Kaspersky Password Manager's random password generator was about as random as your wall clock

Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords. Now we've found out why that happened. In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Three months …

  1. martinusher Silver badge

    If you value your security get a hardware random number generator -- or two

    Although the RNG algorithm used in our computers is, well, pretty random, it's really not secure for situations where you really need it to be secure -- at best it's going to be some kind of pseudo random number generator seeded with some number derived from a source like the time between two keypresses (or just the time).

    Quite respectable hardware random number generators are cheap, the one I have ("TrueRNG") cost about $50 and is a USB dongle. They work on a well known principle -- differencing two random noise streams (I believe it was the mechanism used in the original ERNIE). I'm actually surprised that we don't have them built into the architecture of every computer but then given the systematic weakening of encryption (the "accidental" choice of weak elliptic curve parameters in sample code, for example) without a lot of testing we'd neer know if the thing hadn't been compromised either in the design or somewhere in the firmware.

    1. fredblogggs

      Re: If you value your security get a hardware random number generator -- or two

      "I'm actually surprised that we don't have them built into the architecture of every computer..."

      We do. amd64 has RDRAND. Arm implementations with TrustZone have a TRNG built in. There are other implementations as well. Many have even been "independently audited".

      "given the systematic weakening of encryption (the "accidental" choice of weak elliptic curve parameters in sample code, for example) without a lot of testing we'd neer know if the thing hadn't been compromised either in the design or somewhere in the firmware."

      Firmware isn't in play here. Microcode would be, in many implementations. But this is exactly why no one trusts this type of implementation: it's too easy for malicious actors to alter just one thing and compromise millions of machines, and the semiconductor manufacturers' insistence on secrecy makes the delivered implementation unauditable. Especially if the implementer is Intel who most people reasonably believe accommodate NSA backdoor requests. Your "TrueRNG" could easily have similar weaknesses; even if the onboard entropy source is truly random, the commodity microcontroller presenting the USB interface could easily be vulnerable in any number of ways. Unfortunately, short of building things yourself, by hand, from discrete transistors, there's really no way to trust something for this purpose.

      1. Ozan

        Re: If you value your security get a hardware random number generator -- or two

        You reminded me of Ken Thompson's "Reflections on Trusting Trust".

      2. Anonymous Coward

        Re: If you value your security get a hardware random number generator -- or two

        amd64 has RDRAND. Arm implementations with TrustZone have a TRNG built in. There are other implementations as well.

        SPARC has one as well, and it's been certified to meet NIST requirements.

        1. Doctor Syntax Silver badge

          Re: If you value your security get a hardware random number generator -- or two

          But who certifies the certifiers?

          1. Anonymous Coward

            Re: If you value your security get a hardware random number generator -- or two

            NIST does. It accredits the labs which test to NIST standards and submit results to NIST for review.

            If you're asking who writes and validates the NIST specs themselves, it's mostly the various crypto experts who work for and with NIST.

            1. Paul Uszak

              Re: If you value your security get a hardware random number generator -- or two

              Actually NIST doesn't. Not for crypto. That's a common fallacy. It's in the front matter, quoting from NIST 800-90b:-

              "This publication has been developed by NIST in accordance with its statutory responsibilities under the [Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq.](https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf), Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. "

              Which says:-

              "§ 3553. Authority and functions of the Director and the Secretary:-

              ‘‘(d) NATIONAL SECURITY SYSTEMS.—Except for the authorities and functions described in subsection (a)(5) and subsection (c), the authorities and functions of the Director and the Secretary under this section shall not apply to national security systems.

              ‘‘(e) DEPARTMENT OF DEFENSE AND INTELLIGENCE COMMUNITY SYSTEMS.—(1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of National Intelligence in the case of systems described in paragraph (3). "

              So, good enough for the people, but not (US) national security?

          2. JWLong Bronze badge

            Re: If you value your security get a hardware random number generator -- or two

            The FBI, CIA, NSA, and HOMELAND INSECURITY ADMINISTRATION. In that order.

      3. Anonymous Coward

        Re: If you value your security get a hardware random number generator -- or two

        Unfortunately, short of building things yourself, by hand, from discrete transistors, there's really no way to trust something for this purpose.

        This sounds like exactly the sort of project that should be available as an open hardware design so that hardware and code can be examined publicly.

        1. Paul Uszak

          Re: If you value your security get a hardware random number generator -- or two

          Read you loud and clear. Some of us are already trying to do that:-

          http://www.reallyreallyrandom.com

          1. Anonymous Coward

            Re: If you value your security get a hardware random number generator -- or two

            Oh wow, thanks for that.

        2. Paul Uszak

          Re: If you value your security get a hardware random number generator -- or two

          It's this easy, If you have batteries and a Zener diode:- http://www.reallyreallyrandom.com/zener/breadboard/

          Just suck up the entropy with a microcontroller of your choice.

    2. Anon

      Re: If you value your security get a hardware random number generator -- or two

      Why do you trust TrueRNG? How can I trust your reply?

      1. martinusher Silver badge

        Re: If you value your security get a hardware random number generator -- or two

        >Why do you trust TrueRNG? How can I trust your reply?

        I can't. That's why my choice of words does not recommend anything.

    3. W.S.Gosset Silver badge

      Re: "without a lot of testing we'd neer know"

      Shakespearian verse?

      That's a bit random.

      1. Neil Barnes Silver badge

        Re: "without a lot of testing we'd neer know"

        That's not random, that's the pass-phrase. Who after the seventeenth century would mis-spell it that way...

        1. jake Silver badge

          Re: "without a lot of testing we'd neer know"

          "Who after the seventeenth century would mis-spell it that way..."

          Somebody with toast crumbs under the "v" key. (The "v" key, being little used in day-to-day typing, tends to attract crumbs shifted out from under adjacent keys by the act of typing.)

          1. Terry 6 Silver badge

            Re: "without a lot of testing we'd neer know"

            As a side issue, I hate getting a -v- in Scrabble. It's really hard to find a use for it without a very useful combination of support letters.

            1. Neil Barnes Silver badge

              I think you need lots of Es, of which fortunately English Scrabble has plenty

              The words that spring immediately to mind all seem near anagrams of each other: never ever sever severe veer vent eve vee peeve pervert version... but on the other hand https://wordfind.com/contains/v/ returns 2,992 possibilities.

              A large proportion of their list also includes an 'e' though anchovy doesn't. Neither does zyzzyva.

              Which is probably why I'm crap at Scrabble and anagrams.

    4. Phil O'Sophical Silver badge

      Re: If you value your security get a hardware random number generator -- or two

      at best it's going to be some kind of pseudo random number generator seeded with some number derived from a source like the time between two keypresses (or just the time).

      There are much better approaches than that, but in any case any DRBG used for passwords and other crypto should at least be written to comply with NIST SP 800-90B, and preferably be tested by an approved lab, especially if it's being sold as a password generator and not just used to simulate a dice roll in a game.

      1. Grizzled2much

        DRBGs & TRNGs

        Incorrect NIST publication cited.

        There are three related and somewhat overlapping NIST Special Publications, all SP 800-90*:

        90A covers the need for quality DRBGs and outlines the NIST approved high level designs

        90B looks at the sources of entropy that are available to seed a DRBG

        90C provides pseudocode realisations of the designs presented in 90A

        Accordingly SP 800-90B does not provide any assessment criteria for either:

        • DRBG

        • TRNG used as seed for DRBG

        The quality of the output of a DRBG design should be measured by a suite of statistical tests such as 'Dieharder'.

        However, a minimised yet statistically meaningful subset of such tests should be executed on every DRBG instance on every power-up as a 'health test'.
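The power-up health test idea above, as an added example that is not from the original thread or from NIST's own material: the two continuous health tests that SP 800-90B specifies (the Repetition Count Test, which catches a stuck source, and the Adaptive Proportion Test, which catches a biased one), with cutoffs derived for the spec's false-alarm rate of 2^-20, run as a startup check over constructed byte streams. The assumed min-entropy of 8 bits per sample, the non-binary window of 512 and the three sample streams are illustrative assumptions.

```python
import math
from typing import Sequence

ALPHA = 2.0 ** -20          # false-alarm probability SP 800-90B uses for both tests
STARTUP_SAMPLES = 1024      # samples a source must pass through the tests at power-up


def rct_cutoff(h_min: float) -> int:
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H_min)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)


def apt_cutoff(window: int, h_min: float) -> int:
    """Adaptive Proportion Test cutoff: the smallest C with P(X <= C) >= 1 - alpha for
    X ~ Binomial(window, 2^-H_min), i.e. the spreadsheet CRITBINOM the spec points to."""
    p = 2.0 ** -h_min
    cdf = 0.0
    for k in range(window + 1):
        cdf += math.comb(window, k) * p ** k * (1.0 - p) ** (window - k)
        if cdf >= 1.0 - ALPHA:
            return k
    return window


def repetition_count_test(samples: Sequence[int], h_min: float) -> bool:
    """Return False as soon as one value repeats C times in a row (a wedged source)."""
    cutoff = rct_cutoff(h_min)
    prev, run = None, 0
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples: Sequence[int], h_min: float, window: int = 512) -> bool:
    """Return False if, in any window, the value that opened the window occurs C or more
    times (a source that still moves but is badly biased). 512 is the spec's non-binary
    window; binary sources use 1024."""
    cutoff = apt_cutoff(window, h_min)
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


def power_up_health_test(samples: Sequence[int], h_min: float) -> bool:
    """Startup health test: both tests over the first 1024 samples before any output is used."""
    if len(samples) < STARTUP_SAMPLES:
        return False
    block = samples[:STARTUP_SAMPLES]
    return repetition_count_test(block, h_min) and adaptive_proportion_test(block, h_min)


# Constructed sample streams (not captures from a real noise source), one byte per sample,
# with H_min = 8 bits assumed for the illustration.
GOOD = bytes(range(256)) * 4                                  # no runs, no bias
STUCK = bytes([0x41]) * STARTUP_SAMPLES                       # source wedged at one value
BIASED = bytes(0 if i % 4 == 0 else 1 + (i % 255)             # one quarter zeros, but no runs
               for i in range(STARTUP_SAMPLES))


if __name__ == "__main__":
    for name, stream in (("good", GOOD), ("stuck", STUCK), ("biased", BIASED)):
        print(f"{name:6s} RCT={repetition_count_test(stream, 8)} "
              f"APT={adaptive_proportion_test(stream, 8)} "
              f"startup={power_up_health_test(stream, 8)}")
```

The stuck stream trips the RCT after four identical bytes; the biased stream passes the RCT but fails the APT, which is exactly the case the second test exists for.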

    5. Paul Uszak

      Re: If you value your security get a hardware random number generator -- or two

      ERNIE: It wasn't a differencing operation. It was simply amplifying the electrical noise on a QS92 regulating valve (http://www.r-type.org/exhib/aag0022.htm). That then gated a counter and the numbers popped out using:- https://i.stack.imgur.com/cHpf9.png.

      TrueRNG: I too have one :-( Not really happy with it. But please remember which article we are commenting on/getting excited about. There is a concept called computational indistinguishability. That means you cannot differentiate a pseudo random sequence from a truly random sequence, no matter how hard you try. It's just the maths/statistics. That applies to TrueRNG too. That's why the only solution that provides 100% confidence is a self build.

      But most don't care, so ignore my ranting and I've got the lawn to mow...

  2. TVC

    I don't understand

    How do brute force password crackers work?

    If I get my phone password wrong a few times it takes a photo of me and wipes itself. Other systems typically lock after a few goes.

    Is it that some systems just let you keep trying.

    What am I missing?

    1. Lord Elpuss Silver badge

      Re: I don't understand

      In the case of your phone, the simplest way to brute force it would be to make a bit-accurate copy of the encrypted data, put it in a VM and apply as many password variants as needed to crack it.

      More advanced phones may have a trusted cryptography module built in which complicates the above process, but in essence these can still be cracked; it just takes a bit more time.

      1. elsergiovolador Silver badge

        Re: I don't understand

        > in which complicates the above process,

        Or it makes it simpler. These modules are redundant. Can't see a reason why would they exist apart from providing VIP backdoor entrance.

        1. Lord Elpuss Silver badge

          Re: I don't understand

          "These modules are redundant."

          They're very, very not redundant.

        2. Persona Silver badge

          Re: I don't understand

          The crypto module stops an attacker getting the encryption key. The correct password allows the phone to request the encryption key from the module but the module itself implements a lock out to stop password guessing. Consequently you can't get the key so need to brute force the entire key space to access a copy of the phone's secured data and thanks to strong encryption that is not computationally feasible.

        3. TRT Silver badge

          Re: I don't understand

          Did you see that forensics thing on BB2 I think it was last night? The Digital Forensics team was a woman guessing PINs to get into a phone. Yeah - I think not.

          EDIT

          Since reading on I note that the perp had set their PIN to 0000 / 000000

          There's no accounting for idiot.

          I guess 0000s is a starting place instead of powering up the old NSA/FBI iPhone cracking sledgehammer software / device thing that we all know they have secretly hidden away somewhere.

      2. jake Silver badge

        Re: I don't understand

        A simpler way to brute force my way into your cell phone would be with a red-hot poker.

        Or a $55 wrench.

        1. Anonymous Coward

          Re: I don't understand

          You're (a) not very original and (b) waaay overpriced.

          You must be a consultant :)

          1. jake Silver badge

            Re: I don't understand

            a) Mixing memes is never original, but can be funny if you get the joke(s).

            b) Read the mouse-over ... us consultants know the actual price of tools.

    2. Cuddles Silver badge

      Re: I don't understand

      Attackers aren't trying to crack your phone, they're trying to crack a database full of millions of records that was taken off some unsecured S3 bucket or similar. This is precisely why such breaches are such a big deal - it's trivial to prevent brute force attacks on your own systems, but once your data is out in the wild anyone is free to take as long as they like doing whatever they want with it.

  3. Jamie Jones Silver badge

    Not a bug

    Not a bug, but a series of fundamental design errors.

    It doesn't inspire confidence in their developers, or hence their code.

    1. Persona Silver badge

      Re: Not a bug

      That's often the case when people design a system where they don't know enough to realize how much they don't know.

    2. jake Silver badge

      Re: Not a bug

      What else would you expect from purveyors of Snake Oil?

  4. elsergiovolador Silver badge

    Like that?

    #include <stdint.h>

    int32_t getRandomNumber(void) {
        // pinky swear it's totally random. It's how many burps Andrey had after his kvas! TODO: change it for next release!
        return 5;
    }

    1. tommitytom

      Re: Like that?

      This is exactly what the PS3 was doing and what allowed it to be hacked back in the day

    2. Anonymous Coward

      Re: Like that?

      Obligatory XKCD:

      https://xkcd.com/221/

    3. Ken Hagan Gold badge

      Re: Like that?

      In the context of the article, the real weakness of that code is that it could only ever return about 4 billion possible answers, which is only an order of magnitude larger than something that the article claimed could be brute-forced in a few minutes.

  5. G R Goslin

    It's always puzzled me....

    .... why attacks on passwords are granted so much time to carry out brute force attacks, or indeed any attack carried out with multiple submissions. Surely, it's not that difficult to devise a system which progressively increases the interval between submissions, or permits only so many before shutting down, or has such a period between submissions that a lifetime could pass before such an attack succeeded. Then passwords could, once again, be real and memorable. As it is, a user is required to use an artificial memory system, which could so easily be lost, break, or be stolen. I keep my passwords on an old Psion netBook, which is never connected to the net. The last time I looked at it, in whole, it ran to twenty-four pages of A4, at four lines to the subject.

    In any case, most password users are vulnerable to threats of violence, either to them or others, negating the most sophisticated password creation.

    1. Steve K Silver badge

      Re: It's always puzzled me....

      Where do you keep the backup for the old NetBook….?

      1. G R Goslin

        Re: It's always puzzled me....

        You don't need a backup with the Psion netBook. It's only crashed once in the past twenty years of continuous running.

    2. Anonymous Coward Silver badge

      Re: It's always puzzled me....

      Because there are ways to circumvent such defences.

      Yes, a website can lock an account after x tries. But then when their database leaks and the password hashes are exposed, those can be cracked on an independent system at the attacker's leisure.

      Hardware (eg phones) can have their RAM imaged and rewritten such that any counters/timers are nullified after each attempt.

      Simple timers may be vulnerable to NTP/GPS/MSF spoofing.

      Basically, crackers are devious.

  6. Filippo Silver badge

    Obligatory XKCD

    https://xkcd.com/221/

  7. knarf

    Get a bag of D20s and a Scrabble set

    Would be an improvement on this rubbish

    1. Robert Carnegie Silver badge

      Re: Get a bag of D20s and a Scrabble set

      I've got three dice.

      One rolls 0, 1, or 2.

      One rolls 0, 3, or 6.

      One rolls 0, 9, or 18.

      The total is a number 0 to 26 which I use for any letters required in a password.

      1. Phil O'Sophical Silver badge

        Re: Get a bag of D20s and a Scrabble set

        The total is a number 0 to 26 which I use for any letters required in a password.

        You have a 27-letter alphabet?

        1. Irony Deficient Silver badge

          Re: Get a bag of D20s and a Scrabble set

          You have a 27-letter alphabet?

          Some did. (That page came from a book that was published in 1863. Back in the year 1011, Byrhtferð listed 29 letters in the English alphabet; since then, three letters have been adopted, six letters have been abandoned, and two letters have been adopted, then abandoned. The ampersand was the last to go.)

          Alternatively, perhaps Robert rerolls a “27” result (which might be a literal “26”, if he starts counting letters from 0, or might be a literal “0”, if he starts counting letters from 1).

          1. Anonymous Coward

            Re: Get a bag of D20s and a Scrabble set

            Daily Mail have a 27-character alphabet...

            Recently on Countdown one of the contestants offered a borderline smutty word which DM scribes (scribblers?) wrote as 'C*****D'. Susie Dent confirmed the word and added "'c*****d out', a bad throw at 'c***s'"

            Unfortunately the picture desk provided a clear unedited screen grab of the word, not once, not twice (identical to the 1st) but added a third, this time featuring Carol Vorderman, as it wasn't the first time this word had come up.

            It did think to censor the word W****R in another screen grab

          2. Robert Carnegie Silver badge

            Re: Get a bag of D20s and a Scrabble set

            I just roll again after 0, 0, 0, and also when the number repeats - I've met some systems that reject a password with a repeated letter, and, rather than try to keep track of what rules apply where, I play safe.

            Another fun dimension is systems that choke on certain non-alphabet symbols in a password: the mandated workplace password generator dropped me in the !@#$& last week. Letters are fine if there's enough of them. You can set any password as binary 0s and 1s, but then you probably wouldn't want to type it.

        2. Terry 6 Silver badge

          Re: Get a bag of D20s and a Scrabble set

          Blanks?

        3. Anonymous Coward

          Re: Get a bag of D20s and a Scrabble set

          He will if he lives in Malta, for instance.

          Plenty of them about, although most have been brute-forced into ASCII. In German, for instance, u and ü are entirely different characters but because impoverished minds could barely cope with the 128 available in ASCII they were forced to change the ü into ue to make it work for them. Hence Mueller instead of Müller. Ditto for plenty other languages.

          Ironically, those who forced this still do not actually speak proper English, but I would not want it to be said that I poured a drum of gasoline over that particular set of glowing embers <evil grin>

          :)

          1. Robert Carnegie Silver badge

            Re: Get a bag of D20s and a Scrabble set

            Ist das kein Märchen?

  8. ricegf

    The Only Safe Password

    The only Safe Password is twelve words rolled using the Diceware tables. In a darkened closet. With death metal music playing at full volume. Rolled with hand-carved dice. That you smash immediately thereafter with a sledgehammer.

    1. Anonymous Coward

      Re: The Only Safe Password

      And after you generate it, your counterparty will store it unsalted and unhashed in a plaintext file in a world-readable S3 bucket. A few weeks later you'll start getting spam telling you what password you generated and implying the sender used it to surreptitiously turn on a camera to watch you polish your helmet.

      Security is a team effort, and most of your teammates aren't even pretending to try.

      1. Anonymous Coward

        Re: The Only Safe Password

        How did they know I was a member of The Sealed Knot?

    2. JWLong Bronze badge

      Re: The Only Safe Password

      I recently read that the NSA are now selling dice with round corners. Very much like Windows and IOS/MACOS.

      1. jake Silver badge

        Re: The Only Safe Password

        I have a set of dice. I'll let you roll them. And I'll clean up ... I am The House, and you are The Sucker.

        Generic "you", not you personally JWL.

  9. mark l 2 Silver badge

    Unless you are working on top secret government programs or have Jeff Bezos levels of money, it's just as safe to have your password backups written down in the back of a book that you could leave in plain sight on your book shelf, assuming you trust other members of your household.

    As burglars are looking for jewellery, cash and expensive tech they can sell on, not for a cheap paperback novel with passwords written down in the back pages.

    You could add a simple cypher of putting random characters at the beginning or end of the passwords which you know to remove before entering the password but others would not and so the password would not work for them if they did find it and try.

    Of course this is vulnerable to natural disasters such as fire or flood etc, but then your last worry will probably be that you lost the password to your social media accounts if your house burned down.

    1. ThatOne Silver badge

      In the same spirit, a (any) password manager would be enough, and have several advantages: First of all it's less tedious to keep track of lots of passwords (to prevent reuse), and also it's very easy to backup the encrypted database (we all have old USB sticks lying around, put one in your car, one at work, one at a family member's house).

      It might not be perfect or secret services-level secure, but it's still way better than a bunch of sheets of paper covered in locations, logins and passwords. A password manager is also more convenient to use, and the biggest enemy of normal people's security isn't hoodie-wearing hackers, it's laziness and convenience.

      1. Lord Elpuss Silver badge

        Exactly the same conversation I have with my dad on a regular basis. He has a USB stick with all his passwords in an Excel spreadsheet, kept in the bottom of a desk organiser. The cells are White text on a White background and the sheet is locked with the NSA-proof ultra-high-security* Excel password function, and passwords are 'encrypted' with every digit incremented by 3; so a 1 would be entered as a 4, an A entered as a D and so on.

        Not only does this make it INCREDIBLY tedious to retrieve a forgotten password (which happens on an equally tedious basis), it adds essentially nothing to the 'security' of just storing passwords in a book. He's made it as difficult as possible for HIM to retrieve passwords, whilst having a negligible effect on the difficulty for a COMPUTER to crack them.

        Password managers may not be perfect, but any reputable one is likely to be an order of magnitude more secure than any 'system' you or I could come up with.

        *Not really

      2. Claptrap314 Silver badge

        And just how many fails (at various levels) have we seen of these managers? In theory, they make a whole lot of sense. In practice? Not nearly as much as I need to be comfortable.

        1. ThatOne Silver badge

          > how many fails (at various levels) have we seen of these managers?

          Certainly less than with using "0000" or your children/pet's name as your password.

          But you're right, you have to choose your password manager with some care, many are chocolate teapots, others are downright scams. But there are still a number of reliable ones to choose from - unless of course you're up against the NSA, in which case your best bet is to not use a computer or Internet at all.

    2. Fred Flintstone Gold badge

      I've been using SecureSafe for ages. Even the free version has password inheritance features, so someone I trust has the inheritance password which, when used, will give access to the passwords I have so designated, but only after a few days.

      I, however, get a daily countdown message from the moment that "clock" is started, so I can cancel it and reset the password, which stops any abuse of that right of access.

      Simple, effective and, astonishingly, free.

      By the way, I'm not worried about social media passwords - I don't use it :).

  10. Giles C Silver badge

    On a slight tangent

    I was watching Forensics: The Real CSI on the BBC last night.

    A suspected criminal's phone needed to be got into to trace the information history on it.

    It took the forensics investigator 5 seconds to break into this iPhone X. The reason: the passcode was set to 0000, yes, 4 zeros.

    No password is proof against human stupidity…..

    1. Lord Elpuss Silver badge

      Re: On a slight tangent

      I have a lot of questions here.

      iPhone X came with iOS 11, which had a default passcode length of 6 digits, unpopulated by default. Setting it to 0000 would require jumping through some hoops to actively reduce security to 4 digits (ignoring the warning message), and then actively set it to 0000 (ignoring a second warning message).

      In short: the only reason a passcode would be set to 0000 is if the owner actively WANTED to make it easy for people to get in.

      1. ThatOne Silver badge

        Re: On a slight tangent

        Maybe his own memory capacity was only 4 digits?...

        But most likely, he just preferred to reuse once more the same code he had been using for the last 15 years on everything from luggage to his bank account. No, don't smile, unfortunately I know people like that... The only difference is that their "password" is usually their child's first name (fiendishly cunning, isn't it).

      2. Giles C Silver badge

        Re: On a slight tangent

        Who knows - there is the old expression ‘thick as thieves’ but I thought it referred to them not wanting to shop one another, not to their intelligence.

        If you are in the UK, watch it on iPlayer; it was a good programme.

        1. Terry 6 Silver badge

          Re: On a slight tangent

          From what I've gathered, most bog standard thieves often are pretty dim. Which is why they're thieves: working hard, with unsociable hours, and taking risks for usually small amounts of cash.

          If they were brighter they'd become lawyers. Which is mostly a legal way of taking money off people.

    2. batfink Silver badge

      Re: On a slight tangent

      Just like lots of phones you see in TV shows. Our hero/heroine needs to read something off someone's phone, and all they seem to need to do is get hold of the phone to have complete access. Yes, even if the owner is now dead.

      Although TBF there probably ARE a lot of people out there with 000000 as their passcode.

  11. Cuddles Silver badge

    Blatant lies

    "This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings."

    As quoted in the article, this bug meant the password generator was only capable of creating a very small number of passwords which could be cracked in a trivial time. There is no need whatsoever to know the exact time a password was generated, that would just mean you could do it in one go instead. There is also no need to know any account information, given that this information is not used anywhere in the password generator. This isn't just PR trying to play things down, it's clear and deliberate lies on Kaspersky's part.

    1. yetanotheraoc

      Re: Blatant lies

      "This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings."

      Maybe it's blatant lies. Probably not though, because blatant lies is not a good PR look in the long term. More likely Dunning-Kruger, so it's what the pseudo-genius who used a pseudo-random generator actually thinks about password security. If so, don't blame only the pseudo-genius. Reserve some disdain for the Kaspersky manager that hired them, and for the PR flack who is uncritically passing on the pseudo-explanation.

  12. TRT Silver badge

    What I don't understand about this is...

    If they had a screen full of "rapidly shifting random characters", why didn't they use THOSE instead of the PRNG? ;-)

  13. garrettahughes

    CRACK MY 8 CHARACTER PASSWORD

    Unless you have the mythical quantum computer at your disposal, or crack "The A Register" password server database, you are not going to crack mine any time soon. It will take about 193 years to look at all of them or maybe half that on average if you are lucky, and can process the possibilities at one per microsecond. The number of unique sequences available with repetition is 94^8 or ~ 6.1E15.

    My passwords consist of characters drawn from the Unicode Basic Latin set with decimal values ranging from 33 to 126 inclusive. The values are generated from a clock seeded pseudorandom number generator. The twist is that my code generates a table of characters from which the user can choose a sequence of 8 (or any number of) characters of their choice. That way it's easy to build a password that has multiple unique (and generally stupid) server requirements.

    You can freely download the code for your own use at

    https://www.modelingcomplexsystems.net/Problems%20Year%20One/Personal%20Password%20Protection/PersonalPasswordProtection.html

    Or you can simply generate your own unique table or tables online from

    https://www.modelingcomplexsystems.net/Problems%20Year%20One/Personal%20Password%20Protection/PasswordGeneratorMatrix.php

    BTW: don't store this table or any of your passwords on an electronic device if you want them to remain "secure".

    1. Claptrap314 Silver badge

      Re: CRACK MY 8 CHARACTER PASSWORD

      Rookie errors in what you describe. Do some reading.

    2. Paul Uszak

      Re: CRACK MY 8 CHARACTER PASSWORD

      Oh dear. Rolling your own crypto :-(

      Please read https://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged .

      Plus 6.1E15 is nothing. Sorry. Stick to the tried stuff, or try to use one time pads if security is of such concern. But for that you'll need access to a trusted TRNG. Which you'll have to build yourself. 100% un-breakability comes at a price.

  14. Irony Deficient Silver badge

    “For example, there are 315619200 seconds between 2010 and 2021, […]”

    Between e.g. 2011-01-01T00:00:00Z and 2021-01-01T00:00:00Z, there were also three leap seconds interspersed within those 3,653 days, so that total should have been 315,619,203 seconds.

    1. Jamie Jones Silver badge

      Re: “For example, there are 315619200 seconds between 2010 and 2021, […]”

      I love the El Reg commentards!
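The clock-seeding weakness the thread keeps circling (martinusher's "seeded with ... just the time", garrettahughes's 94-symbol alphabet, and the 315619200-second window that Irony Deficient corrects by three leap seconds), as an added example that is not from the original thread and not Kaspersky's code: a generator seeded only from the wall clock beside a CSPRNG-backed one, the arithmetic showing that the seed space rather than the alphabet bounds the result, and the reproducibility check an auditor would write against a password generator. The 12-character default length and the use of Python's `random`/`secrets` modules are assumptions for the illustration.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

# 94 printable ASCII symbols (codes 33..126), the alphabet described in the thread.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def time_seeded_password(unix_seconds: int, length: int = 12) -> str:
    """Weak pattern: a non-cryptographic PRNG whose only seed is the wall clock.
    The output is a pure function of the second, so the password can never be
    stronger than the number of seconds in the window it could have been made in."""
    rng = random.Random(unix_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 12) -> str:
    """Hardened form: draw every symbol from the OS CSPRNG via the secrets module,
    which the kernel seeds from hardware entropy rather than from the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seconds_between(start: datetime, end: datetime, leap_seconds: int = 0) -> int:
    """Seconds in a generation window. datetime arithmetic ignores leap seconds,
    so any that fell inside the window are added back explicitly."""
    return int((end - start).total_seconds()) + leap_seconds


def thread_example_window_seconds() -> int:
    """The thread's window, 2011-01-01T00:00:00Z to 2021-01-01T00:00:00Z, with its
    three leap seconds: 315619200 + 3."""
    return seconds_between(datetime(2011, 1, 1, tzinfo=timezone.utc),
                           datetime(2021, 1, 1, tzinfo=timezone.utc), leap_seconds=3)


def alphabet_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Nominal strength log2(alphabet^length): 8 symbols of 94 is about 52.4 bits."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, seed_space: int) -> float:
    """Real strength of a clock-seeded password: the smaller of the nominal strength
    and log2(number of possible seeds). Longer passwords do not help once the seed
    space is the bottleneck."""
    return min(alphabet_bits(length), math.log2(seed_space))


def is_clock_reproducible(unix_seconds: int, length: int = 12) -> bool:
    """Audit check: a generator that hands back the same password when asked again
    for the same second is deterministic in the clock. A correctly built generator
    must fail this check (two calls never agree)."""
    return time_seeded_password(unix_seconds, length) == time_seeded_password(unix_seconds, length)


if __name__ == "__main__":
    window = thread_example_window_seconds()
    print(f"seeds in window: {window} (~{math.log2(window):.1f} bits)")
    print(f"12 symbols of 94: {alphabet_bits(12):.1f} bits nominal, "
          f"{effective_bits(12, window):.1f} bits when clock-seeded")
    print("clock-seeded generator reproducible:", is_clock_reproducible(1_600_000_000))
    print("CSPRNG sample:", csprng_password())
```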


Biting the hand that feeds IT © 1998–2021