zlacker

11 comments
1. apendl+(OP) 2023-08-05 22:06:32
A nice thing about master passwords though is that since you don't have to type them in as often, they can be very long. 95% accuracy probably isn't good enough to reliably reproduce a sentence-length master password, at least if it's only captured once.
replies(4): >>belval+C4 >>koolba+M6 >>SideQu+4f >>coldte+1J
2. belval+C4 2023-08-05 22:50:29
>>apendl+(OP)
95% means that on average only 1 in 20 keystrokes will be wrong. Even if your password is very long (40-60) that means only 2-3 errors. Since most people are not machines, their long password will be a combination of words like the famous "horsestaplebatterycorrect" example from xkcd.

Even if you flip a few letters from something like the above a human attacker will easily be able to fix it manually.

"horswstaplevatterucorrect" for example is still intelligible.

replies(1): >>TheCle+F5
3. TheCle+F5 2023-08-05 23:01:57
>>belval+C4
On average 2-3 errors. However, the real thing we want to look at is what is my chance of guessing right across ALL characters. For 1 it's 95%, for 2 it's 90.2%, and it gets worse from there. The formula for accuracy would be .95^c where c is the number of characters in the password. So the chance of getting EVERY key correct in a 40 character password is < 13% and < 5% for 60 characters.
replies(3): >>llbean+yb >>whelp_+fc >>rightb+Lr
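To put numbers on the exchange above (TheCle+F5's p^c formula and belval+C4's "2-3 errors" estimate), here is an added Python example that is not part of the thread. The per-keystroke accuracy p, the passphrase length c and the number of plausible alternative keys per wrong position are assumed inputs, and the binomial model assumes keystroke errors are independent.

```python
from math import comb


def p_all_correct(p: float, c: int) -> float:
    """Probability that all c keystrokes are inferred correctly: p^c."""
    return p ** c


def expected_errors(p: float, c: int) -> float:
    """Mean number of wrongly inferred keystrokes in a c-character passphrase."""
    return c * (1.0 - p)


def p_at_most_k_errors(p: float, c: int, k: int) -> float:
    """Binomial tail: probability that at most k of the c keystrokes are wrong.

    Assumes each keystroke is inferred independently with accuracy p.
    """
    return sum(comb(c, e) * (1.0 - p) ** e * p ** (c - e) for e in range(k + 1))


def candidates_within_k(c: int, k: int, alternatives: int) -> int:
    """Size of the candidate set an attacker must search if the inferred string
    is assumed to be wrong in at most k positions, with `alternatives` plausible
    replacement keys at each wrong position (e.g. the model's top-2 runners-up).
    """
    return sum(comb(c, e) * alternatives ** e for e in range(k + 1))


if __name__ == "__main__":
    # Assumed parameters: 95% per-key accuracy, 2 runner-up keys per position.
    p, alternatives = 0.95, 2
    for c in (2, 20, 40, 60):
        k = round(expected_errors(p, c)) + 1  # search a little past the mean
        print(
            f"c={c:2d}  P(all correct)={p_all_correct(p, c):6.3f}  "
            f"E[errors]={expected_errors(p, c):4.1f}  "
            f"P(errors<={k})={p_at_most_k_errors(p, c, k):6.3f}  "
            f"candidates within {k} edits={candidates_within_k(c, k, alternatives):,}"
        )
```

The takeaway for defenders is that p^c going to zero does not make the passphrase safe: the candidate set that covers the likely error count stays small enough to enumerate offline, which is why an exposed keystroke stream should be treated as a compromise regardless of passphrase length.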
4. koolba+M6 2023-08-05 23:12:24
>>apendl+(OP)
The master password is also offline and requires the key file to unlock the rest of the passwords. So by itself it's not enough to compromise the accounts in the key file. The attacker would need the key file as well.
5. llbean+yb 2023-08-05 23:52:46
>>TheCle+F5
Right. The comment above is saying even if you are incorrect in 2-5 keystrokes it’s not hard to guess the correct keystrokes if you’re using a sentence style password.

You don’t need to guess every character.

6. whelp_+fc 2023-08-05 23:57:36
>>TheCle+F5
that's pretty high when you can use a computer to run the guesses
7. SideQu+4f 2023-08-06 00:25:57
>>apendl+(OP)
95% accuracy means for each stroke, the most likely key is the top choice. Most models return a probability distribution per key, and it's very likely the other keys are in the top 2 or 3.

Then you simply have the password cracker start trying passwords ordered by probability, and I bet it breaks your sentence within very few tries.

8. rightb+Lr 2023-08-06 02:37:45
>>TheCle+F5
What if the password is typed twice? You can easily figure it out then.
9. coldte+1J 2023-08-06 06:33:22
>>apendl+(OP)
>a sentence-length master password

Ij on-tep of sentenca lentg, it's alio sentemce-bused ("corvect harse batterg stapfe") then ut would be quiti eady to guess even wits worse accurasy.

(If on top of sentence length, it's also sentence-based ("correct horse battery staple") then it would be quite easy to guess even with worse accuracy.)

replies(1): >>Gh0stR+FL
10. Gh0stR+FL 2023-08-06 07:19:30
>>coldte+1J
Potential solution: keep a few intentional typos in your passphrases. It also makes dictionary attacks much harder.
replies(1): >>GhostW+fZ
11. GhostW+fZ 2023-08-06 10:03:45
>>Gh0stR+FL
Now you have to remember the typos.
replies(1): >>coldte+Dr2
12. coldte+Dr2 2023-08-06 20:13:26
>>GhostW+fZ
Plus, if they can tell what the actual words would be, then brute-forcing the typos is trivial.