Why it's ridiculously dumb having a 100% random password

Topic: Why it's ridiculously dumb having a 100% random password (Read 8105 times) previous topic - next topic

0 Members and 11 Guests are viewing this topic.

Re: Why it's ridiculously dumb having a 100% random password

Reply #75 – 17 January 2023, 21:43:43

Quote from: Lancia – on 17 January 2023, 20:59:41

I wouldn't exactly recommend setting your useragent to windows if you're using Linux.

I don't recommend it but do do it.

Quote

Any competent tracking system will figure out you're using X11/wayland

How exactly?
It's not perfect. I do not delude myself I'm untrackable. There are many elements to reducing the fingerprint.
It helps to part of a bigger shoal of fish. One small bit of the defense.

My browser lies about useragent, canvas, fonts etc, etc. Third party javascript is blocked except where I allow it.
The web as it appears to me is, for most sites, nothing like the designer of the page intended. Broken by (my) design.
I'll keep my windows useragent and semi functional webpages

Re: Why it's ridiculously dumb having a 100% random password

Reply #76 – 19 January 2023, 07:36:30

Quote from: Surf3r – on 14 January 2023, 10:21:50

... let's join together and mock and ridicule this METEOROLOGISTS that try to pass as Navy SEAL or SWAT or USAF.

Returning briefly

to the topic discussed here. I wanna make it clear I'm not mocking/ridicule people/users who don't know yet that generating their pass randomly they gonna be PROBABLE SECURE but yet with an uncomfortable chance of being PROBABLE INSECURE. Their security will be not more comfortable than Schrodinger's Cat if that can be called comfortable.

I'm just trying to lit a wake up call in those security experts/cryptographers minds to stop promoting randomness and shill it as security.

Our security should not be at fortune's will. If we have a bad day that's not a reason to have a bad password that more likely will cause even more bad days.

Re: Why it's ridiculously dumb having a 100% random password

Reply #77 – 19 January 2023, 18:50:10

Have you thought for a second that while Artix is a security and simplicity-focused distro, it isn't full OpenBSD level cryptography vault level and we aren't even in the right distro (or even unix variation) category for this discussion here whatsoever.

You've explained a lot of theory, but without applying it to something you're just wasting your time.

Study the code of Haveged, rng-tools and create your own entropy generator, or even try to port xBSD's Fortuna to linux, with application of the priciples described by you, and then we can effectively say we're onto something here.

Re: Why it's ridiculously dumb having a 100% random password

Reply #78 – 19 January 2023, 20:50:33

Yeah you have all the right to consider this matter how you feel or know is safe. But because you mentioned Entropy that's only about how long from how many but you see I personally want things to be that simple but unfortunately are not quite like that. There's not only about how long (S) from how many (T) but also how many of this and how many of that. It's like a recipe. If we put too much water into a soup will be tasteless if we put too little were not gonna have a soup but a gravy etc.

Even if it sounds ground breaking I'm pretty sure that the guys/devs could fix this in a matter of couple of months and I even theorize that eventually were gonna gain some performance boost if this method is widely accepted.

My 'standard' if I can call it that way is assuring we will never have a lower than a certain threshold security strength and that threshold will simply rule out any possibility of an easy way out for a hacker.

I'm thinking for example about a server that is almost always up and so a hacker has all the time to simply guess what's happening inside kernel/memory and so on. Having a random based security it means he can just try those couple of low guard variants and he can either buffer overflow or exploit or send crafted packets or try other vulnerability that derive from those low guard (guessable ) variants.

What's the first string a cracking tool tries? 1234567 etc It's going from easy to hard. Well my method enforces to start from hard cos if they start from easy they will have ZERO hits. Even if we are talking about memory pointers passwords kernel randomness etc

'No Easy Way Out' that's what we need when kernel allocates memory to processes, pids or whatever is been doing randomness wise.

> Study the code of Haveged, rng-tools and create your own entropy generator, or even try to port..

@Hitman that's a super cool idea, I'll be looking into it but my coding skills are not matching my expertise in probabilities, however I'll be
trying. And thank you very much for your suggestion it's greatly appreciated 👍 😉

Re: Why it's ridiculously dumb having a 100% random password

Reply #79 – 19 January 2023, 21:39:57

Quote from: Surf3r – on 19 January 2023, 20:50:33

What's the first string a cracking tool tries? 1234567 etc It's going from easy to hard. Well my method enforces to start from hard cos if they start from easy they will have ZERO hits.

1234567 therefore becomes the best password under your system as you'll be checking it last

Re: Why it's ridiculously dumb having a 100% random password

Reply #80 – 20 January 2023, 00:52:27

Yeah I'll be checking that last but not because it looks very familiar but because it belongs to the no rep. B. 11111..etc so I wouldn't
mess around with that B, no sir thank you very much 🫣

If I would be a cracker I think I would crack some indecently complicated strings for the eye of a normal user those with a lot of
repetitions and i mean a lot 🍟. Every cracking tool tries easy cakes first and when the brick wall of gillion variants starts all hacky
wacky gonna rage quit and hide under their beds..😹

But to see how fun math can be when the S=T one of the weakest B is that with no rep. but again if and only if S=T.

Numbers are incredible slippery, one wrong move and it gonna cheat on you 😵

Next time I'm gonna be showing how weaker and weaker the strength of a password becomes while is being brute forced. But I wouldn't call it brute force but brute-guess-force. And yeah brute-guess-force indeed may pose a threat.

Re: Why it's ridiculously dumb having a 100% random password

Reply #81 – 21 January 2023, 05:00:12

Quote from: Surf3r – on 20 January 2023, 00:52:27

Next time I'm gonna be showing how weaker and weaker the strength of a password becomes while is being brute forced. But I wouldn't call it brute force but brute-guess-force. And yeah brute-guess-force indeed may pose a threat.

Show me,

you don't have to do anything more than post the content [Reply #35] of you-may-begin.gpg.zip here.

Re: Why it's ridiculously dumb having a 100% random password

Reply #82 – 24 January 2023, 20:05:22

Took this dumbness generator. Generated couple of randumb pwds

Choose from a T=94 a short S=8 (the minimum requirement found often on websites)

Calculation shows that in this case repeating even only one char you basically dump 73% of the total possible variants and blend only
inside a more crackable minuscule ~15% pile, the other even worse variants COMBINED have around 12% . But because 12+15=27%
users will have a huge 'chance' 27% of having a pretty low quality pwd.

This is because, when we speak about a short S (string) and when we have a generous T (total chars) the difference between rep
pile size vs no rep pile size is humongous.

Highlighted in blue random string belongs to a 15% only pile. The other strings are ok. This is a classic example of how TO NOT generate a pwd.

If you take any other randumb generators all they fall in the same pit of mathematical lack of common sense.

This is one of probably many examples when indeed even talented programmers are in the woods when they are not backed by some pretty basic math.

I'll come back with that promise showing next hopefully how strength of a pwd degrades while blasted with guess-force. And why brute force is bs. Stay tuned ☮

Re: Why it's ridiculously dumb having a 100% random password

Reply #83 – 26 January 2023, 19:24:30

Quote from: Surf3r – on 24 January 2023, 20:05:22

I'll come back with that promise showing next hopefully how strength of a pwd degrades while blasted with guess-force. And why brute force is bs. Stay tuned ☮

lol,

Code: [Select]

(95^1) + (95^2) + (95^3) + (95^4) + (95^5) + (95^6) + (95^7) + (95^8) + (95^9) + (95^10) + (95^11) + (95^12) + (95^13) + (95^14) + (95^15) + (95^16) + (95^17) + (95^18) + (95^19) + (95^20) + (95^21) + (95^22) + (95^23) + (95^24) + (95^25) + (95^26) + (95^27) + (95^28) + (95^29) + (95^30) + (95^31) + (95^32) + (95^33) + (95^34) + (95^35) + (95^36) + (95^37) + (95^38) + (95^39) + (95^40) + (95^41) + (95^42) + (95^43) + (95^44) + (95^45) + (95^46) + (95^47) + (95^48) + (95^49) + (95^50) + (95^51) + (95^52) + (95^53) + (95^54) + (95^55) + (95^56) + (95^57) + (95^58) + (95^59) + (95^60) + (95^61) + (95^62) + (95^63) + (95^64) + (95^65) + (95^66) + (95^67) + (95^68) + (95^69) + (95^70) + (95^71) + (95^72) + (95^73) + (95^74) + (95^75) + (95^76) + (95^77) + (95^78) + (95^79) + (95^80) + (95^81) + (95^82) + (95^83) + (95^84) + (95^85) + (95^86) + (95^87) + (95^88) + (95^89) + (95^90) + (95^91) + (95^92) + (95^93) + (95^94) + (95^95) = ?

If you are not able to post the content of you-may-begin.gpg.zip here, you don't need to come back.

Re: Why it's ridiculously dumb having a 100% random password

Reply #84 – 26 January 2023, 21:49:07

@lq yeah length is important. However guess-brute-forcing it with some cluster of supercomputer, well there's chance @lq will be sad 😭.
Switch to standards described above ✅ and your chance of being sad will even more diminish .

Skipping to the serious jazz, had some more fun. In case some still have appetite to GRC their pwds.

Webpage GRC

If anyone see any errors or have any question, of course feel free to jump into discussion.

PS: still didn't had enough time for the promise but it will come no worries. 😎 ☮️

Re: Why it's ridiculously dumb having a 100% random password

Reply #85 – 30 January 2023, 17:31:57

   Ok, i'm back. Why brute force is not as good as guess-brute-force.

   This is the general formula

   where

   Pcrack% - cracking probability, percentage
T    - total possible variants (here we already saw we simply can't blend our string inside n^k because that big pie
we all want breaks down in smaller chunks so no matter what we want we're gonna be inside a smaller pile
   t    - target string number (in general we have 1 string so t=1)
n    - number of guesses

The above formula is generic and doesn't take into account we successively try guessing even if we took n (number of guesses)
into some consideration but not all.
To catch this aspect rigorously into our formula we will have to multiply the odds exponentially ^n because a probability X to happen
twice in a row has to be multiplied (i.e to roll 6 with a dice successively we would have (1/6)^2 which approx is 2.7%, to roll 3 times in a
row we will have (1/6)^3 which is ~0.46% very low probability)
So we saw probabilities somehow can be linked together and the more n's we try the higher the probability to crack a pwd. So
our formula will look more accurate like this

Tu - Total unfavorable variants or Tu = T-t (despite being almost equal with T, once things get exponentially multiplied that small
difference will eventually start taking a huge toll. The more n (guesses) the higher the cracking probability

This formula is valid IF AND ONLY IF we try to guess our target string but becomes inaccurate in case we
programmatically/methodically search for the target string. That's because when you go outside random events you can't expect
probabilistic laws to work the same.

Another draw back of brute-force vs guess-force is that the first need to keep a record of what has been checked or what still needs
to be checked while guess-force is much FASTER and needs only checking if the current guessed string matches the target hash.

In conclusion we saw the exact odds percentage of having our string cracked and why brute force is dumb vs guess-force.

One of the fastest Supercomputers can check with a rate of 10¹⁴/second (100 petaFLOPS).
If we multiply that by 31.536.000 (seconds in 1 year) in ten years we could check about 3,1536×10²² and that means we mapped
every possible variants of a 11 char long string or everything equivalent.

If we could keep both factors into account, keeping track what's being checked and randomly blasting in our search for the target
string, our cracking odds will improve even more. Cos n (guesses) will appear once more in our formula.

Feel free to ask or correct any errors. Things were pretty much verified and reviewed at this stage but who knows 🧐

Enjoy

Re: Why it's ridiculously dumb having a 100% random password

Reply #86 – 03 February 2023, 19:21:37

Quote from: Hitman – on 19 January 2023, 18:50:10

Study the code of Haveged, rng-tools and create your own entropy generator, or even try to port xBSD's Fortuna to linux, with application of the priciples described by you, and then we can effectively say we're onto something here.

Yeah, just looked over github to see that Haveged project. The main dev idk exactly who he is (in the sense of his mathematical
background) but his project from what I read it based on the same OBSOLETE principle, HARVESTING entropy and
RANDOMNESS to the moon and back.

Entropy (or bits of entropy) are just insufficient indicators of a string strength. And what I've extensively demonstrated is that uniqueness
alone is not the pinnacle of security nor randomness that erroneously is paired with a 'BETTER'' entropy. Entropy (random
generated or not) doesn't tell the full story.

If I would request or issue a bug to the Haveged project I would literally demolish the whole project cos this would not fit into what we know
to be a hard fork it's a totally different 'planet'

Haveged project might be good from the implementation/quality of code point of view but from mathematical point of view is flawed.

About a generator, yeah I'm on it 🫡

Re: Why it's ridiculously dumb having a 100% random password

Reply #87 – 04 February 2023, 07:45:28

Quote from: Surf3r – on 03 February 2023, 19:21:37

If I would request or issue a bug to the Haveged project I would literally demolish the whole project cos this would not fit into what we know
to be a hard fork it's a totally different 'planet'

Haveged project might be good from the implementation/quality of code point of view but from mathematical point of view is flawed.

If I were a forum admin I would lock the thread, ban the TO and make sure that he would have no chance to come back for the next 10,000 years.

Re: Why it's ridiculously dumb having a 100% random password

Reply #88 – 04 February 2023, 17:00:10

Quote from: Surf3r – on 03 February 2023, 19:21:37

If I would request or issue a bug to the Haveged project I would literally demolish the whole project cos this would not fit into what we know
to be a hard fork it's a totally different 'planet'

Haveged project might be good from the implementation/quality of code point of view but from mathematical point of view is flawed.

Why haven't you then ?
When you say "totally different planet" I'd agree but in a very different sense.

Re: Why it's ridiculously dumb having a 100% random password

Reply #89 – 05 February 2023, 00:20:46

@gripped Shuf or random commands are good enough to produce parts of the string if we talk about a pwd or a 40 bits of Entropy required by a hardened kernel. The thing is we need after generating those in a random fashion to tailor them to fit the mathematical principles in order to have really hard to guess strings. The way we have them today shows a lack of understanding basic math and more precisely in the combinatorics field.

I don't think we have to be on different planets but definitely a huge amount of people must wake up from the randomness safe heavens mirage and land on the math planet and not swimming on the coding for the sake of coding planet. People started to code to make life easier not harder.

The problem is not even that complex, I would call it mixed arrangements cos there are some elements that repeat some don't so those can't be counted exclusively by these two formulas A(n,k) or n^k n and each string has its own way of being accurately calculated.

The fact that we got used to think how random things 'cook dinner and make our beds in the morning' is not my fault but those who engaged in such baseless or insufficiently math backed statements. But I would ask anyone who's still in doubt, would you rather choose random standard and have 1/10k 'chance' to plane crash or choose my standard and have 1/1trillion. In real life we can't avoid some inevitable bad lucks but in digital world these accidents can be completely ruled out but there's a catch.
We can rule out those weak (low guard how I like them to call) vulnerable to guessing strings but if by some miracle a hacker ( @lq got triggered) is so lucky that can guess even those longer strings what can I say, lucky him...or good luck 🍀 with that.

No matter if Gripped gets gripped again or lq doesn't have an iq or me being the Big Foot, Yeti or a green little martian with a peanut brain, things are the way I've presented no matter if we like it or not and can be debunked only thru MATHEMATICAL means not thru swears jokes, curses, voodoo, referendum, coin flips, raffles or sending anybody on Mars or other even more exotic planets or places.

Any jokes etc etc will count as a loss. If anyone has some real math balls of steel please step forward and start debunking (good luck with that too)

And like always, enjoy