
Ever since my Twitter account was hacked a decade ago, because of a weak password, I've been passionate about creating and using better passwords. I use a password manager for most accounts, and my most important passwords are long word combinations that are stored both in my head and using pen and paper. The method I use to make my important passwords is called Diceware. By rolling dice, I come up with random numbers and use those numbers to pick words from a word list where each word is assigned a number. The resulting password is a series of dictionary words that is easy for me to remember and hard for a computer to crack.

The computer science measure of how hard a password is to crack is something called "entropy." The longer the password, the more entropy it has.

I use six-word Diceware passphrases, which Diceware creator Arnold Reinhold says have 77.5 bits of entropy. That means, he writes, a six-word passphrase is only "breakable by an organization with a very large budget, such as a large country's security agency."

"Password Strength" by XKCD is licensed under the Creative Commons Attribution-Noncommercial 2.5 License.

I am so invested in this method that when my daughter was 8 years old, I started paying her to roll dice and make Diceware passwords for me. She eventually turned it into an online business that she still operates to this day. But this summer I heard some news about passwords that blew my mind. Jeremi Gosney, a renowned password cracker, gave a talk at a hacker conference and declared that entropy was overrated. The most important feature of a strong password these days, he said, was uniqueness: having a different password for each account. He helped develop the open source password recovery software Hashcat, and he is the former CEO of the password-cracking firm Terahash. He helps run the DEF CON Password Village and the PasswordsCon track at Security BSides Las Vegas. So I called him up and asked him to explain the new thinking in the password world. Our conversation, lightly edited for brevity and clarity, is below.

Angwin: To start, what is password cracking, and what does this profession look like?

Gosney: Typically, when we talk about password cracking, we're talking about offline password cracking, which is where someone has obtained a copy of a password database. The passwords in the database are almost never in plain text (text humans can read with their eyes).
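The Diceware procedure and the 77.5-bit figure quoted above, as an added example that is not code from the article or from the Diceware project: each word is chosen by five dice rolls read as a base-6 number into a 7,776-word list, so every word adds log2(7776), roughly 12.9 bits, when the rolls come from a good random source. The word list below is a constructed placeholder; the real Diceware list is assumed to be supplied by the reader.

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5                     # standard Diceware: five rolls per word
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD  # 6**5 = 7776 words

# Constructed stand-in for the real Diceware word list (same size, fake words).
PLACEHOLDER_WORD_LIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_dice(count: int) -> str:
    """Roll `count` fair dice from the OS CSPRNG; returns faces as a digit string, e.g. '31462'."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(count))


def dice_to_index(roll: str) -> int:
    """Map a five-digit roll (digits 1-6) to a zero-based list index 0..7775.

    Rolls are read as a base-6 number: '11111' -> 0, '11112' -> 1, '66666' -> 7775.
    """
    if len(roll) != DICE_PER_WORD:
        raise ValueError(f"expected {DICE_PER_WORD} dice, got {len(roll)}")
    index = 0
    for ch in roll:
        face = int(ch)
        if not 1 <= face <= DICE_SIDES:
            raise ValueError(f"invalid die face {ch!r}")
        index = index * DICE_SIDES + (face - 1)
    return index


def entropy_bits(word_count: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_list, word_count: int = 6) -> str:
    """Build a Diceware passphrase; refuses lists that are not exactly 6**5 entries."""
    if len(word_list) != LIST_SIZE:
        raise ValueError(f"Diceware list must have {LIST_SIZE} words, got {len(word_list)}")
    words = [word_list[dice_to_index(roll_dice(DICE_PER_WORD))] for _ in range(word_count)]
    return " ".join(words)


if __name__ == "__main__":
    phrase = generate_passphrase(PLACEHOLDER_WORD_LIST, 6)
    print(phrase)
    print(f"{entropy_bits(6):.1f} bits")  # 77.5 bits for six words
```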
