How strong are your passwords?

I know sometimes my threads kind of make users think I’m hiding from the FBI or something like that, but I’m curious to know: how strong are your passwords? My last root password, for example, was:

ToQuinHa*!23B%$YH1(0n&

It was time-consuming to type that 15x/day, so I wonder what the odds are of a regular user looking up online how to bypass a regular Linux root password, say “iloveyoumom” for example.

Please post your thoughts about how strong a root password should be :slight_smile:

Yes, you are hiding from someone, but I am not far behind you. I use as many as 15 characters from as much of the keyboard as it will allow me, and I never allow any words to form.
My family members hate the passcodes that I place on their machines after I work on them.
Believe it or not, it does not take long to remember them. Once you have remembered such a passcode then it can easily be altered by a character or two.

As you are not seeking any help, this should go to chit-chat:

https://forums.opensuse.org/english/other-forums/community-fun/general-chit-chat/


It is difficult for me to remember your passcode :frowning: But if anyone (someone from your inner circle) knows that you like your mom, then they can as well guess “iloveyoumom”.

About 6 years ago I did several presentations on this topic which were well received by a number of security experts. It’s totally relevant still today. I’ve posted the slide deck here:
https://sites.google.com/site/4techsecrets/slide-presentations

Some points:
  • What makes a practical password
  • How strong is your chosen password, really?
  • Creating passwords difficult for machine cracking yet memorable by humans
  • My prediction of rainbow table cracking
  • My prediction of how common cracking using web resources like social media has become
  • Why common password input validation for “strong” passwords can be ineffective

And lots more… if this is what you’re interested in.

TSU

>
>> ToQuinHa*!23B%$YH1(0n&

that is far stronger than my root pass, but not as strong as the pass
for my bank, paypal, online broker account…

but, for a root pass to be useful to anyone they would first have to
get into my machine, electronically…not an easy task…it is a
lot easier to knock on the door of my bank account, than my root account.

my root pass looks like this:
XyZA1.b2_3
while paypal more like this:
_A1.BcdE$2fG3H-

except the real pass has no sequential letters or numbers (no abc, no
123 or 321)


dd
openSUSE®, the “German Engineered Automobile” of operating systems!

Btw, you can have some fun calculating the strength of “iloveyoumom” using the calculator in my slide deck. Today, given sufficient bandwidth (e.g. another box in the same LAN) and not necessarily physical access (e.g. reboot to LiveCD or similar), it might take between minutes and at most a few short hours to crack.

IMO,
TSU

It is a bit off topic from the real discussion, but not too far.

I wonder what you are doing on your system that you need to become root on average 15 times a day?

It is only because I am rather active on the forums that I am using root a few times a day to check things against peoples problems, but for real use, I can work for days without becoming root.

And on my wife’s system, where I am the system manager, I only use root once a week, normally for maintenance.

And that brings this back to your real question: how difficult is a 15-character password when you type it only once a week? Maybe it is difficult, because remembering something that you only use once a week is probably more difficult than when you type it once every hour.

On Thu, 09 May 2013 21:26:02 GMT
amarildojr <amarildojr@no-mx.forums.opensuse.org> wrote:

>
> I know sometimes my threads kind of make users think I’m hiding from
> the FBI or something like that, but I’m curious to know: How strong
> are your passwords. My last root password for example was:
>
> > ToQuinHa*!23B%$YH1(0n&
>
> It was time consuming to type that 15x/day so I wonder what are the
> odds of a regular user to look up online how to bypass a regular
> Linux root password, say “iloveyoumom” for example.
>
> Please post your thoughts about how strong a root password should be
> like :slight_smile:

I’m not sure what the point is of going to all the bother of having a
really strong root password when it can be so easy to bypass. I’m no
cracker but if I wanted to access someone else’s machine, as long as I
had a live CD or installation DVD, I’d be able to access any file on
the machine that’s not encrypted or password-protected.

Having said that, I have a moderately strong but easily memorable
password on root and personal userid to deter casual nosey parkers.

[FUP to general-chit-chat]


Graham P Davis, Bracknell, Berks.
openSUSE 12.3 (64-bit); KDE 4.10.3; AMD Phenom II X2 550 Processor;
Kernel: 3.9.0; Video: nVidia GeForce 210 (using nouveau driver);
Sound: ATI SBx00 Azalia (Intel HDA); Wireless: BCM4306

I agree with several others that this is a nice and interesting discussion, but that it should go to General ChitChat. It will be moved there.

Thus it is CLOSED for the moment (about 15 mins).

Moved from Applications and open for discussion again.

Sorry, I noticed this after posting.

It’s not that difficult, just type a few times and you’re ready to go =)
I think what I tried to say with “iloveyoumom” is that it’s very easy for someone with the right tools to crack.

I don’t see how that’s effective, let’s say, for a non-Linux user, since most cracking happens with key-loggers or e-mails (“See your pictures from yesterday”). I can imagine PayPal/banks store passwords with good encryption, and it seems to be very difficult for crackers to get into it. I remember reading somewhere that most banks use Linux; add that to the fact that Linux was the only one standing up at a hacker fair, and you seem to be pretty much safe regarding what it would take for someone to crack into your bank account.

Thanks TSU, I’ll surely read it until Monday =]

Long story short: various system re-installs (for testing purposes). Meaning the root password is typed on installation, every time I open YaST, log in, etc. Not to mention when opening my encrypted drive. Sure, after all is configured right there’s less need to type it many times.

Well, this is kind of the main point of this thread. Is it really so easily bypassed? Why SHA-512 encryption then?

You completely got my point after saying you could access any file while having a LiveCD. It’s true, but I forgot to mention I encrypt my /home partition. That uses an even stronger password than stated before. I guess in my case I really don’t need such a strong root password, since my drive encryption has a powerful password on it.

I’m looking over the internet trying to find a good article about how a cracker can bypass a root password over the internet, using web attacks.

No problem, it was my fault.

If you have physical access, then the device is likely compromised, it’s just a matter of time particularly with today’s cheap computing power. All you can do is slow down the attack and hopefully push final compromise over the horizon.

So, over the network, bandwidth is typically the bottleneck. You can enhance its effectiveness by things like:
  • Configure the standard login failure delay. Currently the default for a console is 30 seconds, but AFAIK it doesn’t apply to all types of logins; for Linux each is configured separately (e.g. SSH, various remote desktop protocols).
  • Some apps like fail2ban and DenyHosts help for specific types of connections.

But if someone has physical access to the device then all bets are off even with disk encryption. To crack, typically the drive is imaged and if necessary (eg for TPM) the hardware environment is read and emulated. Then, once imaged any number of times the encryption can be hammered until it breaks. Note that the entire environment can be emulated, it’s not like someone has to go run to a store and buy a zillion of your model laptop for example.

And, it doesn’t make any difference what type of encryption algorithm is used, or how strong. Although no one seems to admit it, incidents like the US drone downed by Iran a couple of years ago are prime examples… If believed, and assuming the USA wasn’t using any but the best encryption in their drones, supposedly with the help of a foreign state (Russia? China?) it took about 30 days to decrypt at least major parts of the onboard drives. IMO it can be assumed that anyone with large funds (maybe only $100 million or so) and sufficient motivation can crack anything in existence within a reasonable amount of time (months instead of decades), and that goes not only for nation states but criminal syndicates and other NGOs. Yes, it’s scary, and it puts even more of a premium on physically protecting machines and not allowing massive data dumps.

So, back to something that’s probably more relevant to the Average User, your question should now be understood to be answered by “It Depends.” It depends on who you’re trying to protect from, and what you’re trying to protect. Not everyone has the funds to build their own super computer cracking machine, are you protecting only against the neighborhood thief, a competitor, law enforcement, who? And, what is the value of what you are protecting? Maybe your Privacy is worth something, and maybe your Financial, Health Records, etc are worth something, but how much do you think someone will invest in getting that info and how much are you willing to do to protect it?

Finally, recognize that passwords are lousy security in general. If something is really valuable, maybe you should be considering certificates (which can be stored in a fob), which are essentially very long, very random strings of characters.

IMO,
TSU

I usually use the lyrics of a song. Take the first letters and substitute:

I can still remember how that music used to make me smile
icsrhtmutmms
I(5rh+muTMMs

Random to a cracker, but the song plays in my head as I type it, making it very easy to remember. I doubt I could remember a truly “random” password.

At the college where I used to work, this was very common. It sometimes made it hard to persuade students to change their passwords, even after explaining the risks.

On 2013-05-10 11:36, hcvv wrote:
>
> hcvv;2555601 Wrote:
>>
>> Thus it is CLOSED for the moment (about 15 mins).
> Moved from Applications and open for discussion again.

Too late… I think my post went to the previous thread somewhere. I’ll
repost.

On 2013-05-10 07:53, dd wrote:
>>
>>> ToQuinHa*!23B%$YH1(0n&
>
> that is far stronger than my root pass, but not as strong as the pass
> for my bank, paypal, online broker account…

Many banks and sites do not accept such long passwords. I found a bank
where I entered a password with symbols, and I could not get in later. I
had to go on foot to the branch, they phoned support internally, and it
turned out that “symbols” were not allowed in passwords, but they had
forgotten to verify that in the web form. So strong passwords for them
are just letters and numbers.

Some sites allow only 4 numbers.

One insurance company where I logged in recently has forced me to change my
password to just 4 letters/numbers - I had 8.

Another utility company I know forces us to enter login, pass (stronger
than usual) and a captcha or human question (to deter dictionary attacks).

A bank I know sends mail (receipts, invoices, etc) in acrobat encrypted
files via email (ISIS Information Systems, actually). The password is
relatively strong, but I don’t think they enforce it that much (and I’m
not going to try).

> but, for a root pass to be useful to anyone they would first have to get
> into my machine, electronically…not an easy task…it is a lot
> easier to knock on the door of my bank account, than my root account.

They would have to get into my local network first. And if they are
inside my house, they have physical access, so they can change the
password, anyway. Which is why I use an encrypted partition with a long
passphrase.

No, there are things that worry me a bit more. Like the multimedia
device having a password that I can not change, or the router resetting
to factory default on its own, or the printer having no security…

> my root pass looks like this:
> XyZA1.b2_3
> while paypal more like this:
> _A1.BcdE$2fG3H-

Mmm… Maybe I have to change mine to a stronger one

It can be worse… I know people that use the same pin for absolutely
everything… !


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On 2013-05-10 20:46, chief sealth wrote:
> robin_listas;2555726 Wrote:
>> >
>> > It can be worse… I know people that use the same pin for absolutely
>> > everything… !
>> >
> At the college I used to work, this was very common. It sometimes made
> it hard to persuade students to change their passwords, even after
> explaining the risks.

I was not thinking of college accounts… but everything, from online
mail accounts to credit card PIN. It is scary, but it is also difficult
to convince the other person. “I have very bad memory” or “What will I
do, carry a notebook with my passwords?”. I just hope that nobody
chances to attack these people, because if you successfully break the,
say, IMAP password you also have the bank account password…


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On Fri, 10 May 2013 11:46:03 +0000, amarildojr wrote:

> It’s not that difficult, just type a few times and you’re ready to go =)
> I think what I tried to say with “iloveyoumom” is that it’s very easy
> for someone with the right tools to crack.

Any password is easy for someone with the “right tools” to crack.
Passwords made up of words strung together are far more complex to crack,
though - unless you know the password (for example) is four words strung
together with the spaces removed (as opposed to using “*” in between the
words, or “_”, or “$”, or …)

Consider the mathematics:

If you use a password comprised of only the 26 letters in the English
alphabet, in lowercase, your pool to choose from is 26.

If you use upper and lower case (and the system can differentiate them),
then it’s 54.

If you add the 10 digits, it’s 64. Special characters on the number row
= 74.

That’s a relatively small set of characters, yet an 8 character password
made up from those 74 characters makes for 74^8 or about 9E14
combinations.

The total number of words in the English language is difficult to measure
(because what constitutes a “word”?), but the Oxford English Dictionary,
2nd edition contains 171,476 unique word definitions.

If we pick 4 of those 171,476 words and string them together with no
separator, that’s 8.64E20 combinations (allowing for repetition). Sure,
if you /know/ the password is 3 words strung together, it’s easy to
employ a dictionary attack, but how would you know that?

Now add character substitution to the mix - if instead of picking
“iloveyoumom”, you picked “1l0v3y0um0m”, even knowing it’s 4 words strung
together, a dictionary attack isn’t going to work unless it adds in
variations based on those substitutions, which increases the pool of
“words” being picked from. Say each word has on average one other
possible “spelling” using “l33t” substitution. That doubles the number
of “words” to 342,952 and the number of 4-word combinations to 1.38E22.

Now, consider that remote attacks are where a password is most effective,
because that has to be an online attack: with incorrect password delays and
(ideally) lockout for a set period of time after a set number of failed
attempts - and a lockout that doesn’t tell you the account is locked is
best (because then you could even enter the correct password and not know
it was right, because the system is just telling you “wrong password”
instead of “account locked, so I’m not checking the password”) - you
do pretty well.

As someone else said, if physical access to the system is compromised all
bets are off. An offline attack can be done then, and with GPU power
being harnessed to do password hash cracking, the complexity ultimately
doesn’t matter because GPUs handle this type of computational task so
fast. You can slow it down with encryption, but even then, it’s really
just a matter of time and computing power.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
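Jim’s arithmetic above, together with TSU’s earlier point that the login failure delay throttles remote guessing, worked through as an added Python example (it is not code from this thread or from any poster). The counts (the 74-symbol pool, 171,476 OED words, one extra l33t spelling per word) and the 30-second delay come from the posts; the offline guess rate is a constructed assumption standing in for “GPU power”, and the function names (`char_keyspace`, `word_keyspace`, `compare` and so on) are mine.

```python
"""Password search-space arithmetic from the thread, worked in Python.

Added example, not code from the thread or any poster. It reproduces the
figures in Jim's post (74^8, 171,476^4, the l33t doubling) and turns them
into expected guess times under two constructed attacker models:
  * online: each wrong guess costs the login-failure delay TSU mentioned
    (30 s in the thread), optionally across several parallel connections;
  * offline: the hash is already in the attacker's hands and guesses run
    at a GPU-class rate. The rate below is an assumption for illustration.
"""
import math

OED_WORDS = 171_476                 # OED 2nd edition definitions, from the thread
CHAR_POOL_NUMBER_ROW = 74           # Jim's count: letters, digits, number-row symbols
FAIL_DELAY_SECONDS = 30.0           # console login failure delay quoted by TSU
OFFLINE_GUESSES_PER_SECOND = 1e9    # constructed assumption, not a measured figure
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_keyspace(pool_size: int, length: int) -> int:
    """Number of passwords of `length` drawn from a pool of `pool_size` symbols."""
    return pool_size ** length


def word_keyspace(dictionary_size: int, words: int, variants_per_word: int = 1) -> int:
    """Number of passphrases made of `words` dictionary words, repetition allowed.

    `variants_per_word` counts alternative spellings the attacker must also
    try (2 models Jim's "one extra l33t spelling per word").
    """
    return (dictionary_size * variants_per_word) ** words


def bits_of_entropy(keyspace: int) -> float:
    """Search space expressed in bits: log2 of the number of candidates."""
    return math.log2(keyspace)


def online_rate(fail_delay_seconds: float, parallel_connections: int = 1) -> float:
    """Guesses per second against a login that sleeps after each wrong attempt."""
    return parallel_connections / fail_delay_seconds


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit the right guess: half the keyspace at the given rate."""
    return keyspace / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, e.g. '5.2 days'."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"


def compare(keyspace: int) -> dict:
    """Bits plus expected crack time under the online and offline models."""
    return {
        "bits": round(bits_of_entropy(keyspace), 1),
        "online": human_duration(expected_seconds(keyspace, online_rate(FAIL_DELAY_SECONDS))),
        "offline": human_duration(expected_seconds(keyspace, OFFLINE_GUESSES_PER_SECOND)),
    }


# Scenarios discussed in the thread, as (label, keyspace).
SCENARIOS = [
    ("1 OED word", word_keyspace(OED_WORDS, 1)),
    ("8 chars from the 74-symbol pool", char_keyspace(CHAR_POOL_NUMBER_ROW, 8)),
    ("4 OED words, no separator", word_keyspace(OED_WORDS, 4)),
    ("4 OED words, one l33t variant each", word_keyspace(OED_WORDS, 4, 2)),
]

if __name__ == "__main__":
    for label, space in SCENARIOS:
        r = compare(space)
        print(f"{label:36s} {space:10.3g} candidates {r['bits']:5.1f} bits  "
              f"online: {r['online']:>14s}  offline: {r['offline']:>14s}")
```

The table makes the thread’s two points visible side by side: a single dictionary word that an offline attacker at the assumed rate finishes in well under a second takes about a month against a login that enforces a 30-second delay per failure, while the four-word passphrase stays in the thousands of years even offline. Change `OFFLINE_GUESSES_PER_SECOND` or the `parallel_connections` argument to see how much either assumption moves the result.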

That’s what I’m talking about. And often they felt that it was a fool-proof system and didn’t want to mess with it. A new password would ‘break’ their system.

That’s very interesting, but considering cracking passwords seems so easy over the internet, why is Linux so safe then?
The majority of web servers use Linux, even some governments; why even trust banks, since crime orgs do have the tools to, in a period of time, invade banks/websites/govs?

I think my POV has gone too far, actually. Picture this:

How are YOU protected against a regular user in your home searching on Google “how to bypass Linux root passwd” or “how to decrypt a hard drive”?

I don’t know about the US or other first-world countries, but here it’s impossible for 99.99999% of the population to do so. Maybe if you store valuable data on your hard drive then a cyber-crime organization might try to steal it from you or even do a web attack, but then again my point would be “How safe is Linux?”, because from what I could read in this thread it seems very possible (in a matter of minutes/hours) to crack into a PC running Linux.

On Sat 11 May 2013 12:56:02 AM CDT, amarildojr wrote:

> That’s very interesting, but considering cracking passwords seems so easy
> over the internet, why is Linux so safe then?
> The majority of web servers use Linux, even some governments; why even
> trust banks, since crime orgs do have the tools to, in a period of time,
> invade banks/websites/govs?
>
> I think my POV has gone too far, actually. Picture this:
>
> How are YOU protected against a regular user in your home searching on
> Google “how to bypass Linux root passwd” or “how to decrypt a hard
> drive”?
>
> I don’t know about the US or other first-world countries, but here it’s
> impossible for 99.99999% of the population to do so. Maybe if you store
> valuable data on your hard drive then a cyber-crime organization might
> try to steal it from you or even do a web attack, but then again my
> point would be “How safe is Linux?”, because from what I could read in
> this thread it seems very possible (in a matter of minutes/hours) to
> crack into a PC running Linux.

Hi
If you’re running a service that allows remote access, e.g. ssh, ftp etc.,
and open the default ports to the outside world, then have your
passwords set to something simple, then sure, any system is
vulnerable…

Physical access to a system would take a few minutes, Windows or Linux
based system; your smartphone would be the same…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.4-desktop
up 3 days 23:30, 3 users, load average: 0.05, 0.06, 0.13
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Arrandale