passwords!

brian carroll electromagnetize at gmail.com
Tue Nov 12 18:08:40 PST 2013


the list fool here chiming in...

i just wonder if there is a boundary condition that exists that is
making passwords insecure by protocols that could themselves be
modified, and alter the probabilities of easy dictionary attacks.

for instance, if A-Z and a few special characters are allowed in a US
keyboard alphabet, if that is the majority of what is being
automatically cracked, perhaps it is not surprising.

yet what if the passwords 'length' were not the issue, such that a 20
character string (of several number.words with several intermixed
special characters) could still be successfully attacked, given those
limited parameters. and such a view may be: moar characters, longer
string, etc.

perhaps mistaken though i wonder what 'dictionaries' are referenced
because if they are mapped to normal words of a given language, and
special symbols, and yet held within the walls or boundaries of a
particular alphabet or sign-system, then perhaps language-to-language
the password cracking situation remains basically the same.

yet, what if the Unicode barrier (if that is what it is) is dissolved,
such that many languages could co-exist, such as 12 different N's and
ligatures and other special characters...

ex. normal bounded password in a given Unicode
character set / alphabet, with special characters:

      th3r0uT33Nw4!z+3sezU3

compare this with a multi-alphabet approach:

      п世לកóવિz


what are the computational probabilities of searching across all
ascii/unicode alphabet characters and getting that pattern matched,
versus let's say [35] options per password character in a constrained
alphabet.

the calculation would be something like this (to 21 spaces in ex.)

[35][35][35][35][35][35][35][35][35][35][35][35][35][35][35]...[35]

versus, if wildly approximating: [1,000] options for the 'multiple
language Unicode characters and special symbols' password approach.

the following estimate may be inaccurate though for 35 times itself
over and over twenty one times, the number i arrived at was:

     9.321739789445372e+33

again, calculation may be inaccurate, though for the multiple
character approach, only 11 characters @ [1000] needed for:

     1.e+36

though imagining it could be many fewer characters in comparison, say
if accessing Chinese and Arabic other characters.

in other words, perhaps a hypothetical [10,000] symbols could be made
available per password unit than [35] in the highly restricted
approach that is easy to crack, and that would change how computation
occurs with regard to how such passwords are created, stored, and
exist, especially in a highly constrained OS and peripheral
environment that constrains cross-pollination of such key typographic
information that would change the basic dynamics, data behavior.

this is the slot-machine approach to  [p|a|s|s|w|o|r|d|s]  because at
a certain point, anything could tally...

     [*|*|x|ம்|7|*|*|#|ன்]

though what is more... for each _space_ there could be any
sign.symbol, as with icons or special characters, potentially, that
could be potential keyspace or what today may appear as "junk"
information that is infrastructural for multilanguage computing, and
be utilized beyond the language boundary for its signage, for
passwords & security.

in this way, the three unit password (icon=ascii symbol)

   ['icon'][પ્રે][ю]

could be stronger than a much longer, restricted alphabet, if going
towards 10,000+ options per character. yet the model itself could
example such that a password is constructed by a bit-set string, where
like a slot machine, could instead have 'words' as the units (as with
the existing password approach, word1&word2, etc.)...

  ['word1'][[પ્રે][ю]['gps-coords']


if only viewed in bounded terms and of serial computation, a long
*predictable* string may be easier to attack than a shorter
unpredictable string that takes massive resources to churn through the
possibilities - and who knows, maybe the password has a time-cycle
that automatically changes its nature during that time period of
calculation.


surface tension, iridescence, spinner




More information about the cypherpunks mailing list