Pages:
Author

Topic: A trick for long passwords in Linux - page 2. (Read 2212 times)

member
Activity: 70
Merit: 10
Only a curious passer-by / FirstBits: 13zsc1
August 16, 2011, 06:20:58 PM
#9
That trick is ok, but your easy password should not be a dictionary word. Dictionary words, specially english words are very well knowed.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
August 16, 2011, 06:20:24 PM
#8
Good points all around. My method assumes no one knows you are encoding a simple password. And yes, it would be better to use a non-word. Then an attacker must go the brut force route. The Md5 is long and complex enough to avoid being in the "low hanging fruit" category.

The main advantage is ease of use and relatively strong protection using an easy to remember PW. With a little creativity you can go further. Suppose I used the Md5 result string to hash it again?
full member
Activity: 143
Merit: 101
August 16, 2011, 06:16:58 PM
#7
Use bcrypt()+SHA512 or something. MD5 is far too short.
legendary
Activity: 1400
Merit: 1005
August 16, 2011, 06:04:00 PM
#6

BUT, that assumes that the password hacker knows that he is using an md5 hash for his password.

[...]

Basically, it's very secure (IMO), as long as you don't announce to the world that you're using it.

Such an approach is known as Security through obscurity and not very recommended.
That's like saying your password isn't secure if you post it on a forum.  Roll Eyes  I HIGHLY doubt any hackers are seriously going to add MD5 hashes (or other hashes) of dictionary words to their "check if this is their password" list, much less an even longer list of all of the typical dictionary items that they probably use to check password lists, much less an even longer list of all of those typical dictionary items that they use in all known hashed forms.  I'd give far better chances to me forgetting my own password because it is too complex than a hacker finding out what it is.

I mean, would you go to the MtGox password list and attempt to find someone who used an MD5 hash of a dictionary word as their password (which would have subsequently been stored as md5(md5(word)))?  Probably not.  You'd probably start with dictionary words, then go with dictionary words + numbers, then go with dictionary words + dictionary words, etc.  There's going to be a lot better chances of going through a lot of other lists (heck, even random alphanumeric characters) of finding the correct password than there would be of going through an MD5 hash list.

Now I'm not saying one should use a simple MD5-hashed dictionary word as their password, but perhaps whatever is the most complicated "memorable" password with an MD5 hash would be best.  Something like Tails4Thew1n, in MD5 hash form, and no dictionary attack is going to get it.

Call it security through obscurity all you want, but it would work, and it would work a heck of a lot better than people using (and losing) their 64 random character combinations.
legendary
Activity: 1764
Merit: 1007
August 16, 2011, 05:39:53 PM
#5

BUT, that assumes that the password hacker knows that he is using an md5 hash for his password.

[...]

Basically, it's very secure (IMO), as long as you don't announce to the world that you're using it.

Such an approach is known as Security through obscurity and not very recommended.
hero member
Activity: 602
Merit: 502
August 16, 2011, 04:45:17 PM
#4
BUT, that assumes that the password hacker knows that he is using an md5 hash for his password.  So few people would actually store their passwords in such a manner that it would not be worth it for a generic brute-force program to attempt to break into a passwords list by using a prehashed list like that.  The only way it would be insecure is if it was a targeted attack against a known subject who was known to be using such a password storage method.  Like the OP.

Basically, it's very secure (IMO), as long as you don't announce to the world that you're using it.

You are right, but I wouldn't use this with simple english words. Adding md5 of dictionary words to a wordlist is easy and it doesn't take that long to test.
It is a nice method, but use a fairly good password with it.

Anyway, I propose an improvement because some stupid websites still require that you use a password with upper letters, lower letters, numbers and signs regardless of how long your password is:

Quote
$ echo -n c00l_password! | md5sum | awk '{printf $1}' | base64
NWY0ZWVmMzRmZTM3YmU5MDlhNmRiNzc1NWFkMzk2NDA=

  • Using base64 after md5 guarantees the = sign at the end
  • It is a little longer and it is more unlikely that it will be at included in any wordlist
  • md5sum outputs '-' so I have to use that ugly awk
legendary
Activity: 1400
Merit: 1005
August 16, 2011, 03:36:38 PM
#3
RodeoX,

My guess is if I take the MD5 hash of every word in an English wordlist, plus every word with a single number after it I will have your passwords in that list. It should not take long to do that amount of hashing on a modern CPU.

Your scheme is better than using dictionary words but not by much.


I normally generate passwords with something like:
dd if=/dev/urandom bs=1 count=6 2>/dev/null | base64

One password per account as password reuse is evil. Adjust the count to your liking and use /dev/random instead of urandom if you are feeling truly paranoid.

Store passwords with something trustworthy.

BUT, that assumes that the password hacker knows that he is using an md5 hash for his password.  So few people would actually store their passwords in such a manner that it would not be worth it for a generic brute-force program to attempt to break into a passwords list by using a prehashed list like that.  The only way it would be insecure is if it was a targeted attack against a known subject who was known to be using such a password storage method.  Like the OP.

Basically, it's very secure (IMO), as long as you don't announce to the world that you're using it.
sd
hero member
Activity: 730
Merit: 500
August 16, 2011, 03:32:26 PM
#2
RodeoX,

My guess is if I take the MD5 hash of every word in an English wordlist, plus every word with a single number after it I will have your passwords in that list. It should not take long to do that amount of hashing on a modern CPU.

Your scheme is better than using dictionary words but not by much.


I normally generate passwords with something like:
dd if=/dev/urandom bs=1 count=6 2>/dev/null | base64

One password per account as password reuse is evil. Adjust the count to your liking and use /dev/random instead of urandom if you are feeling truly paranoid.

Store passwords with something trustworthy.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
August 16, 2011, 03:08:58 PM
#1
A quick tip for creating long passwords in Linux.

Open a terminal window and type in the following command:

rodeox@Linux-ThinkPad:~$ echo -n test |md5sum

The part in red will be your user and computer name. The part in purple will be your easy to remember password.
Now hit enter and your computer will create an Md5 key for you.

Example for the word "test":
098f6bcd4621d373cade4e832627b4f6

Now any time I want to remember that long string of numbers and letters I just go to my terminal and enter my easy password. Each time it will give the same answer.
Pages:
Jump to: