Good Passwords

• How does john try to break passwords?
  • Items from /etc/passwd
  • Wordlists
  • Mangling rules
  • Successfully guessed passwords are crypted with all user hashes as salt.
  • Brute Force Attacks.
• How were the word lists formed?
• How long would a brute force attack take.
  • Copy this down and ask questions.
  • I will try to post the spreadsheet but ....
• Exceptional password crackers
  • A really good article
  • Discusses distributed password attacks.
  • With both GPU and CPU
  • Nice history/summary
  • An experiment
    • 8 nodes with NVIDIA GTX 1050 Ti GPU
    • 1.2GB to 8.3GB dictionaries
      • The password was at the end of the dictionary
      • 
      • Check this vs our computations!.
    • In another test they found that dictionary attacks are slower than brute force attempts
      • 
      • Time spent in loading words from dictionary.
      • But look at the speeds!
    • This is a good paper, I will probably read it in full.
• They give guidelines for good passwords
  • Make the alphabet large.
  • Long Passwords
  • Don't use words!
  • Probably not modified words either.
  • Use something you can remember.
  • Do not use the same password on different sites.
  • Change your passwords regularly
  • Don't write your passwords down.
  • Be careful of social engineering.
• Passphrases
  • 
  • Use a phrase of short words.
  • Mix in numbers
  • Weak example: IamtheCaptianofthePina4
  • Strong Example 3BeeorNotTobeTh4t1$The?
  • Can lead to very strong passwords that can be remembered.
• Passphrases might not be required for passwords.
• Guides for passphrases
  • Long enough
  • Not a famous quotation.
  • Not associated with you (hard to guess)
  • Something you can remember.
  • Not reused.
• We have sort of discussed security questions
  • This is somewhat unexplored.
  • But we have seen multiple examples of how unless the questions are carefully drafted they lead to less security.
  • And they have the same problems as passwords
    • What is your favorite food?
    • Will it be the same in 4 years?
    • Will you spell it the same way?
• Gestures and other such authentication methods are becoming more common.