Why it's ridiculously dumb having a 100% random password

Topic: Why it's ridiculously dumb having a 100% random password (Read 8135 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Re: Why it's ridiculously dumb having a 100% random password

Reply #30 – 22 December 2022, 23:57:29

Lol guys, guess what re-verified the shadow method an it gives accurate numbers. Have to refine it a little bit cos took the wrong numbers for the shadow and need to determine one more little key aspect.

Re: Why it's ridiculously dumb having a 100% random password

Reply #31 – 28 December 2022, 09:50:47

Yep after debunking the fact that a random pass throws shitty patterns lowering considerably the pile you wanna hide your string in, now myth number 2 has to come down like a rotten tooth.

Myth no.2 refers to the question: Is better or worse having multiple chars repeating inside you string? And the answer is, NO is pretty dumb having that kind of password. And the explanation is much more simplistic than anyone might have expected.

The reason is this: repeating chars can't form different variants so i.e an "a,a" it will always have only 1 variant "a,a" but an "a,b" have two "a,b" and "b,a"

Now use your common sense and think what would happen to a longer one , aaaaaaa instead of ackjoch, while the first you can write it only in 1 way the second can be written in 5040 ways and those arrange with the rest of the string amplifying even more this effect.

The aaaaaaa string can form different variants when change their order/position inside a string but when their order isn't changed they simply form only 1 variant degrading and lowering the overall possible variants. See print screen example

While choosing from 94 and let the opportunity of chars repeat inside a 63 (or 40 or 20 long pass) might sound like the better option is NOT, each of those char repeating strings are weaker and weaker depending on how many times and how many chars repeat. The more repetition the weaker the string.

We can only have at the most 1 repetition without degrading the string strength cos i.e A(63,63)=A(63,62) first dived by 0! which is 1 and second divides by 1! which is also 1 but to have the Last Stand Password in full swing, we should have 0 (ZERO repetition) and the second requirement is to respect the 24|18|18|3 pattern meaning choose 24 symbols/18 low cap/18 upper cap/3 numbers (if we talk about 63 long string)

Have a good one, and enjoy

Re: Why it's ridiculously dumb having a 100% random password

Reply #32 – 28 December 2022, 17:32:52

But what about ab, ba, aa, and bb making four possibilities thus double the combinations of not allowing repetition? If the password is unknown it could be any of them. If it is hashed, does that allow anyone to guess one character, validate it, then find the next, but don't they have to guess the whole thing in it's entirety and check the hash to see if it matches? So the more options to choose from, the harder the task is - providing obvious stuff is filtered out that would come up in list based attacks and other ways to target easily remembered stuff, like using all or mostly all the same character, modified words and phrases and so on.
Probability can be non-intuitive though, so I couldn't say for sure. Have you seen the Monty Hall problem? You have three options, one wins the prize. You pick one, then are shown one of the others is not the winner, and allowed to switch your choice. To have the best chance of winning you should switch, because when you made your choice there was a 2 in 3 chance you were wrong, even though out of the two remaining options you might think there was still an even chance, there isn't.

Re: Why it's ridiculously dumb having a 100% random password

Reply #33 – 28 December 2022, 19:33:50

No, those belong to other category meaning, all elements repeat (aa,bb,) so those do not add up cos that is different kind of repetition string. We have to count them toe to toe, mathematically not in bulk.

A string defined by any repetitions stands no chance against any string with no repetitions with the same length. Variants with repetitions are more numerous as a whole (they sum up those with 1/2/3/4 /5/11 etc. but independently they are million/billion of times by case weaker than any non repeating same length string ) but each and every one of those alone has no chance against a non repetition string.

The math is extremely simple. Arrangements with repetition form mirror useless variants

i.e (case 1) A b f g r A has only 1 of that compared to
(case 2) A b f g r B that can also form => B b f g r A and those are already twice as much vs the string with repetition, get it

Now imagine one 'Super Dupper' GRC password with 16 repetition (see relpy 17). That string will simply form a bunch of useless mirror arrangements reducing the sheer number of that kind of string. Because they repeat they will fail form distinct arrangements and will spit a bunch of useless mirror arrangements that do not count.

Also there is one HUGE difference to choose from a total 94 chars 63 different and total fail to choose from 94 only 44 while some char repeating till reach 63 .

And here's why is better to have 63 no rep extracted from a 94 total vs 62 with one rep. Even if toe to toe both strings have as much as the other but A(94,63) will always be bigger than A(94,62)

Arrangements with repetition may look like Hulk (they form a huge sum but only as a whole and NOT separate) but fight like Coyote from Road Runner cartoon

(not even single arr. with rep. have more stamina than a non rep string)

Therefor I can say: Choosing a random password is like trying to get the best while in fact you get the worst vs a non random/non repeating/ 24|18|18|3 string

Simply taking out from 94 chars and choosing arbitrarily using the pattern 24|18|18|3 but without repeating any char will simply be multiple millions to billion times much stronger string than any bullshit random cosmic whale farts caught with Arecibo radio Telescope.

Re: Why it's ridiculously dumb having a 100% random password

Reply #34 – 29 December 2022, 01:37:00

After taking even closer look, all possible patterns with repetitions meaning all the ways you can sum elements to form a 63 long string excluding those that do not repeat (last stand pass, no rep.) are

94^63 ÷A(94,63)= (2,02793848362086089381×10¹²⁴)÷(1,32237321244807078695×10¹¹²)

Arr. with rep are 1,53355986383495911197×10¹² times more numerous as bulk than those that don't rep. but those form in weaker individual rep. patterns (the more rep. the weaker) while non rep. arr. are stand alone massive, billions of times stronger than any individual rep. arr. patterns. They (LSP) only have little competition amongst those with the lowest rep. 1 /2 /3 that progressively becomes weaker and weaker with each rep.

While rep. arr strength lays in those million patterns and very little in its own , non rep arr. strength lays in its own vast/huge amounts of possibilities.

But like I said because of those rep. , unique elements will be 44, 40 or even less by case and combined with those useless mirror arr. we would have a pretty useless string.

Bellow you can see 2 examples: 3 out of 12 and 4 out of 12 the moment numbers goes up, numbers of no rep arr. drop vs the rep. arr. but still any of those broken down patterns have huge less than the LSP (billions of times less)

Now think what if a smart hacker knows or assumes a security focused user generated randomly his 'just' 20 long pass with a bunch of rep. he will more likely have less unique elements and eliminating those no rep arr. can save a lot of time

in hacker job so A(94,20) will fell of the table in just a millisecond instead of an eternity

) Even if still it's hard life for him he has better odds knowing he has to use only 16 / 15 or lower numbers into his jazz.

Re: Why it's ridiculously dumb having a 100% random password

Reply #35 – 29 December 2022, 12:33:34

Quote from: Surf3r – on 29 December 2022, 01:37:00

Now think what if ...

How about proving your assertion not only by constant repetition, but also in practice?

With your well-founded knowledge, it must not be a problem for you to find the appropriate patterns and to post the contents of the linked file here?

Re: Why it's ridiculously dumb having a 100% random password

Reply #36 – 29 December 2022, 13:58:32

I already showed why. If you still in doubt which is perfectly fine. Use a scaled down TEST.

Take that example (a-l) 12 letter total char, 3 char length, then choose 10 passwords, 5 random generated and other 5 that don't have rep. chars at all (my standard)

After that put all those 1728 possible variants ( generate them on your own) shuffle them how much you like then take the final shuffled text file and start searching thru that file with ctr+f for your random vs no rep. strings. The expected result should be that your rep strings you'll find them faster (meaning at the beginning of that text file vs my no rep. strings which more likely will be at the bottom) On shorter scaled examples this proves more easily cos it doesn't produce a shit ton of patterns i.e 63 can form over 1.5 mil patterns used this python code

And that will simply prove that non rep. strings are safer than those that rep.

When scale up to a 63 long string out of 94, the number of each patterns with rep. will asymptotically 'try' to get closer and closer (to the LSP) when the least rep. are present in a string but when those rep. start to grow, their sheer variant numbers start to decline and will eventually reach the worse case scenario pattern where the whole string is made out of only 1 unique element i.e aaaaaaaaa or bbbb or cccccc and so on, being only 94 which basically can be broken in 1 nanosecond.

About

Quote from: lq – on 29 December 2022, 12:33:34

How about proving ..

The knowledge proving imply having some gpu clusters which are expensive and i'm into securing things not breaking but that doesn't mean someone can't use these.

I'm just trying to obliterate as much as I can the inept idea of securing things thru randomness.

Randomness <=> Predictability which ≠ Security. Therefor Security has no common denominator with Randomness

Practice makes perfect that's why i like to repeat

I'm gonna be drawing a sketch so it will be easier to visualize what happens when GRC vs LSP but that next year so i will not exasperate @lq

Re: Why it's ridiculously dumb having a 100% random password

Reply #37 – 30 December 2022, 21:32:30

Quote from: Surf3r – on 29 December 2022, 13:58:32

The knowledge proving imply having some gpu clusters which are expensive and i'm into securing things not breaking but that doesn't mean someone can't use these.

No you test with examples that are easy to crack. As in say only the digits 0-9. Then generate your lists of all the combinations both with and without repetition allowed.

Randomly choose a combination from each list and generate a hash. Store in a file that John the Ripper will recognise as a password file.

Several times randomly shuffle your combinations and feed into John the Ripper as dictionary files attacking your password files.
But separately. You only attack the password with no repetitions with the no repetitions dictionary file. Because an attacker will know that "it's ridiculously dumb having a 100% random password" so will only check non repetitive combinations.

John the Ripper will, in general, crack the non repetitive combinations in far less time.

Quote

I'm just trying to obliterate as much as I can the inept idea of securing things thru randomness.

Sorry I think you're failing

Quote

Randomness <=> Predictability which ≠ Security. Therefor Security has no common denominator with Randomness

That makes no sense to me ?

Re: Why it's ridiculously dumb having a 100% random password

Reply #38 – 31 December 2022, 00:22:00

Quote from: Surf3r – on 19 December 2022, 10:59:29

Yeah lol it's indeed hard to remember one of that. I'm not having that kinda password as my main password cos i will lock myself out

I was just trying to point out that the idea of linking randomness with security is bad marriage.

Many things that suppose to give us confidence about our security (in IT or real life) relies too much on this concept, 'randomness' that eventually some day will "bite us from behind" if not already bit some of us.

I'm stunned though to see so many people and surprisingly not n00bs singing in large choruses and praise randomness.

Hopefully here we've debunked a myth and hopefully will see security experts come back to their senses and re-think the security cos too many things rely on randomness inside our kernels/bitcoin phrases/and what not.

Randomness is just another form of obscurity. Security through obscurity is how locks have been made for generations. Real advancement in security is slow because of it. Security is always the same, whether a lock or a passcode; they only keep honest people out.

Re: Why it's ridiculously dumb having a 100% random password

Reply #39 – 31 December 2022, 11:03:32

> Sorry I think you're failing

Nope a hacker will have more hits knowing users generated their string randomly which throws weaker patterns and a bunch of mirrored useless permutations. This is because your particular randomly gen pattern is billion times weaker than a non rep pattern so yours is more likely to pop up first in hacker's cracking tools than mine. If you think it will not guess your pattern it's wrong cos randomness it's predictable. They will guess your pattern due to probability likelihood and when they search inside that pattern it will be easier to brute-force that instead of a LSP

A random (63 length) gen spits strings in between 39 uniques and at the most around 50 uniques more or less. And so just think how many variants a hacker will simply rule out of its cracking tools. You can't even imagine believe me it's an obscenely vast number. You'll get tired if you write it down, and adding to that no rep. another humongous indecent number you will have your jazzy string behind a precarious weak and more crackable pattern.

> That makes no sense to me

<=> this in mathematics is the sign of equivalence, now try again

Told you if you still not convinced you can add to your string just couple of repetitions 2/3/ maximum 4 anything more than that are simply junk patterns vs LSP

So you better ditch altogether any random generator

@gripped A cure I can think of if you're still umbilically attached/mesmerized with the randomness (dumbnessnes) idea is after you random gen your string, count your repetitions and add as many but different chars as the number of repeating chars.

So if you're having 3 repeating chars add to your string another 3 totally different chars.

> they only keep honest people out. @cat herders of linux

Yeah, I would not rule out that possibility either but eventually denying evidences and realities will make those that embrace this kind of 'philosophy of keeping honest people out' , reach a dark end.

Re: Why it's ridiculously dumb having a 100% random password

Reply #40 – 31 December 2022, 11:29:20

Randumbness

😅

Re: Why it's ridiculously dumb having a 100% random password

Reply #41 – 31 December 2022, 14:25:40

Quote from: Surf3r – on 31 December 2022, 11:03:32

<=> this in mathematics is the sign of equivalence, now try again

I'm talking about the statement not the sign.
Randomness is not equivalent to predictability. It's the exact opposite.

As I've said several times your concept decreases the randomness and increases the predictability. That is not an improvement in security.

Re: Why it's ridiculously dumb having a 100% random password

Reply #42 – 31 December 2022, 18:39:37

When authenticating with a password, the COMPLETE character string is verified and not, as you claim, parts/patterns and certainly not individual characters of the character string.

Quote from: Surf3r – on 17 December 2022, 22:19:46

21|16|19|7 but best would be 24|18|18|3 an not only that GRC string has too many repeating chars (look in terminal the highlighted row that shows what and how many char repeated)

The chosen split is 32|26|26|10 (32 symbols/26 low caps/26 caps/10 numbers, 0-9) and best back bone would be 24|18|18|3 but you can see GRC produced 21|16|19|7 which sux.. could be 10/100 or more times weaker

The usual use case of passwords is that a password is assigned to a single person and that this person keeps the password secret.

Quote from: Surf3r – on 29 December 2022, 13:58:32

Practice makes perfect that's why i like to repeat

Code: [Select]

cat /dev/urandom | tr -cd '[:print:]' | fold -w 95 | sed -e 's/.\{5\}/& /g' | head -n 75

Re: Why it's ridiculously dumb having a 100% random password

Reply #43 – 31 December 2022, 20:55:24

@lq That jazz or voodoo you keep saying doesn't hold any mathematical rationale. Doesn't matter you hide your background radiation noise string of bs in 1 in a 1.5 million drawers if once opened that drawer everything inside can be guessed billion/trillions or/quintilion times easier. You choose millions and lose gillions can't you understand? The fact that a hacker assumes or knows you have no rep password pattern it doesn't mean he has free Burritos for his whole city or endless time at the pedicure lol while keeping a secret your random pattern still that doesn't mean it safer cos it has so few variants that will simply float like a garbage can in the ocean of variants and will be easier for a hacker to pick it up and sip it up like spaghetti 😅

@gripped > Randomness is not equivalent to predictability
It's more predictable than you are prepared to accept. Already addressed that in reply #16 with a lower scale example, I know might be tough news but that's how things works. Numbers do not tell lies.

(Case 1) everything (63 in length) random string is packed in 1.5 mil distinct patterns (mixed arrangements + LSP) each having staggering lower and lower variants depending on the rep count, the more rep the worse, the fewer the better, none, best case scenario LSP

(Case2) non rep. (63 in length), LSP gives a natively best strength only 1 single distinct pattern bigger billion/trillion/gillion times by case than any of the rest within those 1.5 mil distinct pattern . If anyone needs to hide something then is better to blend it inside the bigger pile and the bigger pile is no other than a non rep. pattern A(63,63) stand alone and a A(94,63) from where those are extracted from.

Don't shoot the 'Magellan' of passwords 😅. Is not anyone fault i'm right and the GRC guy is wrong. It isn't that hard to understand even without doing any calculations but once you do you simply can't deny numbers.

Re: Why it's ridiculously dumb having a 100% random password

Reply #44 – 31 December 2022, 22:24:40

#16

Quote

There' a poor understanding of what random term really means.

There sure is. By you.

By all means you can claim that any particular method of generating random numbers is flawed. That the results produced are not in fact entirely random and are to some extent, or possibly entirely, predictable. Of course you'd be expected to show some proof if you wanted to be taken seriously.

But when you claim

Quote

Randomness <=> Predictability

you lose, in my eyes at least, any hint of credibility on the topic in question.

But as always I accept that there's the possibility that I (and most of humanity) completely fail to recognise that in fact true randomness <=> predictability.
And that you alone, through your maths genius, have discovered the predicability of true randomness.
So just in case I again suggest you go to some security / cryptography discussion boards and let them all know of the flaw you have discovered. I imagine they'd be the people to be able to fix this claimed house of cards of security based on randomness. I'd go as far as to say it's your duty and responsibility as a decent human being. And think of the plaudits and recognition. Not to mention money and Time magazine covers etc.

Quote

Numbers do not tell lies.

Numbers are just numbers. Both your methodology and theory behind it are massively flawed imho. So the numbers you present prove nothing except seemingly to yourself. You keep talking about pattens as though an attacker receives useful information back from each brute force attempt allowing them to refine their attack and home in on the dumbass repetitive password. It simply doesn't work like that. 'Failed or 'Succeeded', that is all. Yet you haven't addressed this afaict ?

It's reminding me of the saying along the lines of "If you meet a couple of idiots in a day you've met a couple of idiots. If everyone you met in a day is an idiot you are the idiot."
You're pretty much saying that the entirety of cryptography / security professionals are idiots because they haven't figured out that Randomness <=> Predictability and are putting us all at increased risk.