Topic solved
This topic has been marked as solved and requires no further attention.
Topic: Why it's ridiculously dumb having a 100% random password (Read 8091 times)

Re: Why it's ridiculously dumb having a 100% random password

Reply #15
 
It's quite simple: if a cracker starts his toys from easy to hard he's gonna have a bunch of hits. If he starts from hard to easy he's losing his time and more often than not gonna have 0 hits. And guess what, your random stuff fell rather in the easy category vs mine.

Hiding your password in an easy to guess (probabilistically speaking) spot, thinking simply he does not know your backbone cos it's random, doesn't hold.

First, random generators spit out rather the same patterns over and over (see the print screen, the red square), therefore they are pretty predictable.

A 63 long string from 94 total chars has 94^63=2,02793848362086089381×10¹²⁴ and this is the exact number, not approximate. Unveiling your pattern is not gonna make any hacker happy if it's 24|18|18|3, but if you tell your jazz is random and 20 long and you hide 1000 bitcoin with that, thinking your pupper random pass can do wonders, yeah, right.

123456 is random too  :D   ;)





Re: Why it's ridiculously dumb having a 100% random password

Reply #16

Look, 100% randomly generated, and 1|11| is nowhere to be found even if it's the strongest.



Those patterns with a 1 and a 2 each have only 192 vs 384 (those with 111).

Not to mention one variant (bfc) happened to repeat  :D  ...random stuff.

The reason those 2|1|0 like patterns show up more often is because there are 6 of those, 6*192=1152, but as a stand alone it has only 192.

It even produced one stinky 0|3|0 and that's to be expected when you rely 100% on randomness. And that is not because it doesn't come from a perfect cosmic random noise source, like those baseless nickel head 'experts' might think. Random = surprises, and not always pleasant ones.

There's a poor understanding of what the term random really means.




Re: Why it's ridiculously dumb having a 100% random password

Reply #17

And if anyone still has any doubts it's time to check this last overkill proof. I'm gonna be marking this as solved.  :D  8)


Re: Why it's ridiculously dumb having a 100% random password

Reply #18
And if anyone still has any doubts it's time to check this last overkill proof. I'm gonna be marking this as solved.  :D  8)
While this is very interesting and laudable work, let me interject if I may. Nobody can remember such a complex password, let alone rows of them (unless of course we're talking about complete schizos). Normies would have to use a password manager and lock it with a password they can memorize. <--- This is the weakest link.



Again, I'm not writing this as bad critique, because it's very interesting and solid as a proof-of-concept.

 

Re: Why it's ridiculously dumb having a 100% random password

Reply #19

Yeah lol  :D  it's indeed hard to remember one of those. I'm not having that kind of password as my main password cos I will lock myself out  :D

I was just trying to point out that the idea of linking randomness with security is a bad marriage.

Many things that are supposed to give us confidence about our security (in IT or real life) rely too much on this concept, 'randomness', that eventually some day will "bite us from behind", if it hasn't already bitten some of us.

I'm stunned though to see so many people, and surprisingly not n00bs, singing in large choruses and praising randomness.

Hopefully here we've debunked a myth, and hopefully we will see security experts come back to their senses and re-think security, cos too many things rely on randomness inside our kernels/bitcoin phrases/and what not.


Re: Why it's ridiculously dumb having a 100% random password

Reply #20
 
I'm gonna be nuancing my point of view in a moment cos I reviewed my allegations and found that there's an error in my calculations.  :-[

My other posts in this thread are accurate; again, only my reply nr 17 has math faults in it 😬

Re: Why it's ridiculously dumb having a 100% random password

Reply #21
I'm stunned though to see so many people, and surprisingly not n00bs, singing in large choruses and praising randomness.

Hopefully here we've debunked a myth, and hopefully we will see security experts come back to their senses and re-think security, cos too many things rely on randomness inside our kernels/bitcoin phrases/and what not.
I'm the first to admit that much of what you've written goes right over my head.
My gut, along with the seeming lack of any other research along these lines (quoting you, I haven't looked), still tells me you are wrong.

I'm at an impasse in my brain regarding the fact that if you exclude dictionary attacks and rainbow table attacks (where hashes are available) any password should be just as secure, or insecure, as another.
How long it takes to crack a password will differ from a theoretically expected amount of time, with a certain amount of computing power, based largely on luck (good or bad) as to what stage of the process that specific string is checked against the hash.
And as I've said before, any set of rules that excludes certain strings from being used as passwords only makes the number of attempts needed to check them all fewer for the attacker, if they know of such rules.

Have you brought this up with any 'experts' on any cryptography related discussion boards?

Please note that while I've stated 'I believe you are wrong' that's not the same as me saying 'You are certainly wrong'. I have not even close to the expertise (none!) to make the second statement.
Interesting topic anyway as it's had me thinking and I like that.

Re: Why it's ridiculously dumb having a 100% random password

Reply #22

The problem nuance is as follows, regarding reply 17 that brings complexity through the roof..

Like we saw, GRC's password has only 44 unique elements, meaning => 44^63 variants, but some of those 44 elements repeat and some don't. Those that do not repeat (in that example 28 chars) can be 'downgraded' in terms of variant category from arrangements with repetition, which fall in the x^y category, into arrangements without repetition, which fall in the A(x,y) category with a lower amount of variants.

So to reflect that in our calculation I think we would have to consider the elements that do not repeat (28) as A(x,y) and only those that repeat (16) be calculated as x^y.

We calculate with the juiciest (x^y) if and only if the whole string has repetition, like i.e. 142412 where we see all elements repeat: 11, 22, 44. If not, the string must be considered mixed in my opinion, because if we take a 63 long string and it has only 1 repetition with 62 unique elements it's also incorrect to categorize the whole string as consisting of arrangements with repetition, since we have only 1 repetition.

So we will have only A(28,28) multiplied by (16^16) => A(28,28)*(16^16)=5,62419726410924816021×10⁴⁸

But we need a more accurate calculation than that, cos those variants that form between different types of arrangements are still not caught in the above calculus, but I might have a way to solve that hopefully cos I'm working on that.

So definitely GRC's password can't really have 44^63 but lower; how low, we'll see.

On the other hand our 'Last Stand Password', which indeed has 63 unique elements, can't be calculated as 63^63 either, cos it doesn't have any repetition and so it has to be downgraded to normal arrangements A(63,63)=1,98260831540444006412×10⁸⁷

But still there is a chance to randomly select a string that simply has no repeating chars.

@gripped Yeah, it would be nice to see more math center guys joining our discussion and revealing if they have a better understanding than what we have on this thread.

What I can add more on this is that everywhere I've looked everybody just pulls out of their magic hat this taboo: "a password has to be random", but why, and calculations, they never show. Mathematically they have to prove it, same as I'm trying here to prove them wrong, and till reply no 17 I managed to show exactly that they are wrong.

The only thing I'm not sure of is whether it's preferable or not to have repetitions in a pass. But what can be said with certainty is that the more repetitions we've got, the lower the number of unique elements and the lower the number of variants.
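An exact way to count what reply #22 is approximating, added here as a worked example (not code from the thread): the number of 63-character strings over a 94-symbol alphabet that use exactly u distinct characters, via Stirling numbers of the second kind. Summing the counts over every u gives 94^63, which is the built-in check; the alphabet size, length and the u values 28, 44 and 63 are taken from the thread and assumed.

```python
from functools import lru_cache
from math import comb, factorial

ALPHABET = 94  # symbol count used throughout the thread (assumed)
LENGTH = 63    # password length used throughout the thread (assumed)


@lru_cache(maxsize=None)
def stirling2(n: int, u: int) -> int:
    """S(n, u): ways to split n labelled positions into u non-empty groups."""
    if n == u:
        return 1          # covers S(0, 0) = 1 as well
    if u == 0 or u > n:
        return 0
    return u * stirling2(n - 1, u) + stirling2(n - 1, u - 1)


def strings_with_u_distinct(n: int, m: int, u: int) -> int:
    """Length-n strings over m symbols that use exactly u distinct symbols.

    Choose which u symbols appear (C(m, u)), then map the n positions onto
    them surjectively (u! * S(n, u)).  This is the 'mixed' case that
    reply #22 works on with A(28,28) * 16^16.
    """
    return comb(m, u) * factorial(u) * stirling2(n, u)


def distinct_count_table(n: int = LENGTH, m: int = ALPHABET) -> dict:
    """u -> exact count for every feasible u; the values sum to m ** n."""
    return {u: strings_with_u_distinct(n, m, u)
            for u in range(1, min(n, m) + 1)}


def share_with_u_distinct(u: int, n: int = LENGTH, m: int = ALPHABET) -> float:
    """Fraction of all m ** n strings that use exactly u distinct symbols."""
    return strings_with_u_distinct(n, m, u) / m ** n


if __name__ == "__main__":
    table = distinct_count_table()
    assert sum(table.values()) == ALPHABET ** LENGTH  # partition check
    for u in (28, 44, 63):  # the thread's example values (assumed)
        print(f"u={u}: {table[u]:.6e}  share={share_with_u_distinct(u):.3e}")
```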

Re: Why it's ridiculously dumb having a 100% random password

Reply #23
 
Think I've cracked it man. I need to digest this discovery properly, so this will be just an intermediary review.

So because the problem turned overly complex I needed some trick. And the trick is as follows. Because we can't count them the classic way I decided to use the NEGATIVE way, meaning instead of calculating how many those are we can evaluate how many aren't.

I'm gonna be naming this zeroes counting.

We know some chars may show up more times, and so I took both extremes, where all chars repeat vs no chars repeat:

No chars repeat means => 94-63=31 zeroes
Maximum repeating chars => 94-1=93 zeroes, only 1 char repeats 63 times, resulting in the maximum zeroes possible (i.e. 1111....63 times)
GRC pass sample has 50 zeroes => 94-44=50 (44 being those unique elements, let's call them non zero)

Now I call it the negative method as, instead of looking at their chars and how many repeat or not, I'm looking at what their shadow can tell us. And their shadow is that zeroes amount. More of those zeroes => means more chars repeated in that particular string. Less zeroes, chars not repeating that much. That being said, now the moment of truth...

So a password is characterized by some non zero elements and some zero elements depending on their specifics (here we talk about 94 total elements), so we have:

no char repeats, with the least zeros amount, when all chars differ and their zero shadow is minimum (LSP=Last Stand Pass)
    
LSP shadow A(94,31)=5,48452333326831116119×10⁵⁸ (this is the no. of arrangements those zeroes form in this case)

GRC shadow A(94,50)=4,09050063571205332982×10⁹¹

Only 1 char repeats 63 times: A(94,93)=1,08736615665674308027×10¹⁴⁶ (O1Char aka Only 1 char)

Now you can easily see that the quality of the string is inversely proportional, meaning the bigger the figure of the shadow the weaker the pass. And that we know for sure because we all know there are only 94 of those that have only 1 unique element but repeated 63 times,
i.e. 11111111x(63) or 22222222x(63) or 3333333x(63) till...... 94 94 94x(63)

And now, because we know the order of magnitude of each of those, next is just basic arithmetic.

GRC÷LSP= (4,09050063571205332982×10⁹¹)÷(5,48452333326831116119×10⁵⁸ )=7,4582609775760796521×10³²

But because bigger means bad (being inversely proportional) => let's round it up: GRC's pass is 7*10³² weaker than a Last Stand Pass (with no repeating chars).
 
I'm gonna be reviewing tomorrow or in the coming days and look for any errors, but I highly doubt it.

So in conclusion a random password can be much much worse than even I could have ever anticipated.

We need though mathematicians' second opinions, cos that's how science is supposed to work. I've been studying this probability stuff for quite some time.

Enjoy  8)   ;)




Re: Why it's ridiculously dumb having a 100% random password

Reply #24
So in conclusion a random password can be much much worse than even I could have ever anticipated.

You argue like a snake oil salesman and before you embarrass yourself further I suggest you read up here:

https://www.2uo.de/myths-about-urandom/
"He who can do everything does nothing right" ("Wer alles kann, macht nichts richtig")

Artix USE="runit openrc slim openbox lxde gtk2 qt4 qt5 qt6 conky
-gtk3 -gtk4 -adwaita{cursors,themes,icons} -gnome3 -kde -plasma -wayland "

Re: Why it's ridiculously dumb having a 100% random password

Reply #25
 
Show me the math, man. Calculate and show me mathematically that random passwords are better.

Random passwords are simply not good. The only debate now is whether it is rather better or worse having chars repeating.

You embarrass yourself cos you can't calculate and prove. You can't prove shit..  :D

If you believe in voodoo not math you need to search for a magician. Come back here when you can prove mathematically your embarrassing claim.  ;D

Re: Why it's ridiculously dumb having a 100% random password

Reply #26

If you are such a good calculator, answer the question I asked you in post 5.

You can't do that at all because you don't have a clue!

Re: Why it's ridiculously dumb having a 100% random password

Reply #27
 
Yep, reviewed that shadow thing approach, verified it, and it didn't hold, meaning it's erroneous. Can't see where the error is but for sure it's erroneous cos it failed verification.




Re: Why it's ridiculously dumb having a 100% random password

Reply #28
Personally, I don't have the time or inclination to go to such extremes. There are more things to worry about than I have the capability to resolve in any reasonable manner, and I am 65 years old...so I can likely spend my remaining time on less stressful and more pertinent matters. I realise that security is important...but I want to use my computer in the meantime. "Security" in this day and age, is, in my opinion, mostly an illusion.
I am not dismissing your efforts....but they are beyond my field of view.

Best regards.
We should try to be kind to everyone.....we are all fighting some sort of battle.

Re: Why it's ridiculously dumb having a 100% random password

Reply #29
 
Yeah, it's true it's tedious work, but I don't think some more research hurts, cos I can pretty much see some holes in this area of research and can't blame anybody, cos these huge numbers can get some guys bored. But for the folks out there with a math background it might be interesting.  :D

In the meantime I found a cool python3 script (I'll put it at the bottom) that takes a number, i.e. 63, and spits out patterns, whatever one can find useful. For example, speaking about 24|18|18|3, it's just one out of another 37.820 and there's no way of doing that by hand.

If splitting 63 into smaller chunks, that will give even more numerous patterns, but each of those variants/patterns starts to drop.

And here's the script; it already has 63 long, split in 4 chunks, see this part of the script below: Compositions(63,4):

def Compositions(n, k):
    """Yield every way of writing n as an ordered sum of k positive parts."""
    if k == 1:
        yield [n]
    elif n == 0:
        yield []
    else:
        # pick the last part i, then split the remaining n-i into k-1 parts
        for i in range(1, n):
            for comp in Compositions(n - i, k - 1):
                yield comp + [i]

# 63 split into 4 chunks: C(62, 3) = 37820 patterns, [24, 18, 18, 3] among them
for c in Compositions(63, 4):
    print(c)