Silk Road forums
Discussion => Security => Topic started by: Stark on January 15, 2013, 07:52 pm
-
Hello everyone, I've been browsing here for a long time, but have never made an account. I decided today was the day and I'd like to start by helping out the SR community.
This will eventually evolve into a total guide for beginners with an aim at helping in every aspect from the start of their journey to after their first order.
Anyways, what you'll need to do is this: Find a poem or song you like, anything, that you remember the lyrics to.
For the sake of this, we'll be using some bullshit lyrics I'm going to make up now:
"Nigga awe yeah that's some good shit let's light that dank up bro
--Hell yeah burn all day, WestCoastRX man you already know
--I'd be worried about the cops if they rolled up while I'm buyin Blow
--But I do it on SR so they ain't got shit, nope nowhere to go."
Basics: Only use one line, transcribed (I'll show this), for each password at different sites.
Step 1. Choose Song or Poem
Step 2. Take whatever line you'll be using from your poem, song, or whatever, and take the first letter of each word and make it capital. So in this case, it'll be: NAYTSGSLLTDUB.
Step 3. Now, if you're on Tor you probably have some idea of what 1337speak is. If not, be creative. Change out certain letters for symbols or spellings.
- Example: What I'm going to change is in parentheses; NAY(T)SG(S)L(L)TDU(B). I'm going to change the letters I've taken and either make them a corresponding symbol, or spell them out. The end result is this: NAY7SG5L1TDUbee
Easy enough. From start to finish the process goes like this:
1. "Nigga awe yeah that's some good shit let's light that dank up bro"
2. NAYTSGSLLTDUB
3. NAY(T)SG(S)L(L)TDU(B)
4. NAY7SG5L1TDUbee
As long as you can remember your song, you can remember your passwords. Now just as you'd sing a song aloud, whenever you're in a private residence or area and you need to type your password, sing the lyrics as you type. Do NOT sing or say your password itself, type it as you say each word. This helps associate your password with your song and you'll have it memorized extremely quickly. You can of course write it down, which I do suggest; however, this is merely for the sake of the case when you either lose the item you've written them down on, or can't currently access it and need your encryption pw's or SR pw.
I'll add another Numeric / Symbol method later, which is much more simple. I understand that this can look like a lot of text for creating a password, but I feel it's worth it.
I really hope this helped! Great day and happy hunting ;)
-
Or you could use this excellent password generator.
From the site:
What makes these perfect and safe?
Every one is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again.
Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page which was custom generated just now for you will not be cached or visible to anyone else.
https://www.grc.com/passwords.htm
-
^ Yeah sorry, I'm gonna have to pass.
-
Yeah... I agree with Stark. I would rather use his technique and create my own pass words. I'm probably just unnecessarily paranoid.
-
Yeah... I agree with Stark. I would rather use his technique and create my own pass words. I'm probably just unnecessarily paranoid.
Nooo haha, that was a pretty sketchy post he made xD. You have to have a special kind of paranoid for it to be bad on SR :D, like accessing it in public for fear of using it at a home computer.
-
your passwords should be at least 20 characters, always include special characters like #*¡>£} if possible, makes brute forcing exponentially more difficult.
nothing wrong with using words you just need lots of them
example:
saLly456loVes987diCk}{»moRe$&_thAn";:joHn
perfectly secure and i just used a sentence and patterns of characters in between with every 3rd letter of a word capitalized. there's no need to make it mentally taxing on yourself.
this password is too complex for dictionary + character pattern attacks to be very useful.
-
i think this is a better writeup of the method you are trying to do, little more in-depth 44 page read.
http://www.sans.org/reading_room/whitepapers/authentication/simple-formula-strong-passwords-sfsp-tutorial_1636
or lookup simple formula for strong passwords
older document but still relevant, just use longer passwords than recommended in article.
-
I don't know if this is helpful:
Let's say your password (s) / passphrase (s) are really complex, but you're already getting used to them, just close your eyes and try to "visualize" them.
You can do little exercises while having a bath or taking a shower.
If you have to write on different keyboard layouts, then try to memorize the combination for specific additional characters.
-
Pass phrases composed of words have a higher entropy to memorization difficulty ratio.
Consider this example:
Easy enough. From start to finish the process goes like this:
1. "Nigga awe yeah that's some good shit let's light that dank up bro"
2. NAYTSGSLLTDUB
3. NAY(T)SG(S)L(L)TDU(B)
4. NAY7SG5L1TDUbee
OP's password has upper and lower case letters, and numbers. That's a character space of 26 + 26 + 10 = 62. The password is 16 characters long, so that's a total password strength of 16 * log2 62 = 95.3 bits of entropy.
But what about these random words: "light goes consider method page agree what sorry"
which I picked randomly from the comments above. If you spent a few minutes repeating them, could you memorize them?
If you could, you would get a surprising 228 bits of entropy (that's 10^40 times harder to crack than OP's password). The character space is 26 lower case letters + spaces, so 27 total, but it's 48 characters long.
That's assuming the attacker doesn't know the pass phrase is composed of dictionary words. If he does, then he could do a literal dictionary attack. A standard dictionary might have 80,000 unique root words, which is the new "character space". Thus the entropy is 8 * log2 80000 = 130 bits, still 10^10 times stronger than OP's password, and not much harder to remember.
For every word you add, you get another 16 bits of entropy, while in OP's password, for every character you add, you get 6 bits of entropy. The interesting thing is that words are not much harder to remember than characters, because your brain remembers both as whole chunks of information. In fact, to get OP's password you need to memorize whole words (plus a protocol) to derive the individual characters when you could just remember whole random words. The only real advantage is that songs/rhythms make things easier to remember.
The downside is that he didn't use a random collection of words. If the attacker knows that OP used a meaningful sentence, he could do a statistical attack based on grammar. For example, "let's" is more likely to be followed by a verb, like "light", than by a noun. That greatly reduces the search space.
-
exactly! and add in special characters ·`{}|[]<>~\*%$@$&_():;" etc. between your long phrases to REALLY increase the number of possibilities.
i think the op was trying to create dictionary resistant passes by adding characters in his words but made the mistake of using numbers that can visually represent a letter like 7 for t or 5 for s. adding numbers to the middle of your word is great
ex
myfakepassword => m1yfak2epasswor3d
step further
m1y$fak2e&passwor3d%
use 6 or so broken words with letters and sp. char in between and nsa will have a hard time with your pw.
-
One word: Diceware
See: https://www.diceware.com/
Also see: http://en.wikipedia.org/wiki/Diceware
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
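The entropy arithmetic in Astor's post (symbols × log2 of the alphabet size, whether the "symbol" is a character or a whole word) and the Diceware method Nightcrawler points to can be put into one small script. This is an added example, not code from any poster in this thread or from the Diceware project. The alphabet sizes (62 mixed-case alphanumerics, 27 lower-case-plus-space, an assumed 80,000-root dictionary) are taken from Astor's post; the 7776-entry list size and the five-dice indexing are how Diceware works, but the word list itself is a constructed placeholder, not the published list.

```python
import math
import secrets

# Alphabet sizes used in the thread's arithmetic, plus Diceware's list size.
MIXED_CASE_DIGITS = 26 + 26 + 10      # upper, lower, digits (Astor's 62)
LOWER_AND_SPACE = 26 + 1              # lower-case letters plus the space (Astor's 27)
DICTIONARY_ROOTS = 80_000             # Astor's assumed count of dictionary root words
DICEWARE_WORDS = 6 ** 5               # 7776 entries, one per five-dice outcome


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size`.

    A symbol may be a character or a whole word; the formula is the same.
    This is what makes random words pay off: ~13-16 bits per word versus
    ~6 bits per mixed-case alphanumeric character.
    """
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return length * math.log2(alphabet_size)


def log10_work_ratio(bits_a: float, bits_b: float) -> float:
    """log10 of how many times more guesses a brute force of A needs than B."""
    return (bits_a - bits_b) * math.log10(2)


def diceware_index(rolls: str) -> int:
    """Map five dice faces such as '31425' to a 0-based index into the list.

    The list is keyed by the five digits read as a base-6 number, so
    '11111' is entry 0 and '66666' is entry 7775.
    """
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected exactly five dice faces in the range 1-6")
    index = 0
    for face in rolls:
        index = index * 6 + (int(face) - 1)
    return index


def roll_five_dice() -> str:
    """Five rolls from the OS CSPRNG; physical dice are the original method."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(wordlist: list[str], n_words: int) -> list[str]:
    """Pick n_words by rolling five dice per word and indexing the list."""
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError(f"a Diceware list has exactly {DICEWARE_WORDS} entries")
    return [wordlist[diceware_index(roll_five_dice())] for _ in range(n_words)]


# Constructed stand-in for the published list (assumption: same length and
# ordering, placeholder words). Use the real list for an actual passphrase.
PLACEHOLDER_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_WORDS)]


if __name__ == "__main__":
    op_bits = entropy_bits(16, MIXED_CASE_DIGITS)       # ~95.3 bits, as in the post
    phrase_bits = entropy_bits(48, LOWER_AND_SPACE)     # ~228 bits if attacked character by character
    dict_bits = entropy_bits(8, DICTIONARY_ROOTS)       # ~130 bits if attacked word by word
    dice_bits = entropy_bits(8, DICEWARE_WORDS)         # ~103 bits for eight Diceware words
    print(f"chars: {op_bits:.1f}  phrase-as-chars: {phrase_bits:.1f}  "
          f"phrase-as-words: {dict_bits:.1f}  diceware-8: {dice_bits:.1f}")
    print(f"phrase-as-chars is 10^{log10_work_ratio(phrase_bits, op_bits):.0f} times more work")
    print(" ".join(diceware_passphrase(PLACEHOLDER_WORDLIST, 6)))
```

The numbers reproduce the post's 95.3, 228 and 130 bits and the 10^40 ratio. The word-based figure only holds if every word was drawn uniformly at random from the whole dictionary; words "picked from the comments above" or from a meaningful sentence are not, which is the weakness Astor describes. Diceware's list is smaller (about 12.9 bits per word, so eight words give roughly 103 bits), but the dice make the selection genuinely uniform, and the entropy can be stated honestly in advance rather than estimated after the fact.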
-
Great post Astor. Just a shame that in so many places you can't use passwords like that, they're too long or they require certain cases/characters.