So to prove my point i've used 12 letters (a-l) only low cap and only 12 for the ease of crunching numbers and we need to create a password only from 3 letters, same for simplicity.
Total number of possible arrangements with repetition are as follow:
12^3 = 1728 (12 total elements and 3 the length of the pass) see print screen.
Total variants can be ordered by their backbone pattern. This patterns form in respect with an arbitrarily chosen shape. So i've split those 12 (a-l) letters in 3 fields, first abcd second efgh and third ijkl so we'll have 4|4|4
Now having this we can deduce all backbone patterns that can derive from this. This is being called variant dispersion as follow:
4|4|4
---------
1 0|0|3
2 0|1|2
3 0|2|1
4 0|3|0
5 1|0|2
6 1|1|1
7 1|2|0
8 2|0|1
9 2|1|0
10 3|0|0
-----------------------
1728
Now to see which one of these patterns has the most combination we have to count how many variant for each pattern we have and after somewhat tedious work i've determined, see prnt screen
(https://i.postimg.cc/Wb6GJkX1/Screenshot-2022-10-20-17-33-16.png)
Now can be seen each pattern how many variants has behind it. The most numerous is by far that at nr (6) with 384 variants that can be formed in respect with its pattern.
Now imagine we're gonna use some random password generator to give us a random ' fairy tale supersecure password' out of the above example. Now you can see even if we have the chance to generate a password from the better pattern (111) that has a high probability of 1 in 4.5 cases to occur we more likely not going to have that kind of password and here's why.
Those 384 variants are not enough (probabilistic speaking) compared with the rest till 1728 meaning 1728-384=1344 and 1728/1344 gives roughly 1 in 1.28 cases which means has higher chances of occurrence than 1 in 4.5 therefor it means our "fairy tale supersecure password' belongs to a weaker than 111 pattern.
Also if we count those 3 one of the weakest patterns 003; 030 and 300 we have 1728/192 meaning 1 in 9 chances to have a pretty weak pass that can be broken in milliseconds.
So my proposal is that we need to calculate previously depending on the length and how many chars we use (so call search space depth) the backbone pattern in this case best would be 111 and generate exclusively those kind of passwords. For better hiding the pattern itself we can use either 111 or one of those 012 but never something like 003 or its variants.
Think i've nailed this time
See this better pass generator that respects everything we've talked above https://forum.artixlinux.org/index.php/topic,4320.msg28354.html#msg28354 (http://pass gen)
That would be the case if pass length would be 12 but only 3 different chars. And yeah instead of adding a different char to the mix is always better to choose a longer pass.
So assuming we have a hacker with some good math level on board if he wanna crack passwords it would take each of those 10 possible patterns and would generate specific combinations for each. Instead of putting a huge supercomputer to go thru all those combinations it can just seek first thru those weaker patterns since we assume the victim generate his password via random generator.
A supercomputer can split it's processing power into 10, each generating like i said pattern specific variants. In general it's considered enough generating/searching only half of those variants to find the key.
We must stop suggesting people generate random passwords and use target randomness. Purely random passwords can make users vulnerable to this kind of attacks
Now there's also a need to determine what's the better arbitrary split. Above i showed splitting in 3 but that's not necessarily the best. I have a guess the best would be splitting into chunks of 7, 8 or 10 chars out of 94 total for example. When numbers go up things start to become a nightmare.
It is not that simple. See countermeasures (https://wiki.archlinux.org/title/Security).
While l letter frequency (https://en.wikipedia.org/wiki/Letter_frequency) is fairly well researched and lists of known passwords (https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm) are not necessarily short, I make it even simpler.
He gets from me not only the source code but also the output of it.
I can even print out the result and hang it on the wall next to the screen.
for ((i=1; i<=13; i++)); do echo -n "$i: " && cat /dev/urandom | tr -cd '[:print:]' | fold -w 39 | sed -e 's/.\{3\}/& /g' | head -n 1 && echo; doneNo, my friend, it's not as easy as you suggest here, because the talented hacker doesn't even know what my real user name is.
Not so fast ;) cos we can count/determine how much bits of entropy a string has. If it uses 63 unique elements the higher the Entropy. Also bigger space depth (total chars to choose from) results increased Entropy. And guess what the higher entropy the harder it can be guessed.
A 63 long string from a 94 space depth has to have around 412 bits of entropy see here math formula (https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)
A password generated exclusively via random generator (without targeting one of the best patterns and couple of other requirements) will have about 380, 370 or even lower 360 350 bits of entropy
A password generated via 'my standards' ensure 412 bits each and every time. It simply ensures your password belongs to the biggest pile of variants and with the highest possible entropy.
This kind of string would take billion years to be cracked with clusters of super computers, the numbers are really astronomical.
Now i don't wanna give the lame idea a random password 63 long is easy to crack, no, but it's significantly easier to crack compared to 'my standard' described in detail.
But the thread title says something different.
My example clearly shows that he doesn't need a supercomputer, he just has to start typing.
To login, he needs not only the right string for the password but also the right string for the user name.
He has to try ALL strings (unlike you claim).
The chance that he will find two correct strings at the first attempt is, in my opinion, impossible.
Further attempts, both remotely and directly on the machine, will also be unsuccessful.
The calculation is quite simple.
I don't have to do anything more than restrict the number of login attempts, e.g. after 2 failed attempts, I have to force him to take a 4-hour break.
Assuming he doesn't need a new keyboard and the hardware won't crumble to dust and he himself does not die of old age while typing, when would he be done?
Theoretically, mankind can build intergalactic starships, but what about in reality?
Username can be discovered thru social engineering. Some leaked/hacked password database can be in the hashed password form, meaning the hacker has only the hash needed to login but not the password that gave that particular hash. So he has all the time he wants to crack those real strings. Then he can use a split whatever he wants (in 2/3/4/5/etc) in order to break them down as much as possible, then use for each pattern powerful gpu's, 10/20/100, whatever he needs depending on the importance of the target.
The secret is to get as many patterns possible (in the above example it's split in 3, but he can split in such a way to have many more patterns not only 10 but 100 or 500 etc and the number for each will go down and it will become more digestible for the gpu's )
The time is compressed as you don't check 1 variant at a time but 500 or 1000 (the number of patterns) multiplied by the gpu tries/second
So if your split gives let's say 1000 patterns you can use 1000 gpu's targeting first those less numerous patterns. Then when finish with those weaker patterns you gonna target gradually those more numerous
This i would call parallel-brute-force because you are not counting like this 1,2,3...n^k but (1-1000)*gpu, (1001-2000)gpu, (2001-3000)gpu.... # where gpu means gpu tries/second.
To make a comparison instead of letting one guy counting till 7 billion (that would take 1 mil year) you put 7 billion count one and that will literally take 1 second. Of course i overly exaggerated things to describe what parallel-brute-force would mean.
So to summarize we need to kinda stop recommending random passwords unless are long enough (63 -64chars). A 15-20 long random password think is a highly qualified hacker's dream.
> But the thread title says something different.
Yep mathematically speaking is dumb because not everybody choose 63 long passwords but random only about 20 long and even if it's 63 long making it 100% random it's not a bright idea having in mind you choose that long pass in order to keep something pretty important, safe. So depending on the point of view can be or not that dumb. If you wanna protect 1000 bitcoin is dumb, if you login to facebook is ok
There's also a trick forgot to tell about.
So for the best results if you have let's say 95 chars to choose from but you need your password to be just 20 long you have to get rid of 95-20=75, with targeted randomness.
So let's say your split is in 5 chunks => 95/5=19
so we will have 19|19|19|19|19
To establish the best pattern for your 20 long pass you need to remove 75 numbers out of 95 and so we need to subtract from each
those 19|19|19|19|19 => 75/5=15 and therefor 19-15=4 so the best backbone pattern following this split will be 4|4|4|4|4
meaning from each of those 19|19|19|19|19 will 'remove' at random 15 and will get 4|4|4|4|4
We have to calculate it that way when we don't split even but for example like 17|19|25|16|18
And here we can't use an even 4|4|4|4|4 pattern but will get 2|4|10|1|3 (after subtracting 15 from each of those)
That can happen for example when we group symbols numbers letters or other special chars so we know the needed share of each in our string.
Another reason for that is to hide our split making it even harder to crack/guess or parallel-brute-force.
Enjoy 8)
Because you obviously didn't understand my posts, I have a little task for you.
You have to do nothing more than create 4 posts with 8 characters of your choice here in the thread in 3 minutes.
That is the same as entering your username and password when you log in twice.
The time is running. ;)
I give up i don't get it what that suppose to mean ::)
If I write 8 chars in 4 different posts in 3 minutes what's with that? You can decrypt traffic or what's all about?
If you know something that we don't know would be nice to open a new topic so everybody can follow what you try to show.
I mean it's hard for me to know what you understand from my topic and to link your point with what's being said in this topic.
Here i'm trying to show how we can create super strong strings so can't be broken not different hacks or bugs that can be speculated.
Math tricks not hack tricks
;)
Most of this is over my head.
And sorry if you've already done so but can you link to some research showing a completely random password has the weakness you claim?
What you seem to be saying is we have to reject certain pattens because they are weak and only use the patterns that are stronger?
But if an adversary knew this approach was being used have you not just dramatically reduced the number of patterns to check in a brute force attack ?
I'm due to retire my password.
P4ssw0rd!
Served me well. I use it everywhere.
I'm considering
P4ssw0rd!P4ssw0rd!
That's not completely random so probably a good one ?
It's weaker cos when you generate it via randomness solely and not targeting the bigger pile from the start you'll gonna end more likely with a weaker backbone pattern and more than that with many chars repeating lowering entropy.
But if you impose high standards, meaning choose a pattern with bigger number of possible variants, and choose char repetition at a minimum like only 1 or 2 repetitions (but best would be 0/no repetitions) so something like this 1122333355505000 will never have the chance to be your pass.
The way i wrote it is more obvious but writing it like 501350235020153 even if looks better it's not cos it has same 5 elements that repeat in the same amounts.
We can not appreciate visually a string if it's good or bad so we need to know exactly how many unique elements we use and how well we mix them in order to be hard to be guessed.
Assuming a random pass 14 chars long can be broken in 1 year it's enough to have a 6 times better dodged 14 char long pass to make any hacker get bored and eventually rage quit.. :D
You can verify yourself generating 3 letter pass out of the 12 letters a-l (see above example in the first post) generate 10 or 20 random passwords and check their patterns you'll gonna see the bigger one 1|1|1 is gonna show less frequent than the others even if it has the bigger amount of variants but the others combined have more. Their downside though is that heir separate variant number is 2 times smaller 384/192=2 or even 6x 384/64=6
So if a clever hacker throws on each of those specific patterns some serious gpu's, guess what, those weaker patterns gonna start producing hits for the hacker and eventually 'easy' money. But the LAST STAND PATTERN will fall last if at all so that's why we need to use the best backbone for a password.
Now the example above has only 12 (a-l) chars for understanding/visualize the principle but once more chars and length are added to the mix you'll definitely want to have that LAST STAND PATTERN 1|1|1 any other being 2x or 6x weaker that hacker cluster gpu's would love to see.
Random passwords are insecure when you try protect some serious secrets i.e your bitcoin wallet pass with 100 bitcoin 8)
Ow and speaking about crypto, those 12 or 24 words can be choose to respect my 'Golden Standard' 1|1|1 making it bullet proof.
Print screen bellow shows a GRC (https://www.grc.com/passwords.htm) random generated password with a backbone
21|16|19|7 but best would be 24|18|18|3 an not only that GRC string has too many repeating chars (look in terminal the highlighted row that shows what and how many char repeated)
The chosen split is 32|26|26|10 (32 symbols/26 low caps/26 caps/10 numbers, 0-9) and best back bone would be 24|18|18|3 but you can see GRC (https://www.grc.com/haystack.htm) produced 21|16|19|7 which sux.. could be 10/100 or more times weaker
(https://i.postimg.cc/JncZPbZw/proof.png)
Still not making sense to me.
A brute force attack involves trying every possible combination of characters until the correct one is hit.
Given any set of characters and a fixed password length there's a finite number of available passwords.
Disallowing any passwords which have repeated characters is simply reducing the number of available passwords and therefore the number of brute force attempts needed, if the attacker knows of the no repetition rule.
I believe you are wrong.
I'm happy to be proved wrong myself. But again have you got any links to any research which backs up your claim?
If this was a 'thing' I'd expect there to be plenty of info out there. I'd expect my password manager (keepassxc) to disallow repeated characters or have an option to exclude them. Nada.
GRC pass has only 46 unique elements in case you didn't notice mine has 63 or worst case 62 when i allow 1 repetition
If the attacker has the ingredients it has an easier task but if the ingredients are far more numerous than he expects then he will fail
Even if he by some kind of a miracle guesses 61 elements he will never get to the breaking point if he ignores 1 element in his cracking algorithms. While having all those only 46 he can form patterns that more likely will obliterate your string.
Check it out: 32|26|26|10 # Split (32 symbols/26 low caps/26 uppercaps/10 numbers, 0-9)
GRC 21|16|19|7 # Random password A(32,21)*A(26,16)*A(26,19)*A(10,7)=3,54545759835082233041×10⁷⁶
LSP 24|18|18|3 # Last Stand Pattern A(32,24)*A(26,18)*A(26,18)*A(10,3)=4,70089690495622425059×10⁷⁷
GRC string has 13.25 times less variants meaning if GRC can be broken in 1 year it will take 13.25 years to break mine
Therefore i can say mathematically mine is at least 13 times better than GRC super dupper pupper fully random string.
But there's a catch you see in the first post that 4|4|4 split with the backbone 1|1|1 if we calculate like previous it would give
A(4,1)*A(4,1)*A(4,1)= only 64 so where's the rest till 384? The answer is that 111 pattern can form arrangements in itself A(3,3)=6 cos the order is important i.e (a e i ) which is 111 but (i e a) is also 111 but differs so we have to count it accordingly
and 6*64=384
And you can see it's kinda hard to calculate so my pattern gives far more than 4,70089690495622425059×10⁷⁷ because its pattern form arrangements on their own
Also GRC's gives more than 3,54545759835082233041×10⁷⁶ but not more than my model.
So the difference that at first was only 3x stronger (the easy example with 3 letters, a-l) in fact is 6x therefor extrapolating a 13x stronger could be in fact 13*3=39x stronger
Anyway you wanna put it is considerable stronger mine than GRC's
I have no other resources to point you to cos everybody says like a broken record, random strings are the golden nugget. No they are not but can put user at risk if it uses shorter passwords like 15-20 maybe 30 purely random. Is ridiculous and not backed by any math logic.
It's even more hilarious seeing those guys trying to capture "whale noise in space" and other stupid things like that
Nah still not making any sense.
It's not Wordle.
No login system etc returns "6 characters present in the string but in the wrong spot. Positions 4 and 12 correct"
It's just login failed or login succeeded.
Of course using a bigger pool of characters results in a a harder to crack password.
But repetition make no difference to the strength of a password. imho.
It's quite simple if a cracker starts its toys from easy to hard he gonna have a bunch of hits. If he starts from hard to easy he's losing his time and more than not gonna have 0 hits. And guess what your random stuff fell rather in the easy category vs mine
Hiding your password in an easy to guess (probabilistic speaking) spot thinking simply he does not know your your backbone cos it's random it doesn't hold.
First, random generators spit rather same patterns over and over see prnt screen the red square, therefor are pretty predictable.
A 63 long string from 94 total chars have 94^63=2,02793848362086089381×10¹²⁴ and this is he exact number not approximate. Unveiling your pattern not gonna make any hacker happy if it's 24|18|18|3 but if you tell your jazz is random and 20 long and you hide 1000 bitcoin with that thinking your pupper random pass can do wonders, yeah, right.
123456 it's random too :D ;)
(https://i.postimg.cc/pTNdCkDk/Screenshot-2022-12-18-09-27-14.png)
Look 100% randomly generated and 1|11| is nowhere to be found even if it's the strongest
(https://i.postimg.cc/W4cK7f95/Screenshot-2022-12-18-11-05-54.png)
Those patterns with a 1 and a 2 have each only 192 vs 384 (those with 111)
Not to mention one variant (bfc) happened to repeat :D ...random stuff
The reason those 2|1|0 like patterns show up more often is because there are 6 of those 6*192=1152 but as a stand alone has only 192
It even produced one stinky 0|3|0 and that's to be expected when you rely 100% on randomness. And that is not because it doesn't come from a perfect cosmic random noise source like those baseless nickel heads 'experts' might think. Random=Surprises and not always pleasant.
There' a poor understanding of what random term really means.
And if still anyone has any doubts it's time to check this last overkill proof. I'm gonna be marking this as solved. :D 8)
(https://i.postimg.cc/XNDz4Zsb/overkill-fin.png)
While this is very interesting and laudable work, let me interject if I may. Nobody can remember such a complex password, let alone rows of them (unless of course we're talking about complete schizos). Normies would have to use a password manager and lock it with a password they can memorize. <--- This is the weakest link.
(https://imgs.xkcd.com/comics/security.png)
Again, I'm not writing this as bad critique because it's very interesting and solid as proof-of-concept.
Yeah lol :D it's indeed hard to remember one of that. I'm not having that kinda password as my main password cos i will lock myself out :D
I was just trying to point out that the idea of linking randomness with security is bad marriage.
Many things that suppose to give us confidence about our security (in IT or real life) relies too much on this concept, 'randomness' that eventually some day will "bite us from behind" if not already bit some of us.
I'm stunned though to see so many people and surprisingly not n00bs singing in large choruses and praise randomness.
Hopefully here we've debunked a myth and hopefully will see security experts come back to their senses and re-think the security cos too many things rely on randomness inside our kernels/bitcoin phrases/and what not.
I'm gonna be nuancing my point of view in a moment cos i reviewed my allegations and found that there's an error that i've found in my calculations. :-[
My other posts in this thread are accurate and again only my reply nr 17 has math faults in it 😬
I'm the first to admit that much of what you've written goes right over my head.
My gut, along with the seeming lack of any other research along these lines (quoting you, I haven't looked), still tells me you are wrong.
I'm at an impasse in my brain regarding the fact that if you exclude dictionary attacks and rainbow table attacks (where hashes are available) any password should be just as secure, or insecure, as another.
How long it takes to crack a password will differ from a theoretically expected amount of time, with a certain amount of computing power, based largely on luck (good or bad) as to a what stage of the process that specific string is checked against the hash.
And as I've said before, any set of rules that excludes certain strings from being used as passwords only makes the number of attempts needed to check them all fewer for the attacker, if they know of such rules.
Have you bought this up with any 'experts' on any cryptography related discussion boards?
Please note that while I've stated 'I believe you are wrong' that's not the same as me saying 'You are certainly wrong'. I have not even close to the expertise (none!) to make the second statement.
Interesting topic anyway as it's had me thinking and I like that.
The problem nuance is as follow, regarding reply 17 that brings complexity thru the roof..
Like we saw, GRC's password has only 44 unique elements meaning => 44^63 variants but some of those 44 elements repeat some don't. Those that do not repeat (in that example 28 chars) can be 'downgraded' in terms of variant category from arrangements with repetition which fall in the x^y category into arrangements without repetition which fall in the A(x,y) category with lower amount of variants.
So to reflect that in our calculation i think we would have to consider elements that do not repeat (28) as A(x,y) and only those that repeat (16) be calculated as x^y
We calculate with the juiciest (x^y) if and only if the whole string has repetition like i.e 142412 and we see all elements repeat 11, 22, 44 if not the string must be considered mixed in my opinion because if we take a 63 long string and it has only 1 repetition with 62 unique elements it's also incorrect to categorize the whole string as consisted in arrangements with repetition since we have only 1 repetition.
So will have only A(28,28) multiplied by (16^16) => A(28,28)*(16^16)=5,62419726410924816021×10⁴⁸
But we need more accurate than that calculation cos still those variants that form between different types of arrangements are not catched in the above calculus but i might have a way to solve that hopefully cos i'm working on that.
So definitely GRC password can't really have 44^63 but lower, how low will see.
On the other hand our 'Last Stand Password' that indeed has 63 unique elements but can't be either calculated as 63^63 cos it doesn't have any repetition and so it has to be downgraded to normal arrangements A(63,63)=1,98260831540444006412×10⁸⁷
But still there is a chance to randomly select a string that simply has no repeating chars.
@gripped Yeah would be nice to see more math center guys joining our discussion and reveal if they have better understanding than what we have on this thread
What can i add more on this is that everywhere i've looked everybody just pull out of their magic hat this taboo : " a password has to be random" but why and calculations they never show. Mathematically they have to prove same as i'm trying here to prove them wrong and till reply no 17 managed to show exactly that they are wrong.
The only thing i'm not sure of is if it's or not preferable to have repetitions in a pass. But what can be said with certainty is that the more repetitions we got the lower the number of unique elements and the lower number of variants.
Think i've cracked it man. I need to digest properly this discovery so this will be just an intermediary review
So because the problem turned overly complex i needed some trick. And the trick is as follow. So because we can't count them the classic way i decided to use the NEGATIVE way, meaning instead of calc how much those are we can evaluate how much aren't.
I'm gonna be naming this zeroes counting.
We know some chars may show up more times and so i took both extremes where all chars repeats vs no chars repeats
No chars repeats means => 94-63=31 zeroes
Maximum repeating chars => 94-1=93 zeroes only 1 char repeats 63 times resulting the maximum zeroes possible (i.e 1111....63 times)
GRC pass sample has 50 zeroes => 94-44=50 (44 being those unique elements, let's call them non zero)
Now i call it the negative method as instead of looking at their chars how many repeats or not i'm looking at what their shadow can tell us. And their shadow is that zeroes amount. More of those zeroes => means more chars repeated in that particular string. Less zeroes chars repeating not that much. That being said, now the moment of truth...
So a password is characterized by some non zero elements and some zero elements depending on their specifics (here we talk about a 94 total elements) so we have
no char repeats with the least zeros amount when all chars differs and their zero shadow is minimum (LSP=Last Stand Pass)
LSP shadow A(94,31)=5,48452333326831116119×10⁵⁸ shadow (this is the no. of arrangements those zeroes form in this case)
GRC shadow A(94,50)=4,09050063571205332982×10⁹¹
Only 1 char repeats 63 times A(94,93)=1,08736615665674308027×10¹⁴⁶ (O1Char aka Only 1 char)
Now you can easily see that the quality of the string is inverse proportional meaning the bigger figure of the shadow the weaker the pass. And that we know for sure because we all know there are only 94 of those that have only 1 unique element but repeated 63 times
i.e 11111111x(63) or 22222222x(63) or 3333333x(63) till...... 94 94 94x(63)
And now because we know each of those the order of magnitude, next is just basic arithmetic.
GRC÷LSP= (4,09050063571205332982×10⁹¹)÷(5,48452333326831116119×10⁵⁸ )=7,4582609775760796521×10³²
But because bigger means bad (being inverse proportional) => let's round it up, GRC pass is 7*10³² weaker than a Last Stand Pass (with no repeating chars)
I'm gonna reviewing tomorrow or coming days and look if any errors but i highly doubt it.
So in conclusion a random password can be much much worse than even I could have ever anticipated.
We need though mathematicians second opinions cos that's how science should suppose to work. I'm studding this probability stuff for quite some time.
Enjoy 8) ;)
You argue like a snake oil salesman and before you embarrass yourself further I suggest you read up here:
https://www.2uo.de/myths-about-urandom/
Show me the math man. Calculate and show me mathematically that random passwords are better.
Random password it's simply not good. The only debate now is if is rather better or worse having chars repeating.
You embarrass yourself cos you can't calculate and prove. You can't prove shit.. :D
If you believe in voodoo not math you need to search for a magician. Come back here when you can prove mathematically your embarrassing claim. ;D
If you are such a good calculator, answer the question I asked you in post 5.
You can't do that at all because you don't have a clue.!
Yep reviewed that shadow thing approach verified it and it didn't hold, meaning it's erroneous. Can't see where is the error but for sure it's erroneous cos it failed verification.
Personally, I don't have the time or inclination to go to such extremes. There are more things to worry about than I have the capability to resolve in any reasonable manner, and I am 65 years old...so I can likely spend my remaining time on less stressful and more pertinent matters. I realise that security is important...but I want to use my computer in the meantime. "Security" in this day and age, is, in my opinion, mostly an illusion.
I am not dismissing your efforts....but they are beyond my field of view.
Best regards.
Yeah it's true it's tedious work but some more research i don't think it hurts cos I can pretty much see some hole in this area of research and can't blame anybody cos these huge numbers can get some guys bored. But for the folks out there with a math background might be interesting. :D
In the meantime found a cool python3 script (i'll put it at the bottom) that takes a number i.e 63 and spits patterns whatever one can find useful. For example speaking about 24|18|18|3 it's just one out of other 37.820 and there's no way doing that by hand.
If splitting 63 in smaller chunks, that will give even more numerous patterns but each of those variants/pattern starts to drop.
And here's the script, it has already 63 long, split in 4 chunks see this part of the script bellow Compositions(63,4):
def Compositions(n,k):
if k==1:
yield [n]
elif n == 0:
yield []
else:
for i in range(1,n):
for comp in Compositions(n-i, k-1):
yield comp + [i]
for c in Compositions(63,4):
print(c)
Lol guys, guess what re-verified the shadow method an it gives accurate numbers. Have to refine it a little bit cos took the wrong numbers for the shadow and need to determine one more little key aspect.
Yep after debunking the fact that a random pass throws shitty patterns lowering considerably the pile you wanna hide your string in, now myth number 2 has to come down like a rotten tooth.
Myth no.2 refers to the question: Is better or worse having multiple chars repeating inside you string? And the answer is, NO is pretty dumb having that kind of password. And the explanation is much more simplistic than anyone might have expected.
The reason is this: repeating chars can't form different variants so i.e an "a,a" it will always have only 1 variant "a,a" but an "a,b" have two "a,b" and "b,a"
Now use your common sense and think what would happen to a longer one , aaaaaaa instead of ackjoch, while the first you can write it only in 1 way the second can be written in 5040 ways and those arrange with the rest of the string amplifying even more this effect.
The aaaaaaa string can form different variants when change their order/position inside a string but when their order isn't changed they simply form only 1 variant degrading and lowering the overall possible variants. See print screen example
(https://i.postimg.cc/zvkT3WWb/Screenshot-2022-12-27-11-37-05.png)
While choosing from 94 and let the opportunity of chars repeat inside a 63 (or 40 or 20 long pass) might sound like the better option is NOT, each of those char repeating strings are weaker and weaker depending on how many times and how many chars repeat. The more repetition the weaker the string.
We can only have at the most 1 repetition without degrading the string strength cos i.e A(63,63)=A(63,62) first dived by 0! which is 1 and second divides by 1! which is also 1 but to have the Last Stand Password in full swing, we should have 0 (ZERO repetition) and the second requirement is to respect the 24|18|18|3 pattern meaning choose 24 symbols/18 low cap/18 upper cap/3 numbers (if we talk about 63 long string)
Have a good one, and enjoy :P 8)
But what about ab, ba, aa, and bb making four possibilities thus double the combinations of not allowing repetition? If the password is unknown it could be any of them. If it is hashed, does that allow anyone to guess one character, validate it, then find the next, but don't they have to guess the whole thing in it's entirety and check the hash to see if it matches? So the more options to choose from, the harder the task is - providing obvious stuff is filtered out that would come up in list based attacks and other ways to target easily remembered stuff, like using all or mostly all the same character, modified words and phrases and so on.
Probability can be non-intuitive though, so I couldn't say for sure. Have you seen the Monty Hall problem? You have three options, one wins the prize. You pick one, then are shown one of the others is not the winner, and allowed to switch your choice. To have the best chance of winning you should switch, because when you made your choice there was a 2 in 3 chance you were wrong, even though out of the two remaining options you might think there was still an even chance, there isn't.
No, those belong to other category meaning, all elements repeat (aa,bb,) so those do not add up cos that is different kind of repetition string. We have to count them toe to toe, mathematically not in bulk.
A string defined by any repetitions stands no chance against any string with no repetitions with the same length. Variants with repetitions are more numerous as a whole (they sum up those with 1/2/3/4 /5/11 etc. but independently they are million/billion of times by case weaker than any non repeating same length string ) but each and every one of those alone has no chance against a non repetition string.
The math is extremely simple. Arrangements with repetition form mirror useless variants
i.e (case 1) A b f g r A has only 1 of that compared to
(case 2) A b f g r B that can also form => B b f g r A and those are already twice as much vs the string with repetition, get it ;)
Now imagine one 'Super Dupper' GRC password with 16 repetition (see relpy 17). That string will simply form a bunch of useless mirror arrangements reducing the sheer number of that kind of string. Because they repeat they will fail form distinct arrangements and will spit a bunch of useless mirror arrangements that do not count.
Also there is one HUGE difference to choose from a total 94 chars 63 different and total fail to choose from 94 only 44 while some char repeating till reach 63 .
And here's why is better to have 63 no rep extracted from a 94 total vs 62 with one rep. Even if toe to toe both strings have as much as the other but A(94,63) will always be bigger than A(94,62)
Arrangements with repetition may look like Hulk (they form a huge sum but only as a whole and NOT separate) but fight like Coyote from Road Runner cartoon ;D (not even single arr. with rep. have more stamina than a non rep string)
Therefor I can say: Choosing a random password is like trying to get the best while in fact you get the worst vs a non random/non repeating/ 24|18|18|3 string
Simply taking out from 94 chars and choosing arbitrarily using the pattern 24|18|18|3 but without repeating any char will simply be multiple millions to billion times much stronger string than any bullshit random cosmic whale farts caught with Arecibo radio Telescope.
After taking even closer look, all possible patterns with repetitions meaning all the ways you can sum elements to form a 63 long string excluding those that do not repeat (last stand pass, no rep.) are
94^63 ÷A(94,63)= (2,02793848362086089381×10¹²⁴)÷(1,32237321244807078695×10¹¹²)
Arr. with rep are 1,53355986383495911197×10¹² times more numerous as bulk than those that don't rep. but those form in weaker individual rep. patterns (the more rep. the weaker) while non rep. arr. are stand alone massive, billions of times stronger than any individual rep. arr. patterns. They (LSP) only have little competition amongst those with the lowest rep. 1 /2 /3 that progressively becomes weaker and weaker with each rep.
While rep. arr strength lays in those million patterns and very little in its own , non rep arr. strength lays in its own vast/huge amounts of possibilities.
But like I said because of those rep. , unique elements will be 44, 40 or even less by case and combined with those useless mirror arr. we would have a pretty useless string.
Bellow you can see 2 examples: 3 out of 12 and 4 out of 12 the moment numbers goes up, numbers of no rep arr. drop vs the rep. arr. but still any of those broken down patterns have huge less than the LSP (billions of times less)
Now think what if a smart hacker knows or assumes a security focused user generated randomly his 'just' 20 long pass with a bunch of rep. he will more likely have less unique elements and eliminating those no rep arr. can save a lot of time ;) in hacker job so A(94,20) will fell of the table in just a millisecond instead of an eternity ;)) Even if still it's hard life for him he has better odds knowing he has to use only 16 / 15 or lower numbers into his jazz.
(https://i.postimg.cc/rFp17GQH/Screenshot-2022-12-29-01-34-36.png)
How about proving your assertion not only by constant repetition, but also in practice?
With your well-founded knowledge, it must not be a problem for you to find the appropriate patterns and to post the contents of the linked file here?
I already showed why. If you still in doubt which is perfectly fine. Use a scaled down TEST.
Take that example (a-l) 12 letter total char, 3 char length, then choose 10 passwords, 5 random generated and other 5 that don't have rep. chars at all (my standard)
After that put all those 1728 possible variants ( generate (https://www.dcode.fr/arrangements-with-repetitions) them on your own) shuffle them how much you like then take the final shuffled text file and start searching thru that file with ctr+f for your random vs no rep. strings. The expected result should be that your rep strings you'll find them faster (meaning at the beginning of that text file vs my no rep. strings which more likely will be at the bottom) On shorter scaled examples this proves more easily cos it doesn't produce a shit ton of patterns i.e 63 can form over 1.5 mil patterns used this python code (https://www.geeksforgeeks.org/ways-to-sum-to-n-using-natural-numbers-up-to-k-with-repetitions-allowed/)
And that will simply prove that non rep. strings are safer than those that rep.
When scale up to a 63 long string out of 94, the number of each patterns with rep. will asymptotically 'try' to get closer and closer (to the LSP) when the least rep. are present in a string but when those rep. start to grow, their sheer variant numbers start to decline and will eventually reach the worse case scenario pattern where the whole string is made out of only 1 unique element i.e aaaaaaaaa or bbbb or cccccc and so on, being only 94 which basically can be broken in 1 nanosecond.
About
The knowledge proving imply having some gpu clusters which are expensive and i'm into securing things not breaking but that doesn't mean someone can't use these.
I'm just trying to obliterate as much as I can the inept idea of securing things thru randomness.
Randomness <=> Predictability which ≠ Security. Therefor Security has no common denominator with Randomness
Practice makes perfect that's why i like to repeat 8) :D
I'm gonna be drawing a sketch so it will be easier to visualize what happens when GRC vs LSP but that next year so i will not exasperate
@lq :D
No you test with examples that are easy to crack. As in say only the digits 0-9. Then generate your lists of all the combinations both with and without repetition allowed.
Randomly choose a combination from each list and generate a hash. Store in a file that John the Ripper will recognise as a password file.
Several times randomly shuffle your combinations and feed into John the Ripper as dictionary files attacking your password files.
But separately. You only attack the password with no repetitions with the no repetitions dictionary file. Because an attacker will know that "it's ridiculously dumb having a 100% random password" so will only check non repetitive combinations.
John the Ripper will, in general, crack the non repetitive combinations in far less time.
Sorry I think you're failing
That makes no sense to me ?
Randomness is just another form of obscurity. Security through obscurity is how locks have been made for generations. Real advancement in security is slow because of it. Security is always the same, whether a lock or a passcode; they only keep honest people out.
> Sorry I think you're failing
Nope a hacker will have more hits knowing users generated their string randomly which throws weaker patterns and a bunch of mirrored useless permutations. This is because your particular randomly gen pattern is billion times weaker than a non rep pattern so yours is more likely to pop up first in hacker's cracking tools than mine. If you think it will not guess your pattern it's wrong cos randomness it's predictable. They will guess your pattern due to probability likelihood and when they search inside that pattern it will be easier to brute-force that instead of a LSP
A random (63 length) gen spits strings in between 39 uniques and at the most around 50 uniques more or less. And so just think how many variants a hacker will simply rule out of its cracking tools. You can't even imagine believe me it's an obscenely vast number. You'll get tired if you write it down, and adding to that no rep. another humongous indecent number you will have your jazzy string behind a precarious weak and more crackable pattern.
> That makes no sense to me
<=> this in mathematics is the sign of equivalence, now try again
Told you if you still not convinced you can add to your string just couple of repetitions 2/3/ maximum 4 anything more than that are simply junk patterns vs LSP
So you better ditch altogether any random generator
@gripped A cure I can think of if you're still umbilically attached/mesmerized with the randomness (dumbnessnes) idea is after you random gen your string, count your repetitions and add as many but different chars as the number of repeating chars.
So if you're having 3 repeating chars add to your string another 3 totally different chars.
> they only keep honest people out.
@cat herders of linux Yeah, I would not rule out that possibility either but eventually denying evidences and realities will make those that embrace this kind of 'philosophy of keeping honest people out' , reach a dark end.
Randumbness :D 😅
I'm talking about the statement not the sign.
Randomness is not equivalent to predictability. It's the exact opposite.
As I've said several times your concept decreases the randomness and increases the predictability. That is not an improvement in security.
When authenticating with a password, the COMPLETE character string is verified and not, as you claim, parts/patterns and certainly not individual characters of the character string.
The usual use case of passwords is that a password is assigned to a single person and that this person keeps the password secret. Yoda would say to you:
"Much to learn you still have."But I am not Yoda and therefore I say:
"You can repeat bullshit as often as you like, but that doesn't make you a master, just a blockhead."https://en.wikipedia.org/wiki/Keyboard_layout
https://www.asciihex.com/ascii-printable-characters
https://en.wikipedia.org/wiki/UTF-8
https://www.2uo.de/myths-about-urandom/
https://en.wikipedia.org/wiki//dev/random
https://en.wikipedia.org/wiki/Entropy
https://en.wikipedia.org/wiki/Cryptography
https://en.wikipedia.org/wiki/History_of_cryptography
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://en.wikipedia.org/wiki/Tempest_(codename)
https://en.wikipedia.org/wiki/Red/black_concept
https://wiki.archlinux.org/title/Security
https://en.wikipedia.org/wiki/Network_security
https://en.wikipedia.org/wiki/Checksum
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
https://en.wikipedia.org/wiki/Password
https://en.wikipedia.org/wiki/Password_strength
cat /dev/urandom | tr -cd '[:print:]' | fold -w 95 | sed -e 's/.\{5\}/& /g' | head -n 75
@lq That jazz or voodoo you keep saying doesn't hold any mathematical rationale. Doesn't matter you hide your background radiation noise string of bs in 1 in a 1.5 million drawers if once opened that drawer everything inside can be guessed billion/trillions or/quintilion times easier. You choose millions and lose gillions can't you understand? The fact that a hacker assumes or knows you have no rep password pattern it doesn't mean he has free Burritos for his whole city or endless time at the pedicure lol while keeping a secret your random pattern still that doesn't mean it safer cos it has so few variants that will simply float like a garbage can in the ocean of variants and will be easier for a hacker to pick it up and sip it up like spaghetti 😅
@gripped > Randomness is not equivalent to predictability
It's more predictable than you are prepared to accept. Already addressed that in reply #16 with a lower scale example, I know might be tough news but that's how things works. Numbers do not tell lies.
(Case 1) everything (63 in length) random string is packed in 1.5 mil distinct patterns (mixed arrangements + LSP) each having staggering lower and lower variants depending on the rep count, the more rep the worse, the fewer the better, none, best case scenario LSP
(Case2) non rep. (63 in length), LSP gives a natively best strength only 1 single distinct pattern bigger billion/trillion/gillion times by case than any of the rest within those 1.5 mil distinct pattern . If anyone needs to hide something then is better to blend it inside the bigger pile and the bigger pile is no other than a non rep. pattern A(63,63) stand alone and a A(94,63) from where those are extracted from.
Don't shoot the 'Magellan' of passwords 😅. Is not anyone fault i'm right and the GRC guy is wrong. It isn't that hard to understand even without doing any calculations but once you do you simply can't deny numbers.
#16
There sure is. By you.
By all means you can claim that any particular method of generating random numbers is flawed. That the results produced are not in fact entirely random and are to some extent, or possibly entirely, predictable. Of course you'd be expected to show some proof if you wanted to be taken seriously.
But when you claim
you lose, in my eyes at least, any hint of credibility on the topic in question.
But as always I accept that there's the possibility that I (and most of humanity) completely fail to recognise that in fact true randomness <=> predictability.
And that you alone, through your maths genius, have discovered the predicability of true randomness.
So just in case I again suggest you go to some security / cryptography discussion boards and let them all know of the flaw you have discovered. I imagine they'd be the people to be able to fix this claimed house of cards of security based on randomness. I'd go as far as to say it's your duty and responsibility as a decent human being. And think of the plaudits and recognition. Not to mention money and Time magazine covers etc.
Numbers are just numbers. Both your methodology and theory behind it are massively flawed imho. So the numbers you present prove nothing except seemingly to yourself. You keep talking about pattens as though an attacker receives useful information back from each brute force attempt allowing them to refine their attack and home in on the dumbass repetitive password. It simply doesn't work like that. 'Failed or 'Succeeded', that is all. Yet you haven't addressed this afaict ?
It's reminding me of the saying along the lines of "If you meet a couple of idiots in a day you've met a couple of idiots. If everyone you met in a day is an idiot you are the idiot."
You're pretty much saying that the entirety of cryptography / security professionals are idiots because they haven't figured out that Randomness <=> Predictability and are putting us all at increased risk.
I'm not getting into cryptography, there is a total different accent meaning cryptography has to keep safe the secret so can't be reversed. In cryptography there's not only randomness involved there are other mathematical operations and so that is a different topic.
Other than that it doesn't mean cryptography that relies to much on randumbness (let's call it dumbness for a while) isn't weaker than others that do not rely that much. I'm not covering that cryptography part even if clearly this topic has huge implications. But on this I would add, have you ever heard about a bitcoin mnemonic phrase that repeats 2/3 or more times the same dictionary word? And I will leave it there in the cryptographers yard the ball is in their tennis court.
@gripped yeah we overly supra-estimated what random things can do and guarantee they can't do a lot of things but give a fake sense of security. Why the heck we expect randomness be that good?
True randomness 😏, common man we fetishized too much that thing let's get over it. And why we never try to connect some dots knowing so many hacks are presented day by day. Well maybe it's because they overly supra-estimated random generators who knows? It's enough for the hacker to try a smelly 'floating' pattern ..
Random non random, can you tell the difference? This true randomness seeking stuff is another fiasco in this field
ddk
eej
Can anyone tell which one is random and which I pulled out of my mood? And if anyone can, let him explain what kind of 'medicinal cocaine' he uses..
And because longer strings same we can't tell if are random or not just by looking at them nor any other methods it simply means the random-security idea is altogether a made-up idea without any mathematically base. The only hint we have is when we have a bunch of rep. which may suggest it's random, but anyone can take it's pattern and write one from the top of the head that it's in the same league (same pattern) so still we could not make any difference between those two. Btw the first one ddk is random generated the second pulled out of my inspiration just for the record even if doesn't matter at all.
In the coming days i'm gonna be showing exactly why a 63 length random gen are literally garbage sold by let's call them fortune tellers. One thing I can add, like you crank left right an old radio button you can literally crank password strength from the weakest to the toughest, it's just like a spectrum that it's mainly defined by the size length and total chars number.
Random things look better in nature but not in passwords. I'm having a theory related to gravity being tightly linked with entropy but i'm not alone on that one. In a way you can look at a planet like a 'random' system where it's particles spawn similar patterns that make them hold together but that's already Science Fiction.
Btw 🥂Happy new year everybody!!!
Happy new year to you too.
I have not repeated myself at all, but have added to my second post.
Hiding something? On the contrary, I merely wanted to make visible the patterns you keep describing.
I remember I've read about hardened-kernel (https://wiki.archlinux.org/title/Security#Kernel_hardening) having: Heap randomization test (PIE) : 40 quality bits (guessed)
Now I don't know exactly what that means but what I do know is that 40 bits of entropy it's a pretty low number, basically equivalates with ~ 6 length random gen string out of 94 total. But knowing computers uses only 0 and 1 (bits) has to be 40 digit long string of ones and zeroes. 2^40 which is roughly 1000 billions. Now if I would apply 'my' standard, the biggest pattern would be that where we have equal amounts of 0 and equal amounts of 1 => 20 zeroes and 20 ones those strings that repeat more ones or zeroes would be drastically fewer by case.
i.e 1111111111111111111111111111111111110000 this kind of patterns are fewer than
1111111111111111111100000000000000000000 this kind of pattern string (that would be LSP brought down in the kernel)
Because some are fewer therefor are more easily guessable meaning our security is let at the random mercy.
So you can get hacked or not depending how lucky you are and how misfortune a hacker has to be, and that my friends I for one can't call that security. A hacker has to have the least possible chance using our brains not letting randomness do black magic security. So we have to increase the odds in our favor.
So to reduce the luck of a hacker and increase the luck of the user would be perfectly fine to instruct kernels to spawn strings in the LSP range an not in dumbness range making a hacker guess things in memory or whatever he's been doing, much much harder and make him rage quit.
The other imbalanced strings will simply form more mirrored useless permutations than the other more balanced increasing security
I'm not an expert in cybersecurity so anyone more knowledgeable in this field has to apply his own corrections to the above claims.
EDIT: equivalates with ~ 6 length not 3
Computers work with knowledge, not because you believe in them.
I'm really curious if before my lifetime ends you will write a post that will make any sense without "hackers" and "patterns".
When you go to the supermarket, are you choosing your food randomly? And if yes how you cook them? Randomly? And if yes, how you eat them? Randomly?
We need a new concept of securing things with THE BEST EFFORT philosophy not with BEST RANDOMNESS EFFORT, we do not want the best randomness we want best security. There's no better or worse RANDOMNESS. A phenomena is or is not RANDOM. Comparing different kinds of RANDOMNESS it's a pretty lame science if you ask me. How do you compare them? All random things obey to the same probabilistic laws therefor can not be a better or worse randomness.
And on the contrary, Security works best with worse RANDOMNESS meaning we target the biggest pile of variants each and every single time to blend our jazz as best we can.
Choosing from '1.5 million beds' still not better if your butt pops out underneath, cos you just choose billion times smaller/tiny bed that lets your ass be seen easily, while choosing the biggest bed under where your rear end not gonna be seen but billion/trillion/gillion times harder, you'll be much safer there. So you see my friend you run for the wrong rabbit, we don't care if it's random or not, we care cos it's SECURE and it's more SECURE cos we can calculate it with high accuracy. RANDOM is one thing and SECURITY totally different thing. That's why we have two separate words so we can distinguish them while you say those are the same.
It's not and will never be 8) 😏
PS: almost forgot, hackers and patterns so you'll have a tiny satisfaction 🫡
I don't see any difference between preparing food as a cook and computer system maintenance as an admin.
Both (the cook and the admin) have very effective means of keeping unauthorised butt-faces out of their areas of responsibility.
Have some breaking news.
Mapped a whole string 4 total char (a-d), 4 char length, 4^4=256. And must admit the result took me by surprise. The biggest pile did not belonged to the non rep. but with the least rep. meaning that with ONLY ONE rep. This kind of BBP (backbone pattern) already intuited but did not get verified thru more rigorous checks but only now (see bottom prt screen)
What must be noted is that the shorter the STRING (length of the pass, i.e 3) vs TOTAL (search space depth i.e 12) the number of arr. with rep. drop far below the number of arr. with no rep.(see my Reply #34 prt sc (https://i.postimg.cc/rFp17GQH/Screenshot-2022-12-29-01-34-36.png))
In that case where string short vs total, non rep. are predominant (reply #34), but on longer strings i.e 63 out of 94 (our long debated LSP) arr. with ONE rep. starts to gain terrain.
Has to be determined at what length (proportion i.e 94/63, 94/47, etc) BBP with ONLY 1 rep. start to exceed other with no rep. or more rep.
For those that wanna take a closer look download file here (https://filepost.io/d/XM8GGMzmAb)
(https://i.postimg.cc/ZYfnhxhJ/finz2.png)
You're repeating the same shit from your first post just packaged differently.
I want to know how many times (number) you have to execute the following line of code to get the identical (100%) output (your/my screenshoot).
cat /dev/urandom | tr -dc 'a-d' | fold -w 64 |sed -e 's/.\{4\}/& /g' | head -n 16In my humble opinion: an answer without the said number can clearly be seen as proof that you can neither calculate nor think logically and that your revolutionary theory (which you announced in the thread title) is as useful as a pile of cow shit on a pizza. (the list of foodstuffs is rather insignificant)
Nope, you did not get it, as usual, 🤦🏻 there's 0 surprises in that.
The strongest BBP that will give us the LSP depends on the ratio between T (total chars) and S the length of the string we use.
@lq you hide behind that jazzy noobish command yet you can't input any math in the real problem as you're still umbilical attached
with that joke of a philosophy valid only for kids in short pants 😏
This is starting to look like a trolling thread since it is appears to be going into personal attacks than actual information.
So you confirm yourself that your assertion (thread title) is FALSE.
And the stupid line of code proves that everyone has enough entropy to create a secure password.
Nope, rock solid proof incoming, see prt screen bellow.
Side note. I'm gonna name BBP as a simple B for simplicity but that's for the future
Managed to put together things in a more digestible shape and even have a FORMULA so everyone can calculate what BBP should
adopt and when depending on their desired STRING length and Total chars used (search space depth, i.e 94)
If anyone is trolling, it's not me.
I guess can be made a script to automate things up so a user should just input its S and T and the Output
should spawn a LSP string in the right BBP. Think a python script should do the job just a OK
If anyone see any flow in the Formula or any other spot, feel free to just say.
(https://i.postimg.cc/xTZ9rR0Q/Screenshot-2023-01-07-18-40-14.png)
Enjoy 8)
I'm not saying is not secure I'm just saying mine is more secure 8) and therefor choosing a random password is simply OBSOLETE
science.
Also in case any one of you guys didn't noticed yet i've just pushed from an arbitrary split (reply #1) to a split based on rep. non rep. and even how many rep. BBP
Reply #1 did not take the fundamental QUESTION of the need of rep or no rep. or how much rep it was just a simple arbitrary split but now we reached a deeper rabbit hole that most only dream about.
Still improvements can always pop from where you expect the least.
Next I'm gonna be explaining why a ONLY ONE rep. BBP prevails vs any other when conditions are met. But that for the next coming days.
Roger and out. 8)
The reason STRING LENGTH MATTER is because when STRING short it has lower amplification factor
A[T,(S-1)]*3(S-2)
So the loss in the first factor A[T,(S-1)] attenuates when string is longer in the second factor 3(S-2) and ultimately when S exceeds certain length (S >25, T=94) the
result will make BBP with 1 rep numerically bigger than BBP with no rep.
When S goes up the overall amount is pushed little by little in favor of the BBP with ONE repetition.
Have to test now if we can talk about a third BBP when string length exceeds 63 (not interesting in real world, cos nobody would
choose longer than 63 or 64 string)
The third BBP can have the form of 22111111111... etc TWO repetition instead of just ONE
I have to determine same, if the loss from the first factor can be overwhelmed by the second factor thru the length of the S
But I give few chances of that happening at all at any S length.
Has to be determined.
But for now the conclusion that has to be drawn is that we have till now not 1 but 2 best BBP depending on the string length
When S ≤ 25 LSP will be inside a NO rep. BBP, in the form 111111...25
while
When S ≥ 26 LSP will be inside THE LEAST rep. BBP, in the form 21111..62
Lastly it has to be determined if there is a chance of a third BBP when S > 63 in the form of 221111...? I give few chances of this to hit reality. though. But have to put my mouth where the math is.
So stay tuned 8)
Verified that 221... or 31.... etc and do not even come close to 21111...The more rep. progressively they start belonging to weaker and
weaker BBP's 10/100/1000 and eventually /gillions x weaker
All we need is to see where is the flipping point where LSP jumps from 11111111.. to 2111111.. that's bout it. And that I've already
covered by calc. both of those A(T,S) and A[T,(S-1)]*3(S-2) and see which one produces bigger numbers
Now I'm just showing another well known example, a simple 4 digit PIN (0-9)
Text file can be downloaded (https://filepost.io/d/Xeznhmo7Ui) for better grasp of it
(https://i.postimg.cc/wTSVJVYz/Screenshot-2023-01-13-12-23-39.png)
Now look with your own eyes what it means to generate your PIN randomly
First 6266 randomly generated PIN belongs to a BBP (3100) that has only 360 possible variants. But you can see another even worse PIN 5566 that has a BBP (2200) even weaker 270 variants.
Also you can notice most of the random PIN's has 1 rep number that correspond to 2nd best BBP. Couple of others indeed belong to the 1st Ranked BBP. But the point already was proven.
Random means random and not secure. Nobody would want to randomly generate a PIN that is roughly 19x weaker and for what lol
There is no RATIONALE in choosing passwords/pins or any other security related components thru Lotteries/Coffee guessing/nor
other Enchantments or voodoo or stupid shit like that.
(https://i.postimg.cc/2ymKhNqP/Screenshot-2023-01-13-13-21-48.png)
🚫🚫🚫 RANDOM PASSWORDS 🚫🚫🚫 ARE A GOOD RECIPE FOR DISASTER ‼️‼️‼️‼️
🚨 🚨 🚨 DO NOT GENERATE HAZARDOUSLY PASSWORDS FOR SECURITY REASONS BUT ONLY FOR FUN 🚨 🚨 🚨
How come so many of your randomly generated passwords shown have duplicated numbers, if there is a much greater number of possibilities that do not? Is the random generator malfunctioning?
It is stupid not to use a password generator.
cat /dev/urandom | tr -dc '[:digit:]' | fold -w 4 | head -n 20
That utterance is possibly closer to a randomly generated password than it is to a coherent English sentence ;)
@####### It's not malfunctioning it's what random things really are. Remember we don't want a probable security. We need a strong security. The reason the guys blindly search for the "PERFECT RANDOMNESS' it's because they can see the short comings of their dumb model but put it on the back of a "NOT PERFECTLY ENOUGH RANDOMNESS". Which doubles their stupidity and brings it thru the roof.
Nobody wants too much meteorology or lottery in their security. While my model offers best strength of a password, a random generated password offers only a probable security. I for one consider random-security as inadequate and anachronistic for the year 2023. It should have not be considered from the beginning.
If the phrase "It could be secure" is enough for you then keep it up. If not let's join together and mock and ridicule this METEOROLOGISTS that try to pass as Navy SEAL or SWAT or USAF.
METEOROLOGY/LOTTERY is not about SECURITY it's about the 🌦️ weather/luck 🍀. And even the weather, here and there are rumors, it can be changed
We have to re-think our encryption/kernels/memory randomization and everything random has to be ruled out as a deprecated concept.
@gripped it make perfect sense my fren you just reading it wrong. Or you just want to read it wrong :P
@lq you just proved that PROBABLE your password is secure. Nothing more. Why on earth you need PROBABLE and not full blown SECURE? But do not forget you generated a shit ton of PINs with 1 repetition which is second best and not the best so yours will be cracked faster 🤣. If PIN exceeds 5 digits then yeah you'll be good but how do you know for sure? Simple, follow my standards and you'll be good.
I see.
"Ceterum censeo M$ esse delendam"
All that I want to add on this is if someone got inspired from this thread and wanna write an article or any other public assertion on what's being discussed here I would politely wanna ask them to specify somewhere visible: The source link from where they got inspired, Artix Community that made possible debating the subject and the User (Me) who opened this thread. Thanks and as usual, have an amazing day everyone.
@lq It's a spoofed user agent in firefox. Already addressed that. It's "privacy.resistFingerprinting" flipped to true in firefox about:config advanced settings
Going off the crazy ( :P ) topic here but mine shows the same for the same reason. It's something I actually considered bringing up on here. That perhaps this 'OS' in the drop down should be user settable, or just not be there, as it it can't be reliably deduced from a user agent string. Once maybe but not any more. But in the end I decided not to bother. It amuses me that I'm shown as using Windows 10
It's clear from your posts [not just here in the thread] that you're a m$ groupie, so your explanation doesn't really matter.
I call that irony of fate, because I can't see any difference at all between KDE-Plasma and M$-Windows. ;)
MS have certainly taken a lot of inspiration from Plasma 8)
First time when I've met linux was on my mobile and not on laptop or desktop surprisingly. It had a so called Maemo operating system, forked from debian. It was back in 2009 when
@lq was 5 years old :D :P
You can call me a groupie of whatever you want but not a MS groupie. On laptop/desktop switched to Linux back in 2015. I consider MS Windoze a lame operating system for lazy and digitally unalphabetized users.
For the bitcoin/crypto enthusiast a warning ⚠️ ⚠️ ⚠️
Bitcoin mnemonic phrase strength
T - 2048 Total word list ; S - String length 12
A(T,S) A(2048,12)=5,27×10³⁹ NO rep.
A[T,(S-1)]*3(S-2) A(2048, 11)*3*10=7,76×10³⁷ ONE rep.
Repeating even ONE single word will degrade mnemonic phrase strength by a factor of roughly 68 times
Recommendation would be to use at least 3 multisig (3, 5 or even 7 mnemonic phrases) and do not repeat any word
from the word list in the same mnemonic phrase ‼️
This is an approximation because the last word in a mnemonic phrase has to complete some sort of a checksum
so it can't be just any word out of those 2048 but only some of those and so the requirement of having multisig wallet
is even more necessary.
For comparison a 63 long string from a Total of 94 symbols and chars with ONE rep.
has about 7,56×10¹¹² possible variants and so it's far more secure (about 10⁷⁵ more secure) than a bitcoin mnemonic
phrase because STRING length is longer vs Total chars number while Bitcoin mnemonic phrase length is only a tiny insignificant
fraction 12 or 24 words out of 2048 total dictionary words.
WARNING !!! 🚫 🚫 🚫 ⚠️ ⚠️ ⚠️
DO NOT STORE BITCOIN ON A NON AT LEAST 3 MULTISIG WALLET MORE THAN COUPLE OF DAYS IF AT ALL !!!
Better feel safe than sorry ☮️ ☮️ ☮️ ;)
I wouldn't exactly recommend setting your useragent to windows if you're using Linux.
Any competent tracking system will figure out you're using X11/wayland, you telling you're on windows yet your windowing system is from Unix is the equivalent of strapping a giant neon sign to yourself with fireworks going off everywhere with just how unique you make yourself out to be.
If you really want a windows useragent, use an appropriate windows VM of if you're on Linux, my best guess would be to use a Linux Chrome ( not chromium ) useragent.
I don't recommend it but do do it.
How exactly?
It's not perfect. I do not delude myself I'm untrackable. There are many elements to reducing the fingerprint.
It helps to part of a bigger shoal of fish. One small bit of the defense.
My browser lies about useragent, canvas, fonts etc, etc. Third party javascript is blocked except where I allow it.
The web as it appears to me is, for most sites, nothing like the designer of the page intended. Broken by (my) design.
I'll keep my windows useragent and semi functional webpages :D
Returning briefly :P to the topic discussed here. I wanna make it clear I'm not mocking/ridicule people/users who don't know yet that generating their pass randomly they gonna be PROBABLE SECURE but yet with an uncomfortable chance of being PROBABLE INSECURE. Their security will be not more comfortable than Schrodinger's Cat if that can be called comfortable.
I'm just trying to lit a wake up call in those security experts/cryptographers minds to stop promoting randomness and shill it as security.
Our security should not be at fortune's will. If we have a bad day that's not a reason to have a bad password that more likely will cause even more bad days.
Have you thought for a second that while Artix is a security and simplicity-focused distro, it isn't full OpenBSD level cryptography vault level and we aren't even in the right distro (or even unix variation) category for this discussion here whatsoever.
You've explained a lot of theory, but without applying it to something you're just wasting your time.
Study the code of Haveged, rng-tools and create your own entropy generator, or even try to port xBSD's Fortuna to linux, with application of the priciples described by you, and then we can effectively say we're onto something here.
Yeah you have all the right to consider this matter how you feel or know is safe. But because you mentioned Entropy that's only about how long from how many but you see I personally want things to be that simple but unfortunately are not quite like that. There's not only about how long (S) from how many (T) but also how many of this and how many of that. It's like a recipe. If we put too much water into a soup will be tasteless if we put too little were not gonna have a soup but a gravy etc.
Even if it sounds ground breaking I'm pretty sure that the guys/devs could fix this in a matter of couple of months and I even theorize that eventually were gonna gain some performance boost if this method is widely accepted.
My 'standard' if I can call it that way is assuring we will never have a lower than a certain threshold security strength and that threshold will simply rule out any possibility of an easy way out for a hacker.
I'm thinking for example about a server that is almost always up and so a hacker has all the time to simply guess what's happening inside kernel/memory and so on. Having a random based security it means he can just try those couple of low guard variants and he can either buffer overflow or exploit or send crafted packets or try other vulnerability that derive from those low guard (guessable ) variants.
What's the first string a cracking tool tries? 1234567 etc It's going from easy to hard. Well my method enforces to start from hard cos if they start from easy they will have ZERO hits. Even if we are talking about memory pointers passwords kernel randomness etc
'No Easy Way Out' that's what we need when kernel allocates memory to processes, pids or whatever is been doing randomness wise.
> Study the code of Haveged, rng-tools and create your own entropy generator, or even try to port..
@Hitman that's a super cool idea, I'll be looking into it but my coding skills are not matching my expertise in probabilities, however I'll be
trying. And thank you very much for your suggestion it's greatly appreciated 👍 😉
1234567 therefore becomes the best password under your system as you'll be checking it last 8)
Yeah I'll be checking that last but not because it looks very familiar but because it belongs to the no rep. B. 11111..etc so I wouldn't
mess around with that B, no sir thank you very much 🫣
If I would be a cracker I think I would crack some indecently complicated strings for the eye of a normal user those with a lot of
repetitions and i mean a lot 🍟. Every cracking tool tries easy cakes first and when the brick wall of gillion variants starts all hacky
wacky gonna rage quit and hide under their beds..😹
But to see how fun math can be when the S=T one of the weakest B is that with no rep. but again if and only if S=T.
Numbers are incredible slippery, one wrong move and it gonna cheat on you 😵
Next time I'm gonna be showing how weaker and weaker the strength of a password becomes while is being brute forced. But I wouldn't call it brute force but brute-guess-force. And yeah brute-guess-force indeed may pose a threat.
(https://i.postimg.cc/DZq6sNvf/640px-Schrodingers-cat-svg.png)
Show me,
you don't have to do anything more than post the content [Reply #35] (https://forum.artixlinux.org/index.php/topic,4690.msg31434.html#msg31434) of you-may-begin.gpg.zip (https://forum.artixlinux.org/index.php?action=dlattach;topic=4690.0;attach=2394) here.
Took this (https://www.ipvoid.com/password-generator/#custom) dumbness generator. Generated couple of randumb pwds
Choose from a T=94 a short S=8 (the minimum requirement found often on websites)
Calculation shows that in this case repeating even only one char you basically dump 73% of the total possible variants and blend only
inside a more crackable minuscule ~15% pile, the other even worse variants COMBINED have around 12% . But because 12+15=27%
users will have a huge 'chance' 27% of having a pretty low quality pwd.
This is because, when we speak about a short S (string) and when we have a generous T (total chars) the difference between rep
pile size vs no rep pile size is humongous.
(https://i.postimg.cc/y6ngVw5j/Screenshot-2023-01-24-20-17-18.png) (https://i.postimg.cc/CKjCJcK2/Screenshot-2023-01-24-19-27-02.png) (https://i.postimg.cc/KzpkxWv4/Screenshot-2023-01-24-21-00-52.png)
Highlighted in blue random string belongs to a 15% only pile. The other strings are ok. This is a classic example of how TO NOT generate a pwd.
If you take any other randumb generators all they fall in the same pit of mathematical lack of common sense.
This is one of probably many examples when indeed even talented programmers are in the woods when they are not backed by some pretty basic math.
I'll come back with that promise showing next hopefully how strength of a pwd degrades while blasted with guess-force. And why brute force is bs. Stay tuned ☮
lol,
(95^1) + (95^2) + (95^3) + (95^4) + (95^5) + (95^6) + (95^7) + (95^8) + (95^9) + (95^10) + (95^11) + (95^12) + (95^13) + (95^14) + (95^15) + (95^16) + (95^17) + (95^18) + (95^19) + (95^20) + (95^21) + (95^22) + (95^23) + (95^24) + (95^25) + (95^26) + (95^27) + (95^28) + (95^29) + (95^30) + (95^31) + (95^32) + (95^33) + (95^34) + (95^35) + (95^36) + (95^37) + (95^38) + (95^39) + (95^40) + (95^41) + (95^42) + (95^43) + (95^44) + (95^45) + (95^46) + (95^47) + (95^48) + (95^49) + (95^50) + (95^51) + (95^52) + (95^53) + (95^54) + (95^55) + (95^56) + (95^57) + (95^58) + (95^59) + (95^60) + (95^61) + (95^62) + (95^63) + (95^64) + (95^65) + (95^66) + (95^67) + (95^68) + (95^69) + (95^70) + (95^71) + (95^72) + (95^73) + (95^74) + (95^75) + (95^76) + (95^77) + (95^78) + (95^79) + (95^80) + (95^81) + (95^82) + (95^83) + (95^84) + (95^85) + (95^86) + (95^87) + (95^88) + (95^89) + (95^90) + (95^91) + (95^92) + (95^93) + (95^94) + (95^95) = ?
If you are not able to post the content of you-may-begin.gpg.zip (https://forum.artixlinux.org/index.php?action=dlattach;topic=4690.0;attach=2394) here, you don't need to come back. ;)
@lq yeah length is important. However guess-brute-forcing it with some cluster of supercomputer, well there's chance
@lq will be sad 😭.
Switch to standards described above ✅ and your chance of being sad will even more diminish .
Skipping to the serious jazz, had some more fun. In case some still have appetite to GRC their pwds.
(https://i.postimg.cc/dtyj6VzP/grcc.png)
Webpage GRC (https://www.grc.com/haystack.htm)
If anyone see any errors or have any question, of course feel free to jump into discussion.
PS: still didn't had enough time for the promise but it will come no worries. 😎 ☮️
Ok, i'm back. Why brute force is not as good as guess-brute-force.
This is the general formula
(https://i.postimg.cc/k5fbx7y6/Screenshot-2023-01-30-17-29-22.png)
where
Pcrack% - cracking probability, percentage
T - total possible variants (here we already saw we simply can't blend our string inside n^k because that big pie
we all want breaks down in smaller chunks so no matter what we want we're gonna be inside a smaller pile
t - target string number (in general we have 1 string so t=1)
n - number of guesses
The above formula is generic and doesn't take into account we successively try guessing even if we took n (number of guesses)
into some consideration but not all.
To catch this aspect rigorously into our formula we will have to multiply the odds exponentially ^n because a probability X to happen
twice in a row has to be multiplied (i.e to roll 6 with a dice successively we would have (1/6)^2 which approx is 2.7%, to roll 3 times in a
row we will have (1/6)^3 which is ~0.46% very low probability)
So we saw probabilities somehow can be linked together and the more n's we try the higher the probability to crack a pwd. So
our formula will look more accurate like this
(https://i.postimg.cc/63xWV0K7/Screenshot-2023-01-30-20-16-05.png)
Tu - Total unfavorable variants or Tu = T-t (despite being almost equal with T, once things get exponentially multiplied that small
difference will eventually start taking a huge toll. The more n (guesses) the higher the cracking probability
This formula is valid IF AND ONLY IF we try to guess our target string but becomes inaccurate in case we
programmatically/methodically search for the target string. That's because when you go outside random events you can't expect
probabilistic laws to work the same.
Another draw back of brute-force vs guess-force is that the first need to keep a record of what has been checked or what still needs
to be checked while guess-force is much FASTER and needs only checking if the current guessed string matches the target hash.
In conclusion we saw the exact odds percentage of having our string cracked and why brute force is dumb vs guess-force.
One of the fastest Supercomputers can check with a rate of 10¹⁴/second (100 petaFLOPS).
If we multiply that by 31.536.000 (seconds in 1 year) in ten years we could check about 3,1536×10²² and that means we mapped
every possible variants of a 11 char long string or everything equivalent.
If we could keep both factors into account, keeping track what's being checked and randomly blasting in our search for the target
string, our cracking odds will improve even more. Cos n (guesses) will appear once more in our formula.
(https://i.postimg.cc/25TKxQPk/Screenshot-2023-01-30-20-42-34.png)
Feel free to ask or correct any errors. Things were pretty much verified and reviewed at this stage but who knows 🧐
Enjoy 8)
Yeah, just looked over github to see that Haveged project. The main dev idk exactly who he is (in the sense of his mathematical
background) but his project from what I read it based on the same OBSOLETE principle, HARVESTING entropy and
RANDOMNESS to the moon and back.
Entropy (or bits of entropy) are just insufficient indicators of a string strength. And what I've extensively demonstrated is that uniqueness
alone is not the pinnacle of security nor randomness that erroneously is paired with a 'BETTER'' entropy. Entropy (random
generated or not) doesn't tell the full story.
If I would request or issue a bug to the Haveged project I would literally demolish the whole project cos this would not fit into what we know
to be a hard fork it's a totally different 'planet'
Haveged project might be good from the implementation/quality of code point of view but from mathematical point of view is flawed.
About a generator, yeah I'm on it 🫡
If I were a forum admin I would lock the thread, ban the TO and make sure that he would have no chance to come back for the next 10,000 years.
Why haven't you then ?
When you say "totally different planet" I'd agree but in a very different sense.
@gripped Shuf or random commands are good enough to produce parts of the string if we talk about a pwd or a 40 bits of Entropy required by a hardened kernel. The thing is we need after generating those in a random fashion to tailor them to fit the mathematical principles in order to have really hard to guess strings. The way we have them today shows a lack of understanding basic math and more precisely in the combinatorics field.
I don't think we have to be on different planets but definitely a huge amount of people must wake up from the randomness safe heavens mirage and land on the math planet and not swimming on the coding for the sake of coding planet. People started to code to make life easier not harder.
The problem is not even that complex, I would call it mixed arrangements cos there are some elements that repeat some don't so those can't be counted exclusively by these two formulas A(n,k) or n^k n and each string has its own way of being accurately calculated.
The fact that we got used to think how random things 'cook dinner and make our beds in the morning' is not my fault but those who engaged in such baseless or insufficiently math backed statements. But I would ask anyone who's still in doubt, would you rather choose random standard and have 1/10k 'chance' to plane crash or choose my standard and have 1/1trillion. In real life we can't avoid some inevitable bad lucks but in digital world these accidents can be completely ruled out but there's a catch.
We can rule out those weak (low guard how I like them to call) vulnerable to guessing strings but if by some miracle a hacker (
@lq got triggered) is so lucky that can guess even those longer strings what can I say, lucky him...or good luck 🍀 with that.
No matter if Gripped gets gripped again or lq doesn't have an iq or me being the Big Foot, Yeti or a green little martian with a peanut brain, things are the way I've presented no matter if we like it or not and can be debunked only thru MATHEMATICAL means not thru swears jokes, curses, voodoo, referendum, coin flips, raffles or sending anybody on Mars or other even more exotic planets or places.
Any jokes etc etc will count as a loss. If anyone has some real math balls of steel please step forward and start debunking (good luck with that too)
And like always, enjoy 8) ;)
You're missing the point still.
If you are so sure of your theory go and discuss it with folk who are capable of debunking it fully. And possibly even interested?
Places where you'll find experts in the subject with 'some real maths balls of steel'.
Create your haveged issue and demolish the project. Enjoy 8) ;)
I'm going out on a limb here but I don't think anyone here is interested? Or if they are they're not really engaging with you.
In my option the best thing to do going forward is to put your theories into code.
Once it is coded then the users of your application will be able use the better security offered if you are correct in your line of reasoning.
While I did find a few posts mathematically interesting, it is not something I want to dive into.
I think the chances of this esoteric subject of another Artix user to get into mathematic proofs would be extremely low.
An university, encryption or similar technology forum would be better suited for these detailed math discussions.
PS: I find the personal jabs/jokes/attacks sprinkled through this thread to be in poor taste.
I did try to look up some of the concepts here, and found some suggestions that the best password scheme is to use random passwords but minus "obvious" ones like those appearing in hacked password lists and dictionaries and so on. The concept of "pure randomness" does seem to be acknowledged as lacking, if you fail to filter out the "abc123" "my-pa55w0rd" and similar results that are possible to randomly procure. But does this relate to hashed strings, which is the way almost all passwords are stored? Have you found evidence that they are somehow more predictable or obvious if they do not fit your criteria?
$ echo "123" |sha256sum
181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b -
$ echo "124" |sha256sum
ca2ebdf97d7469496b1f4b78958f9dc8447efdcb623953fee7b6996b762f6fff -
$ echo "38r@ywf%o6u?" |sha256sum
d6f717645c7f437e8b38a426c782105d0c43f5e8762037ebd1718065a9a1ba5c -
$ echo "111" |sha256sum
1fc917c7ad66487470e466c0ad40ddd45b9f7730a4b43e1b2542627f0596bbdc -
$ echo "222" |sha256sum
8f8eea956d0ea50d6442fdab213326f75bb6f584268b0795ad452faa85db5f9d -
Regardless of the strength of the initial password, it apparently results in the same length hash that is equally unclear as to it's origins unless you try and guess the initial one and compare the hash. If you have indeed found some weakness in the hash values from certain passwords, then that must be a flaw in the hashing algorithm which would be especially interesting. ;D
lol,
entropy or chaos is not static, as you keep repeating, but dynamic and that's why your imaginary hacker can't guess anything.
Because you asshole don't want to understand that, the discussion is over for me.
If a string is vulnerable (weak) its hash is vulnerable (weak). Nobody would bother reverse engineer the hash algorithm itself since it can search for unfortunate random easy cakes that produces easy hashes. And all hashing algorithms have collisions that basically means instead of 1 solution (hash) there are 2 or 3 depending on the algorithm. So when adding to the party the hash algo instead of complicating the problem it makes it easier as a hacker doesn't care it really broke your unique hash or its doppelganger derived from a different string and not yours.
And speaking of random again maybe you guys can throw a look into this ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization#Effectiveness)
and this reducing entropy (https://en.wikipedia.org/wiki/Address_space_layout_randomization#Reducing_entropy)
"In many systems, 2^N can be in the thousands or millions; on modern 64-bit systems, these numbers typically reach the millions at least, Hector Marco-Gisbert and Ismael Ripoll showed in 2014 how to bypass the ASLR in 64-bit systems in less than one second under certain circumstances.[5] For 32-bit systems at 2004 computer speeds which have 16 bits for address randomization, Shacham and co-workers state "... 16 bits of address randomization can be defeated by a brute force attack within minutes"
This was back in 2014, 9 years later I guess they found even better ways of sneaking thru our random 'safe heavens'
True randomness has always been a concern since the first computer was created.
Nothing can beat the randomness of swirling cooling hot liquid.
I think that most of the stuff encrypted can be broken with the right tools and powerful enough system.
It all boils down to just a matter of time to get it cracked.
The best one can do is try to minimize the foot print for attack by using different user names and accounts that are not linked together in any fashion so if one breaks one is not completely exposed.
Personally all the breaches in my information security have been the result of the major companies and government databases being cracked and not from my passwords being hacked.
So here's the latest development on the realm of patterns in case anyone missed new things I've 'cracked'.
Because it looks like things do not scale the way I've deduced. Was a deduction not a demonstration even if it made a lot of sense
So things get more nuanced. And the place they nuance the most is where the string length S = T (T is total pwd ingredients used)
Pattern variant calculations seem to scale as follow, deduced from crash testing strings. When I say crash testing I mean generating
their brute arrangements and verify how it matches deductions, and there are mixed results.
So starting from 3x3, 4x4, 5x5, 6x6, 7x7 and have to see If my machine can resist a 8x8 or a 9x9 string crash test
would be awesome 😄
The results are as follow
3x3 (abc) best pattern is 21 match deduced formula A[T,(S-1)]*3(S-2)
4x4 (abcd) 211 match deduced formula A[T,(S-1)]*3(S-2)
5x5 (abcde) 2111 doesn't match but still best pattern deduced thru crash test
Now here starts the funny part
6x6 (abcdef) best pattern is claimed by 2211 no longer 21111 as previously thought
7x7 (abcdefg) 22111 no longer 211111
8x8 (abcdefgh) not yet crash tested but it may preserve 221111 and no longer 2111111
Now when 9x9 (abcdefghi) there's a big chance were going to see a 222111 for the best bbp
If this squeeze of a 2 inside best patterns every 3 (T x S) when T=S (key aspect! T=S) remains constant we can deduce or even
demonstrate a formula but now there's a question how we can be sure when 'reach' these out of touch strings like 94x94 (T=S=94)
if we wouldn't see some best patterns like 44433322211111 etc
When T is significantly bigger than S there are slim chances for a better patterns than that wit ONE rep char. i.e. 2111111
I'll try next to crash test a 8x8 and a 9x9 to see if best patterns gonna kick another 2 in or not or even a 3 who knows
If we can somehow obtain a mathematically working formula for these mixed arrangements thru which we can determine accurately
the exact way these patterns and their corresponding variant number scale we would be real scientists. 😛
Got news again. I'll be short and eventually will update. Here's the catch. Those ONE rep. strings have a weakness in fact, all have but we just need to crack their secrets. So the thing is as follow and checked + double checked. For the first factor I've nailed it from the start it's A[T,(S-1) but second is not as straight forward cos belongs to a so called recurrence relation not a 1st degree equation, more accurately these kinda sequences are called triangle sequence. So here is the way a ONE repetition string scale its variant numbers, , the general formula:
A[T, (S-1)] * [S*(S-1)]/2 S≥3
So let's say we have a 7 long string and ONE repeats like i.e. aabcdef will match 211110 bbp,
let's say we have 10 total elements T=10, S=7
A(10,6) * [S*(S-1)]/2) = (10!/4!) * [7*(7-1)]/2 = 3.175.200
while NO rep
A(10,7) = 604.800 meaning about 5.25 smaller
Other bbp have different sequence of course but they tend to have a higher amplification factor but there isn't that much to amplify like in the ONE rep. strings. When tend to reach symmetry like for a 10x10 string where T=S=10 the bigger bbp will have not ONE but more char that repeat, have to determine their sequence
Factorials tend to land on these recurrent relations.
I'll try to reverse engineer a 221110 to find their sequence, at first hand they seem to like bigger amplification factor like 15/45/105
Instead of a 3 it start straight up with a 15 but loses big time from its first factor
EDIT: done it deduced properly the sequence for a 221..like bbp
A[T,(S-2)] * S!/8((S-4) S ≥ 5 cos 2+2+1 has to be at least 5
As a conclusion I've greatly underestimated the amplification factor these multiple twos like bbp ca give at the right S length not just always
As a change the ONE rep 211..like bbp becomes more powerful than a NO rep 111.. bbp much earlier that previously though at S=14
not at 25. It looks like once string length S is increased closer to T we tend to have an even amount of TWOS and ONES.
Still the previous conclusion of undesirable RANDOM generator holds the line as NOTHING can guarantee generating a weak string.
Repetitions are good in certain amount but NOT with a GRC level repetition .
So there's a moment when you have to have a 2, another longer string to have double 2, triple 2 and so on
EDIT2 : In the meantime bellow are couple of formulas specific for each bbp. I'll add more once I 'crack' them.
T,S ∈ ℕ , T ≥ 1 , S ≥ T
A(T,S) 1...........1 NO repetition string S ≥ 1
A[T,(S-1)]*S!/2(S-2)! 21.........0 ONE rep. S ≥ 3
A[T,(S-2)]*S!/8(S-4)! 221......00 TWO reps. S ≥ 5
A[T,(S-3)]*S!/48(S-6)! 2221...000 THREE reps. S ≥ 7
Edit3: Added the so called universal formula that gives the shear number of variants for any T of any S for any amount of twos from 1 to infinity. This is the most numerous/predominant/relevant bbp. Other bbp with threes, fours or fives at very best can equal if at all those with twos but never exceed them. See print screen bellow the GOLDEN formula
(https://i.postimg.cc/8PMdCYnX/vchcjkhg.png)
Now after the decisive help from Artix devs and community primarily
@nous and
@replabrobin I've managed to have a script derived from the above universal formula found by myself 8) And I'm gonna use an example and put the script bellow. So to use this script you have to feed it 3 values. Two of which generally will be the same and the 3rd will be used to sample different values to determine what the string needs to have. So if we have a T=94, an S=63 and an n=3 (meaning testing the result when we have 3 reps like this, 2221111111....)
We will feed the perl script script like this:
./count.pl 94 63 3
the e+122 means 10^ in this case 10^122
We will try multiple values of n till we get the highest possible value vs that when n=3
After we reach some maximum value if we still increase n, the value will start falling meaning we already found the best value of n for that particular T and S see print screen
When T=94, S=63, n=3 we will have ~ 3.75×10^116 222111111111111 ...till reach 63
When T=94, S=63, n=14 => 1.22×10^122 (best possible) 222222222222221 ...till reach 63
Total possible is 94^63=2×10^124
A string that belongs to the 2nd pattern in this examples has ~ 325.294 more variants than the 1st, yes 325 thousand times stronger than the 1st
(https://i.postimg.cc/L8cpz099/Screenshot-2023-04-08-17-28-16.png)
And here's the perl script, currently doesn't accept n=0 but you can improve it if you want or wait till I figure it out ;) Of course first make the script executable
#!/usr/bin/perl
use strict;
no strict 'refs';
use warnings;
use 5.36.0;
die "Usage: $0 <T: total elements> <S: pass length> <n: number of twos>" if $#ARGV < 2;
our ($T, $S, $n) = (int $ARGV[0], int $ARGV[1], int $ARGV[2]);
for (qw/T S n/) {
die "$$_ not a positive integer" if !($$_ > 0);
}
die "Not T>S" if ($S > $T);
die "Not n<S" if ($n > $S);
die "Not S-n<T" if ($S-$n > $T);
die "Not 2n<S" if (2*$n > $S);
my $Z=$S-$n;
my $k=2*$n;
# T! / (T-Z)! * S! / [(2^n) * n! * (S-k)! ]
say fact($T)/fact($T-$Z)*fact($S)/((2**$n)*fact($n)*fact($S-$k));
sub fact {
return 0 if (my $f = shift) == 0;
my ($i, $p) = (1, 1);
$p *= $_ foreach ($i++ .. $f);
return $p;
}
Rather big step forward in this project. Managed to deduce a formula that gives the result no matter what we have twos/threes/fours etc. However did not deduced yet a mix between them like 3322211 or 43111 etc . But for now any mix like 2211 or 33111 or 44411 555551111 271111 etc bellow formula can accurately give the exact result. For this another factorial parameter m stepped in (m!)
m it's the value that shows up in the bbp i.e. for 22222211111 our m =2! for 444441111111 etc our m=4!
The goal is to deduce a formula that covers every possible mix of patterns not only between m and ones.
The challenge is that for something like 54321...its S=15 is huge. To deduce that there' need to crash test a 15x15 which implies a supercomputer unless this can be deduce thru a mathematical demonstration.
I'll make a python script that asks for m along T, S and n but here's the formula.
(https://i.postimg.cc/RZxfRbH6/uygfkfgkg.png)
EDIT: While working on the python script the Z (zipped string length) can be calculated as follow
Z = S-n(m-1)
this is because Z parameter value changes as a function of S, n and m
Edit2: Here's the python script. If it throws an error (negative...) it's because for that S, you choose either an m or an n that exceed the S value. S can not be smaller than m or n amount etc. Final result gives 2 formats (integers, the most accurate and decimal format) for the ease of result evaluation
# Online Python - IDE, Editor, Compiler, Interpreter
T = int(input("T: "))
S = int(input("S: "))
m = int(input("m: "))
n = int(input("n: "))
Z = int(S)-int(n)*(int(m)-int(1)) # S-n(m-1)
k = int(m)*int(n)
import math
a = math.factorial(T)
b = math.factorial(T-Z)
c = math.factorial(S)
d = math.factorial(n)*math.factorial(m)**n*math.factorial(S-k)
e = int(a)*int(c)
f = int(b)*int(d)
g = (e/f)
print(g)
print(int(g))
Well, guess what guys, I've done it. Found the Universal formula for Mixed Arrangements. This formula can accurately calculate the exact amount of possibilities a certain bbp has, no matter how many elements repeat or not or in which way. This eventually can be used to evaluate the quality of any string random generated or not. The quality of a string is higher when its backbone has a bigger amount of variants that can be built on the back of that same particular pattern. But let's dive into the deepest possible rabbit hole of the arrangements.
(https://i.postimg.cc/90tV8BpN/Screenshot-2023-04-24-01-25-56.png)
The 'm' is the repeating element. If an element repeats 5 times m5=5
Depending on the mix of repeating elements we will have different 'ems' i.e. m5=5, m3=3, m2=2 when we have a bbp like 53211111...
(note we can not have an m=1 as that it's not a repeating element, m can be either 0 meaning no repeating element or from 2 and up)
m symbolizes we have reps in our string bbp
Depending on how many 'ems' we have into the string were gonna have their corresponding ''ens' i.e. m5 has an n5, an m3 has an n3 an m2 has an n2 etc
(note that n can be 1 as that indicates that an m5=5 shows up only once so n5=1 if m5 shows up 5 times m5 will have a corresponding n5=5
Gonna take a bigger example:
Let's take this bbp 66 5 44 3 2222 111111
We will have m6=6 and n6=2, m5=5 and n5=1, m4=4 and its n4=2, m3=3 and n3=1, m2=2 and its n2=4 (no m1 to be considered)
When we have no 'ems' we can consider m=0 and n=0, basically the formula will fallback on simple arrangements
Z - is zipped string length from above example Z=16 (bbp has 16 digits)
S - unzipped string, or the length of the pwd here S=6+6+5+4+4+3+2+2+2+2+1+1+1+1+1+1=42
T - total elements considered to choose from i.e. T=94 (a-Z, 0-9, symbols ; 26+26+10+32=94, without space symbol)
S ≤ T
K=m*n
The last factor (S-k2-k3..)! can be calculated much simple as follow. Subtract from string length S=42 any repeats 42-6-6-5-4-4-3-2-2-2-2=42-36=6 (we do not subtract from S any 1 but repeats only) Now let's try calculate how many strings this bbp has 66 5 44 3 2222 111111 T=94 S=42 Z=16
A(94,16)*42!/(6!)^2*2!*(5!)^1*(4!)^2*2!*(3!)^1*(2!)^4*4! = 9,6×10³⁰ × 5,9×10³³ = etc..
I'll get done a python script that will do all these nasty calc automatically
Some news.
Submitted my mixed arrangements formula on OEIS. The editors there approved it but later on they said was approved by mistake.. :D
Idk how the hell you can approve by mistake such things..Now it has the proposal status.
The formula is checked and ultra checked at this stage there's no error in it.
EDIT: it was approved by 'mistake' twice. Also what I've learned there's no really reject. Is approved or not. Those sequences that are erroneous or don't met certain requirements receive the keyword dumb or are deleted completely which isn't the case. In this case editors did not agree with the Mixed Arrangements title./name given by me. I did not agree to change the name though.
Now manged to put together a python script that calculates:
1 Total number of variants. (in two formats, decimal and integer for better/quicker evaluation).
2 Prints Z, the number of unique elements for that pattern.(zipped string length)
3 Prints the number of possible variants derived from that pattern. (gives two formats, decimal and integer for quick view)
4 Prints the percentage from the total variants (the bigger the better)
When T<S still patterns are ways to sum to S but from T number of factors. e.g. T=3 S=8 patterns can have 3 factors at the most
e.g. 5 2 1 but not 4 2 1 1 cos that belongs to a T=4 not 3.
Now to give an example for T=8, S =8, pattern 33110000 see print screen. When there's no repeating elements in the pattern
just hit enter for ems and for ems (m will be considered 0 meaning no rep. elements in the pattern)
(https://i.postimg.cc/GmwN9bSP/Screenshot-2023-06-13-11-56-31.png)
And here's the fixed script with the help of
@suren EDIT: Added python-mpmath syntax (needs mpmath module to be installed) and changed, 'int' with 'abs' for higher accuracy
print("enter your T and S")
T, S = map(int, input().split())
#T=94
#S=16
J = T**S
print('Total variants T^S:', (format(J, "e")))
print(J)
print("your ems")
print("insert your ems, e.g. 5 4 3 2")
array1 = list(map(int, input().split()))
print("insert your ens e.g. 4 3 2 1")
print("your ens")
array2 = list(map(int, input().split()))
# Resize the arrays by filling with zeros
array1 = array1 + [0, 0, 0, 0]
array2 = array2 + [0, 0, 0, 0]
m7, m6, m5, m4 = array1[:4]
n7, n6, n5, n4 = array2[:4]
ens = int(n7) + int(n6) + int(n5) + int(n4)
kmn = int(m7) * int(n7) + int(m6) * int(n6) + int(m5) * int(n5) + int(m4) * int(n4)
Z = int(ens) + (S - kmn)
#print(kmn)
print('Your Z is:', int(Z))
import mpmath
# Set the desired precision
mpmath.mp.dps = 1000
a = mpmath.factorial(T)
b = mpmath.factorial(T-Z)
#print(b)
c = mpmath.factorial(S)
p = mpmath.factorial(n7)*(mpmath.factorial(m7))**n7
o = mpmath.factorial(n6)*(mpmath.factorial(m6))**n6
j = mpmath.factorial(n5)*(mpmath.factorial(m5))**n5
w = mpmath.factorial(n4)*(mpmath.factorial(m4))**n4
dum = p*o*j*w*mpmath.factorial(S-kmn)
#print(dum)
e = abs(a)/abs(b)
f = abs(c)/abs(dum)
#print(f)
g = abs(e)*abs(f)
#print(format(g, "e"))
print(int(g))
#print(f"{e:,}")
h = g/J
l = h * 100
#print(l, '%')
#print(l,"% from total variants T^S") EDIT:
Discussion about this topic moved here on github (https://github.com/jirka-h/haveged/issues/79)