[Novalug] Password Patterns

Joel Fouse joel@fouse.net
Wed Mar 5 10:09:02 EST 2008


Hey, if non-alpha-num chars are allowed in the format screen (like dots
and commas), don't take out the spaces if you're doing a phrase or
something.  Maybe switch them around or something if you like, but
they're useful characters too, and not as common.  I went to a
presentation at Shmoocon a few weeks ago on...*ahem* smarter password
cracking.  It was by a guy who's done a bunch of analysis on actual
password lists that have been disclosed to see what kinds of patterns
people are using these days.  He had some nifty slides up with tables
showing the percentages of formats people actually used, like "if C is a
character and n is a number, 65% percent of people on such and such a
list used a format like CCCCn followed by CCCCnn..." and so on.  The
idea is that you can target a given probability of format when trying a
password attack.  While I in all seriousness have no interest in doing
any such thing, I found the information nonetheless useful in the "don't
be an easy target" category -- that was the flipside of some of his
data, which is to say "here are some things you can do yourself to have
better passwords".  And I seem to recall using spaces was a part of
that, as a not-as-common special character to sprinkle about.

They don't have the slides up from the talk, but I'll try to remember to
keep an eye out for it and pass on a link when they do.  Fascinating
stuff...

- Joel


On Wed, 2008-03-05 at 08:47 -0500, Tux Subscriber Dave Aronson wrote:

> While we're chiming in on how we create passwords... what I do is take
> some word (or better yet, short phrase) that the site reminds me of,
> maybe even a double-jump.  Then I "1337ify" it.  (For the ungrokking,
> that's "leetify", meaning to substitute digits that look like
> letters.)  This is a common enough trick that I figure the h4x0rZ have
> rainbow tables that take that into account.  So I give it a bit of a
> twist, and only 1337ify every OTHER occurrence of 1337ifiable
> characters, AND decrement them, by 1 the first time, 2 the second, and
> so on  Sure, it could be undone by automation, but the number of
> specific combinations of such algorithms adds several bits to the
> number of different rainbow tables they'd have to have..  (Actually,
> my real algorithm is slightly different.  But you've got to go through
> many guesses to get it right.  See what I mean?)
> 
> For example, let's suppose the name NoVaLUG reminds me of luggage,
> which via Terry Pratchett becomes The Luggage.  With the space
> squeezed out, and the remainder 1337ified every other occurrence, that
> becomes 7h3Lu9g49e.  Decremented that becomes 6h2Lu8g37e.  You'd never
> have guessed, would you?  But I can look at what is asking for my
> password, be reminded of the original word, apply my transformation,
> and Curly would say, viola!
> 
> Of course, one could apply the same sorts of transformations to
> passwords created by other means, such as "take the first letters of
> the opening line of your favorite song" (or some song the site reminds
> you of).  Better yet if it's something you wrote, and you're not a
> famous songwriter.  For instance, the entire Nantucket limerick
> yields, with punctuation, TowamfN,Wdwslhcsi.Hswag,Wwhc,"ImewacIcfi."
> normally, but the even harder
> 69w3mfN,Wdw40hcs0.H3wag,Wwhc,"Im2w2c9cfi." after transformation.
> 
> -Dave
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.firemountain.net/pipermail/novalug/attachments/20080305/b9c9e52f/attachment.htm>


More information about the Novalug mailing list