0. The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system. (Origin: agilebits.com)
- Only real random passwords are secure.
- If a pattern occurs or you use common tips to create memorable passwords, then you don't have a random password at all.
- You should always look at http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/ to understand password security.
1. Take the 12-word password which is suggested by the NXT Client.
- This is far more secure than selecting a password yourself - in most cases.
- Don't generate passwords with a pattern, because password crackers know such patterns too.
2. Use a strong password generator in combination with a password manager
- 1Password for example
3. If you need a strong password which is easy to remember, for example the master password of the password manager -> see www.diceware.com
Philippians4:6-7
qeadzcwrsfxv1331
k1araj0hns0n
Sh1a-labe0uf
Apr!l221973
Qbesancon321
DG091101%
Example of a good password:
JA2pi$P0nWaVEM$rHCy9F%lJmr4vDlo47wWa&4@$b&6&Q&c3qJ8%dmuBBNR@g4b06pu%!FPRzis*rj@G9t1g4zp^ga5q9W4^x5k
Don't try to make a pass phrase/word which you can remember.
I was in a Google hangout a few days ago with a few people from here and one of them showed an easy-to-remember way to make a secure password (his name is Silvio, I just found out).
I'll try to recreate what he did (roughly):
1. he had ANY plastic card from his wallet (his actual wallet), in his case an opera admittance card, from which he used the barcode.
2. he used his "brother's" name
3. he used an introductory bit.
With all this he created: PW = Peter %84736293%!
According to Kaspersky that password would take 10,000+ centuries to crack on a supercomputer.
Guy from the Hangout: if you see this post, please post your video ;)
The thing is: I don't have my passwords with me all the time. It's a lot easier when you can remember your password.
That is 21 characters which is pretty good but the number generally agreed on when it comes to NXT is 30+ characters. However, what you suggested would be great for a password manager.
20 is not enough! 29 is not enough!
Really? If anyone can break this 15 character password I will send them 50,000 Nxt
SHA256 Hash of the password: 3164898B4DEE3FD994BCEA75F2C06B22903A8F89D3708C3FA666BA75C6EFB593
Just to make it easy: there are no special characters -- just alphabets and numbers
The offer is open for a year. The largest successful publicly known brute force was against 64-bit (weaker than 12 chars), so I won't be losing sleep over this.
Just to be clear, this password looks similar to this: "Fp7fq7aHSRNupa5". This is exactly 15 characters (not 14, not 16, exactly 15 characters, and no special characters). Easy.
SHA256 HASH IS : 3164898B4DEE3FD994BCEA75F2C06B22903A8F89D3708C3FA666BA75C6EFB593
I will pay 50,000 nxt plus one nemstake token to anyone who can break it in one year.
Just to put some sense in "29+ char password is not enough" , people have been trying to "crack" darknxt account here
https://nxtforum.org/general-discussion/nxt-account-miner-new-version/
There are 20 million darknxt (about $800,000)
No one has (yet) succeeded.
If someone builds a machine that can crack a darknxt account in just one second (can even the NSA do that?), cracking this 15 char password would still take more than a year on that machine.
Another example: the entire bitcoin network (100k+ dollars in electricity per day?) has a hash rate of 125,000,000,000,000,000 hashes per second.
It will take the entire bitcoin network (at current rate) about 100 years (on average) to break this 15 character password.
So good luck to everyone who tries!
Fair enough. You know more about password security than I do, so what would you recommend as the minimum safe password length? Also, keep in mind that this doesn't have to do with cracking a hash, it has to do with precomputation attacks.
I don't know more, I just know basic math. Every password that appears in any kind of database is bad. It can be cracked instantly. These include leaked password databases (billion+ passwords), quotes from books, poems, songs, movies, a bitcoin address in the bitcoin blockchain, a public key that exists in Nxt's blockchain, something used as a password by someone else, etc. A sentence picked from any book (no matter how obscure the book) from the entire library only has 32 bits of entropy, as it's possible to scan every book ever published (isn't Google already doing something like this?) and check if someone used a sentence from a book (or a slight variant of the sentence) as a password. It's much harder (though possible) to crack a random 12 char password. 20+ is pretty safe, as long as it's not in some database.
Not all Nxt users read this forum, so people will never understand this and will continue losing money with a brain wallet. Brain wallet should NOT have been the default option. It should have been an "advanced option". Private keys should be generated by a cryptographically secure random generator, then encrypted by the user's password. HumanFractal is working on something like this to be implemented in the Javascript client. Wesley should hide "brain wallet" in an advanced option (not make it easy to use), combined with HumanFractal's deterministic wallet.
So the solution isn't to tell people to use strong passwords (as they are never going to read these articles, or read the introduction, or even visit this forum) but to design the software such that it is difficult for users to make mistakes.
So the solution isn't to tell people to use strong passwords (as they are never going to read these articles, or read instructions, or even visit this forum) but to design the software such that it is difficult for users to make mistakes, while the software still remains user friendly and easy to use (asking people to type 20+ chars is not usable software).
Great post, especially the parts that I made bold. Now that's written by someone who truly understands the topic. I would suggest the OP should be replaced with these points.
16 (even 20) char passwords are easy to crack if they are not random.
By the way, if someone doesn't trust a random generator (some random generators are bad -- for example, Javascript Math.random), they can also use a 62 card deck. Assign a character to each card (A to Z, a - z, and 0 - 9) with a marker. Shuffle it really well for 5-10 minutes. Pick the top card. That's the first character in your password. Mix the card back into the deck (that's important) and shuffle again, and pick another top card, mix it back, repeat, etc. Do it 22 times, and there you have a 22 char password with full 128 bits of entropy without any human bias or software glitches (like Math.random()).
Stickied. Next time please write me a PM. :)
<html>
<h1><pre style="font-family:Consolas,Liberation Mono, monospace;" id="pass"></pre></h1>
<script>
(function () {
  // 15 random bytes from the browser's CSPRNG (window.crypto, not Math.random);
  // base64-encoding 15 bytes yields exactly 20 characters carrying 120 bits of entropy
  var buf = new Uint8Array(15);
  window.crypto.getRandomValues(buf);
  document.getElementById('pass').innerHTML = btoa(String.fromCharCode.apply(null, buf));
})();
</script>
</html>
If the devs would use the original Diceware list they would get an entropy of 129 bits with just a 10-word passphrase.
Anyhow I think 128 bits is too paranoid anyway. I suggest using 8 words (out of an 8k Diceware list); that is easier to remember and still at 104 bits of strength.
I'll check the source code to be sure about randomness. Since I'm not a real programmer it will take some time.
Yeah but still good to remember. But ...
Diceware words are weird; they include non-pronounceable words like "a-z". If we were to use a larger dictionary, I like this one better
https://docs.google.com/file/d/0B7kbeA6whDvNMWJqNTQwcTBJM00
No, the problem is that if too many people use passwords made by nxt client, the entropy drops as the attacker has to find any random account. For example, if 10 million people used nxt client to generate password, and if the attacker needs to find any random account of 10 million accounts, his difficulty drops to 2^128 / 10 million, or about 2^104 difficulty. It's still pretty safe, but we should increase the strength of client generated password to about 2^150. The link I posted has 7150 words (2^153 with 12 words), and if the client was using that dictionary, that will be better in my opinion just in case we get 10 million Nxt users 5 years from now all of whom made their password with the client (unlikely but still it bothers me).
Is it possible to remember up to 30 words for the password? ::)
30 words is too many; I think the NXT client generates 12-word passphrases for new accounts?
Use Keepass to store the passphrase if you can't remember it: http://keepass.info/
For double protection write it on a piece of paper, or carve it into wood or metal, and don't show it to anyone :)