Stupid little random pass gen
(52 posts, started )
Just got "sexyseduction" haha

I also added the name, Janice.
Quote from PMD9409 :Hey if you think about it, no one will be able to guess these passwords.

That's the whole point.

But they are not very safe against attacks. After all, they only consist of letters, and maybe a number here or there. But if someone wants to hack your account, a strong password is not a 100% guarantee that they would fail. My main idea was to have a password that your friends have no way of guessing.

This is like the middle option:
Best: Use a strong password generator (very safe, but not really easy to remember)
Middle: Use this generator (not very safe, but fairly easy to remember)
Worst: Choose a password which is either very easy to guess, or just the same as your username (no comment)


Of course, you can always think of a password yourself, but I didn't include that above, because I wouldn't have been able to say that PassGen is the middle solution.
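As an added illustration (my own example, not part of the original thread and not PassGen's own code), this Python block shows a word-concatenation generator of the shape described above, drawing words with the `secrets` module, and how much entropy such output actually carries depending on list size and word count. The word list is a constructed stand-in for a real dictionary, and the 2000 and 7776 list sizes are assumptions used only to show the scaling.

```python
import math
import secrets

# Constructed, deliberately small word list standing in for a generator's
# dictionary; thread outputs like "windowradiator" and "printertractor"
# are exactly this shape. A real list would hold thousands of words.
WORDS = [
    "window", "radiator", "printer", "tractor", "sensual", "underwear",
    "superior", "fiesta", "seduction", "janice", "cheese", "telephone",
]


def generate(words, count, sep=""):
    """Return `count` words joined by `sep`, chosen with a CSPRNG.

    secrets.choice is used instead of random.choice: the latter is a
    Mersenne Twister whose state can be reconstructed from its outputs,
    which is the wrong property for anything used as a password.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` independent picks from a list of `list_size` words.

    Each pick contributes log2(list_size) bits, assuming the attacker knows
    the list and the scheme (Kerckhoffs' principle) and only the picks
    themselves are secret.
    """
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count from a list of `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample:", generate(WORDS, 2))
    # Two words from a list of a few thousand is roughly a 20-26 bit secret:
    # fine against a friend guessing, weak against an offline attack.
    for size in (len(WORDS), 2000, 7776):
        print(f"{size:5d} words, 2 picks: {entropy_bits(size, 2):5.1f} bits;"
              f" picks for 80 bits: {words_needed(size, 80)}")
```

The point the "middle option" above makes is visible in the numbers: memorability comes from the words, strength comes from how many of them are chosen from how large a list, and two words from a modest list is a memorable but small secret.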
Use a password generator which can generate passwords up to the maximum length allowed by the particular place where you need it (sometimes you can only use 10 characters, for example). Use the password generator for the username/login too, if you wish. Store the password (and username if required) in a password manager application which encrypts the data to disk (using strong encryption like 256 bit AES in CBC mode). Create a master password to encrypt/decrypt data to/from disk. The weak point with this approach is you need to remember the master password and you need to type it or otherwise input it (which is open to being detected through a keylogger, for example). There are different existing variations of this principle built into different OSs and programming languages. For example Keychain in MacOS. There are also loads of third party tools available.
So basically you're suggesting using some silly password manager? AES-256 is way overkill, that cipher is not required especially by a home user, let alone a business in most instances! :hide:

Besides if the master password is "cheese" or "lol1234" then what's the point in having the encryption in the first place? Sure, theoretically it would take longer than the known universe to brute force an AES-256 cipher however as the data is encrypted to a passphrase then it's only as strong as that passphrase. Then you can get stuck in an endless cycle of encrypting something to encrypt something to encrypt something else to try and disguise this passphrase.

Go PGP! :hide:

It's 4am and I'm way too tired for this shit.
Quote from S14 DRIFT :<Nonsense>

How many times do you need to be bitch slapped on technology before you realise you should just keep your mouth shut? Sorry for the harshness, but it's really getting tiring having to refute the nonsense you say so people don't believe you and end up getting into trouble.

Quote from S14 DRIFT :So basically you're suggesting using some silly password manager?

Yes. It's such a silly concept that it's been integrated into several commonly used operating systems, several commonly used programming languages and there are a myriad of third party tools available. Hmm...maybe it's not so silly after all...

Quote from S14 DRIFT :AES-256 is way overkill, that cipher is not required especially by a home user, let alone a business in most instances! :hide:

Say the average home user has 10 accounts they regularly use (email, online shopping, forums etc). Say the average username length is 8 characters and the average password length is 16 characters. That's 240 characters of data. Do you know how long it takes to encrypt or decrypt 240 characters of data even with 256 bit AES? Let me give you a hint...you're not going to be sitting there waiting half an hour like you see in films. When you have massively powerful tools available (yes, that's what a well done encryption algorithm is, at the end of the day) why not use them? Why settle for poor encryption strength when you can have incredible strength free and with the same (or very, very, very slightly longer) run time? It just makes no sense to say "this is too powerful, let's not use it".

Quote from S14 DRIFT :Besides if the master password is "cheese" or "lol1234" then what's the point in having the encryption in the first place? Sure, theoretically it would take longer than the known universe to brute force an AES-256 cipher however as the data is encrypted to a passphrase then it's only as strong as that passphrase. Then you can get stuck in an endless cycle of encrypting something to encrypt something to encrypt something else to try and disguise this passphrase.

Clearly it shouldn't be as simple as that. Most password management systems allow the user to see the security of the password they've chosen (as is becoming more common with other online services like Gmail) and many allow multiple different forms of protection (not just a master password). However, even if it was as simple as guessing a simple password the attacker would still need the file the passwords were encrypted in to actually use it.

Quote from S14 DRIFT :It's 4am and I'm way too tired for this shit.

+1

edit: I should also add that using a password manager and copy/pasting login/password information can be intercepted by applications that have access to the system clipboard. These include web browsers, so don't visit new pages with anything sensitive in the clipboard (e.g. copy some other random text immediately after inputting the sensitive information).
Quote from amp88 :How many times do you need to be bitch slapped on technology before you realise you should just keep your mouth shut? Sorry for the harshness, but it's really getting tiring having to refute the nonsense you say so people don't believe you and end up getting into trouble.

I've told paying clients this in the past and they have very secure systems. You cannot bitch every time anyone says anything that you don't agree with.

Quote :Yes. It's such a silly concept that it's been integrated into several commonly used operating systems, several commonly used programming languages and there are a myriad of third party tools available. Hmm...maybe it's not so silly after all...

Yes. Maybe I actually like educating people about security rather than just saying "here, install this.."

Quote :Say the average home user has 10 accounts they regularly use (email, online shopping, forums etc). Say the average username length is 8 characters and the average password length is 16 characters.

The "average" home user will use the same username for all of their online things, or 2 or 3 ones at the most (and likely they will all be similar)

They also tend to use the same password, or variations of a password. For example, "password", and then "password1234" at another site that requires more complexity....you know what I mean

Quote :Do you know how long it takes to encrypt or decrypt 240 characters of data even with 256 bit AES? Let me give you a hint...you're not going to be sitting there waiting half an hour like you see in films.

I'm not some imbecile, this is the sector in which I work, and sure, I'm not the best, but I'm not the worst and I know enough to not be patronised, and I know enough to give advice to customers who pay for services. I don't know what you do - You may or may not do a similar job, however I don't throw random insults at you when I don't agree with your opinion.

Quote :Clearly it shouldn't be as simple as that. Most password management systems allow the user to see the security of the password they've chosen (as is becoming more common with other online services like Gmail) and many allow multiple different forms of protection (not just a master password). However, even if it was as simple as guessing a simple password the attacker would still need the file the passwords were encrypted in to actually use it.


Guess the password(s) - (probably the person's kids/husband/wife/transvestite/parents' name), favourite band or something, and you can get access to whatever you want. I like how many vendors are putting "password strength" meters on their websites etc, however they are not to be taken at face value...I was playing around trying to come up with a variation of one of my usual passwords which would satisfy my PGP passphrase complexity requirements, and I tried something like 7E|3Ph0|\|E (telephone, in case you're too busy biting my head off to read - and no, that's not remotely similar to any password that I use), and it came up as only "moderately" secure, I tried it on about 5 other websites I could stumble across with password strength-o-meters and not one rated it as "high" or "maximum".

You know the most secure password? One you don't paste all over facebook.
Quote from S14 DRIFT :You cannot bitch everytime anyone says anything that you don't agree with.

I don't...just when people authoritatively say things that are either inaccurate, misleading or likely to cause problems.

Quote from S14 DRIFT :Yes. Maybe I actually like educating people about security rather than just saying "here, install this.."

OK, if you're in the mood for educating us tell us why a password manager application (built into the OS or 3rd party) is so "silly". What is your idea of a better alternative?
Keychain also provides benefits of not having to put your passwords into multiple applications. It'll ask you Allow/Allow Always/ Deny if an application requests access (then you can enter your password which ultimately unlocks Keychain), and then will let that application use your password information.

Helpful when FTP site login changes here, and magically it's changed in all your applications
Because I think an idea is not good does not mean I have to have a better one in order to quantify it.

Let's take your example, an average home user. (however we will assume this user has different passwords for each account, although in the real world this is rarely the case)

Ebay password: bob
Paypal password: bob1234
Youtube password: bobby
Social Networking: bobbob

Etc.

He uses a password manager and uses B0B1234! as the "master" key for encryption, and then encrypts all of his passwords with whatever your choice of encryption.

A hacker brute forces his master key passphrase (B0B1234), or guesses it by deductive reasoning, or by using freely available tools - password crackers such as JtR (there are much better ones designed for commercial use if you pay) and additionally can utilise rainbow tables if there isn't cryptographic salt (although I hope with all of these OS patches these days that the user would be protected against these)

Thus, now the hacker has access to all of the other passwords. As I don't use password managers I'm not sure what other functionality they can provide in terms of security, whether you can divide your passwords into personal/business/finance "tabs", and have a separate master passphrase/key for each of these tabs, but either way...once you crack one password, you can then get access to all the others.

If I were a hacker on a system with a password manager, that's the first thing I would attempt to gain access to.

O/T: SSO is great.
Quote from S14 DRIFT :He uses a password manager and uses B0B1234! as the "master" key for encryption, and then encrypts all of his passwords with whatever your choice of encryption.

Right...and what happens when the user chooses a non-trivial master password (as they should!)? Something relatively long (say ~16 characters, as before), containing uppercase and lowercase letters, numbers and punctuation. Now the task of brute forcing the master password has gone from something you make sound easy to something which is totally unrealistic.
No average home user will have a 16 character password.
Quote from S14 DRIFT :No average home user will have a 16 character password.

People are (slowly) improving their online security. I don't think it's a terrible stretch with continued education (which you claim to provide). Anyway, you concede that in that situation brute forcing is not an option, yes?
Stop with the sarcasm, is Scottish a byword for that now? It doesn't make you look any smarter, just makes you look like a cock.

If there is a 16 character password, all lower case, then it may be bruteforceable, if it involved upper case letters or numbers then no, it would not really be possible to brute force. But then again 95% of "hackings" are social engineering, not brute forcing.
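The back-and-forth above about whether a 16-character master password can be brute forced, and about a vault being "only as strong as that passphrase", comes down to two numbers: the size of the search space and the cost of each guess. This added Python example (mine, not from the thread or from any password manager product) computes both. It treats the master password the way most vault formats do, by running it through salted PBKDF2-HMAC-SHA256 to produce the key that encrypts the stored passwords; the guess rate, the iteration count, the 5000-name list size and the "name plus digits" pattern are constructed assumptions for illustration.

```python
import hashlib
import math
import time

# Alphabet sizes for the character classes argued about in the thread.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "all printable ASCII": 95,
}


def charset_bits(length, alphabet_size):
    """Bits of entropy for `length` characters drawn uniformly from the alphabet.

    This is the best case (truly random characters). A name with digits
    appended is a far smaller space; see pattern_bits below.
    """
    return length * math.log2(alphabet_size)


def pattern_bits(names_in_list, max_digits):
    """Entropy of a 'first name + up to max_digits digits' password (bob1234)
    when the attacker tries every name in a list of `names_in_list` names
    with every digit suffix of length 0..max_digits."""
    suffixes = sum(10 ** n for n in range(max_digits + 1))
    return math.log2(names_in_list * suffixes)


def exhaust_seconds(bits, guesses_per_second):
    """Seconds to try every candidate; the expected time is half of this."""
    return (2.0 ** bits) / guesses_per_second


def derive_vault_key(master_password, salt, iterations):
    """Turn a master password into a 256-bit key the way vault formats do:
    salted PBKDF2-HMAC-SHA256. The iteration count is the defender's knob;
    every guess an attacker makes has to pay the same per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(iterations, salt=b"constructed-16-byte-salt"):
    """Measure the wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    derive_vault_key("B0B1234!", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    fast = 1e10  # constructed: offline guessing against an unstretched hash
    for label, size in ALPHABETS.items():
        bits = charset_bits(16, size)
        years = exhaust_seconds(bits, fast) / (365 * 86400)
        print(f"16 chars, {label:27s}: {bits:6.1f} bits, {years:.3g} years at 1e10/s")
    bob = pattern_bits(5000, 4)  # constructed: a 5000-name first-name list
    print(f"name+digits like bob1234: {bob:.1f} bits,"
          f" {exhaust_seconds(bob, fast):.4f} s at 1e10/s")
    per_guess = seconds_per_guess(600_000)  # constructed iteration count
    hours = exhaust_seconds(bob, 1 / per_guess) / 3600
    print(f"PBKDF2 at 600k iterations: {per_guess:.3f} s per guess here,"
          f" so the same bob1234 space costs about {hours:.0f} CPU-hours")
```

Run it and the two claims in the thread separate cleanly: 16 random characters, even all lowercase, is well beyond exhaustive search at any realistic guess rate, while a name-plus-digits master password is a search of tens of millions of candidates that finishes in milliseconds against a bare hash. Key stretching only multiplies that small number by the per-guess cost, which is why the master password still has to be strong.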
Not to mention with OSX, there's the option for Filevault, which encrypts your entire user folder, which includes your Keychain data. Unless you have the master password for both (which you can set to be different, by default it uses your user password).

So if somehow you do gain access to my computer (root access even).. my user account is encrypted, then if you get past that (unlikely, 256-bit AES encrypted), my keychain is still encrypted on top of that with 3DES.

If you get through that (you won't).. congrats, you've gotten the password to one of my pay porn sites. Good job.
I don't need to hack, I can simply ask..will you share?
No because I don't give my password out to anyone over the internet, no matter how trustworthy or how big their tits are.
You haven't even seen mine yet.
Quote from S14 DRIFT :Stop with the sarcasm, is Scottish a bi-word for that now? It doesn't make you look any smarter, just makes you look like a cock.

It doesn't matter how I look. What matters is the quality of what I'm actually saying. The quality of what I'm actually saying (i.e. my advice on security) is far better than yours, despite you claiming to provide security advice for companies with "very secure systems".
It depends on what you define as secure. I don't think that having all of your passwords in one place whether encrypted or not, is as secure as having individually stored passwords (again, whether encrypted or not)

It's clear we're never going to agree on this. Advice given by us both is perfectly valid, it just depends on your own standpoint.

On the subject, AES256 bit is over the top, 128bit would take 10^7^33 or something different possible permutations (I can't remember exactly, I worked it out on some paper at work and I've been half asleep since I got home at 4pm). In terms of processing power vs usability and security, 128bit is excellent.

But I guess that just makes me an idiot.
Except it's not over the top. If it's marginally slower to encrypt but exponentially more secure, why not take the extra millisecond to make it take hundreds of thousands of CPU hours to crack?

The gains seem pretty obvious to me.
Quote from S14 DRIFT :It depends on what you define as secure. I don't think that having all of your passwords in one place whether encrypted or not, is as secure as having individually stored passwords (again, whether encrypted or not)

Ah, but you're totally missing the point. If you use a password manager you can use pseudo-randomly generated (read: very strong) passwords for all your accounts. If you're just remembering all your passwords you end up making them simple enough that you can recall them quickly. That's the major difference. In your scenario above Bob ends up with passwords like "bob", "bob1234", "bobby", "bobbob". In the password manager scenario Bob ends up with passwords like "coiicbdcr974itn?c8h43", "fv0i9b09uy5pgnrpivh ;" and a master password that should be more difficult to brute force than "bob", "bob1234" etc.

Quote from S14 DRIFT :It's clear we're never going to agree on this. Advice given by us both is perfectly valid, it just depends on your own standpoint.

I disagree. Your 'advice' (which seems to be that you should just use a a slightly leet-ised word?) is massively uninformed.

Quote from S14 DRIFT :On the subject, AES256 bit is over the top, 128bit would take 10^7^33 or something different possible permutations (I can't remember exactly, I worked it out on some paper at work and I've been half asleep since I got home at 4pm). In terms of processing power vs usability and security, 128bit is excellent.

The average home user now has a massive amount of processing power available to them. Even on a 10 year old CPU the task of encrypting and decrypting a few hundred characters is nothing. For a very, very slight increase in encryption/decryption time you get a massive amount more security. Why would you advise someone to use a weaker form of security if the upside was barely noticeable? Sounds like bad advice to me...
Leet-ised word?

It was simply an example. A password which I would personally advise would include phonetics, character replacement, letter transposition, etc.

So for example if you wanted your password to be password, I would suggest DR0\/\/5sAP

Secure and fairly easy to remember. Or I would ask them to use a lyric from their favorite song, use the first letter of each word, obviously switch with letter/number swaps, etc.

I was reading on actually crackability of some ciphers and so far it's estimated even with a 128bit AES key, it would take approximately the length a very ****ing long time to crack. With all of the computers in the world trying to get the key, it would still be till the end of time trying before they got the correct key, presuming it's the last one they find. :o

I suppose in processing time/encryption strength, the rise on a chart would be like a cliff face in favour of strength, regardless; I would tell a customer to use 256 bit AES keys, but that wasn't really what I was talking about. I was stating 128 is enough, to me for a home user, 256 is just saying "mine is bigger than yours", and no to password managers.

Quote from S14 DRIFT :A password which I would personally advise would include phonetics, character replacement, letter transposition, etc.

So for example if you wanted your password to be password, I would suggest DR0\/\/5sAP

Secure and fairly easy to remember. Or I would ask them to use a lyric from their favorite song, use the first letter of each word, obviously switch with letter/number swaps, etc.

OK, so you want people to remember 10 different passwords like your example above? Didn't you just say the average user wouldn't use a 16 character password and now you want them to remember 10 passwords which aren't that easy to remember? Where's the upside in that compared to a single password like you could use for a password manager? With the password manager approach you make the user remember 1 password (and make sure they make it relatively complex) and that gets them access to all their other passwords (each of which is more secure than the ones you'd have them remember).

Quote from S14 DRIFT :I was reading on actually crackability of some ciphers and so far it's estimated even with a 128bit AES key, it would take approximately the length a very ****ing long time to crack. With all of the computers in the world trying to get the key, it would still be till the end of time trying before they got the correct key, presuming it's the last one they find. :o

I suppose in processing time/encryption strength, the rise on a chart would be like a cliff face in favour of strength, regardless; I would tell a customer to use 256 bit AES keys, but that wasn't really what I was talking about. I was stating 128 is enough, to me for a home user, 256 is just saying "mine is bigger than yours", and no to password managers.


ePenis doesn't come into it...it's all about practical security. 128 bit is only 'enough' if you can't use 256 bit for some reason.
Sorry guys, for totally ignoring your discussion, but I want to bump this, because I need a bit of help.

Basically, it's all because I want to rename the app, and get it its own personal domain name. But I'm not really excited about what names I came up with so far. So I made a poll on the PassGen facebook page (yup, it already has that).

If you want a direct link to the question, here it is: click it.
But really, just visiting the page and you will see it, as it is currently the latest post - and the page is not really getting any frequent updates, so it's probably still going to be on top when you get to read this, and open the link.

In case you prefer (or don't have a facebook account), you can submit your ideas here as well, as a reply to this thread.
The options on the facebook question, at the moment are these:
GetPass.net
PassGet.net
PhraseMate.net
PhraseGen.com


You don't have to check if the domain name you come up with is free - it's the idea that matters, because it could bring more ideas. Heck, it doesn't even have to be a domain name, it could be just a regular name.

Also, if you submit a new proposal, but also already like other name(s), please include them in your post as well. But I don't think it would be a good idea to just reply, telling me the names you like, because that's a bit on the border of spam (imo at least).

Thank you for any voting you do, and any suggestions you submit!
GetPass.net...

Btw, I got "pneumoultramicroscopicossilicovulcanoconiticodriving".
And some people said it's easy to guess the passwords this gen generates...
Also got:
superiorboob
boobfiesta
windowradiator
sensualunderwear
printertractor
