TTG 1923 for Saturday 3 September 2022

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

2 Likes

Leo, Leo, Leo…It was Paul Allen not Steve Ballmer who founded Microsoft.

1 Like

The past few shows have touched on password strength, especially given some recent breaches. In my circle I’m the guy you mention: the one everyone comes to for computer help. (Also a long-time fan, Leo, from The Screen Savers days, ZDTV, etc.) Anyway, I was surprised the old XKCD comic didn’t get mentioned! Some of your younger listeners/viewers may not know of the web comic, but it had an excellent and concise explanation of why modern password rules are basically garbage when it comes to actually creating a STRONG password. When it comes to strength vs. brute-force attacks, it’s not variety but rather LENGTH that is King :crown:. I’ll link the comic here, and I’m interested to know your take on it, Leo.


Thanks for all the great content.
Rob in Tennessee

1 Like

I think this advice has not aged well. There are tools that can use ASICs and word lists. Nothing easy to remember is likely to remain “safe” in the long term. So you need a better approach, not just words, but variety. So instead of correct horse battery staple, you need Correct12!Horse3-4Battery$56Staple_99 but actually something less predictable still. (Come up with your own “system” and tell no one.) And now that I have posted that, it will definitely eventually get added into a “word list” for known passwords.

1 Like

While we are talking about passwords, let’s revisit the missing password for Leo’s Bitcoin account. Leo has said many times he has used various methods for generating and remembering them. If he could zero in on the date he would have opened the account, he could also look at the method he was using at that time. If he should then have that voilà moment and get in, he should share the proceeds with me.

D’oh! Right you are. Slip of the tongue. I think I’ve blocked out Paul Allen’s name.

Here’s the story:

This XKCD has been widely debunked.

I’m pretty sure Steve has addressed this as well. Passphrases have the benefit of being memorable, but are not nearly strong enough. If it’s memorable it’s not strong.

I can’t believe I’m emailing with THE Leo Laporte! Lol, sorry, but you’ve been my hero ever since my first computer: an IBM XT clone with two five-and-one-quarter-inch floppy drives, a green screen, a monochrome Hercules graphics card, oh, and 640K of RAM. LOL. Sorry for rambling on, but I guess it seemed to make sense to me intuitively, since basically when a computer is brute-forcing characters in a string of characters, if we look at simply the letters in the English alphabet, then the computer is forced to go through 26 iterations for each character that it’s trying to guess. Then if you compound that number of iterations with the number of characters present in the passphrase, you’ve come up with an astronomical number if your passphrase is long enough. In other words, say my password is made up of six words that are each five letters long, for a total of 30 characters. If a computer is trying to brute-force that string of 30 characters, it’s not just 30 times 26, or 780, iterations… It’s 30 to the 26th power, because it must try each of the 26 letters in the English alphabet at each one of the 30 spaces… and then (on top of that) you have to consider that, for instance, if the computer starts with the letter A for the first character in the passphrase, then it will have to guess the passphrase first using A as the first letter, and then A as the second, then B as the second, then C as the second, and so on and so forth. So while I don’t doubt what you say when you say that it has been debunked, I still feel that, given the number of permutations a computer must go through if it is brute-forcing a 30-character-long password made up of five-letter English words, it will in fact be a strong password. Now, obviously, we should consider that most password-cracking programs will first attempt to use a list of known passwords and simply use a substitution algorithm.
In that case, obviously, yes, it would be a much simpler task to crack a passphrase made up of five random English words, but unless it’s using an algorithm specifically to substitute words in place of five-letter groups, then I think the numbers are going to be much higher. Thank you so much for answering my email/question in the thread. I’m going to have to do more research, since I believe we are now delving into advanced mathematics and not so much computer tech. But in any event, whether I become disappointed because the cartoon does not in fact have any basis in truth, or whether I discover, with a lot of research into advanced mathematics, that it is technically harder for a computer to brute-force, either way Leo Laporte actually answered an email from me! So I can check one thing off my bucket list. LOL. Not sure what that says about me… the fact that one of my bucket list items is doing email correspondence with Leo Laporte, but in any event, thank you again for taking the time to answer.

Robert K. Peck

1 Like

I should probably also have read the included link before I spoke. LOL. As I thought, the author of the rebuttal pointed out common hacker tactics such as using dictionary attacks to crack a password, and what I mentioned also about common English words reducing the pool of available guesses… in other words, if you use a common English word you are limiting yourself. And just to put your mind at ease, I am not currently using “correcthorsebatterystaple” or any variation thereof as my personal password. And I do practice good password hygiene, in other words changing it regularly, using two-factor authentication, not doubling up with the same password over multiple sites, etc., etc.

Robert K. Peck

An attacker will have a dictionary of all 5 letter words. It will try all combinations of passwords with one word, two words, three words, and so on… Let’s say there are 15,000 5 letter words (I have such a dictionary, but am too lazy to go count right now), so it will try 15K one word passwords + 15K × 15K two word passwords + 15K × 15K × 15K three word passwords + 15K × 15K × 15K × 15K four word passwords and so on…

15K+(15K)^2+(15K)^3+(15K)^4+(15K)^5+(15K)^6 = 11,391,384,425,628,375,225,015,000

Now if you assume a letter based password has 95 possible characters per letter, and the password is 13 letters long, that’s 95^13 = 51,334,208,327,950,511,474,609,375

The second number is about 4x larger but they’re on the same magnitude… So that says that a passphrase made of up to six 5 letter words concatenated together is roughly equivalent to a 13 character password of truly random characters.

That’s not to say it’s insignificantly hard to break… but it’s not magically harder is all… Now if the attacker doesn’t specifically attack word concatenations, then they face a password that is 6x5 = 30 letters… which is roughly 26^30, which is 2.813e+42, which is much harder (the previous numbers were on the order of e+24.) So the lesson is that knowing the structure of the password allows it to potentially be attacked much more easily.

(Thanks for the kind words @F4LCON65!)

I think the main point is that we grossly underestimate the speed of brute force tools these days. If a cracker can run at full speed it will try many millions of combinations a second. Any organizing scheme that makes your password easier to remember makes it weaker. Using dictionary words, even with “leet” replacements like 0 for O, dramatically weakens the password.

TL;DR Stick with the fully random passwords generated by password managers and don’t try to be clever.
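Putting the numbers from the 15K-word post above and the TL;DR about random passwords into code, as an added example that is not from the thread or from any of its posters. It assumes the thread's figures (a 15,000-entry list of five-letter words, 95 possible characters for a random password, six words of five lowercase letters) and adds a guess rate of 1e10 per second as an illustrative placeholder only; the function and constant names are mine.

```python
import math
import secrets
import string

# Figures taken from the thread: a 15,000-entry list of five-letter words and
# a 95-symbol character set for "truly random" passwords.  The guess rate is
# an illustrative assumption for the time estimate, not a number from the thread.
WORDLIST_SIZE = 15_000
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation
PRINTABLE_95 = PRINTABLE_94 + " "
ASSUMED_GUESSES_PER_SECOND = 1e10


def wordlist_keyspace(dict_size: int, max_words: int) -> int:
    """Guesses needed to exhaust every concatenation of 1..max_words list words.

    This is the attacker model in the thread: the cracker knows the password is
    a run of dictionary words and tries one-word, two-word, ... candidates.
    """
    return sum(dict_size ** k for k in range(1, max_words + 1))


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust all strings of exactly `length` symbols."""
    return alphabet_size ** length


def bits(keyspace: int) -> float:
    """Size of a keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace."""
    return keyspace / 2 / guesses_per_second


def compare_attack_models(words: int, word_len: int, dict_size: int) -> dict:
    """Cost of the same passphrase under two attacker assumptions.

    structured:   attacker knows it is up to `words` words from a `dict_size` list
    unstructured: attacker treats it as `words * word_len` lowercase letters
    The difference is the "knowing the structure" penalty from the thread.
    """
    structured = wordlist_keyspace(dict_size, words)
    unstructured = charset_keyspace(26, words * word_len)
    return {
        "structured_guesses": structured,
        "structured_bits": bits(structured),
        "unstructured_guesses": unstructured,
        "unstructured_bits": bits(unstructured),
        "structure_penalty_bits": bits(unstructured) - bits(structured),
    }


def random_password(length: int, alphabet: str = PRINTABLE_94) -> str:
    """Password-manager style: every symbol drawn independently with a CSPRNG.

    The default alphabet omits the space so a copied password cannot be
    silently trimmed by a login form.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cmp = compare_attack_models(words=6, word_len=5, dict_size=WORDLIST_SIZE)
    rnd13 = charset_keyspace(len(PRINTABLE_95), 13)
    year = 365.25 * 24 * 3600
    print(f"six words, attacker knows the structure : {cmp['structured_bits']:.1f} bits, "
          f"~{expected_crack_seconds(cmp['structured_guesses'], ASSUMED_GUESSES_PER_SECOND) / year:.3g} years")
    print(f"same 30 letters, attacker does not know : {cmp['unstructured_bits']:.1f} bits")
    print(f"13 random chars from 95                 : {bits(rnd13):.1f} bits")
    print(f"penalty for a guessable structure       : {cmp['structure_penalty_bits']:.1f} bits")
    print(f"sample manager-style password           : {random_password(16)}")
```

Running it reproduces the two keyspaces the post quotes (about 1.14e25 for up to six list words and 5.13e25 for 13 random characters, roughly 83 and 85 bits) and shows the same 30 letters jump to about 141 bits only when the attacker cannot assume a word structure; the 58-bit gap is the whole argument against memorable schemes. The time figure scales linearly with whatever guess rate you plug in, so treat it as a relative comparison, not a prediction.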

Indeed, the old l33t speak has (like us) been around for quite a while, so it’s no longer novel enough or unknown enough to make the passwords using it any harder. It’s funny… These days when I watch an old classic movie like “Hackers” it’s amazing the things the main characters were gushing about! Lol. Like when Jonny Lee Miller’s character was going on and on about Angelina Jolie’s laptop… how her laptop was so great. I think Apple sponsored the movie, and they said her laptop was a PowerBook Duo 720c… which means it had a 33 MHz processor and 4 MB of RAM… Granted, that seemed futuristic when I was using an old IBM XT clone that I had upgraded from 640K of RAM just so I could run Windows 98, but still… those old specs seem ridiculous now.

I do still like that movie. It’s like comfort food for me. Takes me back to a simpler time.