J. J. Lodder <nospam@de-ster.demon.nl> wrote:
> mechanic <mechanic@example.net> wrote:
>
>> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>>
>>> As long as people need to type in passwords they aren't going to
>>> use long and complicated strings.
>>
>> No excuse!
>
> And long passwords need not be difficult.
> 1RoseByAnyOtherNameWillSmellAsSweet!
> will be just fine,
> (if you are not known for fandom)

Or correct-horse-battery-staple

Yet people still think complexity is better than length. Sometimes this is
true as some places artificially restrict the length of acceptable
passwords. Some as short as 9-12 characters IME.

On 2023-02-20 02:45, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2023-02-19 17:56, Chris wrote:
>>> Alan Browne <bitbucket@blackhole.com> wrote:
>>>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>>>
>>>>>> Not in the dictionary much.
>>>>>>
>>>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>>>> the co.
>>>>>>
>>>>>> Another engineer used a dictionary attack.  Got nowhere.
>>>>>> Then asked "who was the engineer anyway?"
>>>>>> "Eric"
>>>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>>>> quickly... (Hebrew rendered in the English alphabet).
>>>>>
>>>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>>>
>>>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
>>>>> method will definitely work, but needs time! ;)
>>>>
>>>> That was back then - since then people have learned (I hope) to use real
>>>> passwords such as the one I put up.
>>>
>>> Many do and many don't.
>>>
>>> As long as people need to type in passwords they aren't going to use long
>>> and complicated strings.
>>
>> Either use a password manager (as I do) or become clever in the
>> composition of the passwords.
>
> I agree and do use s password manager myself. However, having tried to
> persuade family members to do the same, it's just too much of a faff and
> they stick with their crappy and/or written down passwords.
>
> With the best will in the world many people will not be using best
> practices.

Alas, very true. At least my SO has developed the "clever" passwords
mode. But she does keep them written down in a "safe place".

--
“Donald Trump and his allies and supporters are a clear and present
danger to American democracy.”
- J Michael Luttig - 2022-06-16
- Former US appellate court judge (R) testifying to the January 6
committee

On 20/2/2023 8:42 pm, Chris wrote:
>
> At work one time, I set up my password as a 25 character random string via
> my password manager which was great until they decided to sync the network
> password with the local password on my machine. So when when I needed to
> login after a reboot or screensaver kicks in I had to type it in manually.

You should use your brain to memorize all 25-character random strings. :)

On 2023-02-20 07:33, J. J. Lodder wrote:
> mechanic <mechanic@example.net> wrote:
>
>> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>>
>>> As long as people need to type in passwords they aren't going to
>>> use long and complicated strings.
>>
>> No excuse!
>
> And long passwords need not be difficult.
> 1RoseByAnyOtherNameWillSmellAsSweet!
> will be just fine,

Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.

--
“Donald Trump and his allies and supporters are a clear and present
danger to American democracy.”
- J Michael Luttig - 2022-06-16
- Former US appellate court judge (R) testifying to the January 6
committee

Alan Browne <bitbucket@blackhole.com> wrote:

> On 2023-02-20 07:33, J. J. Lodder wrote:
> > mechanic <mechanic@example.net> wrote:
> >
> >> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
> >>
> >>> As long as people need to type in passwords they aren't going to
> >>> use long and complicated strings.
> >>
> >> No excuse!
> >
> > And long passwords need not be difficult.
> > 1RoseByAnyOtherNameWillSmellAsSweet!
> > will be just fine,
>
> Good, but insert a few numbers/spec chars in the middle too ... along
> with a misspelled word and caps in the "wrong" places ... and it will be
> as good as random where a dictionary+brute force attack occurs.

Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,

Jan

Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:

> On 20/2/2023 8:42 pm, Chris wrote:
> >
> > At work one time, I set up my password as a 25 character random string via
> > my password manager which was great until they decided to sync the network
> > password with the local password on my machine. So when when I needed to
> > login after a reboot or screensaver kicks in I had to type it in manually.
>
> You should use your brain to memorize all 25-character random strings. :)

No problem with that at all, for me.
The problem is memorising a few particular ones,

Jan

In article <1q6gy5q.1fuccml6gve0bN%nospam@de-ster.demon.nl>, J. J.
Lodder <nospam@de-ster.demon.nl> wrote:

>
> Most sites insist nowadays on at least one digit,
> one capitalised letter, and one special sign.
> My example complies,

that actually makes it *easier* to crack, since all passwords that
don't meet the artificial requirements can immediately be ruled out,
thereby reducing the number of possibilities.

nospam <nospam@nospam.invalid> wrote:

> In article <1q6gy5q.1fuccml6gve0bN%nospam@de-ster.demon.nl>, J. J.
> Lodder <nospam@de-ster.demon.nl> wrote:
>
> >
> > Most sites insist nowadays on at least one digit,
> > one capitalised letter, and one special sign.
> > My example complies,
>
> that actually makes it *easier* to crack, since all passwords that
> don't meet the artificial requirements can immediately be ruled out,
> thereby reducing the number of possibilities.

Yes, but the character space becomes much greater.
There really are people who have lower case-only,
or digits-only passwords.

Jan

J. J. Lodder <nospam@de-ster.demon.nl> wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>
>> On 2023-02-20 07:33, J. J. Lodder wrote:
>>> mechanic <mechanic@example.net> wrote:
>>>
>>>> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>>>>
>>>>> As long as people need to type in passwords they aren't going to
>>>>> use long and complicated strings.
>>>>
>>>> No excuse!
>>>
>>> And long passwords need not be difficult.
>>> 1RoseByAnyOtherNameWillSmellAsSweet!
>>> will be just fine,
>>
>> Good, but insert a few numbers/spec chars in the middle too ... along
>> with a misspelled word and caps in the "wrong" places ... and it will be
>> as good as random where a dictionary+brute force attack occurs.
>
> Most sites insist nowadays on at least one digit,
> one capitalised letter, and one special sign.
> My example complies,

It may not comply with length restrictions and some sites only allow
certain special characters.

Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:
> On 20/2/2023 8:42 pm, Chris wrote:
>>
>> At work one time, I set up my password as a 25 character random string via
>> my password manager which was great until they decided to sync the network
>> password with the local password on my machine. So when when I needed to
>> login after a reboot or screensaver kicks in I had to type it in manually.
>
> You should use your brain to memorize all 25-character random strings. :)

Waste of grey matter. Remembering one or two long, non-random strings is
sufficient :)

On Tue, 14 Feb 2023 20:10:11 -0000, Paul <nospam@needed.invalid> wrote:

> On 2/14/2023 10:05 AM, Commander Kinsey wrote:
>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
>
> Old ZIP, trivially crack-able.
> New ZIP, not so much.
>
> https://en.wikipedia.org/wiki/ZIP_%28file_format%29#Strong_encryption_controversy
>
> "WinZip introduced its own AES-256 encryption"
>
> Not everything with that file extension, is easy pickins.
> You'll need a dictionary attack, and cracking speed will
> depend on whether they decided to use multi-pass or not.
>
> The last time I experimented with cracking, the software
> said "it will take 13 years" :-) You get the idea. Mind you,
> I was unable to get my video card to work on it, my attempt
> ran CPU-only.
>
> $ file SketchUp2017.zip <=== made an AES-256 with 7-ZIP zip option, set password to "12345"
>
> SketchUp2017.zip: Zip archive data, at least v5.1 to extract
>
> $ file shotwell-master.zip
>
> shotwell-master.zip: Zip archive data, at least v1.0 to extract
>
> $ file Sandboxie-5.40.zip
>
> Sandboxie-5.40.zip: Zip archive data, at least v1.0 to extract
>
> The non-crypto ones are the "more-compatible" ones that even
> Windows can open for extraction.

Yip, Windows is annoying, it opens a zip without me even noticing it's not a folder, since the icons are so similar. Then it gives a stupid error nothing to do with the problem. The problem being I need a password, but it doesn't seem to know that.

On Tue, 14 Feb 2023 20:20:41 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:

> Commander Kinsey wrote on 2/14/2023 :
>> On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org>
>> wrote:
>>
>>> Commander Kinsey explained on 2/14/2023 :
>>>> Trying to get into a password protected zip. Got three instances of a
>>>> free
>>>> password cracker (Stella Data Recovery) running for the last handful of
>>>> hours
>>>> trying three different methods (they only use 1 core each). Still not got
>>>> in. I find it hard to believe zips are that tightly sealed.
>>>
>>> 256 bit encryption is pretty strong.
>>>
>>> What was used to encrypt it?
>>
>> Is there not a standard for all zips?
>>
>> I remember from the 90s when zips were a new thing, it was a laugh they could
>> easily be opened.
>
> Yes, their password protection was feeble. Now they 'can' encrypt with
> 128 or 256 bit encryption algorithms.
>
> That is a very large 'password space' (keyspace) to slog through doing
> even modified brute force attacks.

Yes, the program I tried asked for hints. Like did I use capital letters, numbers, symbols etc. I guess it was designed for people trying to hack into their own zip files....

On Wed, 15 Feb 2023 16:35:42 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:

> Tim Slattery formulated on Wednesday :
>> "Commander Kinsey" <CK1@nospam.com> wrote:
>>
>>> Trying to get into a password protected zip. Got three instances of a free
>>> password cracker (Stella Data Recovery) running for the last handful of
>>> hours trying three different methods (they only use 1 core each). Still not
>>> got in. I find it hard to believe zips are that tightly sealed.
>>
>> The ZIP format was created for data compression, not security. Since
>> then password protection has been added to it. I guess it would be as
>> strong or weak as any other encrypted format.
>
> From:
>
> https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.7.TXT
>
> 4.4.3 version needed to extract (2 bytes)
>
> 4.4.3.1 The minimum supported ZIP specification version needed
> to extract the file, mapped as above. This value is based on
> the specific format features a ZIP program MUST support to
> be able to extract the file. If multiple features are
> applied to a file, the minimum version MUST be set to the
> feature having the highest value. New features or feature
> changes affecting the published format specification will be
> implemented using higher version numbers than the last
> published value to avoid conflict.
>
> 4.4.3.2 Current minimum feature versions are as defined below:
>
> 1.0 - Default value
> 1.1 - File is a volume label
> 2.0 - File is a folder (directory)
> 2.0 - File is compressed using Deflate compression
> 2.0 - File is encrypted using traditional PKWARE encryption
> 2.1 - File is compressed using Deflate64(tm)
> 2.5 - File is compressed using PKWARE DCL Implode
> 2.7 - File is a patch data set
> 4.5 - File uses ZIP64 format extensions
> 4.6 - File is compressed using BZIP2 compression*
> 5.0 - File is encrypted using DES
> 5.0 - File is encrypted using 3DES
> 5.0 - File is encrypted using original RC2 encryption
> 5.0 - File is encrypted using RC4 encryption
> 5.1 - File is encrypted using AES encryption
> 5.1 - File is encrypted using corrected RC2 encryption**
> 5.2 - File is encrypted using corrected RC2-64 encryption**
> 6.1 - File is encrypted using non-OAEP key wrapping***
> 6.2 - Central directory encryption
> 6.3 - File is compressed using LZMA
> 6.3 - File is compressed using PPMd+
> 6.3 - File is encrypted using Blowfish
> 6.3 - File is encrypted using Twofish

Could my stockfish decrypt twofish?

On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:

> On 2/15/2023 11:13 AM, Tim Slattery wrote:
>> "Commander Kinsey" <CK1@nospam.com> wrote:
>>
>>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
>>
>> The ZIP format was created for data compression, not security. Since
>> then password protection has been added to it. I guess it would be as
>> strong or weak as any other encrypted format.
>
> The export laws on crypto, historically had a chilling effect
> on crypto strength.

No government can stop me encrypting how I wish, then sending it to anyone in any country.

> And to some extent, that hasn't changed.
> It's only when it impacts the competitiveness of a country,
> that it stops.
>
> It used to be "you stop it before it happens" was how
> you handled crypto. Today, it's the usage of rubber hoses
> which is the preferred method (the TrueCrypt mystery,
> and legislative attempts to build backdoors).
>
> When ZIP was invented, elliptic curve didn't exist. But
> there were still likely to have been methods which signal
> you are using the "tough" version. Using a weak-as-piss
> method ensures your product can be Exported.
>
> The same kinds of things happened on PDF format.
>
> And the old protection on ZIP is so weak, if Google wants to,
> they can scan ZIP attachments in GMail with that protection method,
> in "real time". You can't have a much weaker crypto than that.
> It's no barrier at all.
>
> The newer method on the other hand, is more of an impediment.
>
> Even the encryption on 7Z has had the odd issue, but these
> implementation details have been corrected.

Isn't 7zip just a zip program, using the same standards as any other?

Am 23.02.23 um 09:10 schrieb Commander Kinsey:
> On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:
>
>> On 2/15/2023 11:13 AM, Tim Slattery wrote:
>>> "Commander Kinsey" <CK1@nospam.com> wrote:
>>>
>>>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
>>>
>>> The ZIP format was created for data compression, not security. Since
>>> then password protection has been added to it. I guess it would be as
>>> strong or weak as any other encrypted format.
>>
>> The export laws on crypto, historically had a chilling effect
>> on crypto strength.
>
> No government can stop me encrypting how I wish, then sending it to anyone in any country.

Sure. But you will be blacklisted and not allowed to fly anymore.
Your next parking ticket is your death sentence ... :-D

America is as totalitarian as Russia or China.
But many Americans think they live in a free country.

*ROTFLSTC*.

--
Gutta cavat lapidem (Ovid)

On 2/23/2023 3:10 AM, Commander Kinsey wrote:
> On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:
>
>> On 2/15/2023 11:13 AM, Tim Slattery wrote:
>>> "Commander Kinsey" <CK1@nospam.com> wrote:
>>>
>>>> Trying to get into a password protected zip.  Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each).  Still not got in.  I find it hard to believe zips are that tightly sealed.
>>>
>>> The ZIP format was created for data compression, not security. Since
>>> then password protection has been added to it. I guess it would be as
>>> strong or weak as any other encrypted format.
>>
>> The export laws on crypto, historically had a chilling effect
>> on crypto strength.
>
> No government can stop me encrypting how I wish, then sending it to anyone in any country.
>
>> And to some extent, that hasn't changed.
>> It's only when it impacts the competitiveness of a country,
>> that it stops.
>>
>> It used to be "you stop it before it happens" was how
>> you handled crypto. Today, it's the usage of rubber hoses
>> which is the preferred method (the TrueCrypt mystery,
>> and legislative attempts to build backdoors).
>>
>> When ZIP was invented, elliptic curve didn't exist. But
>> there were still likely to have been methods which signal
>> you are using the "tough" version. Using a weak-as-piss
>> method ensures your product can be Exported.
>>
>> The same kinds of things happened on PDF format.
>>
>> And the old protection on ZIP is so weak, if Google wants to,
>> they can scan ZIP attachments in GMail with that protection method,
>> in "real time". You can't have a much weaker crypto than that.
>> It's no barrier at all.
>>
>> The newer method on the other hand, is more of an impediment.
>>
>> Even the encryption on 7Z has had the odd issue, but these
>> implementation details have been corrected.
>
> Isn't 7zip just a zip program, using the same standards as any other?

Just as RAR has a custom compressor (and charges money for it),
7ZIP has a custom compressor (7z) and it is free.

I think these are arithmetic compressors, similar to LZMA, but
you'll probably find a wikipedia entry with the details.

The other thing it has, is a pre-processor. There is a method
for re-encoding EXE files, and if 7Z senses EXE files, it passes
the data through the pre-processor, before the main 7Z compression
step runs.

7ZIP has multithreaded compression and multithreaded decompression.
By using all the cores, the slow LZMA-like method is delivered at
moderate speed.

To compress a hard drive full of data with 7Z, costs about $1 worth
of electricity. Just to give some idea, that certain computing things
do cost real money. A machine can grind for most of the day,
compressing a disk drive.

Some of the other compressors built into 7Z, are not multicore.
The winZIP compressor is probably not running on multiple cores.

PIGZ is a parallel version of GZIP. It uses multiple cores during
compression, but only one core during decompression. And the
multiple cores, may have a limit. Whereas 7ZIP can use all your
cores for .7z .

On Win10 or Win11, you set the thread count to 2x as many as
the CPU. A CPU with 6C 12T, you set the thread count to 24,
so that the 12 virtual cores are well-loaded. This helps keep
the CPU usage bar at 100%. If you set the thread count to 12
(one per virtual core), it only runs at about 80% or so.
Since the dictionary size for Ultra mode is 600MB per thread,
24*600 = close to 16GB of RAM. So if you want to make your
CPU as hot as possible, you need sufficient RAM for all the
threads of execution to use.

And then, when 7ZIP is finished all that mumbo-jumbp, it
can do a pass of AES256 and encrypt the output blocks.
Encryption is done after compression, because encrypted
data does not compress. That's how you can tell the
quality of encryption, if it does not compress and
the file becomes smaller.

Paul

On Sat, 18 Feb 2023 13:35:15 -0000, Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:

> On 18/2/2023 7:25 am, Alan Browne wrote:
>>
>> Not in the dictionary much.
>>
>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>> the co.
>>
>> Another engineer used a dictionary attack. Got nowhere.
>> Then asked "who was the engineer anyway?"
>> "Eric"
>> He switched to a Hebrew dictionary and the zip file was opened
>> quickly... (Hebrew rendered in the English alphabet).
>
> It's still a dictonary hack, using a human languagte called Hebrew! :)

They're not human.

> The other method is of course using the characteristic of ASCII/EBCDIC!
> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
> method will definitely work, but needs time! ;)

Especially if it's a password like I use. Press the shift slowly on and off, while mashing the other hand on the letters and numbers. So you get capitals, lower case, symbols, and numbers.

On Sat, 18 Feb 2023 13:35:51 -0000, Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:

> On 18/2/2023 9:35 pm, Mr. Man-wai Chang wrote:
>>
>> The other method is of course using the characteristic of ASCII/EBCDIC!
>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>> method will definitely work, but needs time! ;)
>
> Exactly like hacking a combination lock...

No, you listen with a stethoscope to see if you get a number right. Or if the lock is shit, you can pull it slightly further apart when one number is correct.

Mind you, a combination lock doesn't encrypt the contents, so you can just use bolt cutters.

On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:

> On 19/2/2023 1:18 am, FromTheRafters wrote:
>>
>> Modified Brute Force attack.
>>
>> Twice Modified Brute Force attack.
>>
>> Brute Force attack.
>
>
> People might not know the meaning of "brute force". Picking phyical
> locks might be easier to understand. :)

Everybody knows what brute force is.

On Sun, 19 Feb 2023 07:38:58 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:

> Mr. Man-wai Chang explained on 2/19/2023 :
>> On 19/2/2023 1:18 am, FromTheRafters wrote:
>>>
>>> Modified Brute Force attack.
>>>
>>> Twice Modified Brute Force attack.
>>>
>>> Brute Force attack.
>>
>> People might not know the meaning of "brute force".
>
> True, but as you know it just means the whole keyspace is searched and
> on average you check half of them to get a winner.

Does that mean we should always have passwords full of Zs? Would ZZZZZZZZZZZZZZZZZZZZ be the slowest password to hack?
>> Picking phyical locks might be easier to understand. :)

If it's a key lock, you don't randomly poke at it.

> True again, but when you can reduce the keyspace to a smaller set it is
> a 'Modified Brute Force attack' so needing to check only for words
> reduces the effective keyspace and then further restricting to only
> words for a language known to be used by the person doing the
> encryption narrows it even further.

Nobody uses words, it's always something like GiraFfE-36£!

On Sat, 18 Feb 2023 17:12:33 -0000, Alan Browne <bitbucket@blackhole.com> wrote:

> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>
>>> Not in the dictionary much.
>>>
>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>> the co.
>>>
>>> Another engineer used a dictionary attack. Got nowhere.
>>> Then asked "who was the engineer anyway?"
>>> "Eric"
>>> He switched to a Hebrew dictionary and the zip file was opened
>>> quickly... (Hebrew rendered in the English alphabet).
>>
>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>
>> The other method is of course using the characteristic of ASCII/EBCDIC!
>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>> method will definitely work, but needs time! ;)
>
> That was back then - since then people have learned (I hope) to use real
> passwords such as the one I put up. Also the encryption level used
> these days is far better than back then.

Encryption level is irrelevant if you're trying passwords.

On Mon, 20 Feb 2023 00:00:12 -0000, Paul <nospam@needed.invalid> wrote:

> On 2/19/2023 5:56 PM, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>>
>>>>> Not in the dictionary much.
>>>>>
>>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>>> the co.
>>>>>
>>>>> Another engineer used a dictionary attack. Got nowhere.
>>>>> Then asked "who was the engineer anyway?"
>>>>> "Eric"
>>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>>> quickly... (Hebrew rendered in the English alphabet).
>>>>
>>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>>
>>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>>>> method will definitely work, but needs time! ;)
>>>
>>> That was back then - since then people have learned (I hope) to use real
>>> passwords such as the one I put up.
>>
>> Many do and many don't.
>>
>> As long as people need to type in passwords they aren't going to use long
>> and complicated strings.
>>
>>> Also the encryption level used
>>> these days is far better than back then.
>>
>> It doesn't matter how good the encryption is if the password is bad.
>
> Any Internet-facing passwords here, are long and strong.
>
> Security inside my LAN is poor. If something gets in here,
> it's total destruction time... If I spent the whole day
> building a fort out of cardboard boxes, there would be nothing
> of value inside the fort (all my waking hours would be spent
> on the fort and nothing else).
>
> Is my router vulnerable ? Based on industry standards of
> security, the answer to that is... Yes.
>
> Part of the security for a home user, is what the ISP
> is doing. For example, I watched one day, as someone within
> myisp.com was scanning my node. Today, the ISP does not allow
> other users to scan internal nodes, so I no longer see
> script kiddies doing stuff like that. However, Google can
> still attempt to scan the node. There is, of course, no
> purposeful webserver running (that I know of). There could
> be localhost:631 within the bash shell, but that's about it.
> Even if IIS on the current OS, actually installed useful
> stuff (it doesn't), I would not be doing that. I have used
> the IIS ftpd setup in the past, but only on an episode basis
> (for a couple hours, and not port-forwarded, then removed).
>
> Since my WinXP machine died, my imaginary security has
> gone up this much [fingers measure a tiny space about
> the size of a millimeter] :-)

I once ran a security check on my computer, which scanned from an outside website, and apparently it wa 100% tightly shielded and even broke a load of RFCs by not responding.

On Sun, 19 Feb 2023 23:10:30 -0000, Alan Browne <bitbucket@blackhole.com> wrote:

> On 2023-02-19 17:56, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>>
>>>>> Not in the dictionary much.
>>>>>
>>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>>> the co.
>>>>>
>>>>> Another engineer used a dictionary attack. Got nowhere.
>>>>> Then asked "who was the engineer anyway?"
>>>>> "Eric"
>>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>>> quickly... (Hebrew rendered in the English alphabet).
>>>>
>>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>>
>>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>>>> method will definitely work, but needs time! ;)
>>>
>>> That was back then - since then people have learned (I hope) to use real
>>> passwords such as the one I put up.
>>
>> Many do and many don't.
>>
>> As long as people need to type in passwords they aren't going to use long
>> and complicated strings.
>
> Either use a password manager (as I do) or become clever in the
> composition of the passwords. So earlier I posted a pretty random one
> appropriate to a password manager.
>
> Alternately strong passwords that are memorable can look something like:
>
> merrY$penGuin@2four78

Why make it memorable? (Not that I'd ever remember what you just chose) I just save them all in a text file, and also let the browser remember them. If someone breaks into my house the last thing I'd care about is getting into some online accounts.

It happens that Commander Kinsey formulated :
> On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
> <toylet.toylet@gmail.com> wrote:
>
>> On 19/2/2023 1:18 am, FromTheRafters wrote:
>>>
>>> Modified Brute Force attack.
>>>
>>> Twice Modified Brute Force attack.
>>>
>>> Brute Force attack.
>>
>>
>> People might not know the meaning of "brute force". Picking phyical
>> locks might be easier to understand. :)
>
> Everybody knows what brute force is.

A cryptography 'jargon' term for an exhaustive key search.

On 3/1/2023 3:32 PM, Commander Kinsey wrote:
> On Sat, 18 Feb 2023 13:35:15 -0000, Mr. Man-wai Chang
> <toylet.toylet@gmail.com> wrote:

>>
>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>
> They're not human.
>

Really? If you think that then nobody is and since a lot of the computer
hardware and code was developed by them you should not be using any of it.