Sujet : Re: I don't get this RANDOM stuff...?
De : oxxxxxxxxxxxs (at) *nospam* gmail.com (Oscar)
Groupes : sci.cryptDate : 05. May 2025, 14:09:08
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <2c002035-4855-43e5-a231-80b163977967@gmail.com>
References : 1 2
User-Agent : Mozilla Thunderbird
Op 5-5-2025 om 09:25 schreef Juergen Nieveler:
ignoramus@home.com wrote:
I don't understand the need for this random stuff.
>
I just made up this somewhat easy to remember passphrase about my
doggie's bathroom habits.
>
My doggiiee poohps 2.3 tyhmes a dahy
>
It can be 'hacked' because it isn't "random"?
>
Every password checking web site says it would take thousands of
centuries to hack. What am I missing?
It's not so much that you'd get hacked because it's not random - but that
you'd be tempted to use it on multiple services because "Oh, I have a very
long and secure passphrase".
I think I would approach this just from the attackers point of view;
Suppose you need to crack a hash, then you have a couple of options:
(0. rainbow tables skipped for now)
1. use a wordlist
2. use a wordlist with rules (alter case, prepend/append numbers, use common substitions such as e->3,a->@ etc.)
3. use a mask (for example; start with capital letter, followed by 6 lowercase letters, followed by a special, followed by 2 digits)
4. use pure bruteforce
With "fast hashes", attackers can try millions of candidates per second. Passwords which fall in category 1 or 2 will most likely be cracked.
Granted, your passphrase probably can't be cracked because of its length (it compensates for the lack of "randomness").
But if I have many hashes generated from not too long passphrases consisting of a combination of 3 words from a list of 1000 common words that would only be 1.000.000.000 candidates which can be tried in seconds. Perhaps I can do the same and start with 'My ' or 'I ' ..
(You realize this, otherwise you wouldnt have made the deliberate 'spelling mistakes' like 'doggiiee' and 'poohps')
Only "a random generated password" forces an attacker to use option 4, and indeed the searchspace grows so big with the length of the password that it will be infeasable to search the whole space even for shorter passwords.
In short, anything an attacker may be able to predict about a password, he can use to narrow the searchspace.
regards,
Oscar