Are your passwords as "secure" as you think?

Yeah, anything worth its salt won't allow more than 100 or so incorrect password attempts before locking the account that's being attempted, in which case brute force becomes irrelevant.

I was thinking more of passworded files or password hash tables.
 

Excel Facts

Can you AutoAverage in Excel?
There is a drop-down next to the AutoSum symbol. Open the drop-down to choose AVERAGE, COUNT, MAX, or MIN
Haha - you know you are a computer nerd when.........you laugh at unintended salt puns!

Anyway, I don't subscribe to the view that forcing a password to have at least 1 capital letter and 1 numerical value makes a password more secure. From a brute force perspective this actually makes it considerably less secure. Why? I now know there are many many combinations that I do not need to test. I can eliminate all combinations that have no capital letters or no numerical values. What that value is I haven't yet calculated.

Regarding the 219 years from the article per the original post, it is only 219 years because the password in question starts with the letter 't' and the calculation assumed the testing started at 'a'. So there is not a lot being said about the calculation methodology and the time required would be divided by about 20 for a password that started with the letter 'a' under the same conditions per the article.

Andrew
 
With all due respect, I have to disagree with Andrew about the requirement of using at least one capital and one number making a password less secure, assuming that a 'significant' number of people would use NO uppercase letters or numbers in their password if they weren't required.

Assuming a password of length N:
The set of possible passwords using uppercase, lowercase and numbers has 62^n elements.

The set of all possible passwords consisting of only lowercase letters and numbers has 36^N elements.

The set of all possible passwords consisting of only lowercase and uppercase letters has 52^N elements.

The set of all possible passwords consisting of only lowercase letters has 26^N elements

Thus, the set of allowable passwords has:
62^N - 52^N - 36^N + 26^N elements. (we add the 26^N back in as it's being double counted in the 2nd and 3rd sets)

comparing this to the set of 26^N passwords using only lowercase letters, which I'm assuming is what this requirement is intended to do, we find out (using goal seek, just to keep this relevent to uses of Excel:)) the sets are the same size with n = 2.135755: in other words, so long as there are at least 3 characters in the password, the requirement should, more or less, strengthen "lazy" password choices. And let's face it, there are lots of lazy password choosers out there. (I'll let someone else figure out the percentage of "lazy" choosers there needs to be for this to strengthen the number of possible passwords)

In practice, I'm sure the rule mostly has users choosing passwords in the form Password1, then the next month Password2, etc. Still should make a dictionary type attack a little tougher, at least.

Oh yeah, the thing about nobody ever using a password of 'xxxxxx'? If people have actually called IT helpdesks about where the 'Any' key is on the keyboard, I'm betting that there are quite a few people that think they have to have their password be the same thing as the input mask.
 
Hi Chris

I have no issues with differing opinions. It is interesting to read others thoughts on this.

In saying it made it less secure, my comment was in relation to the option of having other characters, not the perspective of never using them - so the part I disagree with is comparing your reduced number to 26^n.

If I am brute forcing a password I need to test all combinations - if I don't know the construction requirement I need to (potentially) test 62^n combinations. But if I know there must be at least one uppercase character and one digit, then I need to test fewer combinations (as per your post). Again, this is purely from a theoretical viewpoint of testing all combinations.

Otherwise I agree if we knew the password was entirely lower case then yes that is naturally weaker given the smaller character set. I believe not having a forced construction is theoretically stronger (given the larger data set to test), but having it forces people to use something they might not (i.e. people compromise security by not utilising the full character set available).

From memory, there were forced constraints on the Enigma machines in WW2 that resulted in fewer combinations needing to be tested (I think it was something like not repeating a wheel position from the previous day). Whilst this was stronger from a practical perspective (in stopping lazy operators putting the system at risk) it actually gave fewer combinations to brute force from a theoretical perspective (and this theory was applied by the English). Enigma would have been stronger if this constraint was never imposed, and I'm guessing the inventor never sanctioned such a constraint.

So knowing something (sometimes anything) about a system means it can be used as a crib or a filter, resulting in a lower level of security than originally thought.

There is a very interesting book on this sort of subject called "The Code Book" by Simon Singh - it is an interesting read and written in a non-technical way for us laymen.

Regards
Andrew
 
On a tangentially related point, I enjoyed this read quite a lot (on a new tack):
A Shortcut Through Time: The Path to the Quantum Computer (Amazon)

Among other entertaining passages (such as describing a computer made of tinkertoys) the thought is that a quantum computer will be able to solve algorithmic problems using indeterminate quantum states that can be On or Off or both at once. Or put another way -- testing all solutions simultaneously. Quite fascinating. Of course maybe by then maybe we'll also be using quantum computers to create better security too.
 
xenou said:
using indeterminate quantum states that can be On or Off or both at once. Or put another way -- testing all solutions simultaneously.
Click to expand...

Schrödinger's cpu? :biggrin:
 
Happy days...I don't get the joke
Click to expand...
I'm glad I am not the only one...
I guess that means despite our best efforts, we aren't computer nerds yet!
:laugh:
 
Joe4 said:
I'm glad I am not the only one...
I guess that means despite our best efforts, we aren't computer nerds yet!
:laugh:
Click to expand...

I guess they mean: In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. ...
 
You must log in or register to reply here.

Forum statistics

Threads
1,223,761
Messages
6,174,343
Members
452,556
Latest member
Chrisolowolafe

Share this page

We've detected that you are using an adblocker.

We have a great community of people providing Excel help here, but the hosting costs are enormous. You can help keep this site running by allowing ads on MrExcel.com.
Allow Ads at MrExcel

Which adblocker are you using?

Disable AdBlock

Follow these easy steps to disable AdBlock

1)Click on the icon in the browser’s toolbar.
2)Click on the icon in the browser’s toolbar.
2)Click on the "Pause on this site" option.
Go back

Disable AdBlock Plus

Follow these easy steps to disable AdBlock Plus

1)Click on the icon in the browser’s toolbar.
2)Click on the toggle to disable it for "mrexcel.com".
Go back

Disable uBlock Origin

Follow these easy steps to disable uBlock Origin

1)Click on the icon in the browser’s toolbar.
2)Click on the "Power" button.
3)Click on the "Refresh" button.
Go back

Disable uBlock

Follow these easy steps to disable uBlock

1)Click on the icon in the browser’s toolbar.
2)Click on the "Power" button.
3)Click on the "Refresh" button.
Go back
Back
Top