forked from Botmasher/compchomp
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path08-passwords.txt
92 lines (50 loc) · 9.25 KB
/
08-passwords.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
Passwords
I love cookies. But while they’re definitely the world’s best dessert, the apps I log into every day and the ones I build with my lowly brute-force coding skills tell me cookies make a terrible password. Until I capitalize a letter and add a couple numbers, maybe throw in some geometric shapes and secret illuminati symbols… Whew, finally! Good to go!
Too bad I’ll never remember it. So, why the runaround? How exactly did passwords stop being, well, words?
[intro]
Passwords started out as a linguistic way to determine who had special access to an area, and who should be kept out. Spoken words are symbols in a protocol - protocol? anyone? my video about are programming languages languages? So these symbols can pass information back and forth quickly, which is why people have used secret watchwords since ancient times. That’s Roman soldiers using them.
Obviously, though, ancient Romans didn’t have an app to give them directions over the Rubicon or to get tickets to the gladiatorial games. It was when digital computing came around that passwords took their modern form: text you type in to verify that you are the right user.
(? 1961 early comp turns off print to screen when type PASSWORD and then your password - VERIFY )
And that’s the switch that changed the nature of passwords.
See, when you think of text, you think of words, like the words you use in English. But that’s not what a computer thinks.
The language of your computer passwords isn’t human language, it’s the language of strings. More precisely, string literals. These are any bunch of characters appearing one after another in a sequence. Computers can identify these strings from the telltale quotes on both sides.
And the string’s text that can appear between those quotes is defined by a simple formal language - don’t be scared, if this and this… if these scare you, go watch my video on languages! Words over an alphabet, my friends. That just means computer strings can be any sequence of letters (meaning characters) from a character set. So this is a valid string, but so is this, and … this! And… this, which is an empty string!
When we start applying our password rules to those strings, we can decide which ones are well-formed - follow our rules - and which ones don’t count as passwords to us. That’s actually something that’s up to sites, apps or whatever to decide. If you give me a string, I’m the one deciding what to do with it and whether or not it counts as a password.
But in this process, computers are still using us humans to come up with these well-formed passwords. And we, naturally and predictably, rely on our more intuitive human language to think of words and phrases that mean something to us. We don’t see a string full of possibilities. We start with our own language. And, if we’re lucky, maybe we get really clever and substitute numbers for vowels and smirk at our own brilliance. But more often than not, we’re exactly as clever as the next guy and pat ourselves on the back for that. Don’t believe me? Just look at last year’s most used passwords. If you’re one of the wannabe spies who entered trustno1, that’s gotta hurt. It felt like you came up with that one all on your own, didn’t it? (“dragon” and “1234567890” and “trustno1” http://www.prweb.com/releases/2015/01/prweb12456779.htm).
Linguistic wordplay worked for old-time passwords because you would go up to that secret door, someone would open up that creepy eye-slit thing, and you would utter the secret word once. You wouldn’t sit there spamming the door until you got right one. You wouldn’t fumble through unpronounceable non-word words.
But now that creepy slit is an innocent input text box, and you can knock down that door with any string you want from anywhere in the world. So it’s important for those strings to be harder to guess.
And harder to guess doesn’t mean more clever human words. It means more entropic computer words.
Entropy. In computers, entropy reduces predictability. And how do you become less predictable? By being random. You can switch up your patterns in your day with a little randomness, and you can do the same with your passwords! Programmers even talk about “getting entropy”. Maybe the next time you snooze your alarm and wake up late, just tell ‘em your you needed to get some entropy!
And you need to get some entropy because password hackers are getting better and better at predicting, even predicting the seemingly unpredictable. You can’t hide behind those little dots and asterisks for long!
Two straightforward hack attacks you’re trying to avoid are brute force and dictionary attacks.
Those dictionary hacks are what they sound like - trying all the words in a dictionary, or some other similarly loooong list of words.
(? Heh, “brute force”, it sounds kind of like an insult, but it’s actually a legit type of algorithm.)
A hacker who’s trying to brute force your password will just guess every possible combination of characters. If you do the math, that’s a lot of combinations - it’s the number of characters in your character set multiplied by itself as many times as you have letters in the password. That means with each character you add to make your password longer, this probably takes a lot more time to guess.
Probably… because guessing and predictability are about probability. A hacker might randomly decide to start by guessing “trustno2”, but it’s a good bet they won’t. It’s easier to start with that list of shame that includes trustno1, so it’s much more likely that an account with trustno1 will be cracked before trustno2. Even if it’s just right before - the very next account to get cracked could likely be the sucker with trustno2.
This brings me to a good tip. You’re getting convinced to shove strange characters into your passwords to beef it up, to make it more complex. But did you ever stop to think about how much length alone matters for reducing guessability? And which do you think matters more, complexity or size?
In password-cracking tests done by Senior Security Consultant Rick Redman, he found that 8-character passwords took 8 days to crack. Adding just one extra character raises that time to 750 days. And 11 characters would take, get this, 17000 years.
Now there’s a lot more to this, and it’s not all up to you. A lot can depend on the hash function being used by the people keeping your password, with better algorithms taking longer to hash.
(?
I don’t want you to leave me, but make sure you watch his talk. C’mon, how awesome is this line in the description: “if you think I don't already know your password, you are wrong”.
(https://www.youtube.com/watch?v=zUM7i8fsf0g)
)
Length and funny characters aren’t the only things that make something guessable. Just because something looks random to your eyes, does that mean it’s really random?
( #EDC@WSX!QAZ )
This looks like a nice, random, hard-to-guess string. But it’s totally not. There’s a pattern here. Can you guess it? Stop guessing with your eyes and use your hands instead. Look at my keyboard while I type this in.
8o
[ typing ]
TADAAA! This is not the entropy you were looking for.
Just how paranoid do you want to get? Cuz we can go all day with this entropy stuff.
Hence the real reason that real pass-WORDs have been on the outs - it’s not because computers hate English or really want to make life harder on you so that you give up and play the password recovery game every few months.
It’s because words are predictable.
So why not just kill passwords?
Well, “passwords are dead” has been echoed so often it’s really a tech meme at this point. Technically, they’ve been right for longer than they realize - I’ve already showed you how we moved from pass-words to pass-strings.
But without playing semantics, think a bit more about the kind of things computers can check before letting you in.
They can pat you down and ask you what you have (like a keycard), who you are (like biometric scans or the location of your IP address), what you know (like a password) or what you can do (a skill).
(https://www.youtube.com/watch?v=wRmxiyuH8zY)
Checking your skills, or “behaviormetrics”, stands out to me there. Computers are already telling individuals apart from skills like how you walk, how you type, or the way you speak. (? Even stuff as seemingly unimportant as the timing of your key presses can matter.) Heh, a day could come soon when passwords are human-style words once more.
Until that fabled day when “passwords are dead” at last, there’s a good reason why passwords aren’t plain old words anymore - it’s thanks to the programming and hacking you saw here. Subscribe to keep up with me and see more of the code behind our everyday lives! Chomp!
(?
Feinmann anecdote - first “”, then “password”
J’s over in the corner fidgeting. (INDEED! :) I know what he’s thinking. We didn’t even get to the good stuff - the security and crypto. Encrypting and decrypting those strings so they’re not stored at face value so that when the next big-box store you bought those naughty gifts last Christmas - those w - gets hacked, your plaintext password isn’t just hanging out there. Hide your shame. What makes a classical cipher so much weaker than the AES? Why do passwords taste better with salt?
)