Hacker News new | past | comments | ask | show | jobs | submit login

To be precise, in the case of a patterned password (i.e., dictionary word or something a human can recognize), it leaks all but about 2-3 bits, assuming the human can work out the most likely mistake as in your example, and we assume it's a simple error like a nearby key or simple character flip.

If it's a random password, it may still leave 2-3 bits per character as it becomes much harder to know where the error is (e.g., if "j9^vl4JO" is wrong, what is the correct password?), but if you have your hands on two independent errors, which is reasonably likely, that pretty much collapses to 1-2 bits tops even in the random case (e.g., if you also have "k9^vl4JP" that pretty much nails it down to either the first and last being "j P" or "k O").

It is a truly terrible idea!






>e.g., if "j9^vl4JO" is wrong, what is the correct password?

Shouldn't that remain utterly trivial to brute though? If we're assuming all the standard face keys+shifted, I think that's 94 characters. If it's fully unknown then search space is 94^8 or about 6E15, not good but if it's an adaptive hash sizable. But if it's only a one character error, wouldn't you just brute through each of the 8 one by one with only 94 each? That'd reduce it to just 752 possibilities at worst which is so low someone determined could even do it by hand, even ignoring any obvious psychology like the likelihood that the special character isn't the mistake and probably the only special character too.

Certainly not quibbling that it's an awful idea. I don't even like "password hints" so many systems still seem to have, they should be random!


Yes. I'm just demonstrating with an example that a less structured password is less damaged. It is still something I'd consider "burned" in real life, though.

You don't think the special character could be a mistake?

Seems plausible the correct password might be j(6vl4JO...


>You don't think the special character could be a mistake?

Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.

Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway, hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to try to be clever with passwords rather then just generating something fully randomized.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: