Actuarial Outpost
 
#1
08-08-2017, 04:00 PM
Gonzo
Passphrase vs password

they say the passphrase is orders of magnitude more secure, but is it really?

http://gizmodo.com/the-guy-who-inven...now-1797643987

sure, if you use brute force to crack a passphrase. but won't they come up with more elegant methods to crack a passphrase? combinations of most used words, use words from the lyrics of the top 1M songs/movies/plays?

#2
08-08-2017, 04:26 PM
Gonzo

here's the cartoon in the article:

#3
08-08-2017, 04:27 PM
Incredible Hulctuary

The passphrase must be truly random words to be secure, otherwise if the words are correlated it greatly narrows down the universe of possibilities that an attacker needs to test.

It also helps if some of the words are slightly misspelled or have mixed case.

The main benefit of passphrases is that it's easier to remember random words than a string of random characters with equal strength.

For example, 5 words randomly chosen from a dictionary of 10,000 words gives you 10,000^5 = 10^20 possibilities. To meet or exceed that with random characters from a typical US/English keyboard you'd need 11 characters, which is generally harder to memorize than 5 words.
__________________
A lot of people are afraid of heights; not me, I'm afraid of widths. - Steven Wright

#4
08-08-2017, 04:38 PM
Gonzo

Quote:
Originally Posted by Incredible Hulctuary
The passphrase must be truly random words to be secure, otherwise if the words are correlated it greatly narrows down the universe of possibilities that an attacker needs to test.

It also helps if some of the words are slightly misspelled or have mixed case.

The main benefit of passphrases is that it's easier to remember random words than a string of random characters with equal strength.

For example, 5 words randomly chosen from a dictionary of 10,000 words gives you 10,000^5 = 10^20 possibilities. To meet or exceed that with random characters from a typical US/English keyboard you'd need 11 characters, which is generally harder to memorize than 5 words.

i agree that a passphrase is more secure. what i'm questioning is the brute force method of cracking them, and using that as a measure of how secure it is.

#5
08-08-2017, 04:53 PM
Incredible Hulctuary

Quote:
Originally Posted by Gonzo
i agree that a passphrase is more secure. what i'm questioning is the brute force method of cracking them, and using that as a measure of how secure it is.

If you use a valid sentence like "my horse eats purple eggs", that falls into the grammatical pattern of "my [noun][verb][adjective][noun]", which is a pattern likely to be tested by a grammar-aware intelligent attacking program.

That's why you're supposed to use a random passphrase, so attempts to use intelligent methods of cracking them will be no faster than brute force -- a passphrase made up of random words doesn't let the attacker benefit from predictable grammatical characteristics such as "verb follows noun" and "noun follows adjective".
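
The arithmetic from posts #3 and #5, as an added example that is not code from anyone in the thread: it compares the search space of five uniformly chosen words with that of the sentence shape "my [noun][verb][adjective][noun]", and finds the random-character length needed to match five words. The part-of-speech split of the 10,000-word dictionary and the 94-symbol keyboard alphabet are assumptions.

```python
import math
import secrets

DICT_SIZE = 10_000      # dictionary size used in post #3
KEYBOARD_CHARS = 94     # assumption: printable ASCII symbols, space excluded
# Assumption (constructed split, not from the thread): how the 10,000 words
# divide by part of speech.
POS_COUNTS = {"noun": 5_000, "verb": 2_000, "adjective": 2_000, "other": 1_000}


def space_random_words(n_words, dict_size=DICT_SIZE):
    """Candidates to cover when every word is chosen uniformly at random."""
    return dict_size ** n_words


def space_template(template, pos_counts=POS_COUNTS):
    """Candidates for a fixed grammatical shape, e.g.
    ['my', 'noun', 'verb', 'adjective', 'noun']; literal words count as 1."""
    total = 1
    for slot in template:
        total *= pos_counts.get(slot, 1)
    return total


def min_random_chars(target, alphabet=KEYBOARD_CHARS):
    """Shortest random-character password with at least `target` candidates."""
    length = 0
    while alphabet ** length < target:
        length += 1
    return length


def generate_passphrase(wordlist, n_words=5):
    """Pick each word independently with a CSPRNG so no slot predicts another."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rand = space_random_words(5)
    sentence = space_template(["my", "noun", "verb", "adjective", "noun"])
    print(f"random 5 words: {rand:.1e} ({math.log2(rand):.1f} bits)")
    print(f"sentence shape: {sentence:.1e} ({math.log2(sentence):.1f} bits)")
    print(f"shrink factor : {rand // sentence:,}")
    print(f"random chars needed to match 5 words: {min_random_chars(rand)}")
    # Constructed 8-word list for demonstration only; use a large list in practice.
    demo = ["horse", "purple", "eggs", "anvil", "orbit", "lemon", "quartz", "fiddle"]
    print(generate_passphrase(demo))
```

Under the assumed split, the sentence shape leaves 10^14 candidates against 10^20 for five independent words, which is why the strength estimate only holds when the words are actually drawn at random.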

#6
08-08-2017, 05:14 PM
Gonzo

Quote:
Originally Posted by Incredible Hulctuary
If you use a valid sentence like "my horse eats purple eggs", that falls into the grammatical pattern of "my [noun][verb][adjective][noun]", which is a pattern likely to be tested by a grammar-aware intelligent attacking program.

That's why you're supposed to use a random passphrase, so attempts to use intelligent methods of cracking them will be no faster than brute force -- a passphrase made up of random words doesn't let the attacker benefit from predictable grammatical characteristics such as "verb follows noun" and "noun follows adjective".

yes, but like 90% of the computer using population, when asked to create a passphrase, will use some predictable form

#7
08-08-2017, 05:20 PM
Maphisto's Sidekick

Quote:
Originally Posted by Gonzo
yes, but like 90% of the computer using population, when asked to create a passphrase, will use some predictable form

I predict the #1 passphrase will be: "password password password password"

#8
08-08-2017, 06:27 PM
JMO

Quote:
Originally Posted by Maphisto's Sidekick
I predict the #1 passphrase will be: "password password password password"

or "make secure pass word"

FWIW, my prior password for the AO was "justme"
I wasn't worried about making it secure. But I only disclose it now that I have a completely different password.
__________________
Carol Marler, "Just My Opinion"

Pluto is no longer a planet and I am no longer an actuary. Please take my opinions as non-actuarial.


#9
08-08-2017, 08:35 PM
whisper

Quote:
Originally Posted by Gonzo
but won't they come up with more elegant methods to crack a passphrase?

If you use a bad passphrase - yes. Password dictionaries capture some of the harder passwords, and the same idea would work with a pass phrase.

Ideally, you'd use a password locker that has random passwords for most of your sites and a few passphrases that you use for the few sites that you have to enter yourself.

#10
08-09-2017, 08:15 AM
SlowMotionWalter

Quote:
Originally Posted by JMO
or "make secure pass word"

FWIW, my prior password for the AO was "justme"
I wasn't worried about making it secure. But I only disclose it now that I have a completely different password.

Note to self: JMO's pw for the AO is justme1
All times are GMT -4.

