Geekzone: technology news, blogs, forums
nunz
1421 posts

Uber Geek
Inactive user


  #2221604 21-Apr-2019 09:37

dafman:

A lot of discussion about brute force attacks, but in reality how many sites we log into are at risk of brute force attack?


Unless you have an unprotected database on some obscure server, most of us use passwords for the likes of email, social media, banking, cloud services etc, all of which will have protection against brute force attacks. If I stuff up my password for gmail more than a few times I'm stuffed, so I'm not particularly concerned about statistics of the time required for brute force attempts to crack my gmail password.


I use long passwords, unique by service, and protected by MFA where available, so I'm not particularly concerned about hackers trying to hack me at so many thousands of attempts per nanosecond.



The problem is facebook and others have lousy security and many sites are vulnerable to script injection or similar which gives a cracker your password.
A large corporate just got done for having passwords in a plain text file.



  #2221627 21-Apr-2019 10:55

Geektastic: But utterly impossible to remember unless you're Rainman...

 

You don't need to remember them though.

 

I only remember 3 of my complex passwords; the rest the password manager remembers for me, and it's so much faster than having to type them in.


dafman
3925 posts

Uber Geek

Trusted

  #2221631 21-Apr-2019 11:09

ANglEAUT:

 

Jase2985:

 

It's hard to memorize 50+ passwords, especially when they are complex and especially when you change them regularly.

 

 

Very true indeed

 

 

I have heaps of passwords, all unique. I keep them encrypted in Keepass (with a very long password) but can remember most of my common ones.

 

I use unconnected words that I can string together to remember. For example, looking out my window right now I can see birds in our cabbage tree. So if I was changing a password, say for email this morning, I might use: outsideCabbagebirds.

 

Easy to remember (I think back to what I was doing when I last changed this password) and, according to 'how safe is my password', it will take about 6 trillion years to brute force hack.

 

 




TwoSeven
1623 posts

Uber Geek

Subscriber

  #2221634 21-Apr-2019 11:23

Geektastic:
paulchinnz:

Hmm, ns8vfpobzmx098bf4coj with a number added to the end of it should just about be impenetrable...



But utterly impossible to remember unless you're Rainman...


And not very strong, it is only 5 bits.




Software Engineer
   (the practice of real science, engineering and management)
A.I.  (Automation rebranded)
Gender Neutral
   (a person who believes in equality and who does not believe in/use stereotypes. Examples such as gender, binary, nonbinary, male/female etc.)

 

 ...they/their/them...


paulchinnz
Circumspice
793 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2221712 21-Apr-2019 13:04

Strength is relative, but for the record, according to the article referenced by the OP, it'd take centuries to brute force ns8vfpobzmx098bf4coj


freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2221713 21-Apr-2019 13:07

Remember this is all for nothing if the service provider (a forum, a pizza place) stores the passwords as plain text instead of hashing and encrypting them. You can't worry about the things you can't manage, so that's why it's important you don't reuse passwords and use a long one (where possible). These are things you can manage.







freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2221716 21-Apr-2019 13:14

nunz:

 

BTW - The password checker referenced above says Password1234 takes 3000 years to guess. Password strength checkers are dodgy at best. JesusJohn3:16 takes millions of years to crack -- except it doesn't. Dashlane's ideas on password strength are a little dated.

 

 

Exactly, Password1234 may look strong but it is weak because it's been in leaks before so it's probably on the top of dictionaries. And in any brute force attempt, Bad Actors (TM) will first try Known Passwords, you know, just in case. So Password1234 can actually be broken in less time than it takes for you to blink.





surfisup1000
5288 posts

Uber Geek


  #2221718 21-Apr-2019 13:17

dafman:

 

ANglEAUT:

 

Jase2985:

 

It's hard to memorize 50+ passwords, especially when they are complex and especially when you change them regularly.

 

 

Very true indeed

 

 

I have heaps of passwords, all unique. I keep them encrypted in Keepass (with a very long password) but can remember most of my common ones.

 

I use unconnected words that I can string together to remember. For example, looking out my window right now I can see birds in our cabbage tree. So if I was changing a password, say for email this morning, I might use: outsideCabbagebirds.

 

Easy to remember (I think back to what I was doing when I last changed this password) and, according to 'how safe is my password', it will take about 6 trillion years to brute force hack.

 

 

 

 

the problem with keepass is that the website integration is not great. At least, when I was using it a few years ago. 

 

 


nunz
1421 posts

Uber Geek
Inactive user


  #2221764 21-Apr-2019 16:02

I right click the password entry and it auto types in the login forms.

Side note. 3 or 4 dictionary words together is not strong. I'll try to find the article where a cracker details an exploit, but hashing multiple words is standard now, as are large hash tables of words and variants. Today's CPU power eats that type of job up very quickly and produces comprehensive hash tables.

dafman
3925 posts

Uber Geek

Trusted

  #2221793 21-Apr-2019 18:36

surfisup1000:


the problem with keepass is that the website integration is not great. At least, when I was using it a few years ago. 



I keep my keepass file in Dropbox and can access it via a Windows app and an Android app (keepass droid), both of which integrate well. I think for iOS there are more limitations.


timmmay
20578 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221829 21-Apr-2019 19:42

dafman:

 

I keep my keepass file in Dropbox and can access it via a Windows app and an Android app (keepass droid), both of which integrate well. I think for iOS there are more limitations.

 

 

Same, but with free dropbox now you can only link 3 devices. Home PC, work PC, and phone reaches that limit. I've started sharing it between personal devices using Resilio Sync (BitTorrent Sync).

 

OwnCloud looks pretty nice for things like this, but I've never tried it. I might try some time, but my server is an AWS t2.nano reserved instance with 512MB RAM and 512MB of swap, I'm not sure it has the resources available. I might have a play with it one day though.


TwoSeven
1623 posts

Uber Geek

Subscriber

  #2221858 21-Apr-2019 20:57

paulchinnz:

Strength is relative, but for the record, according to the article referenced by the OP, it'd take centuries to brute force ns8vfpobzmx098bf4coj



I would suggest a matter of days.






Batman
Mad Scientist
29761 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221927 21-Apr-2019 23:16

freitasm:

 

If you ever had doubts that reusing passwords is a costly mistake; that adding a number to the end of your previous password is stupid; if longer random-generated passwords are a burden, then read this article.

 

 

 

 

In the article it mentions crack times of passwords, ranging from 0.2 to 12 mins (from my first glance)

 

How do they know they have cracked the password? From what I know of how to log in to a website - you type in a guessed password, click log in, and then get a response. Try a few times and get locked out. Is there a way for hackers to bypass this hassle and enter passwords thousands of times a second without getting locked out?


freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2221929 21-Apr-2019 23:21

How many websites do this? Some websites don't limit at all. Some websites still store passwords in plaintext.

Forget about them. Do what you have to do to protect yourself.






nunz
1421 posts

Uber Geek
Inactive user


  #2222036 22-Apr-2019 10:31

Batman:

freitasm:


If you ever had doubts that reusing passwords is a costly mistake; that adding a number to the end of your previous password is stupid; if longer random-generated passwords are a burden, then read this article.


 



In the article it mentions crack times of passwords, ranging from 0.2 to 12 mins (from my first glance)


How do they know they have cracked the password? From what I know of how to log in to a website - you type in a guessed password, click log in, and then get a response. Try a few times and get locked out. Is there a way for hackers to bypass this hassle and enter passwords thousands of times a second without getting locked out?



Crackers will exploit a user db ... often SQL injection via insecure web forms. This gives them hashed passwords.
They then run the hashes against known hash db and then run brute force on the rest.

Once they plain text the password they will know as the guessed hash matches the hash from the db.

They use rigs containing multiple graphics cards and fast drives or else hand it off to zombie nets for spread cpu processing.
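As an added illustration of the two points made above (freitasm: a leaked password like Password1234 sits at the top of cracking dictionaries regardless of what a strength meter says; nunz: dumped hashes are first matched against known-hash tables), here is example Python that is not from the thread. It shows the defender's side: an unsalted fast hash of a breached password is recovered by a plain table lookup, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256) makes precomputed tables useless, and a signup check refuses known-leaked passwords outright. The leak list is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "leak table": unsalted SHA-256 of a few passwords that
# have appeared in past breaches, the kind of list dumped hashes get matched
# against before anyone bothers brute-forcing the remainder.
KNOWN_LEAKED = ["Password1234", "password", "123456", "JesusJohn3:16"]
LEAK_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in KNOWN_LEAKED}


def unsalted_sha256(password: str) -> str:
    """What a careless service stores: fast, unsalted, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_leaked(stored_hex: str) -> Optional[str]:
    """Recovering an unsalted hash is a dictionary lookup; no brute force needed."""
    return LEAK_TABLE.get(stored_hex)


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$dk_hex' so the work factor can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_known_leaked(password: str) -> bool:
    """Signup / change-password check: refuse anything already in the leak list,
    however many years a strength meter claims it would take to brute force."""
    return unsalted_sha256(password) in LEAK_TABLE


if __name__ == "__main__":
    weak = "Password1234"
    print("unsalted lookup: ", lookup_leaked(unsalted_sha256(weak)))    # Password1234
    stored = hash_password(weak)
    print("salted lookup:   ", lookup_leaked(stored.split("$")[2]))     # None
    print("verify correct:  ", verify_password(weak, stored))           # True
    print("verify wrong:    ", verify_password("Password1235", stored)) # False
    print("reject at signup:", is_known_leaked(weak))                   # True
```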
