  Bugs  (Read 3360 times)
Offline Regenuluz
« Reply #30 - Posted 2013-01-11 11:19:08 »

It enables a bunch of attacks. You must have a good poker face if you memorize passwords. And this is a thing now. And it makes rubberhose tactics more effective.

Crap! xD I'd better forget my passwords then!

"foobar333333333333" is a lot safer than "foobar", not only by length, but also because it now includes numbers, so it went from a character space of 26 (a-z) to a character space of 36 (a-z, 0-9) and it more than doubled its length. 6^26 < 18^36 (where ^ means to the power of); add in a capital letter and a symbol and the "strength" of the password explodes.

Even "p4ssw0rd" is safer than "password" if we're only talking brute force. (Though all variants of "password" are already in multiple rainbow tables, as are all strings of length <6, so meh.)
Offline Best Username Ever
Junior Member
« Reply #31 - Posted 2013-01-12 00:22:43 »

Length is still significant because brute force attacks still exist, and after the most common passwords and their "substitute zeros for the letter O" type of variants, they tend to go shortest first then append suffixes.  There is theory and there is what attackers actually do.

(but yes that's probably too many 3's to be practical, I just held the key down a bit too long)

People are not nearly as creative as they think. Brute force attacks are informed by the current password "culture". If you rely on creativity and obscurity to provide additional security on top of your password, you better factor in Moore's law. Otherwise current computer users and future generations need to become exponentially more creative with their password tricks.

Length does not mean much. I bet some password crackers already test "password123" sooner than just "password" or will soon. And without doubt, they test "password123" before testing "a", "b", "c", etc.

"foobar333333333333" is a lot safer than "foobar", not only by length, but also because it now includes numbers, so it went from a character space of 26 (a-z) to a character space of 36 (a-z, 0-9) and it more than doubled its length. 6^26 < 18^36 (where ^ means to the power of); add in a capital letter and a symbol and the "strength" of the password explodes.

Even "p4ssw0rd" is safer than "password" if we're only talking brute force. (Though all variants of "password" are already in multiple rainbow tables, as are all strings of length <6, so meh.)

Adding a digit adds 3-4 bits of entropy. Adding a symbol adds another 3 or 4. Adding a capital letter adds a little more than 4 bits. Replacing a letter with a number adds at most one bit of entropy.

Keep in mind that even if no black hat hacker has ever considered that people might use repeated digits at the end of their password, you do not really have an 18^36 character space. Assuming "foobar" was truly selected at random and 333333333333 was a legitimately random number, then you actually have a 6^26 * 12^10 character space. That is still an unrealistic assumption.

Which of the following do you think is most secure?
pikachu, 1101000010010000101100010000000100010101011111, 1502205420042537, 57329965876575, 57329965876575, 1110000011010010110101101100001011000110110100001110101, 1603226554130664165, 31641107307915381, 70696B61636875, 34242C40455F.


People have been misled about password security. It's easy to understand; people respond better to stories than numbers and have been trained to choose passwords satisfying meaningless criteria thanks to most websites. Using "p4ssw0rd" instead of "password" or switching your keyboard to dvorak to enter your qwerty password sounds clever enough to foil a hacker if you think of it in terms of outwitting someone. There is an XKCD comic about passwords that explains what makes a good password scheme, but people mock it as being wrong because they don't understand the math.

Also, a password is not weak because it is in a rainbow table. Any password of any length could be put in a table. Using a salt makes rainbow tables useless, so it is not something to worry about.
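The entropy arithmetic the two posts argue over, as an added example that is not from the thread or its posters: the naive "character space to the power of length" figure next to an attacker model that guesses a word followed by one repeated digit, plus the one-bit-per-position bound on leetspeak swaps. The 33-symbol alphabet, the 20-digit maximum run and the LEET table are assumptions.

```python
import math

# Alphabet sizes behind the thread's "character space" argument.
# 33 is the number of printable ASCII punctuation characters (assumed symbol set).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

def charset_size(pw: str) -> int:
    """Smallest conventional alphabet that covers every character of pw."""
    size = 0
    if any(c.islower() for c in pw): size += LOWER
    if any(c.isupper() for c in pw): size += UPPER
    if any(c.isdigit() for c in pw): size += DIGITS
    if any(not c.isalnum() for c in pw): size += SYMBOLS
    return size

def naive_bits(pw: str) -> float:
    """log2(charset ** length): the value if every position were uniformly random."""
    return len(pw) * math.log2(charset_size(pw))

def word_plus_digit_run_bits(word_len: int, max_run: int = 20, dictionary_size: int = 0) -> float:
    """Attacker model from the thread: a word followed by ONE digit repeated 1..max_run times.
    dictionary_size > 0 means the word comes from a wordlist instead of 26**word_len."""
    word_choices = dictionary_size or LOWER ** word_len
    return math.log2(word_choices) + math.log2(DIGITS) + math.log2(max_run)

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}  # constructed, typical swap table

def leet_bits_gained(base: str, rules: dict = LEET) -> float:
    """When the attacker knows the swap rule, each substitutable letter is a yes/no choice:
    2**k variants for k eligible positions, i.e. at most one bit per position."""
    return float(sum(1 for c in base if c in rules))

def added_char_bits(alphabet_size: int) -> float:
    """Entropy gained by appending one uniformly random character from that alphabet."""
    return math.log2(alphabet_size)

if __name__ == "__main__":
    print(f'naive "foobar"              : {naive_bits("foobar"):5.1f} bits')
    print(f'naive "foobar333333333333"  : {naive_bits("foobar333333333333"):5.1f} bits')
    print(f'random 6-letter word + repeated digit : {word_plus_digit_run_bits(6):5.1f} bits')
    print(f'100k-word dictionary + repeated digit : {word_plus_digit_run_bits(6, dictionary_size=100_000):5.1f} bits')
    print(f'naive gain password -> p4ssw0rd      : {naive_bits("p4ssw0rd") - naive_bits("password"):4.1f} bits')
    print(f'rule-aware gain password -> p4ssw0rd : at most {leet_bits_gained("password"):.0f} bits')
    for name, n in (("digit", DIGITS), ("capital", UPPER), ("symbol", SYMBOLS)):
        print(f'appending a random {name}: +{added_char_bits(n):.2f} bits')
```

The gap between the naive figure (about 93 bits) and the pattern-aware one (about 36 bits, or 24 with a wordlist) is the "there is theory and there is what attackers actually do" point in numbers.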