0

Does it make sense to insert a foreign word into a paraphrase to mitigate against brute force? For example: "pussiMeansCatInEskimo" "caballoMeansHorse" "CatIsGatto" "SalopeMeansBitch" "BitchInFrenchIsSalope" "FoShizzleMyNizzle"

Drew Lex
  • 2,013
  • 2
  • 19
  • 24
  • I think that you need to provide "more context" into this question. E.g. what is "paraphrase" and where/how you use it. – Lachezar Balev Jun 29 '12 at 05:47
  • 4
    These hackers use dictionary databases in multiple languages. What you describe seems insecure. – Ramhound Jun 29 '12 at 11:49
  • What about completely made up words as passwords, for example something like "giroletisist" Dictionary would be useless, you could combine more of those to increase lenght –  Nov 21 '12 at 01:06

7 Answers7

9

Yes, it does help, but perhaps not as much as you would think.

A password/phrase is a sequence of tokens. In a password, the tokens are characters; in a passphrase the tokens are words.

To increase the resistance of a password/phrase to brute force attacks, you can:

  • increase the number of tokens in the sequence (i.e. make it longer)
  • increase the number of possible tokens used (i.e. use a bigger set of characters or words.)

This is called increasing the entropy of the password/phrase.

An important point it that a passphrase (series of words) is also a password (series of characters). An attacker might attack it as a password or as a passphrase, and it's resistance to the attack is different depending on how the attacker treats it.

If the attacker treats it as a password, the main factor is length (since there are few tokens used in words). If they treat it as a passphrase, the main factor is number of tokens (since the length is so short).

So, should you use foreign words? Well, if the attacker treats it as a password, it makes no difference. Length is length. "chicken" and "oiseau" increase the length be the same amount, as does "skdjnqs" and "aaaaaaa" for that matter. If the attacker treats it as a passphrase, then it does make a difference. Using words from French and English almost doubles the number of possible tokens. So it does help, but as I mentioned, not as much as you'd think.

This is because increasing length is a much more powerful technique than increasing number of tokens. A three-word passphrase in english has an entropy of about 40; a three-word passphrase in french and english has an entropy of about 44, but a six-word passphrase in english has an entropy of 81.

In fact, if you run the numbers, it turns out that adding a single extra english word increases the entropy of a passphrase to 54 - ten more than you get by using two languages. Ten bits of extra entropy means a brute force attack will more than a thousand times longer to run.

So adding another word is a much better way to strengthen your passphrase.

(Although an even better way is to add a small random password with numbers and punctuation!)

Lastly I will mention that the phrases in your examples are not random, which is a weakness against generated dictionary attacks, so you should think about that as well. You want something more like CorrectĈevaloBatteryStaple.

Graham Hill
  • 15,474
  • 37
  • 63
  • Since length seems to trump complexity I would conclude that a very strong password would be something like **!#ebay-password4321$#!** as it contains 22 characters but still easily remembered. Why even bother remembering something like "carr0t.s3t*N1x0n" which is shorter? – Drew Lex Jun 29 '12 at 17:41
  • 2
    Well, there are other kinds of attacks than pure brute force, so length alone is not enough. Munged dictionary, for example - attackers know that people use l33t to add complexity, so when they test a password they test the l33t translations as well. (Yes, this means your example of a strong password isn't much stronger than carrot.set*Nixon) – Graham Hill Jul 02 '12 at 12:36
5

The weakness with the passwords you provided is that they follow a common form. e.g. foreign[is|means]english. And now this approach is documented (thnaks! ;-)). I prefer groupings of 4 or 5 not just 2 or 3 like in your examples. If you are taking that approach these groupings should be uncommon unrelated words.

Also, my dictionary built from urbandictionary.com would crack FoShizzleMyNizzle the first time around (with my mangling rules).

When assessing security, look at your password, try to generalize it in your head to form a cracking strategy, then identify the parts that are variable and which parts are static. For the parts that are variable, identify the category they fit into. Think about how diverse that category is and how popular your choice is within it (top ten words for example is bad, sequences of characters commonly found together, etc.). This will give you an idea of how many combinations an attacker might have to go through.

chao-mu
  • 2,801
  • 18
  • 22
  • As long as every user uses his/her own made-up form, maybe add a salt like '##pass:' I would argue that it becomes just as strong the [XKCD password](https://xkcd.com/936/) – Drew Lex Jun 29 '12 at 18:05
  • The farther you get from random (assuming same length and character set), the more attack strategies their are. If you look through leaks you find a lot of people thinking that they were using "his/her own made-up form" and "salting" to add security, but ending up with the same form as many others and one of a handful of "salts". – chao-mu Jun 29 '12 at 19:17
  • There could be more "strategies" than the number of possible combinations for the password, thus how can attempting to crack a password using this set of strategies easier than brute forcing? – Drew Lex Jun 29 '12 at 19:35
  • 1
    As long as you don't repeat the same guess twice, the worst case is equivalent to that of brute forcing. In practicality, humans typically end up choosing poorly. The poster gave fantastic examples of such a failure. – chao-mu Jun 29 '12 at 20:21
2

It may if the foreign word is "Pneumonoultramicroscopicsilicovolcanoconiosis". It also largely depends on the type of hashing algorithm and the implementation of salts. The general problem is remembering secure passwords without writing them down. Try to make sentences and steal the first letter. For example:

 When I was 18 I dated Miranda Kerr for atleast 2 weeks, no seriously = WIw18IdMKfa2wns
Kurt
  • 616
  • 3
  • 12
  • 4
    "When I was 18 I dated Miranda Kerr for atleast 2 weeks, no seriously" is probably a more secure password than "WIw18IdMKfa2wns" if you can get away with it ;-). – chao-mu Jun 29 '12 at 13:21
  • Haha, well said. – Kurt Jun 30 '12 at 06:37
  • @chao-mu Well, not anymore, now that this passphrase is on the internet nobody can use it. Damn it, it was such a good passphrase. – Thomas Jul 01 '12 at 01:03
2

A better application would handle brute force attack either by enabling CAPTCHA or delayed response.

From users perspective, you may add your own "salt" to your password. "Salt" could be anything.

zakiakhmad
  • 464
  • 3
  • 10
  • +1 for Captcha. This helps for remote bruteforce attacks, but remote is slow anyway... limited by network throughput to perhaps a couple attempts per second to a few attempts per minute, even with no added delay. But, someone with access to a hacked server who could query the database (or has copied the database offline) could make hundreds or perhaps 1000 or more bruteforce attempts per second. – Kevin Fegan Nov 22 '14 at 23:07
1

I would say if you are going to use a set of dictionary words with no numeric or symbol characters then you weaken the process, especially if the words are related in any way. What you'd then be doing is using words as building blocks for your passwords instead of letters, which isn't going to make the job of guessing them as they are not increasing complexity.

What would be more complex would be using dictionary words, or even a phrase as a building block. If you like Duran Duran take the "Her name is rio and she dances on the sand". A simple way would be to use the first letter, as in hnirasdots . But that's too easy to guess if I know you are using music lyrics. I could alternate using whole words, parts of words, etc like hernisrandsdotsand . That's getting more and more like random text, but limiting it to lower case letters reduced the complexity. H3rn15rand5.0tSand would be very hard to get to from a cracking standpoint even if I know you were using music lyrics as a basis.

It's better to use unrelated words though, preferably of differing lengths, and then widen the character base by throwing punctuation, symbols, and numbers in. Take Carros, Set, and Nixon and transform it into carr0t.s3t*N1x0n for example.

GdD
  • 17,321
  • 2
  • 41
  • 63
1

In my opinion, if you use phonetic typing of another foreign language's word, it would be secure no matter what dictionary (brute force attack) a hacker may use. For example (for users who knows Arabic), Arabic name: khaled Saad (to use this name as password) in phonetic: 5aledsa3d (some Arabic letters are represented in numbers phonetically in chatting typing) kh = خ = 5
try translate.google.com from Arabic to English. If you only know English. Try to memorize many passwords as you can but don't write them down anywhere.

1

Sorry for the late answer, but I just joined. Graham has some good information, but it requires a bit of expansion and one correction. Entropy is a measure of randomness, not character set.

Regardless of passwords or passphrases, length is more important than complexity. Complexity becomes more important if you are limited to a short password (20 or less characters. A 15 character password that uses only lower case letters (26^15) is safer than a 10 character password that uses upper and lower case, numbers and symbols (95^10).

Now for brute forcing "word tokens" a six token passphrase is incredibly strong. You see, it isn't six tokens from a 95 character set, but six from a set that is over 1.2 million characters. Over 600k words in English doubled for upper and lower case. We won't deal with passphrases that have symbols like "?",etc.

Now the common initial response is that people don't used that many words. OK, let's cut the dictionary to the 500 most commonly used words, which is 1,000 with both cases of letters. now a six word passphrase is 1000^6. Not as strong as a 10 character password using all of the sets, but you can remember it much better than most complex passwords. But add 1 single obscure word and the dictionary can require more than 20,000 words (tokens/characters)x2 = 40,000.

"For the 1st time I answered a question on SX!"

10 "tokens" that require an extremely large token set (dictionary), and for a simple brute force attack it's 45 characters using all of the sets and very easy to remember.

I8@ ye ol' pub!!! 17 characters, easy to remember and dictionary repellent.

Not all tokens are equal!