1. Forum
  2. USENET
  3. sci.crypt

  • I don't get this RANDOM stuff...?

    From ignoramus@ignoramus@home.com to sci.crypt on Thu Apr 24 18:13:08 2025
    From Newsgroup: sci.crypt

    I don't understand the need for this random stuff.

    I just made up this somewhat easy to remember passphrase about my
    doggie's bathroom habits.

    My doggiiee poohps 2.3 tyhmes a dahy

    It can be 'hacked' because it isn't "random"?

    Every password checking web site says it would take thousands of
    centuries to hack. What am I missing?
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Richard Harnden@richard.nospam@gmail.invalid to sci.crypt on Sat Apr 26 10:09:57 2025
    From Newsgroup: sci.crypt

    On 25/04/2025 00:13, ignoramus@home.com wrote:
    I don't understand the need for this random stuff.

    I just made up this somewhat easy to remember passphrase about my
    doggie's bathroom habits.

    My doggiiee poohps 2.3 tyhmes a dahy

    It can be 'hacked' because it isn't "random"?

    Every password checking web site says it would take thousands of
    centuries to hack. What am I missing?

    I hope that means 2 or 3 times a day, because I don't want to think
    about what a 0.3 means.

    The problem is that it isn't random - once during morning walkies, maybe during lunchtime walkies and once during evening walkies - so it'll be
    very predictable and you only get a tiny bit of data evenly spaced out.

    Can you generate thousands of different passphases?



    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Juergen Nieveler@usenet@nieveler.org to sci.crypt on Mon May 5 07:25:54 2025
    From Newsgroup: sci.crypt

    ignoramus@home.com wrote:

    I don't understand the need for this random stuff.

    I just made up this somewhat easy to remember passphrase about my
    doggie's bathroom habits.

    My doggiiee poohps 2.3 tyhmes a dahy

    It can be 'hacked' because it isn't "random"?

    Every password checking web site says it would take thousands of
    centuries to hack. What am I missing?

    It's not so much that you'd get hacked because it's not random - but that you'd be tempted to use it on multiple services because "Oh, I have a very long and secure passphrase".

    Finding your password through brute force would indeed take AGES... as
    long as it's stored securely on the server in the form of a salted hash
    only. But if it's not... then somebody would know the password and could
    try it on all kinds of services to see where else you used it.

    That's why long memorable passphrases should only be used on password
    safes - the one thing where you REALLY shouldn't write down your password
    for, as that's where you store all your other passwords. And THOSE are
    random, because that's much much easier than coming up with hundreds of different phrases...

    Of course that password safe also needs 2FA of some kind just in case THAT password gets found somehow, that goes without saying.
    --
    Juergen Nieveler

    Ceterum censeo NSA esse delendam
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Oscar@oxxxxxxxxxxxs@gmail.com to sci.crypt on Mon May 5 15:09:08 2025
    From Newsgroup: sci.crypt

    Op 5-5-2025 om 09:25 schreef Juergen Nieveler:
    ignoramus@home.com wrote:

    I don't understand the need for this random stuff.

    I just made up this somewhat easy to remember passphrase about my
    doggie's bathroom habits.

    My doggiiee poohps 2.3 tyhmes a dahy

    It can be 'hacked' because it isn't "random"?

    Every password checking web site says it would take thousands of
    centuries to hack. What am I missing?

    It's not so much that you'd get hacked because it's not random - but that you'd be tempted to use it on multiple services because "Oh, I have a very long and secure passphrase".


    I think I would approach this just from the attackers point of view;

    Suppose you need to crack a hash, then you have a couple of options:
    (0. rainbow tables skipped for now)
    1. use a wordlist
    2. use a wordlist with rules (alter case, prepend/append numbers, use
    common substitions such as e->3,a->@ etc.)
    3. use a mask (for example; start with capital letter, followed by 6
    lowercase letters, followed by a special, followed by 2 digits)
    4. use pure bruteforce

    With "fast hashes", attackers can try millions of candidates per second. Passwords which fall in category 1 or 2 will most likely be cracked.
    Granted, your passphrase probably can't be cracked because of its length
    (it compensates for the lack of "randomness").
    But if I have many hashes generated from not too long passphrases
    consisting of a combination of 3 words from a list of 1000 common words
    that would only be 1.000.000.000 candidates which can be tried in
    seconds. Perhaps I can do the same and start with 'My ' or 'I ' ..
    (You realize this, otherwise you wouldnt have made the deliberate
    'spelling mistakes' like 'doggiiee' and 'poohps')

    Only "a random generated password" forces an attacker to use option 4,
    and indeed the searchspace grows so big with the length of the password
    that it will be infeasable to search the whole space even for shorter passwords.

    In short, anything an attacker may be able to predict about a password,
    he can use to narrow the searchspace.

    regards,
    Oscar





    --- Synchronet 3.21a-Linux NewsLink 1.2