DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Force Username for Administration

30 Nov 2009 16:12 #59123 by admin
Replied by admin on topic Force Username for Administration
And for the purposes of noting what Morpheus is ignoring, here it is a third time:


1. Username : admin
Password: u785jgu34%5437

vs.

2. Username : Jimmy (User defined)
Password: u785jgu34

Morpheus thinks that on the router No.2 is more secure.

i.e. that no matter how complex or long a password on your router is, having a username too is more secure?

Given suitably strong passwords, and assuming the examples above, both would require the same effort to crack. In fact, as Morpheus points out yourself, the fact that 'Jimmy' would be visible on-screen, is an additional weakness.




Forum Administrator

30 Nov 2009 16:18 #59124 by admin
Replied by admin on topic Force Username for Administration
Oh, and probability-wise, assuming x permissible ASCII characters and a string length n and a strong (non-dictionary) password, a brute force attack would require x to the power n iterations to reach a 1:1 probability.

It doesn't matter whether the string is in one password, or split across the username and password into two parts. The strength is the same.



Forum Administrator

30 Nov 2009 16:48 #59125 by mordorf
Replied by mordorf on topic Force Username for Administration
Wrong!

If we take just the 26 letters of the English alphabet, add uppercase which takes us to 52 possible characters (just to keep it simple).

Take a 3 letter password, there are exactly 140608 possible permutations

Take a 6 letter password, there are exactly 19770609664 possible permutations

Take a 3 letter username and a 3 letter password, that's 140608^3 which is 2779905883635712 possible permutations.

For reference take a look here
http://www.mathsisfun.com/combinatorics/combinations-permutations-calculator.html

You need to understand the difference between combinations and permutations.

But like I said previously this thread isn't about authentication string length, never has been except in your mind!

I look forward to your apology!

30 Nov 2009 20:02 #59128 by rothers
Replied by rothers on topic Force Username for Administration

Mordorf wrote:

Take a 3 letter username and a 3 letter password, that's 140608^3 which is 2779905883635712 possible permutations.


Not when I was at school it wasn't
Correct answer is of course:

52^6 = 19770609664

30 Nov 2009 23:15 #59131 by admin
Replied by admin on topic Force Username for Administration

Mordorf wrote: I look forward to your apology!



Okay, I'm sorry that I assumed that you were interested in discussing this rather than blindly defending your error and to smokescreen the contra-evidence.

Mordorf wrote: Take a 3 letter username and a 3 letter password, that's 140608^3 which is 2779905883635712



Really?

A password string of 3+3 (i.e. 6!) characters with 52 variations of character is 6^52, which is 19,770,609,664 permutations.

Mordorf wrote: You need to understand the difference between combinations and permutations.



No you don't! This is a simple permutation.



Forum Administrator
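
Added example, not part of any post in this thread: the keyspace arithmetic under discussion (x to the power n for x permitted characters and total length n), checked by exhaustive enumeration on a small constructed alphabet and then evaluated for the thread's 52-character, 3+3 case. The function names and the `username_known` flag are assumptions of this example; the flag models a username the attacker already has, such as a fixed default or one shown on screen.

```python
from itertools import product
from math import log2


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols: x ** n."""
    return alphabet_size ** length


def count_pairs_by_enumeration(alphabet: str, user_len: int, pass_len: int) -> int:
    """Count every (username, password) pair by actually generating them."""
    total = 0
    for _user in product(alphabet, repeat=user_len):
        for _password in product(alphabet, repeat=pass_len):
            total += 1
    return total


def effective_keyspace(alphabet_size: int, user_len: int, pass_len: int,
                       username_known: bool) -> int:
    """Candidates a brute-force search must cover.

    An unknown username multiplies the password keyspace by its own keyspace;
    a username the attacker already knows contributes a factor of 1.
    """
    passwords = keyspace(alphabet_size, pass_len)
    if username_known:
        return passwords
    return keyspace(alphabet_size, user_len) * passwords


if __name__ == "__main__":
    # Constructed 4-symbol alphabet so the enumeration finishes instantly.
    small = "abcd"
    enumerated = count_pairs_by_enumeration(small, 3, 3)
    print("enumerated 3+3 pairs over 4 symbols:", enumerated)
    print("single 6-symbol string, 4 symbols  :", keyspace(len(small), 6))

    # The thread's numbers: 52 characters (upper and lower case letters).
    for known in (False, True):
        n = effective_keyspace(52, 3, 3, username_known=known)
        print(f"52 chars, 3+3, username_known={known}: {n} (~{log2(n):.1f} bits)")
    print("52 chars, one 6-character password:", keyspace(52, 6))
```
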

03 Dec 2009 20:09 #59181 by churchill
Replied by churchill on topic Interesting
I'm crap at maths but I always thought that 2 layers was better than one.

This has made me think now because you both seem to know what you're on about.

We need a hacker to step in... :wink:

Just had a thought and that is, if the default user name was changeable then the potential chances of being attacked would be less... I think? So more of a deterrent?


Moderators: ChrisSami