SolarWinds hackers have a clever way to bypass multi factor authentication

You're currently viewing only fyo's posts.

fyo

Ars Tribunus Militum
1,724
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.


LENGTH adds entropy quickly. Words have a tendency to add length.
Which is fine if you're brute forcing digit by digit/character by character, but that's not what people do.

People compile lists of common words/phrases, and then mutate them in a number of ways. (All A's become 4, all e's become 3, every other A, etc.)
I wrote a parser that would take a language dictionary and dump out a bunch of the mutations pre-calculated, then concatenated in a bunch of different common methods.

Without those mutations you look at a phrase like "correct horse battery staple" and see 25 to 28 (spaces?) characters or points of entropy.

I look at a phrase like "correct horse battery staple" and I see 4 points of entropy.

Your "points of entropy" definition is odd. If by points you mean bits, then it's just wrong.

In the first example (treating pwd letter by letter), each letter/digit (is this your "point of entropy"?) can take roughly 60-90 possible different values (depending on the character set in use). Each digit in a base-10 number would have 10. The total entropy is thus 60^n, where n is password length.

In the second example, each word can take anywhere from a few thousand to a few hundred thousand different values, leading to an entropy of 3000^n, where n here is your "point of entropy".

So your "points of entropy" cannot be compared. One "point" in one is worth a lot more entropy than one "point" in the other.

So the entropy in the first case is 60^25 = 3*10^44 bits of entropy.
In the second case just 3000^4 = 7*10^13

While certainly a massive difference, that's pretty much a worst case example (only 3000 words in our dictionary, no misspellings, no punctuation, no numbers, etc).

A completely random 16 character password with a length 60 character set has an entropy of about 3*10^28. Using just the 3000 most common words, you would need about 8 words for the same entropy.

The point being that a sentence of 8 words (letusjustgetthroughthisyearsafely) is A LOT easier to remember for most people than a completely random 16-character password. (Yes, my example didn't use caps, so shoot me.)
 
Upvote
7 (9 / -2)
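The two attacker models argued over in this post (one symbol per character drawn from a character set, versus one symbol per word drawn from a dictionary) are easy to put side by side in code. The following is an added worked example, not code from the thread or from anyone posting in it. It uses the thread's own figures (a 60-symbol character set, a 3000-word dictionary) and expresses each keyspace both as a raw candidate count and in bits (log2 of the count), which is the unit that lets the two models be compared directly. The `variants_per_word` knob models the pre-mutated dictionary described earlier in the thread (a->4, e->3, capitalisation), and the 1e10 guesses/second rate is an assumed placeholder, not a measured cracking speed.

```python
import math

# Figures taken from the thread: a 60-symbol character set and a
# 3000-word dictionary. The guess rate is an assumed placeholder for
# illustration, not a measurement from any particular cracking rig.
CHARSET_SIZE = 60
DICT_SIZE = 3000
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(symbols: int, n: int) -> int:
    """Number of candidates when each of n positions is one of `symbols` values."""
    return symbols ** n


def entropy_bits(symbols: int, n: int) -> float:
    """The same keyspace in bits: log2(symbols ** n) == n * log2(symbols)."""
    return n * math.log2(symbols)


def charset_entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Attacker model 1: every character is an independent draw from the charset."""
    return entropy_bits(charset_size, length)


def wordlist_entropy_bits(num_words: int, dict_size: int = DICT_SIZE,
                          variants_per_word: int = 1) -> float:
    """Attacker model 2: every word is an independent draw from a dictionary.

    variants_per_word models a cracker whose wordlist already contains
    mutations of each word (a->4, e->3, capitalisation, ...). That only
    enlarges the per-word alphabet, so a set of k variants costs the
    defender log2(k) bits per word, not per character.
    """
    return entropy_bits(dict_size * variants_per_word, num_words)


def words_needed(target_bits: float, dict_size: int = DICT_SIZE) -> float:
    """Dictionary words needed to reach target_bits (real-valued; round up
    to get a usable word count)."""
    return target_bits / math.log2(dict_size)


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right candidate: on average half the
    keyspace is searched before success."""
    return 2 ** (bits - 1) / guesses_per_second


def passphrase_views(passphrase: str, charset_size: int = CHARSET_SIZE,
                     dict_size: int = DICT_SIZE) -> dict:
    """Both attacker views of one passphrase: per character (spaces count
    as characters) and per word (words split on whitespace)."""
    words = passphrase.split()
    return {
        "chars": len(passphrase),
        "words": len(words),
        "charset_bits": charset_entropy_bits(len(passphrase), charset_size),
        "wordlist_bits": wordlist_entropy_bits(len(words), dict_size),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the xkcd phrase, a random 16-char password
    # (length only matters here) and the 8-word sentence from the post.
    for label, bits in [
        ("correct horse battery staple, char view",
         passphrase_views("correct horse battery staple")["charset_bits"]),
        ("correct horse battery staple, word view",
         passphrase_views("correct horse battery staple")["wordlist_bits"]),
        ("4 words, attacker has 8 mutations per word",
         wordlist_entropy_bits(4, variants_per_word=8)),
        ("random 16 chars from 60-symbol set", charset_entropy_bits(16)),
        ("letusjustgetthroughthisyearsafely (8 words)", wordlist_entropy_bits(8)),
    ]:
        print(f"{label:48s} {bits:6.1f} bits  "
              f"~{expected_crack_seconds(bits) / 86400:.3g} days at 1e10 guesses/s")
    print("words of a 3000-word dictionary matching 16 random chars:",
          f"{words_needed(charset_entropy_bits(16)):.2f}")
```

The numbers make the post's point concrete: four words from a 3000-word list are about 46 bits, and even a cracker that pre-computes eight mutations of every word only has to pay three more bits per word. Sixteen random characters from a 60-symbol set are about 94.5 bits, which the dictionary model reaches at a little over eight words, so the 8-word sentence in the post lands within a couple of bits of the random 16-character password.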