raddevus wrote: more difficult to remember for users. That's fine. So, don't make it required. My problem is they are preventing you from using a special character.
There are only 10 types of people in the world, those who understand binary and those who don't.
Oh, very good point.
That's ridiculous that they don't allow it. What?
I use my app exclusively for my own passwords and I'm always annoyed when sites tell me that I have to use a special char, because with my app my passwords now look like:
1. cf82bb8b015707c5cef11942b88bb058d3795f4dcae551e65ea72891333a1384
2. ea50612a6d5dde56c7a826cc03317e99c2f2f5547b0bd0b5e985ac27883b8242
Those are extremely strong because they are long and not based upon words.
Those silly password checkers will say they are of medium complexity.
The industry has a lot to learn.
raddevus wrote: Those silly password checkers will say they are of medium complexity. Ya, sure. I was only off by one character when I tried to guess your password.
There are only 10 types of people in the world, those who understand binary and those who don't.
You have the fantastic ability of generating SHA256 hashes completely from memory.
There are only more of them than there are stars in the universe so it's easy.
raddevus wrote: There are only more of them than there are stars in the universe so it's easy Ya, I needed a challenge after I counted all the stars.
There are only 10 types of people in the world, those who understand binary and those who don't.
RyanDev wrote: Ya, I needed a challenge after I counted all the stars
Don't s'pose you changed your surname by deed-poll at marriage and that your wife has a father-in-law called Chuck, does she?
Off by one character, in EVERY character position
raddevus wrote: Those are extremely strong because they are long and not based upon words.
Those silly password checkers will say they are of medium complexity.
They ain't silly...
12 chars with 26 possibilities (9,54e16 combinations)
10 chars with 52 possibilities (1,445e17 combinations)
Your length is bullish when it comes to complexity
Rules for the FOSW [^]
if(this.signature != "")
{
MessageBox.Show("This is my signature: " + Environment.NewLine + signature);
}
else
{
MessageBox.Show("404-Signature not found");
}
Best passwords ever, so easy to remember and having characters [0-9a-f] is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23.
I agree. The point is a sha256 hash is a value on the order of 2^256.
That's 1.1579208923731619542357098500869e+77 -1
So basically we are saying:
My password is one out of the set of all 256-bit numbers. Guess it now.
If you can guess the resultant hash or you have an algorithm that can calculate it, then you pwn all computers anyway.
Each digest is created by adding 65 bytes, 64 digits = 512 bytes, which is exactly the length of a single-iteration digest; this means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.
Plamen Dragiyski wrote: but it is not as difficult as this calculation.
I agree with you. I was basically summarizing for brevity and generalizing for analogy in order to explain it without all the details. Thanks for adding to the conversation. Always like to think about how to make these things more clear and more correctly explained.
Exactly!
Why should people with real keyboards suffer because of the witless hordes whose entire life is enshrined in a hand-held device?
This also implies that yes, indeed, I've noticed this. There's even a financial institution I used that doesn't allow special characters (like an underscore!) in usernames or passwords.
Well - in a world that targets dumbing down as much as possible I raised my kids to be knowers-of-things (didn't let them use calculators until HS, and then, only when essential). Essentially, a greedy concept that my progeny will be lions amongst the sheep.
Ravings en masse[^]
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
And a couple I've noticed that won't allow a hyphen in an email address...
No prizes for guessing which "special character" is in my domain name?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
OriginalGriff wrote: won't allow a hyphen in an email address... That is bad (code word for stupid)
I suppose it can get worse (polite way of saying stupider):
I've a domain name ending in .info - which is rejected as invalid by a number of places. I didn't test to see what top level domains they think are real - but, well, as we well know:
There's no limit to or cure for stupid.
Ravings en masse[^]
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
Too long - everybody knows that ".com" is only three letters...
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Well, maybe "🐑-🐑.com"
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
So, take the password you wanna use, including the special characters, then base64-encode the whole string. Bam, there's the password you should use on those sites. Problem solved.
Wait, what?
Cool, and exactly how one does remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account?
Basically a slightly altered and less reliable folded paper with passwords in the wallet.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
No, there is no cloud with C'Ya Pass.
Here's how it works.
1. You add unique site/keys to the app.
That is a text-based string that will help you remember what the password is associated with.
The app hashes that value.
2. You draw a pattern in the grid.
The original hash is salted with the generated value from the grid of the pattern that you drew.
Now, each time you select your site/key and draw your exact pattern then the unique hash is generated.
Your passwords are not stored anywhere.
This is the paradigm shift.
They are generated every time you select the site/key and draw the pattern.
Your password is cryptographically strong since it is a SHA256 hash. Plus it is long (64 chars) and just random chars and numbers.
Thanks for asking.
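A toy re-implementation of the derivation described above, added here as an example and not the C'Ya Pass code (the site key, the grid pattern and how it is encoded into the salt are assumptions), alongside a class-counting strength meter of the kind the thread complains about:

```python
import hashlib
import math

# Constructed sample inputs: the real app's site keys, grid geometry and
# pattern encoding are not given in the thread, so this encoding is an assumption.
SITE_KEY = "mybank.example"
PATTERN = [(0, 0), (1, 1), (2, 2), (2, 1)]  # grid cells touched, in order


def derive_password(site_key, pattern):
    """Hash the site key, salt that hash with a value derived from the drawn
    pattern, hash again. Nothing is stored; the same inputs always reproduce
    the same 64-hex-char password, and a different pattern gives a different one."""
    site_hash = hashlib.sha256(site_key.encode("utf-8")).digest()
    pattern_salt = ";".join(f"{r},{c}" for r, c in pattern).encode("utf-8")
    return hashlib.sha256(site_hash + pattern_salt).hexdigest()


def naive_checker_score(password):
    """Class-counting strength meter of the kind the thread complains about:
    64 hex chars are only lowercase + digits (2 classes), so they rate 'medium'."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    n = sum(classes)
    if len(password) >= 12 and n >= 3:
        return "strong"
    if len(password) >= 8 and n >= 2:
        return "medium"
    return "weak"


def keyspace(length, alphabet_size):
    """Candidate strings of that shape (the 26^12 and 52^10 figures above)."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Work factor in bits for a uniformly random string of that shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = derive_password(SITE_KEY, PATTERN)
    print(pw, naive_checker_score(pw))
    print(f"{entropy_bits(64, 16):.0f} bits vs {entropy_bits(12, 26):.1f} bits for 12 letters")
```

The meter only counts character classes, so the 256-bit hex string scores below a 12-character mixed password; the keyspace figures show why that ranking is backwards.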
So it is a pattern to be drawn each time, this is fairly cool. It still requires a device with that app, which may be unavailable (ever been mugged? Or with a phone TFU?). A good 10-14 character password unique to the site is more than enough. Usually my only problem is remembering if I registered as den2k or den2k88 (many sites don't accept user names with less than 6 characters).
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
den2k88 wrote: It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad).
Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port.
That device has a bluetooth module that you can pair with your phone, device, etc.
Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer.
I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device.
You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^]
It won 2nd prize in the IoT contest.
Thanks again for asking.
My main problem is that if you have to access an account but do not have a smart-thing with you or the USB thingie (which I suppose must be installed and that may be not possible if roaming or with another's machine) you are by all accounts locked out.
Goodbye access to you banking site / e-mail while at work if the smartphone is unavailable due to hardware failure / in the pocket of a less-than-honest person. Especially if you work on the move, as a guest in many different companies (think of industrial equipment maintenance).
The only device I rely on is my head since if it fails or is missing from the rest of the body it is evident that I have more pressing problems on my hands than a password. Also remembering a pattern isn't that easy, after months you may very easily forget which is the starting coordinate and how long the pattern is, even for a single line. It still relies on brains, plus a device. Cut the dependencies and use only the brain, it's easier and allows access under any condition which isn't physically incapacitating to the individual.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani