Cigar Asylum Cigar Forum  

Old 03-11-2014, 08:59 PM   #1
RUNYYFan
Great password

During a recent company audit, it was found an employee was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

When asked for the reason for such a long password, she rolled her eyes and said, "Hello! It asked for at least eight characters and include one capital."

- - -

<groan>

Although the IT VP in me has to comment that 52 alpha characters set up like that is quite strong.
__________________
Marc
Fear is the dark room in which negatives are developed. - Anon.
Old 03-11-2014, 09:03 PM   #2
icehog3

__________________


Thanks Dave, Julian, James, Kelly, Peter, Gerry, Dave, Mo, Frank, Týr and Mr. Mark!
Old 03-11-2014, 09:04 PM   #3
big_jaygee



That's great
Old 03-11-2014, 09:14 PM   #4
pnoon

Quote:
Originally Posted by RUNYYFan View Post
During a recent company audit, it was found an employee was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

When asked for the reason for such a long password, she rolled her eyes and said, "Hello! It asked for at least eight characters and include one capital."

- - -

<groan>

Although the IT VP in me has to comment that 52 alpha characters set up like that is quite strong.
Not really - since it only contains 2 of the 4 categories of characters. Adding a numeral, special character or both would then make it quite strong.
from another IT professional.
__________________
Be more concerned with your character than your reputation, because your character is what you really are, while your reputation is merely what others think you are.
-John Wooden
Old 03-11-2014, 09:39 PM   #5
Chainsaw13

I wonder how long a brute force crack would take?
__________________
My neighbor came by my house this morning at 2AM, pounding on the door. Good thing I was still up playing the drums.
Old 03-11-2014, 10:00 PM   #6
RUNYYFan

Quote:
Originally Posted by pnoon View Post
Not really - since it only contains 2 of the 4 categories of characters. Adding a numeral, special character or both would then make it quite strong.
from another IT professional.
Fair enough. The 53 alpha characters with the upper and lower case could be cracked. I'm just thinking of a login that limits to three attempts and a mandatory reset.

Quote:
Originally Posted by Chainsaw13 View Post
I wonder how long a brute force crack would take?
It would be interesting to try it.
__________________
Marc
Fear is the dark room in which negatives are developed. - Anon.
Old 03-11-2014, 10:46 PM   #7
markem

Quote:
Originally Posted by Chainsaw13 View Post
I wonder how long a brute force crack would take?
The equation you want is called "Anderson's Formula". Here is an example from an Illinois University exam.

4. (30pts) Given an alphabet size of 400, and an opponent capable of checking 24000 passwords a second.

a. [10 pts] What formula would you use to decide on the required size of the password, to achieve an upper bound p on the probability of a brute force attack being successful within a given time period, and a given password cracking processing rate?

Anderson’s Formula P>=TG/N
P – Probability of guessing a password
T – Time
G – No. of guesses in a time period
N – No. of possible passwords

b. [10 pts] Find out the minimum size of the password for a user, if you want probability of discovery within a year to be less than 20%

400**x = (24000*60*60*24*365)/0.2
Solving for x we get x = 4.83385
Therefore password has to be at least 5 characters long

c. [10pts] What limitations, if any, can you identify for the formula used in part a?

Anderson’s Formula is based on the assumption that passwords are uniformly distributed. In practice passwords are not randomly picked and so not uniformly distributed. Therefore an attacker may first go through most common or weak passwords and crack passwords much faster than estimated by Anderson’s formula.

------------------------------------------

Now, for our purposes, we are only using 52 characters (26 upper and 26 lower case letters) and a password length of (about) 50 characters.

So P is the probability of cracking the password.
T is the amount of time, so let's say 1 year. T=60*60*24*365 = 3.1536 * 10**7.
G is the number of guesses per second. A reasonable number is G=50000.
N is the password space size, which for us is 52**50.

So for P>=TG/N, we have:
P >= ((3.1536*10**7)*50000)/(52**50)
P >= (1.5768*10**12) /(52**50)
P >= 2.0*10**(-74) is the probability of cracking this password in 1 year or less.

This means that with a 52 character alphabet and a 50 character password, the probability of cracking the password in a year or less is very close to 0.

-------------------------------------------------------

If we want to know how many days it will take to crack the password using brute force, then the formula gives:

1.0 = ((60*60*24*Y)*(50000))/(52**50)
52**50 = Y*(60*60*24*50000)
Y = (52**50) / (4.32*10**9)
Y = 1.46*10**76 days ~= 4*10**73 years

Mind you, this is a statistical average and not a hard floor. It is possible to guess the right password on the first stab, so the minimum is 1 and the average over many passwords (not one specific one) is as above. This is counter-intuitive but the password length really makes all the difference (since it is used as an exponent).

PS: in practice, most systems that allow the use of a very long (64-128 character) password really only use a maximum of 8 characters internally for historical reasons. If this is the case, well, then the password will be broken quite fast.

PPS: I'm on Benadryl, so your math may vary and, in fact, be more accurate.

PPPS: As a modern Intel 6 core processor will be able to guess several more orders of magnitude per second and even more if the code is properly threaded, it would be interesting to see how many guesses per second one would need to crack that password on average. This is left as an exercise for the student.

and finally
PPPPS: a network of computers can bring this down even more since breaking up the password space is pretty simple to do, so you could ask how many Intel 6 core computers will it take. Quite possibly not as many as you may think.

from a former computer science instructor whose information security program was a top 25 in the nation as ranked by several TLA (three letter acronym) US government agencies.
__________________
I refuse to belong to any organization that would have me as a member.
~ Groucho Marx

Last edited by markem; 03-11-2014 at 10:59 PM. Reason: one more thing... and then one more thing ...
Old 03-12-2014, 10:04 AM   #8
357

Quote:
Originally Posted by Chainsaw13 View Post
I wonder how long a brute force crack would take?
Mark's answer is very thorough, but proper names and whole words making up the password often shorten the time the algorithm requires quite a bit. As stated, the 24,000/second might be way off too. Most average PCs now have 2-4 cores and entry level servers have 2 sockets with 8-10 cores (16-20 CPUs). All of this significantly shortens the time required.

My
__________________
“Eating and sleeping are the only activities that should be allowed to interrupt a man's enjoyment of his cigar;” Mark Twain
Old 03-11-2014, 10:01 PM   #9
hotreds

Yeah, put a comma between the names, and an exclamation point at the end and you have a very strong PW!
__________________
God loves you so much, that he made you read this, just to let you know.
Old 03-11-2014, 11:17 PM   #10
big_jaygee

WOW impressive to say the least
Old 03-12-2014, 12:36 AM   #11
SvilleKid

Now my head hurts!!
__________________
Ceilin' fan it stirs the air, Cigar smoke does swirl. The fragrance on the pillow case, and he thinks about the girl. Thanks, JB, 1975.
Old 03-12-2014, 12:43 AM   #12
AdamJoshua

I'm sorry but I just love this thread and the turn it took.
Old 03-12-2014, 12:50 AM   #13
icehog3

Mr. Mark, can you repeat that middle part again?
__________________


Thanks Dave, Julian, James, Kelly, Peter, Gerry, Dave, Mo, Frank, Týr and Mr. Mark!
Old 03-12-2014, 09:46 AM   #14
CigarNut

How is it that you have employee passwords -- which should be one-way encrypted -- in clear text?
__________________
Need Beads? Need Five Finger Bags?

2 of 3 Requirements for use of the CA Rolodex: 100 posts/ 60 day membership/ participation in trade (trader rating). New members can be added at any time.
Old 03-12-2014, 09:50 AM   #15
markem

Quote:
Originally Posted by CigarNut View Post
How is it that you have employee passwords -- which should be one-way encrypted -- in clear text?
You 'crack' them by encoding them (MD5 or SHA-1 these days) and comparing the resulting ciphertext with the stored one. This is the same way that the logon process verifies that you entered the correct password.
__________________
I refuse to belong to any organization that would have me as a member.
~ Groucho Marx
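
The hash-and-compare check described in post #15, as an added example that is not part of the original post. It sets an unsalted SHA-1 digest beside a salted PBKDF2 record; the function names and iteration count are assumptions, and the work factor is what lowers the guess rate G in Anderson's formula.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def unsalted_sha1(password):
    """Weak form: a fast, unsalted digest. Equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password):
    """Stronger form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Logon check: recompute with the stored salt, compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # The password from the joke, used as sample input.
    pw = "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"
    first, second = make_record(pw), make_record(pw)
    print("unsalted digests equal:", unsalted_sha1(pw) == unsalted_sha1(pw))
    print("salted records equal:  ", first[1] == second[1])
    print("correct password:      ", verify(pw, first))
    print("wrong password:        ", verify(pw + "!", first))
```

With per-user salts, one computed guess can only be tested against one account's record, and each test costs ITERATIONS hash operations instead of one.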
Old 03-12-2014, 09:52 AM   #16
CigarNut

Quote:
Originally Posted by markem View Post
You 'crack' them by encoding them (MD5 or SHA-1 these days) and comparing the resulting ciphertext with the stored one. This is the same way that the logon process verifies that you entered the correct password.
My guess is that he did not crack this one...
__________________
Need Beads? Need Five Finger Bags?

2 of 3 Requirements for use of the CA Rolodex: 100 posts/ 60 day membership/ participation in trade (trader rating). New members can be added at any time.
Old 03-12-2014, 10:01 AM   #17
RUNYYFan

Quote:
Originally Posted by AdamJoshua View Post
I'm sorry but I just love this thread and the turn it took.
So true. Great job markem!
__________________
Marc
Fear is the dark room in which negatives are developed. - Anon.
Old 03-12-2014, 10:01 AM   #18
8zeros

It's just a joke.
Hey Mark, that formula doesn't seem to take into account that after each guess the pool of guesses gets smaller, thereby increasing your chance of a lucky guess each time. Not that it would matter on a 52 character password.
__________________
Old 03-12-2014, 10:11 AM   #19
markem

Quote:
Originally Posted by 8zeros View Post
It's just a joke.
Hey Mark, that formula doesn't seem to take into account that after each guess the pool of guesses gets smaller, thereby increasing your chance of a lucky guess each time. Not that it would matter on a 52 character password.
The algorithm is for the average time over a random collection of passwords. As stated before, it isn't a floor since 1 is the true minimum. It is also possible that it will take substantially more than the average since, well, it's an average and for it to be an average there has to be at least one data point above the average.

The value of (50**52) is the list of all passwords within that space (technically one could argue that it is 50**53 but that's not as important in this case). This value represents the 'closure' or fully enumerated list of possible combinations within the space from 1 character up to 50 character passwords including all possible combinations. Once again, the crypto math is a little bit more than this, but this approximation is close enough for hand grenades and atom bombs.
__________________
I refuse to belong to any organization that would have me as a member.
~ Groucho Marx
Old 03-12-2014, 10:04 AM   #20
markem

Okay, students, we've looked at the brute force method, now let's look at a slight improvement on that approach.

The English language has 1,025,110 words, more or less. This means that for Anderson's formula, the value of 'N' just got really small.

Anderson’s Formula P>=TG/N
P – Probability of guessing a password
T – Time
G – No. of guesses in a time period
N – No. of possible passwords

So going back to our example of the likelihood of cracking a password in less than a year, we have:


P >= ((3.1536*10**7)*50000)/(52**50) // old calculation with very large denominator

P >= ((3.1536*10**7)*50000)/(1025110**9) // new calculation with very small denominator

P>= 1.54*10**(-3) which is 1.54%

This looks ominous because by making a very small change to the search algorithm, the chances of cracking the password with no other information than that the password consists of English language words leaves us with a dramatic increase in the probability to break the password. If we know that the password is a list of names (people and place) then it comes down far faster. We can easily approach 100% chance of success just by learning a bit more about the person we wish to crack. One trivial modification is to only check words with the first letter capitalized, which changes (1025110**9) to ~(505022**9).

For example, here is a list of towns that I have lived in since I was 21 as a password:

ButteSaltLakeCityRedmondKentBellevueBeaverton

Heck, I could also toss in a zip code or two. However, a local sysadmin, who may have access to my resume in the HR database, would know to make these place names a priority (along with names of references, relatives, etc).
__________________
I refuse to belong to any organization that would have me as a member.
~ Groucho Marx
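
Anderson's formula from posts #7 and #20, evaluated as an added example (not part of any post in the thread). It uses the thread's own inputs (52**50, 1025110**9, G = 50000, T = one year, and the exam question's figures); the 1,000-name list is an assumed size for a targeted guess list, and the function names are this example's own.

```python
import math

SECONDS_PER_YEAR = 60 * 60 * 24 * 365   # T for one year, as in the thread


def anderson_probability(seconds, guesses_per_second, space_size):
    """Bound P = T*G/N on the chance of a hit within `seconds`, capped at 1."""
    return min(1.0, seconds * guesses_per_second / space_size)


def min_length(alphabet_size, guesses_per_second, seconds, max_probability):
    """Exam part b: smallest length x with alphabet_size**x >= T*G/P."""
    needed = seconds * guesses_per_second / max_probability
    exact = math.log(needed) / math.log(alphabet_size)
    return exact, math.ceil(exact)


def years_to_exhaust(space_size, guesses_per_second):
    """Time to enumerate the whole space (the P = 1 case)."""
    return space_size / (guesses_per_second * SECONDS_PER_YEAR)


def rate_for_probability(space_size, seconds, probability):
    """Guesses per second needed to reach `probability` within `seconds`."""
    return probability * space_size / seconds


# Search-space models for the nine-word password in the joke.
# The first two sizes come from the thread; the last is an assumed
# figure for a targeted list of names and places.
MODELS = {
    "52 letters, length 50": 52 ** 50,
    "9 words from 1,025,110": 1025110 ** 9,
    "9 words from 1,000 names (assumed)": 1000 ** 9,
}


def compare(guesses_per_second=50000, seconds=SECONDS_PER_YEAR):
    """Return {model: (bits, P within `seconds`, years to exhaust)}."""
    rows = {}
    for name, size in MODELS.items():
        rows[name] = (
            math.log2(size),
            anderson_probability(seconds, guesses_per_second, size),
            years_to_exhaust(size, guesses_per_second),
        )
    return rows


if __name__ == "__main__":
    print("exam 4b:", min_length(400, 24000, SECONDS_PER_YEAR, 0.2))
    for name, (bits, p, years) in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  P(1y)={p:.2e}  exhaust={years:.2e} y")
    half = rate_for_probability(MODELS["52 letters, length 50"], SECONDS_PER_YEAR, 0.5)
    print(f"rate for P=0.5 in a year, 52**50: {half:.2e} guesses/s")
```

The bits column is log2 of each space, which makes the three models directly comparable: the same 52-character string is worth far less once the guesser enumerates words or known names instead of letters.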