On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:

> On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
>
> 'Us'? Do not speak for all the list please.

It is a construct; intended to involve everyone in the conversation.

> Admit that you just did not read the pdf.

It is not concerned with online cracking. That is obvious. Why should I
spend time in reading its each and every detail?

> > How does this help with attacking the password for a login with online
> > techniques?
>
> Simple. You generate passwords by using adjectives, nouns and verbs from
> Oxford and/or Webster dictionary. You don't put all the words together
> (the result will have too much volume), you try to create grammatically
> correct (although meaningless) phrases. A mathematical concept that
> allows you to do so is Markov chains. An implementation of this concept
> is called Prince Attack on hashcat lingua.
>
> Overall entropy of 'my!only"reason£for$living%is^ebay' password (aka
> XKCD 936 password) could be reduced significantly, leaving
> 'eq8GeKBhVXOTjF0dAyd0' password (aka base64 password) far superior.
>
> Also, bruteforcing a password by feeding a list of those to the online
> service of any kind is dumb (unless you have a disposable botnet
> dedicated to this purpose). Smart move is to obtain a list of
> (hopefully) hashed passwords, which all bad guys are doing these days.

Services accept numerous failed *online* logins without doing anything
about it? We (or, if you prefer - you) have now decided to move to
offline cracking. It makes for a better press.

> > > > We are mesmerised by the skills of offline crackers. They dazzle us and
> > > > blind us to realities. Where is someone saying that
> > > >
> > > > eq8GeKBhVXOTjF0dAyd0
> > > >
> > > > is a splendid password? It wouldn't have a chance of being forced via an
> > > > online attack.
> > >
> > > Since it appeared in a public maillist - it is a bad password by
> > > definition.
> >
> > It will not be used again.
> >
> > How easy is it to force
> >
> > +H3GHd8kXs8HfmRDzZ7y
>
> Since you put it on the public maillist again - trivially.

Damn. I spent ages using the technique in the first post in this thread
to devise it.

--
Brian.