I'm not trying to hate on your script, it's pretty well done and it's a good idea. At least for me, remembering a 5 word passphrase isn't any easier than remembering a 12 character password- at that point you might as well just use a password manager with a truly random password. Obviously a longer pass phrase increases your entropy much faster than a longer pass word, but the advantage of a passphrase is supposed to be that it's easier to remember. It actually has less entropy if you allow people to pick their own passphrases since you'll see certain words more often. A 3-word passphrase picked randomly from a list of 500,000 english words has roughly the same entropy as a standard 8 character password. So please, can we cut the bullshit that your flimsy password is sufficient? Please? If you have not been hacked, it's because you have not been targeted. They are leveraging botnets, data sets, AI, ANY TOOL that will allow them to compromise your security. Anyone can build a brute-force cluster capable of guessing millions to billions of guesses per second, and if anyone can do it, what do you think groups with resources and capability are doing? Do you think they are stopping there? They are not. If one of these people decide to target you, your password will not keep you secure (to be honest if they are targeting someone protected by a password alone they are not going to crack the password, they are going to use your stupidity against you). Today you have nation-states sponsoring sophisticated botnets. The days of a kid in a fucking basement somewhere hacking telecom because he was able to grab a telecom manual off a truck are OVER. If this is how you think they work you are grossly wrong. if you are an American company then perhaps use a language such as one from a small Asian country that is not known for it's digital prowess.ĮDIT 2: In response to those that want to defend that their password is strong enough, I strongly advise you spend some time looking into what hackers are doing with brute force. In such context I would suggest you use a word list in a language that is uncommon to the organization e.g. The organizations most likely to be compromised are the largest ones with the biggest digital attack surface, so using a word list with easy-to-remember phrases or a small set of words in such a context does not make sense and somewhat defeats the purpose of switching to the new scheme. HOWEVER one should remember that the more common the words, the more likely an attack is to compromise the passphrase. User has suggested the following sources for word lists that may contain phrases that are easier to remember. The word list used to generate passwords is at ĮDIT: This code is agnostic to the word list assuming the word list is a text file with each word or phrase on it's own line. If I update this code I will update the module here: This version should be considered the latest and greatest. The code is relatively solid but should be tested before use. It meant to show the basic design so that others can build on it. I have created an example PowerShell module which will generate random passwords based on a word list of varying case and placed it here: This version is for demonstration/example purposes only. Recently the father of password generation apologized for his previous guidance and suggested a new method using random words: Passwords based on random characters or words with non-alphabet characters intermixed are easier to crack than phrase-based passwords
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |