Silk Road forums

Discussion => Security => Topic started by: AnotherPlebe on June 28, 2012, 11:42 pm

Title: Using Non-Keyboard Characters in Passwords
Post by: AnotherPlebe on June 28, 2012, 11:42 pm
Hey guys, I searched the forums here, and couldn't find anything discussing the possibility of using non-keyboard characters in passwords in order to increase the security.
My thought was that every character set I've seen for bruteforcing passwords has contained only letters, numbers, or regular symbols, so by using symbols like Æ (alt+658), you could avoid most bruteforce attacks. Howsecureismypassword.net seems to agree with me. When I enter in one of my less secure passwords, it tells me it'll take about 778 thousand years for a desktop pc to crack it. However, when I substitute one digit in my password with Æ, it tells me that it'll take about 49 trillion years. That's quite the jump, much more than just substituting that digit with the character code, 658.
I didn't want to only rely on howsecureismypassword.net, however, so I came here. What is your opinion on using non-keyboard characters? How much do they actually improve the security of a password? I don't think it can really be as good as howsecureismypassword.net indicates, or else every password creation guide ever would advise including one or two.

Also, how applicable are the figures produced by howsecureismypassword.net? I realize that I'm not really a high profile target, seeing as I'm not a vendor and not downloading CP or anything, but if for some reason LE was trying to crack my passwords, I'm figuring they wouldn't just be using some shitty desktop pc, they might have a dedicated machine for it. Thanks!
Title: Re: Using Non-Keyboard Characters in Passwords
Post by: AnotherPlebe on June 29, 2012, 05:48 pm
Ah, thank you. Lots of information there. And I suppose you're correct about the Diceware, but I still think non-keyboard characters could be a way of shortening my current Diceware password (8 words) while still keeping the same security. But I suppose it doesn't matter as long as I can memorize my 8 words. Thank you!
Title: Re: Using Non-Keyboard Characters in Passwords
Post by: Darkwave on June 29, 2012, 07:06 pm


Back in 2005, Brian Krebs (then with the Washington Post) published a superb article (see below). This proves that the Feds likely have networks of several thousand machines, whose spare CPU cycles are devoted to password cracking. You don't need to rely on high-ASCII characters to increase the search space. You can construct a secure enough passphrase using a method such as Diceware. If you use 8-10 Diceware words, your passphrase will not be amenable to brute force in your lifetime.

See: http://www.diceware.com/

Guru

I've been lurking around the forums for a while before diving in, and from what I've read, there doesn't seem to be a more upstanding member than Guru here. Always pleasant, not a bad word to say about anybody, and a fountain of great info to boot. If I had the power, I'd +1 him all over the place.

Darkwave
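
The search-space arithmetic behind this thread, as an added example that is not part of any post: it compares a pool-based strength estimate (an assumed model of how online meters score a password, not the actual algorithm of howsecureismypassword.net) with the gain from a single non-ASCII character and with an 8-word Diceware passphrase. The function names, the 128-symbol non-ASCII pool and the sample passwords are assumptions made for illustration.

```python
import math
import string

DICEWARE_LIST = 6 ** 5   # 7776 words in a standard Diceware list
NON_ASCII_POOL = 128     # assumption: upper half of an 8-bit code page

def pool_size(pw):
    """Alphabet size a pool-based strength meter would assume for pw."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    pool = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(ord(c) > 127 for c in pw):
        pool += NON_ASCII_POOL
    return pool

def pool_bits(pw):
    """len * log2(pool): an upper bound, valid only if every char is random."""
    return len(pw) * math.log2(pool_size(pw))

def one_exotic_bits(length, base_pool=95):
    """Search space when exactly one position (any of `length`) is non-ASCII."""
    return ((length - 1) * math.log2(base_pool)
            + math.log2(NON_ASCII_POOL) + math.log2(length))

def diceware_bits(words):
    """Entropy of a passphrase of `words` dice-selected Diceware words."""
    return words * math.log2(DICEWARE_LIST)

def chars_needed(bits, pool):
    """Random characters drawn from `pool` needed to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(pool))

if __name__ == "__main__":
    plain, exotic = "Summer2012!", "Summer2Æ12!"  # constructed samples
    print(f"meter, plain:       {pool_bits(plain):6.1f} bits")
    print(f"meter, one Æ:       {pool_bits(exotic):6.1f} bits")
    print(f"one-exotic model:   {one_exotic_bits(len(exotic)):6.1f} bits")
    target = diceware_bits(8)
    print(f"8 Diceware words:   {target:6.1f} bits")
    print(f"random chars to match: {chars_needed(target, 95)} (printable ASCII), "
          f"{chars_needed(target, 95 + NON_ASCII_POOL)} (with non-ASCII pool)")
```

Under these assumptions the meter credits every position with the larger alphabet, while a search that allows one non-ASCII character anywhere grows by only a few bits; matching 8 Diceware words takes 16 random printable-ASCII characters, or 14 drawn from the extended pool.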