Guild Wars Forums - GW Guru
Old Oct 14, 2010, 08:08 PM // 20:08   #1
Krytan Explorer
 
Chrisworld's Avatar
 
Join Date: Aug 2010
Guild: Gameamp Guides [AMP]
Profession: W/
Feasible, real-world passwords

I of all people should know better, but I want opinions from others here just to strengthen my thoughts here.

https://www.grc.com/passwords.htm

Does anyone here think that this webpage generates perfect brute-force-proof passwords... theoretically?

I'm not necessarily looking for a GW password generator here, because a lot of things use passwords besides GW...

More importantly ... would these also be good for use with GW or do the hackers know how to bust this stuff too?

The page always sends a random string of three different text, random ASCII and hexadecimal stuff.

What are your thoughts?
Chrisworld is offline   Reply With Quote
Old Oct 14, 2010, 09:26 PM // 21:26   #2
Forge Runner
 
Icy The Mage's Avatar
 
Join Date: Apr 2008
Location: Canada
Profession: E/

Any time anything is "pseudo-random" I raise an eyebrow as to how complicated their algorithms are. For all intents and purposes, using those passwords is completely hackproof due to the fact that the hackers would know neither the algorithm used to create the password, what password field you took yours from, nor would they know the string length.

However, they could possibly hack or bribe(?) the GRC site admin into getting the algorithm but still, that's a completely huge stretch, ...

Alternatively, if you want true random:
http://www.random.org/

They don't use algorithms to create pseudo-random numbers but rather the aforementioned electrical / mechanical noise found in chaotic physical systems.


tl;dr: Unless you're being stalked by the Feds, GRC is fine - if you're paranoid about life itself, use random.org

Last edited by Icy The Mage; Oct 14, 2010 at 09:30 PM // 21:30.. Reason: misinformation
Icy The Mage is offline   Reply With Quote
Old Oct 15, 2010, 02:05 AM // 02:05   #3
Grotto Attendant
 
Join Date: Apr 2007

1. The randomness of your password has no correlation to its resistance to brute forcing. All that matters against brute force is the size of the search space, which is generally going to be alphabet_size^password_length.

2. Really dumb passwords that are generated early by simple/obvious search algorithms are an exception, but a trivial one.

3. Randomness increases resistance against dictionary attacks, including attacks that try ciphers of the dictionary terms. But you don't need true randomness to avoid that - just nonsense.

4. Icy is correct that true random numbers derived from ambient physical data are superior to pseudo-random numbers for cryptography purposes, but...

5. If you're seriously anticipating an attack from someone where the difference would matter, there's probably a lot of more fundamental security steps you could take that would matter more - like changing to Linux and buying a gun.
Chthon is offline   Reply With Quote
Old Oct 15, 2010, 03:29 PM // 15:29   #4
Hell's Protector
 
Quaker's Avatar
 
Join Date: Aug 2005
Location: Canada
Guild: Brothers Disgruntled

"Brute force" methods rely mostly on trying every possible combo of letters and numbers, so it shouldn't matter what method was used to generate the password in the first place. Any possible 64 character password generated by that website could also be generated by other means, including monkeys randomly hitting keys.
The overall security of a password relies on more than just its length and randomness. It also relies on the method used to input a password, and the relative value of time vs reward, especially when it comes to brute-force methods. For example a system that becomes inactive after X number of incorrect entries can greatly affect brute-force methods.
For GW, most of the account hacking involves key loggers, fake websites, or other methods of capturing the actual password and/or, in some cases, simply guessing the password when someone uses simple passwords like their girlfriend's name or whatever. Trying to brute force a 64 character password for GW would be impractical given the time involved and possible rewards. Even a 6 or 8 character (random-ish) password should be enough for GW.
Quaker is offline   Reply With Quote
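
The points made in posts #3 and #4 (search space size, passwords that a simple search reaches early, dictionary words, and lockout after failed entries), worked through as an added example that is not code from any poster. The 36-symbol alphabet, the word list, the attacker model, the guess rates and the lockout numbers are all assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits          # 36 symbols (assumed policy)
WORDLIST = ["password", "dragon", "letmein", "guildwars"]  # constructed sample list

def search_space(alphabet_size, length):
    """Candidates a brute-forcer must cover: alphabet_size ** length."""
    return alphabet_size ** length

def enumeration_rank(password, alphabet=ALPHABET):
    """Guesses an in-order search of this length makes before reaching password."""
    rank = 0
    for ch in password:
        rank = rank * len(alphabet) + alphabet.index(ch)
    return rank

def guesses_needed(password, alphabet=ALPHABET, wordlist=WORDLIST):
    """Assumed attacker model: try the word list first, then enumerate in order."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + enumeration_rank(password, alphabet) + 1

def years_to_exhaust(space, guesses_per_second):
    """Time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

def random_password(length, alphabet=ALPHABET):
    """Uniform choice per character from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    space = search_space(len(ALPHABET), 8)
    print(f"8 chars over 36 symbols: {space:,} candidates ({math.log2(space):.1f} bits)")
    # Same length, same search space, very different position in the search order.
    for pw in ("aaaaaaaa", "guildwars", random_password(8)):
        print(f"{pw!r}: reached after {guesses_needed(pw):,} guesses")
    # Assumed rates: 1e9 guesses/s unthrottled vs. 5 tries per 15-minute lockout.
    print(f"unthrottled, 1e9/s: {years_to_exhaust(space, 1e9):.5f} years")
    print(f"5 tries / 15 min:   {years_to_exhaust(space, 5 / 900):,.0f} years")
```
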
All times are GMT.