Jeff7
Lifer
- Jan 4, 2001
- 41,596
- 20
- 81
Raduque
Lifer
- Aug 22, 2004
- 13,140
- 138
- 106
Red Squirrel
No Lifer
I don't know why, but I have a bad feeling about putting a real password into a random internet webpage. LOL
I made one up that is the same idea as what I typically use. It said 107 years.
I made one up that is the same idea as what I typically use. It said 107 years.
I think it probably assumes that the guesser is going to exclude symbols first short of some outside knowledge giving reason to behave otherwise.
It makes sense to me at least, do you think there's more people with or without a symbol in their password? It's just playing the odds.
oogabooga
Diamond Member
- Jan 14, 2003
- 7,806
- 3
- 81
Wondering too. I use KeePass and it generates some password (I think Lower, upper, numbers, low level symbols (-=.!)) and it's unique per site. I feel pretty safe with it but maybe I'm crazy
Wondering too. I use KeePass and it generates some password (I think Lower, upper, numbers, low level symbols (-=.!)) and it's unique per site. I feel pretty safe with it but maybe I'm crazy
I also started using KeePass last year after my gmail account was hacked. The password wasn't incredibly complicated, but I think the real problem was that I was using the exact same password on many other sites such as forums that were probably much less secure than gmail. I'm guessing one of those was hacked, which gave the hacker my email and password.
Now that I have KeePass, I can create ridiculously complex passwords, at least to the extent that the site will allow them. I only have to remember one password to unlock the database. I suppose that creates a vulnerable point, but any password scheme has weaknesses. To me, this seemed like a better alternative than trying to remember many different complex passwords or using the exact same password in many places.
Jeff7
Lifer
- Jan 4, 2001
- 41,596
- 20
- 81
I'm thinking that the unfortunate problem we've run into is that, in the past, the threat was from a person guessing your password, because a computer didn't have the necessary processing power to brute-force an encrypted piece of data, so you didn't want to use a short and simple password. (Though "correct horse battery staple" probably wouldn't be the first thing I'd think to guess.) Now you've got OpenCL password crackers that can brute-force at impressive speeds while running on a consumer-level graphics card.
What I do hate is sites that only allow extremely simple passwords, or have stupid rules.
"Password must be 4-8 characters long, and include a capital letter, a number, and a punctuation mark."
Ok, but it's still a short password.
Or "Password must be 6-15 characters long, and must be letters only."
No digits? Even the basic ASCII set includes numbers and punctuation. A $1 PIC chip with 64 bytes of RAM can handle basic ASCII!
Yup. You can dramatically reduce the time it takes to guess a password if you reduce the available character set.
If you've got a password that's 1-8 characters long, and you know it's comprised of some sequence of the letters a, b, and c, then that's a pool of only 3 possible characters to choose from. Guessing all possible combinations wouldn't take too terribly long.
But you probably won't know what characters are in the password - or its length. A lot of people probably use all lowercase though, because it's easier to remember and type. So you'll want to guess those first.
If you throw a capital in there, that means that the guesser would need to include an additional 26 characters (capitals) in the pool of characters. Time to guess just went up by a lot.
Now add a digit - another 10 characters in the pool.
Now add punctuation - another...bunch of characters in the pool. (These might be included as part of a Shift+ character set, which would include capitals and punctuation.)
Now, if the site or application supports it, add a non-keyboard character, like à or ‡. I don't know what that adds to the pool, but good luck guessing it. I hope you have a nice PS3 cluster available for cracking something like that.
* - I'm assuming that you have a cracking program which has a pool of characters which is user-defined, tweakable by individual characters in the pool - for example, if I happen to see someone type a password, and I notice that they can type it left-handed, and without using Shift, I might be able to narrow the pool to the lowercase characters on the left half of the keyboard, plus the digits 1-5.
Last edited:
paperfist
Diamond Member
How do they actually use brute force on say a forum log-in?
I never understood how say if I was trying to log-in on this site I'd be able to run one of those before it locked you out for too many tries.
mikeymikec
Lifer
- May 19, 2011
- 21,009
- 16,259
- 136
It depends how they implement it; if it was through say storing information in cookies, the workaround is trivial. I can't imagine the security of a forum login system being terribly formidable.
But then, we live in a funny world. I could easily see some nerd levelling up on their security skills through coming up with unique and interesting ways of securing their forum software, whereas a twat designing the login system for a bank's online banking site who should really have read a few books on the topic first.
lxskllr
No Lifer
- Nov 30, 2004
- 60,060
- 10,547
- 126
It isn't typically against a login form, but a hacked database offline.
Mine's not bad.
I use a random sequence of seven characters (symbols, upper and lowercase) which I've had memorized for years. I then follow it with 102938!)@(#*
Who can figure that sequence out the fastest? Shouldn't take more than 10 seconds for a human.
I use a random sequence of seven characters (symbols, upper and lowercase) which I've had memorized for years. I then follow it with 102938!)@(#*
Who can figure that sequence out the fastest? Shouldn't take more than 10 seconds for a human.
snoopy7548
Diamond Member
- Jan 1, 2005
- 8,255
- 5,330
- 146
I put in a variation of my Keepass master password (same rules, but obviously different characters), and I got two tredecillon years. I never knew that existed.
I switched to a password manager a couple of years ago and I absolutely love it. I probably have around 100 passwords saved in that thing (all extremely strong, where allowed) and I only need to remember one password.
I switched to a password manager a couple of years ago and I absolutely love it. I probably have around 100 passwords saved in that thing (all extremely strong, where allowed) and I only need to remember one password.
ch33zw1z
Lifer
- Nov 4, 2004
- 39,752
- 20,326
- 146
Yup, I use safe in cloud still. Only need to remember two passwords total, the database password and the Google account password where I store it.
ultimatebob
Lifer
- Jul 1, 2001
- 25,134
- 2,450
- 126
About 131 billion years for the typical password length and complexity that I use. I'm OK with that.
ultimatebob
Lifer
- Jul 1, 2001
- 25,134
- 2,450
- 126
Except that the script kiddies read the infamous xkcd "correcthorsebatterystaple" comic as well, and now use combinations of dictionary words in their brute force attacks.
rh71
No Lifer
- Aug 28, 2001
- 52,844
- 1,049
- 126
42 minutes. Guess I'll be spending the next 42 hours changing passwords. I wish I saw this thread earlier today when I went through the trouble of updating my contact phone number on all relevant sites. Sonova...
BTW, it's interesting that "test" or "testtest" would be instant, but "testtesttest" is 4 weeks, and "testtesttesttest" is 35 thousand years. I guess I have my new password.
BTW, it's interesting that "test" or "testtest" would be instant, but "testtesttest" is 4 weeks, and "testtesttesttest" is 35 thousand years. I guess I have my new password.
paperfist
Diamond Member
Ah so total hack. I take it then most forum hacks are someone guessing the password.
lxskllr
No Lifer
- Nov 30, 2004
- 60,060
- 10,547
- 126
I'd suspect a lot of forum "hacks" are due to more important databases that were cracked, and people reusing login credentials. IOW, a lot of people will use their yahoo login for everything. Search a username, then use the same password from yahoo. Good chances of it working, especially in years past. Hopefully people are getting smarter about it, but I wouldn't put money on it.
mikeymikec
Lifer
- May 19, 2011
- 21,009
- 16,259
- 136
Semi-related: I had a customer say that they were recently told to change their password for xyz and because that password was similar/same as for a few other sites, they decided to go on a password-changing binge.
Now I would have thought that common sense would have kicked in and they would think "what's the best way to do this" (ie. better take some notes etc), but no. They just went ahead and started password resetting. Could they remember the new password for one of those sites? No.
Now I would have thought that common sense would have kicked in and they would think "what's the best way to do this" (ie. better take some notes etc), but no. They just went ahead and started password resetting. Could they remember the new password for one of those sites? No.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 22K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
News NVIDIA and Intel to Develop AI Infrastructure and Personal Computing Products- Started by poke01
- Replies: 411
Facebook
Twitter