<div style="color:rgb(0, 0, 0);font-family:arial,sans-serif;font-size:12pt"><p style="margin: 0.1rem 0; line-height: 1.0;"> </p>
</div>
<div class="elnk-inline-message-container" style="border-left: 1px solid #aaa; box-sizing: border-box; padding: 10px 0 10px 15px; margin: 0;">
<p>-----Original Message-----<br>From: Tom Mitchell <mitch@niftyegg.com><br>Sent: Dec 27, 2021 12:17 PM<br>To: Jerry Leichter <leichter@lrw.com><br>Cc: Henry Baker <hbaker1@pipeline.com>, Crypto <cryptography@metzdowd.com><br>Subject: Re: [Cryptography] Brute-force password crackers?</p>
<p style="margin: 0.1rem 0; line-height: 1.0;"> </p>
<div dir="ltr"><br>On Sat, Dec 25, 2021 at 6:03 PM Jerry Leichter <<a href="mailto:leichter@lrw.com">leichter@lrw.com</a>> wrote:
<div><span class="gmail_default" style="font-family: 'times new roman',serif; font-size: large;">>></span>..... If you have your hands on the device, you can read the sticker on it, so even a strong, unique default password is known to you - let's hope the user either changed it (if that's</div>
<div><span class="gmail_default" style="font-family: 'times new roman',serif; font-size: large;">>></span>possible!) or removed the sticker. If you can bypass the OS to read /etc/shadow, you can modify it as well and create your own username/password. (I doubt any IoT </div>
<div><span class="gmail_default" style="font-family: 'times new roman',serif; font-size: large;">>></span>devices are capable of this, but there could be a secure boot sequence that prevents you from changing what's there. But anyone who implements that will sign - and probably encrypt - the entire thing.)<br><br>
<div class="gmail_default" style="font-family: 'times new roman',serif; font-size: large;">Before tossing the sticker back it up someplace safe.<br>That is likely the password is needed after a physical reset.<br>Also backup the settings hopefully the device makes that easy.<br>If a default password is lost there is a denial of service bricked-it option for the bad guys. <br><br>Yes, change the password.<br> Are there better tools than apg.<br> <span style="font-weight: bold; color: #5f6368; font-family: Roboto,arial,sans-serif; font-size: 14px;">apg</span><span style="color: #4d5156; font-family: Roboto,arial,sans-serif; font-size: 14px;"> "generates several random passwords. It uses several password generation algorithms (currently two)"<br> If you suspect generated passwords are guessable, grab some physical dice to chop generated passwords into 1-6 char chunks.</span></div>
</div>
<div><br>-- <br><br> T o m M i t c h e l l (on NiftyEgg[.]com )</div>
</div>
</div>
<div class="reply-comment">---</div>
<div class="reply-comment">OK, we have databases of >10^6 passwords, so we can easily compute distributions for graphs, digraphs, trigraphs, etc.</div>
<div class="reply-comment"> </div>
<div class="reply-comment">So a 'random' password is potentially guessed more quickly than a 'non-random' password which utilizes these distributions for pessimizing guessability.</div>
<div class="reply-comment"> </div>
<div class="reply-comment">In particular, shouldn't password generators make sure that passwords utilize less-frequently used characters -- e.g.,the 'long tail' ? It should certainly reject the very rare cases of all digits, etc.</div>
<div class="reply-comment"> </div>
<div class="reply-comment">While these passwords may not be easy to type -- e.g., Unicode -- this may not make much difference with keepass-type programs.</div>
<div class="reply-comment"> </div>
<div class="reply-comment">Nicht wahr?</div>
<div class="reply-comment"> </div>
<p style="margin: 0.1rem 0; line-height: 1.0;"> </p>