces into the mix your password stops being alpha-numeric, so the only thing that really matters is the length of the password.

>> No.3543198

>>3543068
>that will cross reference every human known to man, and known to be used by man.
wat

>> No.3543199

>>3543195
He explained the case of a dictionary generated password without a dictionary

>> No.3543205

>>3543029
It is wrong, friendo.

>> No.3543218

>>3542982
what I want to know is where he pulls out the entropy figures

>> No.3543222

>>3543218
simple probability.

>> No.3543230

Couldn't you like, make it so that if you guess the password wrong 3 times, the computer refuses your attempts to login for like, 15 minutes?
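The lockout described in this post, as an added example that is not code from the thread: a per-account throttle that refuses further attempts for a fixed window after a run of failures. The clock is injectable so the behaviour can be checked without sleeping, and the real password verifier is not even invoked while an account is locked. Two caveats a practitioner would add: a per-account lockout lets anyone lock the legitimate user out by guessing wrong on purpose (so production systems usually pair it with per-source throttling), and it does nothing against an attacker who already holds the password hashes and guesses offline. Account names and thresholds below are made up.

```python
"""Failed-login throttle for one account: after `max_failures` wrong guesses,
attempts are refused for `lockout_seconds`.

Added example, not from the thread. The clock is injectable for testing;
account names and the 3 / 15-minute thresholds are illustrative.
"""
import time
from typing import Callable


class LoginThrottle:
    def __init__(self, max_failures: int = 3, lockout_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if max_failures < 1 or lockout_seconds <= 0:
            raise ValueError("max_failures >= 1 and lockout_seconds > 0 required")
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}        # account -> consecutive failures
        self._locked_until: dict[str, float] = {}  # account -> monotonic deadline

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def attempt(self, account: str, verify: Callable[[], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'.

        `verify` performs the real password check and is NOT called while the
        account is locked, so a locked account reveals nothing (not even a
        timing difference) about the password that was submitted.
        """
        if self.is_locked(account):
            return "locked"
        if verify():
            # success clears the failure history for this account
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            # the failure that hits the threshold starts the lockout window
            self._failures.pop(account, None)
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return "locked"
        self._failures[account] = count
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    # constructed demo: three wrong guesses, then the right one is refused too
    for guess in ("hunter2", "password1", "letmein", "the-real-password"):
        print(guess, "->", throttle.attempt("alice", lambda: guess == "the-real-password"))
```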

>> No.3543234

>>3543230
You can, but most systems don't

>> No.3543247

>>3543222
what probability? Different length per word.

https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength

I don't see where those numbers are coming from. Not that guy btw.

>> No.3543251

>>3543247
where*

>> No.3543254

>>3543222
then define the sample space and random variable

>> No.3543265

>>3543254
OOO

you can input abcABC123#%& and space in every single slot.

Count how many possibilities, i think it's 60 or 80.
Do your magic

>> No.3543268

>>3543265
OOO where supposed to be the "slots", 3 of them, I was going to show, but meh..

>> No.3543272

>>3543254
>https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength#Entropy_as_a_measure_of_password_strength.

>> No.3543277

any word from the dictionary is easy to guess, "correct horse battery staple" is several orders of magnitude easier to guess than "0p 1$ 4 f46"

>> No.3543334

>>3543277
singular word from dictionary

multiple words are not easy.

>> No.3543344

2 passwords of equal length.


First is four dictionary words put together.
Second one is random gibberish.

Possible options for each password is:
1: Number of words in dictionary to the power of four.
2: Number of available letters to the power of the length.

e.g:
correcthorsebatterystaple
asdf9asdf789asdfu89asdf89

according to a sloppy search on google the Oxford English Dictionary contains full entries for 171,476 words in current use, and 47,156 obsolete words.
Let's just say there are 200,000 words?

number of variations of password type 1 is then:
200,000^4 =
1.6 x 10^21
1600000000000000000000

there are 26 letters and 10 numbers in the alphabet so let's say you can use 36 signs, and there are 25 letters in correcthorsebatterystaple. So, for your type 2 password the number of variations are:
36^25 =
8.08281277 × 10^38
80828127700000000000000000000

The conclusion is that the gibberish is harder to guess, then.

You could continue this by calculating how many letters a type 2 password would be to be as safe as a type 1 password.
You can now discuss why it isn't really fair to compare the length of the password.
Since a type 1 password can vary greatly in length it can therefore be harder or easier to break with method 2 rather than method 1.
(Method 1 is combining words instead of combining signs as in method 2)

>> No.3543353

>>3543344
Sure, a super-long password of gibberish is better. But that's not what we're comparing - a human has little hope of remembering a long string of random characters.

We're comparing medium-length semi-gibberish with long word strings. To be really fair, we should compare the password strength of methods that are equally easy to remember.

>> No.3543358

>>3543334

Exactly. If there are 10^5 words in the English language (there's actually a lot more, but most you would never use), then guessing one word is just a matter of 10^5 tries. Guessing 4 words is (10^5)^4=10^20, or about 1 quadrillion times more difficult than guessing one word.

>> No.3543381

I don't give a fuck that's my new password.

>> No.3543395

But people don't only use short passwords because it's easier to remember them, but also because it's faster when you need to use it maybe multiple times per day.

Hell, you could memorize a full poem and use it as a password, but who would want to type that in every time they log in?

>> No.3543400

>>3543395
It just takes time, after typing my old password so many times I could type it lightning fast

>> No.3543410

>>3543395
>>3543400
Another option is pattern-based passwords. Just follow some spatial pattern on the keyboard - though if you want non-alphanumeric characters you'll need to use the Shift modifier at some point.

>> No.3543413

>>3543358
This is an excellent point, some words are more common than others.
If I were to try and break the password I wouldn't go:
a a a a
a a a aardvark
and so on...
I've never used aardvark, I've just now finally put a name to that creature I've seen in pictures.
Anyway, I would start off with a more common word;
fuckfuckfuckfuck
or maybe they have to be different, so the most used passwords are probably something like
fuckcuntdickshit

This is thrown on its ass if the passwords are randomly generated, which is a favourable approach, because the dictionaries would probably be readily available anyway.

>> No.3543428

only problem with this is that so many passwords are limited in length. and have silly requirements

>> No.3543431

>>3543413
and to add to this, you'd have to exclude all words shorter than say 4 letters,
aaaa would be easily broken
so the dictionary just became even shorter

>> No.3543435

>>3543428
True...

>> No.3543443

>>3543428
I think this is the point we are discussing, changing the requirements

>> No.3543470
File: 158 KB, 455x610, 1264603240725.jpg

> mfw an actual intellectual discussion on /sci/

Never thought I'd live to see this.

>> No.3543492

>>3543470
Never thought I'd live the day you were not a faggot. And I still have my doubts about whether I will.

>> No.3543501

If you implement this so that a service generates your password and you can't change it to your own (just generate a new one if you think it's hard to remember), then your entire database of passwords would be safe.

The way to look at these passwords is as 4 letter passwords where each letter can be any word in the dictionary.

But I think you'd need more than 4 words to make it safe enough to compete even with an 8 letter gibberish password.

>> No.3543526

>>3543334
10000 words in 4 combinations, 10000^4=10^16
128 ascii characters in 11 combinations, 128^11=1.5*10^23

By simply remembering to replace a few letters with a few symbols you are 10 million times more effective.
op is a fag
0p 1$ 4 f46

>> No.3543543

Solved the password paradox ages ago. Why xkcd so slow?

>> No.3543551

Question from the author of this:
>>3543344 and some other post that says 200.000 words are a bit much and a lot are useless.

Can we agree on a length limit for gibberish password?
How many letters can be memorised by the everyday blue collar worker?
Even 8?
How much is X?

If so 36^X gives you the number of possible passwords

And, can we agree on a number of words in the dictionary?
50.000 too much or too wee?
What is Y?

If so we can calculate the required number of words (Z) from the answer above:

36^X = Y^Z
log base Y (36^X) = Z
so, start making up X's and Y's, let's find Z!
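The 36^X = Y^Z comparison this post sets up, as an added example (Python written for this page, not code from the thread): a small calculator that turns the thread's assumptions into bits of entropy and break-even sizes, using the change-of-base identity log_b(a) = ln(a)/ln(b) the poster was looking for. It also converts bits into time to exhaust the space at a guess rate, so the later "5M hashes a second" figure can be plugged in. Every input (36 symbols, 8 characters, 50,000 words, 5M guesses/s) is an assumption lifted from the posts; the functions only do the arithmetic, for a uniformly random choice in each scheme and an attacker who already knows which scheme is in use.

```python
"""Password-space calculator for the thread's 36^X = Y^Z comparison.

Added example, not code from the thread. Every input is an assumption taken
from the posts (36 symbols, 8 characters, 50,000 words, 5M guesses/s, ...).
All figures assume a uniformly random choice within the scheme and an
attacker who knows the scheme; only the random choice counts as entropy.
"""
import math


def char_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one character")
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly, with replacement, from a
    public list of `wordlist_size` words: log2(wordlist_size ** words)."""
    if wordlist_size < 2 or words < 1:
        raise ValueError("need at least two words in the list and one word")
    return words * math.log2(wordlist_size)


def words_needed(alphabet_size: int, length: int, wordlist_size: int) -> int:
    """Smallest Z with wordlist_size ** Z >= alphabet_size ** length, i.e.
    ceil(log_Y(36^X)), computed via change of base as ln(a) / ln(b)."""
    z = length * math.log(alphabet_size) / math.log(wordlist_size)
    # small tolerance so an exact equality (128^11 == 2048^7) is not rounded up
    return math.ceil(z - 1e-9)


def wordlist_size_needed(alphabet_size: int, length: int, words: int) -> float:
    """Y with Y ** words == alphabet_size ** length: the list size at which a
    `words`-word passphrase matches a `length`-character password."""
    return alphabet_size ** (length / words)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try all 2**bits candidates at the given rate. This is the
    offline case (the attacker holds the hashes); the expected time is half
    of it, and online guessing against a live login is far slower."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second


def report(alphabet_size: int, length: int, wordlist_size: int, words: int,
           guesses_per_second: float = 5e6) -> dict:
    """Side-by-side numbers for one character scheme and one word scheme."""
    cb = char_password_bits(alphabet_size, length)
    pb = passphrase_bits(wordlist_size, words)
    return {
        "char_bits": cb,
        "phrase_bits": pb,
        "words_to_match_chars": words_needed(alphabet_size, length, wordlist_size),
        "list_size_to_match_chars": wordlist_size_needed(alphabet_size, length, words),
        "char_days_to_exhaust": seconds_to_exhaust(cb, guesses_per_second) / 86400,
        "phrase_days_to_exhaust": seconds_to_exhaust(pb, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # the thread's own numbers: 36 symbols x 8 chars vs 50,000 words x 4,
    # and the comic's 2048 words x 4 (44 bits) vs 128 ASCII x 11 (77 bits)
    for args in ((36, 8, 50_000, 4), (128, 11, 2048, 4), (72, 11, 128_000, 4)):
        for key, value in report(*args).items():
            print(f"{args}: {key} = {value:,.2f}")
```

For the numbers argued about in the thread: 2048 words x 4 gives exactly 44 bits, 128 symbols x 11 gives exactly 77 bits, 36 symbols x 8 characters is beaten by 3 words from a 50,000-word list, and 72 symbols x 11 characters is matched by 4 words from a list of roughly 128,000 words.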

>> No.3543558

>>3543551
and also, if someone can point me to a calculator that can use any log base that would be nice, my student licence of matlab is expired I think

>> No.3543559

>>3543526 10000 words 10^16
yes but 200000 words is 3.2*10^26

>> No.3543564

>>3543559
no it isn't. you fail at math.

>> No.3543578

>>3543344
I could be wrong but it seems to me that :
a. you don't accout for spaces between the words
b. for the dictionary attack to be effective, you would actually need to know some things about the password, namely that it is made of 4 simple words, then try every four-word combination. But you can't know beforehand if the password is made of 2, or 3, or 4, or 5, or n words. Therefore I think it becomes harder to guess.

>> No.3543583

>>3543559
Correct horse battery staple are within the 10000 most commonly used words, no one can remember "hadaway wherrit apastron malgra".

>> No.3543587

>>3543578
and language. if you add in german and dutch and french etc.

>> No.3543599

>>3543583
no, but someone might remember hadaway what is love
or
wherrit rains or snows

not all 4 words have to be rare for those words to be included in a list.

>> No.3543617

>>3543578
I make an excellent point and maybe I haven't been clear:
a) I assumed the words would be written together, anyway, it's just 3 spaces so it's no biggie, adds three letters of complexity I suppose.

b) You could know if it was being employed based on the site you want to break. I'm assuming here that the OP wants this to become standard.

If this kind of password is superior then it would be employed everywhere.

But initially some would start using it, let's say facebook, and they wouldn't let you choose your words yourself. They'd let you play the 4 word roulette until you have a combination you like. So all facebook passwords would be generated like that so that there are no weak ones.

But until this is implemented in that way, you're right, there is no way of knowing that the 4 word method is useful or if it's indeed more than 4 words, so among those who just want a longer, safer password this is indeed a good idea to bring to passwordmaking already.

>> No.3543650

>>3543599
>not all 4 words have to be rare for those words to be included in a list
They have to be rare to be included in a 200000 word list, though I suppose everyone knows a few rare words.

OP comic is still retarded for using 4 commonly used words.

>> No.3543668

>>3543650 i suppose everyone knows a few rare words.

Exactly.

agraffe paper or cork

easy to remember, but has a rare word. my spell check is even yelling at me.

>> No.3543673
File: 156 KB, 1200x789, 1308536030652.jpg

Erase your traces and never get caught in the first place.

>> No.3543675

I think it's a rather good idea but will only be strong until it's implemented en masse. When people work out they just need dictionary^4 it'll be even faster than the current stuff we use.

Brotip: use a long word, or two. Substitute a letter for a number that's nothing like it, like "Faggo3Moo3"

>> No.3543701

>>3543675
Retard detected.
The point is that he's talking about entropy.
Assume that one knows what you do for your password, how safe is it then?
Not redoing the math, but for 4 arbitrary common words, there are 2^44 combinations.
For a single uncommon word, with the first letter being potentially a capital, some common substitutions, and two random appended characters, it's apparently only 2^28 combos.

>> No.3543707

Why would anyone even use words in their passwords anyway?

I originally memorized three randomly generated 8 letter and number strings with two capital letters and two numbers in each and alternated their use as passwords and security question answers back when I was 14. Since then I have added to them to include 2 symbols, 1 more number, and one more character.

>> No.3543723

>>3543701
If you're assuming every letter is possibly represented by a number, that's giving you 11 possibilities per letter. In a 15 character password, using a dictionary plus this and assuming the pass is unicode, you're looking at a 11^15 increase in the amount of time you're going to take. that's the difference between a second and 132 million years.

>> No.3543736

>>3543707
I memorise strings of irrational constants a few hundred million characters in then write down the original reference number in hexatridecimal (Think that's the term) using all letters and numbers.

>> No.3543752

>>3543736
And I thought working up a date based code book encryption was going to be hard...

>> No.3543757

>>3543752
It isn't that difficult, all you need is a base 36 to base 10 (or 16 if that's how you roll) converter. The result you get looks a lot like a random string, or even a pseudo-random string, and the actual meaning of it is all but impossible to decipher.

>> No.3543759

what the comic overlooks is that most services these days lock you out after n attempts

>> No.3543760

CORRECT HORSE IS NOW A MEME

>> No.3543998

Gonna bump this, can someone point me to a calculator that does logarithms of any base?

I want to do this:
>>3543551

>> No.3545052

OP's image is incorrect, isn't it?

It should be 28 (possible signs per position) to the 9th power (length of sequence). Maybe there are some other factors in play, but I can't help but feel it's more likely to be a screw-up.

Link is an introduction to cryptography
http://www.ciphersbyritter.com/LEARNING.HTM

>> No.3545112

I'm a little confused on how someone guessing your password is supposed to know that it is made up of 4 separate words in the first place?

>> No.3545181

>>3545112
They don't. That's the point

normally a password is 5-10 characters. all alphabetical, and a word. This makes dictionary attacks- trying every word that there is- pretty effective. If people start to use longer, multi word passwords, then crackers will realise what they're doing and try multi-word too. the idea with this is that it doesn't matter if they work it out or not, as they're going to be taking the amount of time you would otherwise times itself times itself times itself, which is the difference between 10 seconds and 160 minutes.

I don't think it's a good idea, and Randall's missing the point that alternatives like making two letters substitutable for a number increases the time taken by n-1(2^16)
I'm no mathematician, but for a 10 character password that's 589,000 times more entropy as opposed to 10,000. Seems pretty conclusive.

>> No.3545186

>>3545181
Not necessarily when you factor in ease of recall.

We should be comparing password schemes that are equally easy to recall.

>> No.3545204
File: 161 KB, 306x320, 02.png

>>3543998
>He doesn't know of log_b(a) = log_c(a) / log_c(b),

>> No.3545207

>>3545186
I think it's very easy to remember a 10 character password with 2 substitutions, the passwords on my email, youtube, and facebook accounts are all more complex than that. Of course a combination of both is even better (5chr0dingerthegl0ri0u5fagg0t for example)

My personal favourite is still storing your passwords in base 36

>> No.3545216

>>3545207
Sure. The idea is that the same ease of recall can be had with a much longer password by making it more natural for human memory.

At any rate, just being a long password is usually enough. They're not going to bruteforce out to 20 characters.

>> No.3545222 [DELETED] 

ITT: High school underageb&

>> No.3545234

>>3545216
a dictionary attack for 20 characters isn't *that* hard. It's only about 47 trillion combinations :D

Seriously though, I can see that being possible. Given that my home PC is capable of trying 5M hashes a second that's just 115 days. I imagine a decent server can probably triple that, at least.

>> No.3545279

>>3545234
add a dozen zeros to the end of that

>> No.3545295

>>3545279
Dictionary attacks usually use 36,000 words, don't they?

Iono. I do.

>> No.3545316

My face when I already use this method.

>>3545181
The whole point is that the person trying to crack your password doesn't know if you are using alphanumericals or words. and even if they try words, they have no idea of how many words you used, if you typed it with or without spaces or even in what languages you typed them.

I use a five word password with words from three languages. If anyone wants to crack that they might just as well brute force it with letter to letter trials.
And since the words have meaning to me it is very easy to remember and to change it.

>> No.3545333

>>3545316
>The whole point is that the person trying to crack your password doesn't know if you are using alphanumericals or words. and even if they try words, they have no idea of how many words you used, if you typed it with or without spaces or even in what languages you typed them.
But they DO know. There are about a dozen commonly used schemes, and your typical dictionary attack will try them all.

>> No.3545365

How to make a decent password
1) Pick a phrase that means something to you
> give me a firm place to stand and I will move the earth
2) take the first/last/second/whatever letter from each word
> gmafptsaiwmte
3) consistently substitute some symbol for some letter, like 3 for 'T'(hree)
> gmafp3saiwm3e
4) enjoy

>> No.3545378

>>3545333
Really? I use two words in zulu, one in ancient coptic, and two in norwegian (not in that order). I find it really hard to believe that this would be included in any standard dictionary attack.

>> No.3545390

>>3545295
if average word is 5 characters long and there are 20 characters in password. dictionary would need to try 15000000000000000000 combinations.

If it had to be brute forced instead it would need to try 300000000000000000000000000000000000000000 combinations.

>> No.3545395

> my face when my password is 18 asterisks

>> No.3545424

>>3545390
But that is only correct assuming an English-only password. Try the same calculation but using all words from all languages (both dead and current). I think you will find that the difference is much smaller.

>> No.3545555

>>3545424
no point in using a dictionary attack if the dictionary is that large.

>> No.3545596

>>3545390
ah, I'd assumed average word length was higher. My mistake.
>>3545316
At the moment people who use words alone will use one or two only, therefore most dictionary attacks won't be trying high numbers of words. Widespread adoption is going to drive people to do it significantly more.

Also, there are multilingual dictionaries, but they're not wide-spread. Unless you're using words like "senor" or "vin" then you've probably got something there

I still like my 50 character constant streams, though.
>>3545555
This. English alone has over a million words, if you were to try and test for every language you would take years to finish two word combos.

>> No.3545676

>spell 1 of the words slightly wrong
>unbreakable password through dictionary attack

>> No.3545694

>>3545676
Alternatively make your password the bytecode for
do{int i= false;}
while(int i=false);

>> No.3545771

>>3545112
If your password is a word it's easy to break.

If your password is a randomly generated sequence of signs then it is hard to break - it is also hard to remember.

If your password is a combination of words it will be a semi-random sequence of signs that is semi-hard to break, but it's easier to remember so it can be made longer.

So, if everyone is using the method described then it would be harder to break in because there would be no weak easy password.

But people are stupid, they would pick "vagina" as their password and that is easy to break.

So you'd have to force them to adapt by not letting them pick their own password, so what do you do?
A) Give them a long string of random and hard to memorize numbers?
B) Give them 4 random words out of a dictionary that form a longer string and is easier to remember?

So a site like facebook could change their system, then you'd know that the password is made up of real words, so we are arguing here whether or not this would be stronger even given this knowledge.

Your questions were already answered previously in this thread anyway.

>> No.3545779

I have something personal that I remember by heart, converted into a foreign language, and has numbers and letters. Even though it is structured, it's effectively the same as a random string of numbers and letters.

At 45~ characters, the only thing I need to fear are keyloggers. Aside from the shortened convenience variations, of course.

>> No.3545783

>>3545424
You can't have non-english words, if I'm generating a password in japanese it might as well be random signs.

>> No.3545800

Guys guys guys, you're missing a big point.

If you let people pick their own passwords they will still just pick "vagina".

The password has to be randomly generated for you if this is going to work. Else you just take over the vagina-account and waltz through the door.

>> No.3545809

>>3545800
Natural selection much?
Banks should perform random dictionary attacks on all accounts, and refuse to insure any that are broken.

>> No.3545858

Basically, he's suggesting using shorter passwords made from a (much) larger set of "letters" -- the "letters" being entire English words.

>> No.3545882

>>3545809
You're looking at it from your own point of view:
"let's just protect my password, fuck everyone else".

But it's in your interest that other people have secure passwords as well, if someone hijacks another person's account it affects you too.

>> No.3545887
File: 14 KB, 300x300, 1299979644398.png

>>3545771

I don't know much about computers but
how is picking apple any easier than pleap as a password?
from a probability point of view, it is just as likely to guess apple as it is pleap if you're using a brute force software, unless it's programmed to look for common words in english, but then again how would you know it's in english rather than any other language, so guessing words from any language is out of the question when trying to get a password since it's far more efficient to just think of it as a random combination of characters, now the only difference would be if I were to guess the password using intuition (birthday of the person I'm trying to hack or such things) but this isn't any good if you want to get into many accounts of many people who you might not even know

>> No.3545891

>>3545858
Well put. Even though he's wrong.
>>3545882
It's in everyone's interests to have an incentive to be secure, this would provide it. The requirement to use a better password would minimise the chance that you get your information stolen and have to go through the trouble of recovering it. Of course it's in my interest that they're using up to date security methods.

>> No.3545904

>>3545887
It's because brute forcing isn't always just systematically going through and attacking every letter combination, it's most of the time based on words. English is the most commonly used language on the planet, especially by rich inept people, making it an excellent target.

>> No.3545917

>>3545904
so having applex as a password makes me invincible to hackers? I don't think that's how it works

>> No.3545922

This is all cool and stuff, but in, say, 8 years any password can be bruteforced in a couple of minutes. Then again, in 8 years most security will probably be biological as in fingerprints or eyes, maybe even genetic.

>> No.3545928

XKCD is an idiot. People don't bruteforce passwords, they dictionary and common word that shit.

>> No.3545933

>>3545887
Also, basic information (like DOB) can easily be nicked by any site not being entirely honest with its data protection. It's possible to buy personal details (address, email, personal information)
>>3545917
It makes you a lot more difficult to attack, given the number of options is increased from about 36,000 to about 30,840,979,456

>> No.3545967

A bigger problem than having passwords easy to guess has got to be having all your passwords the same. Think about it, how many people do you think have the same password for facebook, email and everything else?

I showed this to my mum when she got me to install something on her computer. She gave me the admin password, I then logged into her email, facebook, bingo and even her bank account.

If you do this (and most people do), they just have to get your email password, they've got everything. And bundled with the email account is probably a load of emails that will tell people what you've signed up for with this generic password.

>> No.3545976
File: 129 KB, 480x1189, 792_password_reuse.png

>>3545967

>> No.3545981

>>3545976
I love the fact that the first sentence is "Password entropy is rarely relevant".

>> No.3545994

>>3545933
is there any way to know if a password is made out of only letters or numbers or even it's number of characters?

if there isn't any way then just by assuming it's a word then you're losing way too many chances since one can have epple as password just for fun or maybe use an obscure word

and from what I've just looked up
http://www.wolframalpha.com/input/?i=number+of+words+in+english+language
if you're using a whole dictionary then the chances of guessing is still at least 1 in 600,000

>> No.3546029

>>3545994
This is a common problem in reasoning. (Not to pick on you, specifically.) Owning just *your* password might be moderately difficult. But when you're trying to get in something, you usually have several choices. Only one of them has to work.

The common thief has to be right every time. The cops only have to be right once. Same here. If you're one of twenty thousand people who "guard" the door, what's the difference if they get you or someone else?

>> No.3546033

>>3545994
Nope. The generally correct assumption is that a password is a single word, sometimes with a number at the end. It's only assumed because this is a lot more time efficient, and can dig up easy passwords fast.
It's possible to run a dictionary attack then move onto bruteforcing, which is what would happen in the epple vs apple situation. It's just that it's far more time/power hungry to do that first.

>> No.3546058

>>3545976

Even if you had seen that strip before, admit it, you moused over for the alt text, didn't you?

>> No.3546075

>>3543272
>>3543268
>>3543265
I don't think you actually know, either. You only THINK you know and point to references without verifying like a lazy fuck.

>> No.3546083

>>3546058
I have 1-750 saved offline actually, no alt text for me :/.

Some of the thumbnails for early comics are actually the pre- trimmed pictures of the whole piece of paper. True story.

>> No.3546264

i don't think people would just make their passwords be vagina vagina vagina vagina

really

>> No.3546357

>>3546264
if given the choice their vocabulary would be very limited. running a dictionary of a couple of thousand words would get quite a few passwords, that's what I think anyway.

>> No.3548868
File: 126 KB, 760x596, skein.jpg

>>3546264
The average person cannot be expected to put any effort into making a password.

What was that talk about the logarithm of 36? 36 does not seem particularly secure, so then it was probably picked for ease of memory?

>> No.3548889

>>3542982
Did nobody here understand the main concept?
XKCD is talking about the entropy of a certain password scheme.
That means: given a scheme, how many possibilities are there?
Of course, the scheme that has the highest entropy for input length n, is random bitstrings that yield n-character passwords. However, there is no fixed input length n; and the only real constraint for a password scheme is being memorizable. XKCD conjectures that of the schemes with entropy of 44 bits, 4 random common words is the easiest to remember.

>> No.3548925

>>3545928
lrn2entropy
a dictionary attack is an attack that leans on the notion of information entropy
not all passwords are equally likely, hence an existing word has a lower entropy than an equally lengthy random string
you can adapt your dictionary attack to do simple o->0, e->3 etc. substitutions; since there are not too many such substitutions, the entropy is still relatively low, and thus a modified dictionary attack will be relatively powerful against such passwords
by picking 4 common words, it turns out you have a higher entropy, remember that for even 2 words, you need to run a whole dictionary attack, for every word, hence being quadratically slower; with 4 words, it is a power of 4 times slower

>> No.3549729

>>3548868
You pick a pseudorandom string of some constant, say pi, between 100 and 1000 million digits in. You then convert the start digit's position in whatever base you had the constant in into base 36. That way, you get a string of apparently random numbers and letters you can write down without anyone working out what the system is.

>> No.3549762

>>3549729
pseudorandomly located*

>> No.3549932
File: 973 KB, 1920x2560, Zentralfriedhof_Vienna_-_Boltzmann.jpg

>>3549729
That works. But would be really time-consuming.

Personally, I don't think good passwords are even a problem. It's more critical to remember a multitude of high-entropy passwords, which I currently can't.

>> No.3549984

An 11-character password made from a pool of 26 capital letters, 26 lowercase letters, 10 digits, and let's say 10 punctuation marks has 72^11 combinations.

A four common word password made from a pool of W common words has W^4 combinations.

As long as there are more than approximately 128,000 common words to choose from, a four common word password will have more combinations.

How many common words are there?

>> No.3550025

>>3549984
OED 2nd ed has almost 300k entries in it.

>> No.3550047

>>3549932
yeah, but my method sounds more difficult and therefore has to be by implication.

I like it because it's possible to break it, but nobody is willing to go as far as computing a billion places of a constant even if they know what I did. FG9AF for example.

>> No.3550181

1. come up with a short sentence in English
2. translate into dead/obscure foreign language
3. ???
4. profit

IMO this is the best way to go since no dictionary attack will cover an obscure or dead language (except maybe Latin), so brute force is the only way to guess. plus you have an easy way to remember the password, the original English sentence.

>> No.3550198
File: 88 KB, 400x300, friesen-stallion-gallop-in-sunset_1250476930.jpg

>> No.3550202

>>3550181
Time to Sanskrit my passwords.

>> No.3550208

http://world.std.com/~reinhold/diceware.html fyi
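The Diceware scheme linked in this post, as an added example (written for this page, not code from the thread or from the linked site): the five-dice roll to list-index mapping that the word list files use, a parser for the "roll, tab, word" line format that rejects duplicate rolls, and a generator that picks words with the OS CSPRNG (`secrets`) instead of `random`. The four-line word list is a constructed excerpt; a real list has 6^5 = 7776 entries, one per roll, and is assumed to be public, which is exactly why the entropy figure only counts the random choice.

```python
"""Diceware-style passphrase generation.

Added example, not code from the thread or from the Diceware page above.
The word list excerpt is constructed for the demo; a real list has
6**5 = 7776 entries, one per roll of five dice, and is assumed public.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 five-dice outcomes

# constructed excerpt in the Diceware file format: "<roll>\t<word>"
SAMPLE_LIST_TEXT = """\
# five dice read left to right, a tab, then the word
16655\tcorrect
31162\thorse
11363\tbattery
52466\tstaple
"""


def roll_to_index(roll: str) -> int:
    """Read five dice (each 1-6) as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"roll must be five digits 1-6, got {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index."""
    if not 0 <= index < DICEWARE_LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def load_wordlist(text: str) -> list[str]:
    """Parse roll/word lines into a list ordered by roll. A roll that appears
    twice is rejected, since a duplicate would skew the distribution."""
    by_index: dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split(None, 1)
        idx = roll_to_index(roll)
        if idx in by_index:
            raise ValueError(f"duplicate roll {roll}")
        by_index[idx] = word.strip()
    return [by_index[i] for i in sorted(by_index)]


def bits_for_known_list(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy when the attacker knows the list and the word count:
    n_words * log2(list_size). Nothing else about the phrase is secret."""
    return n_words * math.log2(list_size)


def generate_passphrase(words: list[str], n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly with replacement using the OS CSPRNG
    (secrets.choice), never random.random. Picks are independent, so a
    repeated word is allowed and does not reduce the entropy."""
    if len(words) < 2 or n_words < 1:
        raise ValueError("need a list of at least two words and n_words >= 1")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_LIST_TEXT)
    print(words)  # ['battery', 'correct', 'horse', 'staple']
    print(generate_passphrase(words, 4))
    print(f"full 7776-word list, 4 words: {bits_for_known_list(4):.1f} bits")  # 51.7
    print(f"full 7776-word list, 5 words: {bits_for_known_list(5):.1f} bits")  # 64.6
```

With the full 7776-word list, four words give about 51.7 bits and five about 64.6, regardless of whether the attacker has the list; choosing from a tiny excerpt like the one above gives only 2 bits per word, which is the point of insisting on the whole list and on real dice or a CSPRNG.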

>> No.3550250
File: 5 KB, 161x146, 1312978239673.png

plagiarism?

>> No.3550268

>>3550250
source?

>> No.3550385

>>3550268
First one from google, second from OP

how about a password like this?

http://_homepage_com

>> No.3550422

>>3550385
Then if someone steals your password, he knows not just one, but all your passwords.

>> No.3550445

>>3550208

Why would you narrow down the possible word-combinations to a known password list?

>> No.3552100

>>3550445
because the words in a dictionary are easier to memorize
you can then create a longer string than if you just try to memorize random signs