base64 for an easy & strong encrypted key-pass.


Postby bester69 » 2018-08-21 20:33

Hi,

What do you think about using base64 encoding as a password key for encrypting?

It gives you a resulting encoded word which contains numeric + lower/capital letters. To prevent hacking of this method, it occurs to me to add two dot characters intercalated in a fixed position. It seems a good way to get unbreakable encoded passwords with very easy key words.

Example:
1. Key = umbrella >> base64(umbrella) = dW1icmVsbGE=
2. We apply a little bit of stenography to the resulting base64 word:
i.e. we add two recordable complex ASCII characters in a known position to break any base64 technique a hacker uses in the decoding process.
dW1icmVsbGE= >> d€W1icmVsbGE€= (In this case we added € in second and penultimate position)

final result: umbrella == d€W1icmVsbGE€=

So, I expect some opinions here. :o
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby debiman » 2018-08-22 04:44

bester69 wrote:So, I expect some opinions here. :o

what seems difficult to hack for humans, is easy for machines.
your "recipe" follows a simple set of rules:
  1. translate a dictionary word with base64
  2. add a single character to it twice
number 2 is clearly making it a little harder to crack, but still... you could've just as well used u€mbrell€a.
there's about a thousand ways to go about this, most of them better.
debiman
 
Posts: 3008
Joined: 2013-03-12 07:18

Re: base64 for an easy & strong encrypted key-pass.

Postby bester69 » 2018-08-22 05:20

debiman wrote:
bester69 wrote:So, I expect some opinions here. :o

what seems difficult to hack for humans, is easy for machines.
your "recipe" follows a simple set of rules:
  1. translate a dictionary word with base64
  2. add a single character to it twice
number 2 is clearly making it a little harder to crack, but still... you could've just as well used u€mbrell€a.
there's about a thousand ways to go about this, most of them better.

Hi debiman, thanks for answering

They seem simple rules, but I don't see any weakness in them; with base64 we're getting a very strong word to break (base64 alphanumeric). Adding some interleaved ASCII characters prevents a hacker from trying base64 inverse decoding by brute force/library book.

What you're proposing (u€mbrell€a) is a weaker word because you're using only lowercase alpha characters plus two interleaved ASCII characters. And I guess tools for hacking follow ordered rules in decoding, starting with lowercase characters, following with other ASCII combinations; I guess that word would be relatively quickly broken. It might take a few hours/minutes with a relatively new processor. You're only using a lowercase character set (base26) plus two common ASCII characters; a decoding set similar to this would break that code in minutes/hours: 'a-z.,€$@&%!;:'

That's why they recommend you use LowerCharacters + UpperCharacters + Numbers + FewStrangeAscii, because this forces them to use the full ASCII set for decoding (ASCII is base95), which with just a 5-character word might take months/years with a powerful CPU.

I think what I'm proposing follows the rules of an unbreakable password, but furthermore has the advantage that you can remember the complex password by using those two rule steps you wrote down (removing intercalated characters + decoding base64). So we can use simple words like: dog, yellow, monday, 1980 in order to generate unbreakable and unforgettable passwords.



Last edited by bester69 on 2018-08-22 05:32, edited 1 time in total.
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby bester69 » 2018-08-22 05:29

debiman wrote:..there's about a thousand ways to go about this, most of them better.


The idea is to get a complex unbreakable password you can always and easily remember/decode.

Example:
1980 == U.s7snhj.2=

You can't remember U.s7snhj.2=, but you can 1980
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby Head_on_a_Stick » 2018-08-22 05:32

I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8164
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: base64 for an easy & strong encrypted key-pass.

Postby bester69 » 2018-08-22 05:46

Head_on_a_Stick wrote:https://xkcd.com/936/

(suppressive attitude personality goes on) Organic Portal? :shock:
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby kopper » 2018-08-22 09:21

This mainly relies on lack of awareness of the attacker. An offline brute-force attack can counter this by applying the same principle to all guesses the cracker software makes. I.e. base64(guess) + additional characters to predefined positions, then compare the hashed result to the stolen hash. It doesn't matter that the end result is more complex than the input, since the process is 100% reversible with adequate information. And that information can often be obtained by other means. Relying on the fact that the attacker does not know about base64, the selected "salt characters" or their placement is security through obscurity.

It might provide some resilience against rainbow tables, as there are fewer tables containing hashes for longer passwords. It might initially buy you some time, but it doesn't take long to write a script for JohnTheRipper or other tools to make this almost completely useless. Worst case scenario, this will make the cracker's life even easier, since users trusting this are likely to use even crappier passwords, effectively leading to increased efficiency of dictionary attacks.

Cryptography is hard and I'm by no means an authority on the issue. However, using encoding in place of a cryptographic function in this kind of scenario is like pulling on two pairs of socks and claiming you're only wearing one.
Debian 9.5 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 126
Joined: 2016-09-30 14:30
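
The point made in the post above, as an added example that is not part of the thread: it implements the recipe from the first post and compares the strength a character-counting meter sees with the strength left once the recipe is known. The word-list size and the number of candidate marker symbols are assumed figures chosen for illustration.

```python
import base64
import math

WORDLIST_SIZE = 100_000   # assumed size of the dictionary the key word comes from
MARKER_CHOICES = 100      # assumed number of candidate marker symbols (€, $, ...)

def derive(word, marker="€"):
    """The recipe from the first post: base64 the word, then put the
    marker in the second and the penultimate position."""
    b64 = base64.b64encode(word.encode("utf-8")).decode("ascii")
    return b64[:1] + marker + b64[1:-1] + marker + b64[-1:]

def recover(derived):
    """Undo the recipe: drop both markers, then base64-decode."""
    b64 = derived[:1] + derived[2:-2] + derived[-1:]
    return base64.b64decode(b64).decode("utf-8")

def apparent_bits(password, alphabet=95):
    """Strength if every character were an independent random pick
    from printable ASCII, which is what simple strength meters assume."""
    return len(password) * math.log2(alphabet)

def effective_bits(word, wordlist=WORDLIST_SIZE, markers=MARKER_CHOICES):
    """Strength when the recipe is known: the only secrets are the word,
    the marker symbol and its two positions (a generous upper bound)."""
    n = len(base64.b64encode(word.encode("utf-8")))
    position_pairs = (n + 1) ** 2
    return math.log2(wordlist * markers * position_pairs)

def compare(word):
    """Summarise both estimates next to a 9-character random ASCII password."""
    derived = derive(word)
    return {
        "derived": derived,
        "round_trip": recover(derived) == word,
        "apparent_bits": round(apparent_bits(derived), 1),
        "effective_bits": round(effective_bits(word), 1),
        "random_9_ascii_bits": round(9 * math.log2(95), 1),
    }

if __name__ == "__main__":
    for w in ("umbrella", "1980"):
        print(w, compare(w))
```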

Re: base64 for an easy & strong encrypted key-pass.

Postby RU55EL » 2018-08-22 12:44

bester69 wrote:[...] You cant remember U.s7snhj.2=, but you can 1980


What do you mean you can't remember U.s7snhj.2=? It is only 11 digits! And not that complicated.

Now these might be a little hard to memorize:

Code:
+']_.+#;>!]&)~;$'(]=&>*@(

GYUAFFSJKPWXMDKFMHSBKBQAZ

dqbJ^yFM'sQ*d=Q-Wy.rXt,uo

hqnyq,^/dnq&god)`ut*-*}pj

76DA77QHE6AVJAPCBR9BK3HHU


But they can be memorized and they are halfway decent passwords.
RU55EL
 
Posts: 383
Joined: 2014-04-07 03:42
Location: /home/russel

Re: base64 for an easy & strong encrypted key-pass.

Postby bester69 » 2018-08-22 12:54

kopper wrote:....
It might provide some resilience against rainbow tables, as there are fewer tables containing hashes for longer passwords. It might initially buy you some time, but it doesn't take long to write a script for JohnTheRipper or other tools to make this almost completely useless

.....

OK, do you really think most attackers are considering this: "I.e. base64(guess) + additional characters to predefined positions"? Do you think they will use a matching decoding algorithm? That's supposing too much in my opinion. This sounds to me similar to "linux does have viruses" (but no one has ever met them...).

OK, you're kind of right; it seems a fair weakness, though a very improbable scenario in my opinion. I would bet this scenario is very unlikely to happen with casual hackers; I really don't see it happening.

Anyway, I suppose we might add an additional security obscurity layer, that would make it a "perfect procedure" against any contemplated/guessed scenario by any hacker.

For example: we might use as well (two characters interleaved in the source encoding word, as well); that would break any possible matching procedure algorithm trying reverse base64 dictionary decoding; it would fail.

Example:
umbrella >> u$mbrell$a >> (base64) >> Asnajh54n= >> A$snajh54n$=

THIS DOES SEEM QUITE IMPROBABLE IMPOSSIBLE HACKING. I'm wondering how many algorithms in the world can break that example word...

Anyway, this procedure is perfect for cloud services, as all of them lock the account after a few failed attempts. See!! In this scenario, this method is great 8)


regards.
Last edited by bester69 on 2018-08-22 13:14, edited 15 times in total.
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby sunrat » 2018-08-22 12:55

Head_on_a_Stick wrote:https://xkcd.com/936/


Damn, I better change my pass word. :shock: :lol:

JK, I was thinking to post that same link after reading OP.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
sunrat
 
Posts: 2461
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: base64 for an easy & strong encrypted key-pass.

Postby kopper » 2018-08-22 15:32

bester69 wrote:OK, do you really think most attackers are considering this [retracted] That's supposing too much in my opinion.

Not initially of course, but eventually that would become public knowledge given enough time. If you're implementing this as part of an open-source project, it is public as soon as the project goes live. Even if it's proprietary, it will be found as a vulnerability soon enough. Don't underestimate people's interest in "new unbreakable passwords". At least that claim will get everyone to try and break it, when it comes to the security industry. For reference, you might be interested to take a look at how it worked for John McAfee when he said his Bitfi wallet was "unhackable".

Security through obscurity in defense isn't really anything you should aim for. Security should not be affected by the fact that a potential adversary knows the used algorithms inside out. In the offensive field, obscurity has more use cases in operational security, like remaining undetected until you achieve what you want. I.e. you acknowledge that you're operating in a limited time window.

bester69 wrote:For example: we might use as well

To counter it, just write a longer script for the cracker software. You can't achieve anything new by iterating between encoding and adding characters.

bester69 wrote:Anyway, this procedure is perfect for cloud services, as all of them lock the account after a few failed attempts. See!! In this scenario, this method is great 8)

That already works quite fine for normal passwords. Anyone who's not a bot or an idiot wouldn't try to brute force live web application / cloud service with such restrictions.
kopper
 
Posts: 126
Joined: 2016-09-30 14:30

Re: base64 for an easy & strong encrypted key-pass.

Postby RU55EL » 2018-08-22 22:07

bester69 wrote:[...]OK, do you really think most attackers are considering this: "I.e. base64(guess) + additional characters to predefined positions"? Do you think they will use a matching decoding algorithm? That's supposing too much in my opinion. This sounds to me similar to "linux does have viruses" (but no one has ever met them...).[...]


Yeah, that gives your argument lots of credibility!

I guess you think it is impossible to write a virus for Linux.

PS: This is an example of what I consider to be a good password:

Code:
^]\`KPRE~`FL\D/&>[__ZT]S\.J~*K#R;GJMFE}GC`_$$~/E'{
RU55EL
 
Posts: 383
Joined: 2014-04-07 03:42
Location: /home/russel

Re: base64 for an easy & strong encrypted key-pass.

Postby bester69 » 2018-08-23 00:06

RU55EL wrote:
bester69 wrote:[...]OK, do you really think most attackers are considering this: "I.e. base64(guess) + additional characters to predefined positions"? Do you think they will use a matching decoding algorithm? That's supposing too much in my opinion. This sounds to me similar to "linux does have viruses" (but no one has ever met them...).[...]


Yeah, that gives your argument lots of credibility!

I guess you think it is impossible to write a virus for Linux.

PS: This is an example of what I consider to be a good password:

Code:
^]\`KPRE~`FL\D/&>[__ZT]S\.J~*K#R;GJMFE}GC`_$$~/E'{


You just need >= 8 ASCII (base 95) characters... what the hell are you doing man?? :lol: You wouldn't break that even with a quantum computer :shock:

See these little 9 ASCII characters:
/yjH.23dZ

It would take around 1300 years according to this calculator (2015 CPU computer): https://www.betterbuys.com/estimating-p ... ing-times/
It would take around 7 years according to this calculator: https://random-ize.com/how-long-to-hack-pass/
bester69
 
Posts: 1209
Joined: 2015-04-02 13:15

Re: base64 for an easy & strong encrypted key-pass.

Postby RU55EL » 2018-08-23 04:56

bester69 wrote:
You just need >= 8 ASCII (base 95) characters... what the hell are you doing man?? :lol: You wouldn't break that even with a quantum computer :shock:

See these little 9 ASCII characters:
/yjH.23dZ

It would take around 1300 years according to this calculator (2015 CPU computer): https://www.betterbuys.com/estimating-p ... ing-times/
It would take around 7 years according to this calculator: https://random-ize.com/how-long-to-hack-pass/


Try checking at How secure is my password. Estimate for your password "/yjH.23dZ"
It would take a computer about

1 month

to crack your password


Estimate for " ^]\`KPRE~`FL\D/&>[__ZT]S\.J~*K#R;GJMFE}GC`_$$~/E'{"

It would take a computer about

830 quattuorvigintillion years

to crack your password


I usually check the password size limit (for where it is used) and use that for the size of the password. You can never be too sure.

PS: The password size limit here at forums.debian.net is 30 digits. Do you think you can guess my password?

PPS: How big is a quattuorvigintillion?
RU55EL
 
Posts: 383
Joined: 2014-04-07 03:42
Location: /home/russel

Re: base64 for an easy & strong encrypted key-pass.

Postby Head_on_a_Stick » 2018-08-23 06:08

RU55EL wrote:https://howsecureismypassword.net/

Nice site!

Apparently, the password "howsecureismypassword" would take 410 billion years to crack and it's really easy to remember — there's a lesson there for us all, I think :mrgreen:
Head_on_a_Stick
 
Posts: 8164
Joined: 2014-06-01 17:46
Location: /dev/chair
