What would it take to make a password unbreakable? IBM, Google, and the NSA think it would be a normal function of a quantum computer and thus are working feverishly to bring a practical one into existence. The quantum computer works using photons instead of the traditional silicon 1's and 0's we all know and love. Light, as you quantum physicists out there know, exists in more than one state simultaneously. This significantly enhances it's ability to carry information. In fact if a quantum computer were put to the task, it could decipher every known password in a matter of seconds. The military, financial, and government security in place today would quickly become obsolete. The scary part of all this is that the components exist today and are being developed for general release within the next decade.
The only way to counter this potential threat is to use quantum computers to generate passcodes for encryption. Conventional computers are not random enough so that something on the magnitude of a quantum computer would be required to generate codes that cannot be broken by brute force. The network would be optical, and Heisenberg assures us that there is uncertainty in photon transmission. If you try to intercept the encrypted data, the fact that you are viewing it changes the state of the data. That's pure quantum physics. But the real beauty of quantum computing is that it can easily produce truly random numbers at speeds heretofore unthinkable. This would make brute force password attacks impossible. The only glitch in this scheme is that the further down the optical fiber you send a signal, the lower the bandwidth. Such transmissions have a theoretical limit of 186 miles at which point it gets down to 1 bit per second.
Well, some well funded groups all over the world are working on the problem as I write this.
http://www.pbs.org/newshour/updates/unb ... -password/
Unbreakable Passwords
Re: Unbreakable Passwords
If they can create it, it can be reverse engineered, and/or hacked...
Re: Unbreakable Passwords
The analogy they give with tin cans and a string between them to communicate shows the beauty of quantum mechanics. If you cut the string to intercept the message, communication ceases. I'm sure there is a way around all this quantum computing security, but the point of my quoting the article is to note the magnitude of the issues involved. Ways to blow though every security system ever invented are on the horizon. I'm glad some of the giants on our side are looking into it.
Re: Unbreakable Passwords
Or they could be using it against us too! Don't forget the power of Big Brother, hi hi...
I watched a film on how hackers break passwords, not one or two here and there, but thousands all at once.
I'm not sure if web sites still work this way or not, because this was way back in 2003 I think.
A hacker breaks into a server and captures the member log-in datafile.
It doesn't matter whether the screen name is encrypted or not, but the password file usually is.
At that time, the entire datafile was encrypted using the same encryption technique.
So it was just a matter of running codes through the computer until some of the passwords started to be recognizable words. Once they hit the right code combination, all of the passwords in the datafile were now visible.
So it didn't matter how simple or how complex a password the user came up with, once the encryption was broken, all of the passwords on file were now available to them.
One thing that surprises me is the use of HTTPS over HTTP. Everyone can see the website and interact with it, whether it is sent HTTP or HTTPS. I know you are going to say I'm missing something here, hi hi...
But if it is encrypted, how can I see it unless I have the decryption key?
Since I can see it, how did I get the key?
Oh, they sent it to me when I logged in. What if I didn't log in, I just went there from Google.
Sorta reminds me of a Notary Public. You go to a total stranger who does not know you from Adam's Ox to Verify you are who you say you are, based on a couple of documents which could be easily forged.
But I guess technically, all they are really verifying is the person standing in front of them is the person who signed the document in their presence. Who they claim to be, or who their documentation claims they are is beside the point.
They merely witnessed a signature. Compound this with a signature can be any mark and does not have to be legible.
So what is the real purpose of a Notary Public?
I watched a film on how hackers break passwords, not one or two here and there, but thousands all at once.
I'm not sure if web sites still work this way or not, because this was way back in 2003 I think.
A hacker breaks into a server and captures the member log-in datafile.
It doesn't matter whether the screen name is encrypted or not, but the password file usually is.
At that time, the entire datafile was encrypted using the same encryption technique.
So it was just a matter of running codes through the computer until some of the passwords started to be recognizable words. Once they hit the right code combination, all of the passwords in the datafile were now visible.
So it didn't matter how simple or how complex a password the user came up with, once the encryption was broken, all of the passwords on file were now available to them.
One thing that surprises me is the use of HTTPS over HTTP. Everyone can see the website and interact with it, whether it is sent HTTP or HTTPS. I know you are going to say I'm missing something here, hi hi...
But if it is encrypted, how can I see it unless I have the decryption key?
Since I can see it, how did I get the key?
Oh, they sent it to me when I logged in. What if I didn't log in, I just went there from Google.
Sorta reminds me of a Notary Public. You go to a total stranger who does not know you from Adam's Ox to Verify you are who you say you are, based on a couple of documents which could be easily forged.
But I guess technically, all they are really verifying is the person standing in front of them is the person who signed the document in their presence. Who they claim to be, or who their documentation claims they are is beside the point.
They merely witnessed a signature. Compound this with a signature can be any mark and does not have to be legible.
So what is the real purpose of a Notary Public?
Re: Unbreakable Passwords
The thing to keep in mind about Big Brother is that the idea came into popularity via a book of fiction.
I don't know what movie you watched, but the technique you describe is reminiscent of how to break into password files used by Windows since the "NT" days. Those programs to hack Windows' passwords are readily available, and to give you an idea how valuable they are, my malware checkers do not even flag them as potentially unwanted. LOL
The typical scenario is to steal the password file, which is easily done in Linux boxes, and then to attempt to decrypt individual entries. All the common passwords are tried first to get a match and that reveals about 30% of the list in the blink of an eye on an average 64-bit desktop. Then the entire English language dictionary is applied which yields another 30%. The remaining passwords get brute forced. That uses every possible combination of letters and characters against each password. As recently as three years ago it was thought that an 8 character password can be broken in about twenty minutes. If you have hours and days or even weeks to spare, you can brute force in excess of 16 character passwords. By the time you get to that level only a few percent of the passwords in the stolen file remain encoded. If those few are specially targeted individuals, then it might be worth running your computer for a few weeks just to get the results you are looking for. But, the really clever passwords are double or triple encrypted so that brute force isn't effective against those. Well it wasn't, but now you can parallel video cards and make your own super computer for the price of one brand new silver Yogi - ok maybe two, but it's just a matter of wiring ten cards together.
From what I understand brute force is a benchmark, but there are other better and more efficient ways to break passwords if you are really interested in doing such a thing. The quantum computers talked about in the article are said to be capable of taking all the password files in existence, plus those that ever existed, and decrypt them using brute force in a matter of seconds. Certainly no longer than a few minutes. What kind of crazy computing power are we talking about here?
Way back when we discussed encryption on neoBrainformation, we talked about two purposes for network encryption keys. One is for verification that you are indeed communicating with who you think you are. The other purpose is for security of exchanged data. HTTPS does both over the public network and it does it in such a way that you do not need to know the encryption keys. The keys are automatically generated and discovered by the browser in the the background. Thus, all that beautiful plain text from the forms you send out never leaves your computer unless it's encrypted. You don't get back plain text either. It's all handled at the browser level via HTTPS.
The Notary Public analogy applies in some ways. The job of the notary is to do exactly what you described. S/he affixes a seal to testify that s/he witnessed the person sign the document. End of story. A signature guarantee, however, is one that has identified the signatory as being who they claim to be. These signature guarantees are not provided by a notary. I had to get a bank official involved when I needed them a couple times. They had to see the request for my signature and I had to produce documents verifying my identity which included mail with my name on it to my address. The purpose of a notory is simply to be a state appointed witness to an event. Guaranteeing your identiy/signature is a whole different ball game.
I don't know what movie you watched, but the technique you describe is reminiscent of how to break into password files used by Windows since the "NT" days. Those programs to hack Windows' passwords are readily available, and to give you an idea how valuable they are, my malware checkers do not even flag them as potentially unwanted. LOL
The typical scenario is to steal the password file, which is easily done in Linux boxes, and then to attempt to decrypt individual entries. All the common passwords are tried first to get a match and that reveals about 30% of the list in the blink of an eye on an average 64-bit desktop. Then the entire English language dictionary is applied which yields another 30%. The remaining passwords get brute forced. That uses every possible combination of letters and characters against each password. As recently as three years ago it was thought that an 8 character password can be broken in about twenty minutes. If you have hours and days or even weeks to spare, you can brute force in excess of 16 character passwords. By the time you get to that level only a few percent of the passwords in the stolen file remain encoded. If those few are specially targeted individuals, then it might be worth running your computer for a few weeks just to get the results you are looking for. But, the really clever passwords are double or triple encrypted so that brute force isn't effective against those. Well it wasn't, but now you can parallel video cards and make your own super computer for the price of one brand new silver Yogi - ok maybe two, but it's just a matter of wiring ten cards together.
From what I understand brute force is a benchmark, but there are other better and more efficient ways to break passwords if you are really interested in doing such a thing. The quantum computers talked about in the article are said to be capable of taking all the password files in existence, plus those that ever existed, and decrypt them using brute force in a matter of seconds. Certainly no longer than a few minutes. What kind of crazy computing power are we talking about here?
Way back when we discussed encryption on neoBrainformation, we talked about two purposes for network encryption keys. One is for verification that you are indeed communicating with who you think you are. The other purpose is for security of exchanged data. HTTPS does both over the public network and it does it in such a way that you do not need to know the encryption keys. The keys are automatically generated and discovered by the browser in the the background. Thus, all that beautiful plain text from the forms you send out never leaves your computer unless it's encrypted. You don't get back plain text either. It's all handled at the browser level via HTTPS.
The Notary Public analogy applies in some ways. The job of the notary is to do exactly what you described. S/he affixes a seal to testify that s/he witnessed the person sign the document. End of story. A signature guarantee, however, is one that has identified the signatory as being who they claim to be. These signature guarantees are not provided by a notary. I had to get a bank official involved when I needed them a couple times. They had to see the request for my signature and I had to produce documents verifying my identity which included mail with my name on it to my address. The purpose of a notory is simply to be a state appointed witness to an event. Guaranteeing your identiy/signature is a whole different ball game.
Re: Unbreakable Passwords
Apparently the NSA is sharing some of the trepidation you foresee Gary. They are telling people now to forget pursuit of encryption as we know it today and to concentrate on quantum computing resistant algorithms.
QUANTUM FEVER: http://motherboard.vice.com/read/the-ns ... ntum-fever
QUANTUM FEVER: http://motherboard.vice.com/read/the-ns ... ntum-fever
Re: Unbreakable Passwords
I read the information in the link to Quantum Fever.
I can see having to keep national security documents and exchanges at the highest level of security possible.
What I don't understand is all the hype behind HTTPS for posting a public message on Farcebook.
So it is encrypted so nobody can read it before it is decrypted and placed on a Public News Feed so everyone can freely read it.
You did mention something about individual password encryption. I read somewhere a couple of days ago that websites do not encrypt the users passwords, they encrypt the whole file, yes, but each users password is encrypted independently. This would explain why only a few get cracked each time a hacker runs his program to figure them out.
However, if each persons password is encrypted, wouldn't it also mean that the decryption of it is also held at the same location in order to decrypt it?
Let's say I use a password such as "John17Doe_eTbOb"
I have to type it in a second time before it is encrypted and stored by the web site requesting same.
But when I go back to the website later, I would use exactly what I typed in to start with.
So they would have to take what I typed in, check what encryption they used to convert it to the encrypted form, then make sure they have that password on file before letting me in.
Whether the same code is used for everyone, or each individual person is given a different code, the input to the website is still your password as typed. A good place for a hacker to steal the passwords is at the input port I would think.
I can see storing it encrypted so probing eyes can't see what the passwords are. But a hacker could if he got the list figure them out. So it seems to me, protecting the list from hackers should be of more importance.
So, to make sure, we now store everything in a cloud, hi hi...
Sounds a little hazy to me!
Another Topic:
Remember Google's BIG PUSH for everyone to make their websites Mobile Friendly, so we wouldn't lose ranking, AND so that Mobile Friendly sites would get the "Mobile Friendly" line along with their listings.
Have you seen any marked "Mobile Friendly"? I haven't, and don't know anyone who has.
TTUL
Gary
I can see having to keep national security documents and exchanges at the highest level of security possible.
What I don't understand is all the hype behind HTTPS for posting a public message on Farcebook.
So it is encrypted so nobody can read it before it is decrypted and placed on a Public News Feed so everyone can freely read it.
You did mention something about individual password encryption. I read somewhere a couple of days ago that websites do not encrypt the users passwords, they encrypt the whole file, yes, but each users password is encrypted independently. This would explain why only a few get cracked each time a hacker runs his program to figure them out.
However, if each persons password is encrypted, wouldn't it also mean that the decryption of it is also held at the same location in order to decrypt it?
Let's say I use a password such as "John17Doe_eTbOb"
I have to type it in a second time before it is encrypted and stored by the web site requesting same.
But when I go back to the website later, I would use exactly what I typed in to start with.
So they would have to take what I typed in, check what encryption they used to convert it to the encrypted form, then make sure they have that password on file before letting me in.
Whether the same code is used for everyone, or each individual person is given a different code, the input to the website is still your password as typed. A good place for a hacker to steal the passwords is at the input port I would think.
I can see storing it encrypted so probing eyes can't see what the passwords are. But a hacker could if he got the list figure them out. So it seems to me, protecting the list from hackers should be of more importance.
So, to make sure, we now store everything in a cloud, hi hi...
Sounds a little hazy to me!
Another Topic:
Remember Google's BIG PUSH for everyone to make their websites Mobile Friendly, so we wouldn't lose ranking, AND so that Mobile Friendly sites would get the "Mobile Friendly" line along with their listings.
Have you seen any marked "Mobile Friendly"? I haven't, and don't know anyone who has.
TTUL
Gary
Re: Unbreakable Passwords
Encryption is very enigmatic. I wish I knew more about it so that I could explain it in understandable terms. 
HTTPS is about data encryption. The data exchanged between you and a site using HTTPS goes through a process of encryption/decryption under the hood so to speak. You do not have to intervene for it to happen. The bidirectional transmissions are all encoded, and that is the sole function of HTTPS.
The most likely form of hacking on the Internet is what is called a Man In The Middle attack. This is simply a situation where all the communication between you and the intended server is routed through an intermediary computer that is owned by some nefarious hacker. The hacker collects everything coming and going from your computer and analyzes it at his convenience. HTTPS scrambles all the data before you send it out so that the bad guy just gets gibberish. Thus HTTPS has value for defending against Man In The Middle attacks.
There are several ways to produce encryption keys and that article I quoted suggests that the standard methods are quickly becoming obsolete. I don't know if any of that article applies to HTTPS, but I do know when using that protocol nothing leaves your network card unless it's encrypted first. The server receives your encrypted password and stores it as a record in a database. It could also be stored in a file where the file itself can be encrypted to provide double encryption. When you log into that server it compares your encrypted password against the previously hashed password it has in it's database. If the two hashes are identical, you must have sent the correct password and they let you in.
Exactly where and how the encryption of your password takes place varies depending on the methods used. The point to be made is that your passwords are hashed when they are stored on most servers and it is the hash that is being looked at to validate your credentials.
You ask a legitimate question when you cite social networks that use secure transmissions. What's the point? The point is that not everything you send is published on your timeline. Private messages, for example, do not get published. Your login credentials and any financial information you give them to buy stuff does not get publicized. All these things benefit from the use of HTTPS but only to the extent of making that Man In The Middle do a little more work. However, keep in mind that places like Facebook own everything you give them. They keep that information and sell it to anyone who can pay for it.
HTTPS is about data encryption. The data exchanged between you and a site using HTTPS goes through a process of encryption/decryption under the hood so to speak. You do not have to intervene for it to happen. The bidirectional transmissions are all encoded, and that is the sole function of HTTPS.
The most likely form of hacking on the Internet is what is called a Man In The Middle attack. This is simply a situation where all the communication between you and the intended server is routed through an intermediary computer that is owned by some nefarious hacker. The hacker collects everything coming and going from your computer and analyzes it at his convenience. HTTPS scrambles all the data before you send it out so that the bad guy just gets gibberish. Thus HTTPS has value for defending against Man In The Middle attacks.
There are several ways to produce encryption keys and that article I quoted suggests that the standard methods are quickly becoming obsolete. I don't know if any of that article applies to HTTPS, but I do know when using that protocol nothing leaves your network card unless it's encrypted first. The server receives your encrypted password and stores it as a record in a database. It could also be stored in a file where the file itself can be encrypted to provide double encryption. When you log into that server it compares your encrypted password against the previously hashed password it has in it's database. If the two hashes are identical, you must have sent the correct password and they let you in.
Exactly where and how the encryption of your password takes place varies depending on the methods used. The point to be made is that your passwords are hashed when they are stored on most servers and it is the hash that is being looked at to validate your credentials.
You ask a legitimate question when you cite social networks that use secure transmissions. What's the point? The point is that not everything you send is published on your timeline. Private messages, for example, do not get published. Your login credentials and any financial information you give them to buy stuff does not get publicized. All these things benefit from the use of HTTPS but only to the extent of making that Man In The Middle do a little more work. However, keep in mind that places like Facebook own everything you give them. They keep that information and sell it to anyone who can pay for it.
Re: Unbreakable Passwords
Actually, what you said today, rang a bell with me.
Every time you connect to a website, and possibly after each data transfer, a handshake is established.
Within this handshake is where the encryption code for your next outbound transmission is included.
So the recipient can decode the next transfer of data.
It sounds like passwords work sorta like the checksum of a file transfer.
If that is how the programmer who wrote the website set it up to work I would think.
Before we got the new mainframe at work, one of the things we had to do was type in an entire paragraph from a book or document only we knew what it came from. This was used to encrypt what they were sending to us, but it became encrypted when we sent it to them, so even they did not know what it was.
How all this worked I don't know. At least all I had to do at my end was enter a security number in order to see what was sent to me.
The only thing bad about that old system was if our computer broke and we had to use a different computer, we had to set up everything all over again for each computer we used.
We do not have to do this on the new system they installed.
Probably a good thing too, because if you forgot that long paragraph we had to type in, it was twice as hard to get another one set up to replace it.
In the early days of computing, when I needed to get someones credit card, I had them send each set of four digits in a different e-mail and to a different e-mail address. It was a pain for them I'm sure, but back then, it was the safest way I knew to do it. Most folks didn't mind because the number was sent like as if it was part of a telephone number in one, as a part of a product serial number in another, etc. I made it easier for them by sending a four part form which they sent back in four separate e-mails, and as I said to four different e-mail addresses, at different ISPs too.
Today everything is handled through a shopping cart service.
There are probably a lot more hackers today than there were back then too, hi hi...
Every time you connect to a website, and possibly after each data transfer, a handshake is established.
Within this handshake is where the encryption code for your next outbound transmission is included.
So the recipient can decode the next transfer of data.
It sounds like passwords work sorta like the checksum of a file transfer.
If that is how the programmer who wrote the website set it up to work I would think.
Before we got the new mainframe at work, one of the things we had to do was type in an entire paragraph from a book or document only we knew what it came from. This was used to encrypt what they were sending to us, but it became encrypted when we sent it to them, so even they did not know what it was.
How all this worked I don't know. At least all I had to do at my end was enter a security number in order to see what was sent to me.
The only thing bad about that old system was if our computer broke and we had to use a different computer, we had to set up everything all over again for each computer we used.
We do not have to do this on the new system they installed.
Probably a good thing too, because if you forgot that long paragraph we had to type in, it was twice as hard to get another one set up to replace it.
In the early days of computing, when I needed to get someones credit card, I had them send each set of four digits in a different e-mail and to a different e-mail address. It was a pain for them I'm sure, but back then, it was the safest way I knew to do it. Most folks didn't mind because the number was sent like as if it was part of a telephone number in one, as a part of a product serial number in another, etc. I made it easier for them by sending a four part form which they sent back in four separate e-mails, and as I said to four different e-mail addresses, at different ISPs too.
Today everything is handled through a shopping cart service.
There are probably a lot more hackers today than there were back then too, hi hi...