Why it's ridiculously dumb having a 100% random password

Topic: Why it's ridiculously dumb having a 100% random password (Read 8114 times) previous topic - next topic

0 Members and 3 Guests are viewing this topic.

Why it's ridiculously dumb having a 100% random password

20 October 2022, 17:51:31

So to prove my point i've used 12 letters (a-l) only low cap and only 12 for the ease of crunching numbers and we need to create a password only from 3 letters, same for simplicity.

Total number of possible arrangements with repetition are as follow:

12^3 = 1728   (12 total elements and 3 the length of the pass) see print screen.

Total variants can be ordered by their backbone pattern. This patterns form in respect with an arbitrarily chosen shape. So i've split those 12 (a-l) letters in 3 fields, first abcd second efgh and third ijkl so we'll have 4|4|4

Now having this we can deduce all backbone patterns that can derive from this. This is being called variant dispersion as follow:

4|4|4
   ---------
1    0|0|3
2    0|1|2
3    0|2|1
4    0|3|0
5    1|0|2
6    1|1|1
7    1|2|0
8    2|0|1
9    2|1|0
10   3|0|0
-----------------------
1728

Now to see which one of these patterns has the most combination we have to count how many variant for each pattern we have and after somewhat tedious work i've determined, see prnt screen

Now can be seen each pattern how many variants has behind it. The most numerous is by far that at nr (6) with 384 variants that can be formed in respect with its pattern.

Now imagine we're gonna use some random password generator to give us a random ' fairy tale supersecure password' out of the above example. Now you can see even if we have the chance to generate a password from the better pattern (111) that has a high probability of 1 in 4.5 cases to occur we more likely not going to have that kind of password and here's why.

Those 384 variants are not enough (probabilistic speaking) compared with the rest till 1728 meaning 1728-384=1344 and 1728/1344 gives roughly 1 in 1.28 cases which means has higher chances of occurrence than 1 in 4.5 therefor it means our "fairy tale supersecure password' belongs to a weaker than 111 pattern.

Also if we count those 3 one of the weakest patterns 003; 030 and 300 we have 1728/192 meaning 1 in 9 chances to have a pretty weak pass that can be broken in milliseconds.

So my proposal is that we need to calculate previously depending on the length and how many chars we use (so call search space depth) the backbone pattern in this case best would be 111 and generate exclusively those kind of passwords. For better hiding the pattern itself we can use either 111 or one of those 012 but never something like 003 or its variants.

Think i've nailed this time

See this better pass generator that respects everything we've talked above https://forum.artixlinux.org/index.php/topic,4320.msg28354.html#msg28354

Re: Why it's ridiculously dumb having a 100% random password

Reply #1 – 08 December 2022, 10:14:42

Quote from: Surf3r – on 20 October 2022, 17:51:31

So to prove my point i've used 12 letters (a-l) only low cap and only 12 for the ease of crunching numbers and we need to create a password only from 3 letters, same for simplicity.

3^12=531441

Re: Why it's ridiculously dumb having a 100% random password

Reply #2 – 08 December 2022, 12:05:38

That would be the case if pass length would be 12 but only 3 different chars. And yeah instead of adding a different char to the mix is always better to choose a longer pass.

So assuming we have a hacker with some good math level on board if he wanna crack passwords it would take each of those 10 possible patterns and would generate specific combinations for each. Instead of putting a huge supercomputer to go thru all those combinations it can just seek first thru those weaker patterns since we assume the victim generate his password via random generator.

A supercomputer can split it's processing power into 10, each generating like i said pattern specific variants. In general it's considered enough generating/searching only half of those variants to find the key.

We must stop suggesting people generate random passwords and use target randomness. Purely random passwords can make users vulnerable to this kind of attacks

Now there's also a need to determine what's the better arbitrary split. Above i showed splitting in 3 but that's not necessarily the best. I have a guess the best would be splitting into chunks of 7, 8 or 10 chars out of 94 total for example. When numbers go up things start to become a nightmare.

Re: Why it's ridiculously dumb having a 100% random password

Reply #3 – 10 December 2022, 11:04:19

Quote from: Surf3r – on 08 December 2022, 12:05:38

So assuming we have a hacker with some good math level on board if he wanna crack passwords it would take each of those 10 possible patterns and would generate specific combinations for each. Instead of putting a huge supercomputer to go thru all those combinations it can just seek first thru those weaker patterns since we assume the victim generate his password via random generator.

It is not that simple. See countermeasures .
While l letter frequency is fairly well researched and lists of known passwords are not necessarily short, I make it even simpler.

He gets from me not only the source code but also the output of it.
I can even print out the result and hang it on the wall next to the screen.

Code: [Select]

for ((i=1; i<=13; i++)); do echo -n "$i: " && cat /dev/urandom | tr -cd '[:print:]' | fold -w 39 | sed -e 's/.\{3\}/& /g' | head -n 1 && echo; done

No, my friend, it's not as easy as you suggest here, because the talented hacker doesn't even know what my real user name is.

Re: Why it's ridiculously dumb having a 100% random password

Reply #4 – 10 December 2022, 12:31:11

Not so fast

cos we can count/determine how much bits of entropy a string has. If it uses 63 unique elements the higher the Entropy. Also bigger space depth (total chars to choose from) results increased Entropy. And guess what the higher entropy the harder it can be guessed.

A 63 long string from a 94 space depth has to have around 412 bits of entropy see here math formula

A password generated exclusively via random generator (without targeting one of the best patterns and couple of other requirements) will have about 380, 370 or even lower 360 350 bits of entropy

A password generated via 'my standards' ensure 412 bits each and every time. It simply ensures your password belongs to the biggest pile of variants and with the highest possible entropy.

This kind of string would take billion years to be cracked with clusters of super computers, the numbers are really astronomical.

Now i don't wanna give the lame idea a random password 63 long is easy to crack, no, but it's significantly easier to crack compared to 'my standard' described in detail.

Re: Why it's ridiculously dumb having a 100% random password

Reply #5 – 10 December 2022, 18:01:41

Quote from: Surf3r – on 10 December 2022, 12:31:11

Now i don't wanna give the lame idea a random password 63 long is easy to crack, ....

But the thread title says something different.

My example clearly shows that he doesn't need a supercomputer, he just has to start typing.
To login, he needs not only the right string for the password but also the right string for the user name.
He has to try ALL strings (unlike you claim).

The chance that he will find two correct strings at the first attempt is, in my opinion, impossible.
Further attempts, both remotely and directly on the machine, will also be unsuccessful.

The calculation is quite simple.
I don't have to do anything more than restrict the number of login attempts, e.g. after 2 failed attempts, I have to force him to take a 4-hour break.

Assuming he doesn't need a new keyboard and the hardware won't crumble to dust and he himself does not die of old age while typing, when would he be done?

Theoretically, mankind can build intergalactic starships, but what about in reality?

Re: Why it's ridiculously dumb having a 100% random password

Reply #6 – 12 December 2022, 10:07:20

Username can be discovered thru social engineering. Some leaked/hacked password database can be in the hashed password form, meaning the hacker has only the hash needed to login but not the password that gave that particular hash. So he has all the time he wants to crack those real strings. Then he can use a split whatever he wants (in 2/3/4/5/etc) in order to break them down as much as possible, then use for each pattern powerful gpu's, 10/20/100, whatever he needs depending on the importance of the target.

The secret is to get as many patterns possible (in the above example it's split in 3, but he can split in such a way to have many more patterns not only 10 but 100 or 500 etc and the number for each will go down and it will become more digestible for the gpu's )

The time is compressed as you don't check 1 variant at a time but 500 or 1000 (the number of patterns) multiplied by the gpu tries/second

So if your split gives let's say 1000 patterns you can use 1000 gpu's targeting first those less numerous patterns. Then when finish with those weaker patterns you gonna target gradually those more numerous

This i would call parallel-brute-force because you are not counting like this 1,2,3...n^k but (1-1000)*gpu, (1001-2000)gpu, (2001-3000)gpu.... # where gpu means gpu tries/second.

To make a comparison instead of letting one guy counting till 7 billion (that would take 1 mil year) you put 7 billion count one and that will literally take 1 second. Of course i overly exaggerated things to describe what parallel-brute-force would mean.

So to summarize we need to kinda stop recommending random passwords unless are long enough (63 -64chars). A 15-20 long random password think is a highly qualified hacker's dream.

> But the thread title says something different.
Yep mathematically speaking is dumb because not everybody choose 63 long passwords but random only about 20 long and even if it's 63 long making it 100% random it's not a bright idea having in mind you choose that long pass in order to keep something pretty important, safe. So depending on the point of view can be or not that dumb. If you wanna protect 1000 bitcoin is dumb, if you login to facebook is ok

Re: Why it's ridiculously dumb having a 100% random password

Reply #7 – 17 December 2022, 02:27:51

There's also a trick forgot to tell about.

So for the best results if you have let's say 95 chars to choose from but you need your password to be just 20 long you have to get rid of 95-20=75, with targeted randomness.

So let's say your split is in 5 chunks => 95/5=19

so we will have 19|19|19|19|19

To establish the best pattern for your 20 long pass you need to remove 75 numbers out of 95 and so we need to subtract from each
those 19|19|19|19|19   =>   75/5=15 and therefor 19-15=4 so the best backbone pattern following this split will be 4|4|4|4|4
meaning from each of those 19|19|19|19|19 will 'remove' at random 15 and will get 4|4|4|4|4

We have to calculate it that way when we don't split even but for example like 17|19|25|16|18
And here we can't use an even 4|4|4|4|4 pattern but will get 2|4|10|1|3   (after subtracting 15 from each of those)

That can happen for example when we group symbols numbers letters or other special chars so we know the needed share of each in our string.

Another reason for that is to hide our split making it even harder to crack/guess or parallel-brute-force.

Enjoy

Re: Why it's ridiculously dumb having a 100% random password

Reply #8 – 17 December 2022, 14:28:15

Quote from: Surf3r – on 17 December 2022, 02:27:51

There's also a trick forgot to tell about.

Because you obviously didn't understand my posts, I have a little task for you.

You have to do nothing more than create 4 posts with 8 characters of your choice here in the thread in 3 minutes.
That is the same as entering your username and password when you log in twice.

The time is running.

Re: Why it's ridiculously dumb having a 100% random password

Reply #9 – 17 December 2022, 15:14:16

I give up i don't get it what that suppose to mean

If I write 8 chars in 4 different posts in 3 minutes what's with that? You can decrypt traffic or what's all about?

If you know something that we don't know would be nice to open a new topic so everybody can follow what you try to show.

I mean it's hard for me to know what you understand from my topic and to link your point with what's being said in this topic.

Here i'm trying to show how we can create super strong strings so can't be broken not different hacks or bugs that can be speculated.

Math tricks not hack tricks

Re: Why it's ridiculously dumb having a 100% random password

Reply #10 – 17 December 2022, 20:12:32

Most of this is over my head.
And sorry if you've already done so but can you link to some research showing a completely random password has the weakness you claim?

What you seem to be saying is we have to reject certain pattens because they are weak and only use the patterns that are stronger?
But if an adversary knew this approach was being used have you not just dramatically reduced the number of patterns to check in a brute force attack ?

I'm due to retire my password.
P4ssw0rd!

Served me well. I use it everywhere.
I'm considering
P4ssw0rd!P4ssw0rd!
That's not completely random so probably a good one ?

Re: Why it's ridiculously dumb having a 100% random password

Reply #11 – 17 December 2022, 22:19:46

It's weaker cos when you generate it via randomness solely and not targeting the bigger pile from the start you'll gonna end more likely with a weaker backbone pattern and more than that with many chars repeating lowering entropy.

But if you impose high standards, meaning choose a pattern with bigger number of possible variants, and choose char repetition at a minimum like only 1 or 2 repetitions (but best would be 0/no repetitions) so something like this 1122333355505000 will never have the chance to be your pass.

The way i wrote it is more obvious but writing it like 501350235020153 even if looks better it's not cos it has same 5 elements that repeat in the same amounts.

We can not appreciate visually a string if it's good or bad so we need to know exactly how many unique elements we use and how well we mix them in order to be hard to be guessed.

Assuming a random pass 14 chars long can be broken in 1 year it's enough to have a 6 times better dodged 14 char long pass to make any hacker get bored and eventually rage quit..

You can verify yourself generating 3 letter pass out of the 12 letters a-l (see above example in the first post) generate 10 or 20 random passwords and check their patterns you'll gonna see the bigger one 1|1|1 is gonna show less frequent than the others even if it has the bigger amount of variants but the others combined have more. Their downside though is that heir separate variant number is 2 times smaller 384/192=2 or even 6x 384/64=6

So if a clever hacker throws on each of those specific patterns some serious gpu's, guess what, those weaker patterns gonna start producing hits for the hacker and eventually 'easy' money. But the LAST STAND PATTERN will fall last if at all so that's why we need to use the best backbone for a password.

Now the example above has only 12 (a-l) chars for understanding/visualize the principle but once more chars and length are added to the mix you'll definitely want to have that LAST STAND PATTERN 1|1|1 any other being 2x or 6x weaker that hacker cluster gpu's would love to see.

Random passwords are insecure when you try protect some serious secrets i.e your bitcoin wallet pass with 100 bitcoin

Ow and speaking about crypto, those 12 or 24 words can be choose to respect my 'Golden Standard' 1|1|1 making it bullet proof.

Print screen bellow shows a GRC random generated password with a backbone

21|16|19|7 but best would be 24|18|18|3 an not only that GRC string has too many repeating chars (look in terminal the highlighted row that shows what and how many char repeated)

The chosen split is 32|26|26|10 (32 symbols/26 low caps/26 caps/10 numbers, 0-9) and best back bone would be 24|18|18|3 but you can see GRC produced 21|16|19|7 which sux.. could be 10/100 or more times weaker

Re: Why it's ridiculously dumb having a 100% random password

Reply #12 – 17 December 2022, 23:30:14

Still not making sense to me.

A brute force attack involves trying every possible combination of characters until the correct one is hit.
Given any set of characters and a fixed password length there's a finite number of available passwords.
Disallowing any passwords which have repeated characters is simply reducing the number of available passwords and therefore the number of brute force attempts needed, if the attacker knows of the no repetition rule.

I believe you are wrong.
I'm happy to be proved wrong myself. But again have you got any links to any research which backs up your claim?
If this was a 'thing' I'd expect there to be plenty of info out there. I'd expect my password manager (keepassxc) to disallow repeated characters or have an option to exclude them. Nada.

Re: Why it's ridiculously dumb having a 100% random password

Reply #13 – 18 December 2022, 00:49:50

GRC pass has only 46 unique elements in case you didn't notice mine has 63 or worst case 62 when i allow 1 repetition

If the attacker has the ingredients it has an easier task but if the ingredients are far more numerous than he expects then he will fail

Even if he by some kind of a miracle guesses 61 elements he will never get to the breaking point if he ignores 1 element in his cracking algorithms. While having all those only 46 he can form patterns that more likely will obliterate your string.

Check it out: 32|26|26|10    # Split (32 symbols/26 low caps/26 uppercaps/10 numbers, 0-9)
GRC 21|16|19|7 # Random password    A(32,21)*A(26,16)*A(26,19)*A(10,7)=3,54545759835082233041×10⁷⁶
LSP    24|18|18|3 # Last Stand Pattern    A(32,24)*A(26,18)*A(26,18)*A(10,3)=4,70089690495622425059×10⁷⁷

GRC string has 13.25 times less variants meaning if GRC can be broken in 1 year it will take 13.25 years to break mine

Therefore i can say mathematically mine is at least 13 times better than GRC super dupper pupper fully random string.

But there's a catch you see in the first post that 4|4|4 split with the backbone 1|1|1 if we calculate like previous it would give

A(4,1)*A(4,1)*A(4,1)= only 64 so where's the rest till 384? The answer is that 111 pattern can form arrangements in itself A(3,3)=6 cos the order is important i.e (a e i ) which is 111 but (i e a) is also 111 but differs so we have to count it accordingly

and 6*64=384

And you can see it's kinda hard to calculate so my pattern gives far more than 4,70089690495622425059×10⁷⁷ because its pattern form arrangements on their own

Also GRC's gives more than 3,54545759835082233041×10⁷⁶ but not more than my model.

So the difference that at first was only 3x stronger (the easy example with 3 letters, a-l) in fact is 6x therefor extrapolating a 13x stronger could be in fact 13*3=39x stronger

Anyway you wanna put it is considerable stronger mine than GRC's

I have no other resources to point you to cos everybody says like a broken record, random strings are the golden nugget. No they are not but can put user at risk if it uses shorter passwords like 15-20 maybe 30 purely random. Is ridiculous and not backed by any math logic.

It's even more hilarious seeing those guys trying to capture "whale noise in space" and other stupid things like that

Re: Why it's ridiculously dumb having a 100% random password

Reply #14 – 18 December 2022, 02:28:37

Nah still not making any sense.

It's not Wordle.
No login system etc returns "6 characters present in the string but in the wrong spot. Positions 4 and 12 correct"
It's just login failed or login succeeded.

Of course using a bigger pool of characters results in a a harder to crack password.
But repetition make no difference to the strength of a password. imho.