
Ubisoft Hacked


Comments

  • Registered Users, Registered Users 2 Posts: 13,995 ✭✭✭✭Cuddlesworth


    nesf wrote: »
    If you've a word list of 100,000 words, there are only around 160 trillion three word combinations (10^14) you can make from this list. This is crackable with modern hardware. Someone recently built a small cluster specifically for cracking, it could churn out 160 billion MD5 hashes a second and solved the 8 character space in five and a half hours when it was encoded with Microsoft's best encryption algorithm (25 GPUs cracked out 6 x 10^15 hashes in that time). Five words from the same list create a far greater number of combinations (of the order of 10^22). Even using words from a really small list like 20,000 words, five word combinations still number over 2 x 10^19. Whereas three words would only give us around 1 x 10^12 combinations. 10^19 isn't crackable in a reasonable length of time, 10^12 is. Even with a million word long word list you're only getting 10^17 combinations and you're starting to talk about remembering some very unusual words there if you're not mixing languages.

    Five word passphrases are massively more secure than three word ones. That's the take home point.


    Including pluralization, tenses and verb usage you would be lucky for a decent success rate with 100k entries. Try 1 mil variations at the least. Which to me would place it at 10^18, ignoring the simple use of unexpected but easy to remember word variations, e.g. wuffy.

    I also don't have a problem with LastPass, I just don't need it.


  • Registered Users Posts: 921 ✭✭✭delta36


    I think with all this talk of password length, we're missing the real security risk.

    http://xkcd.com/538/


  • Posts: 0 ✭✭✭ [Deleted User]


    Another +1 for LastPass. Using it a while now, with 2 factor auth. Well worth $12 a year!!

    Also, their support on Twitter is quite good.


  • Registered Users, Registered Users 2 Posts: 26,578 ✭✭✭✭Turtwig


    I'm running out of passwords and starting to forget others... :(

    There are two solutions.
    -A password manager.
    -Or a password algorithm key/code.

    A key/code is where you pick something that you know very well and use it for reference. For example I used to use an astronomical one. If the website was Ubi the first string of the password would go like this
    UranusB3T3LG3USEnclntn@milky

    (UranusBetelgeuseInclination@location of first object, if any locale. @void for no location.)

    UBI play restricts this to a smaller password though but that's not relevant. You just know to truncate it to 16 characters.

    Each letter of the website address would correspond to the first word I could think of astronomy related, e.g. E would be Earth. U-Uranus. D-Declination. etc.
    They were the first word astronomy related that sprung into mind for each letter. I wouldn't be remembering a password as such. Just the key of 26 letters. Which was basically recalled by intuition and nothing more.

    You could also pick a book with a glossary at the back and choose the nth word that corresponds to the nth letter in the list. e.g. Sample Glossary.

    A
    Asylum,
    Advocate
    Apple

    B
    Berry
    Blanchard
    Boulevard.

    I
    Ireland.
    India
    Ignorant
    So the first variant of a password for AIB would be:

    AsylumIndiaBoulevard.

    Then you may add other keys, e.g. if it begins with a vowel use numbers in the 2nd, 4th, sixth . . . word. If it begins with a consonant use numbers in odd words. Leave out vowels in third word. Capitalise the first vowel etc. Whatever you fancy.
    All you have to do is remember the keys not individual passwords. So you can have about 20 different passwords all connected by the same keys.
    Passwords are very easy if you approach them like that.


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Including pluralization, tenses and verb usage you would be lucky for a decent success rate with 100k entries. Try 1 mil variations at the least. Which to me would place it at 10^18, ignoring the simple use of unexpected but easy to remember word variations, e.g. wuffy.

    Sorry I should have been more explicit when making my point. When you are trying to crack passphrases you're not trying to crack them all because someone amongst the thousands of hashes you have used a word like vambrace or some other word that won't be on any very short list. You're aiming for the low hanging fruit, and this was my criticism of "HappyLittleBoys1" because it contains three words that would be on almost any shortlist of words to try (if you look at word frequency lists they are in the top 1300 words, so even a 1300 word list with plurals, so say 2000 words would crack this passphrase and you could solve a 2000 word passphrase space on a modern computer in a couple of seconds, so it's really not going to be skipped over by a cracker). If you want to use very common words you need to use more than three in your passphrase. You want to use more than three anyway because remembering four or five words isn't much more difficult but adds many orders of magnitude to the cracking task.

    I'm not sure where you got 1 x 10^18, ((1000000+3-1)!)/((1000000-1)!×3!) = 1.6 x 10^17.
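
The passphrase arithmetic in this exchange, worked through as an added example (not code from any of the posts). It computes the unordered count given by the formula in the post above next to the ordered count n^k, since a hash depends on word order, and the worst-case time to exhaust the ordered space at the 160 billion MD5 hashes per second quoted in the thread. Assumptions: function names are illustrative, and the hashes are fast and unsalted.

```python
from math import comb

HASH_RATE = 160e9  # MD5 hashes per second: the cluster figure quoted in the thread


def unordered_count(words, length):
    """Word selections ignoring order: (n+k-1)! / ((n-1)! * k!), as in the post."""
    return comb(words + length - 1, length)


def ordered_count(words, length):
    """Distinct passphrase strings: word order changes the hash, so n**k."""
    return words ** length


def seconds_to_exhaust(candidates, rate=HASH_RATE):
    """Worst-case time to hash every candidate at the given rate."""
    return candidates / rate


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def table(cases):
    """Rows of (list size, words, unordered, ordered, time for ordered space)."""
    rows = []
    for words, length in cases:
        ordered = ordered_count(words, length)
        rows.append((words, length, unordered_count(words, length), ordered,
                     human(seconds_to_exhaust(ordered))))
    return rows


if __name__ == "__main__":
    # List sizes and phrase lengths are the ones discussed in the thread.
    cases = [(2_000, 3), (20_000, 3), (20_000, 5),
             (100_000, 3), (100_000, 5), (1_000_000, 3)]
    for words, length, unordered, ordered, time in table(cases):
        print(f"{words:>9,} words x {length}: unordered {unordered:.2e}, "
              f"ordered {ordered:.2e}, exhaust in {time}")
```

The gap between three and five words is the same in either count: going from three to five words on a 20,000 word list moves the ordered space from minutes to centuries at this rate.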

