View Full Version : How safe is your password?


denachtenmai
7th Dec 2017, 09:32
The password for my computer would take this long to crack :eek:

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.74 centuries

https://www.grc.com/haystack.htm

Have fun.

Exrigger
7th Dec 2017, 09:38
Online Attack Scenario:
(Assuming one thousand guesses per second) 64.65 billion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 6.46 hundred centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 64.65 years

I think that should do.

andytug
7th Dec 2017, 09:48
The longer you can make it the better. Special characters etc don't really make it much better.
This was part of a course I went on; we were shown "rainbow tables" available online, basically a giant list of every possible password of a certain length. As the password gets longer, the size of the table (number of possible passwords) goes up exponentially; by the time you get to 18-20 characters it's into the terabytes.
Unfortunately a lot of websites restrict passwords to 8 characters or so, which could be brute-forced by most home computers given time, and by online cloud computing in seconds.
Best is supposed to be a phrase memorable only to you; "batteryhorsestaple" is the usually quoted example.

Cazalet33
7th Dec 2017, 09:58
So someone sets up a website which invites suckers to type in their password;

Then the suckers get to find out how "secure" their password i̶s̶ was.

I see.:cool:

Hussar 54
7th Dec 2017, 09:59
The most recent site for which I had to create a password insisted that it had to be at least eight characters.

So my password for that site is ' Snowwhiteandthesevendwarfs '....Or is that too easily ' guessable ' ??

Sallyann1234
7th Dec 2017, 10:18
Password cracking by multiple guessing - either manual or automated - only works if unlimited attempts are allowed.

Any sensible access system will (a) build in a small delay before responding, to defeat rapid retries, and (b) only allow a limited number of attempts before locking out.

Ancient Mariner
7th Dec 2017, 10:26
So someone sets up a website which invites suckers to type in their password;

Then the suckers get to find out how "secure" their password i̶s̶ was.

I see.:cool:

My thoughts exactly. No guessing or cracking required.
Per

larssnowpharter
7th Dec 2017, 10:51
One wonders how many passwords or pin codes for ex-servicemen involve their service number. I know I'm guilty.🤔

denachtenmai
7th Dec 2017, 10:53
So someone sets up a website which invites suckers to type in their password;

Then the suckers get to find out how "secure" their password i̶s̶ was.

I see.

Check up on who Steve Gibson is before opining.;)

https://www.grc.com/

Gertrude the Wombat
7th Dec 2017, 12:25
The password for my computer would take this long to crack :eek:
Only with a brute force attack using no intelligence at all. I doubt anybody does that in real life - pretty well any other approach is vastly faster.

Tech Guy
7th Dec 2017, 12:37
Online Attack Scenario:
(Assuming one thousand guesses per second) 17.35 thousand trillion trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.74 hundred million trillion centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.74 hundred thousand trillion centuries

ehwatezedoing
7th Dec 2017, 12:40
Online Attack Scenario:
(Assuming one thousand guesses per second) 17.35 thousand trillion trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.74 hundred million trillion centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.74 hundred thousand trillion centuries

That's impressive, but how long does it take you each time to type your password? :confused:

ian16th
7th Dec 2017, 12:50
Check up on who Steve Gibson is before opining.;)

https://www.grc.com/


The owner of Bulkhaul and Middlesbrough FC.

Steve_Gibson_(businessman) (https://en.wikipedia.org/wiki/Steve_Gibson_(businessman))

Ancient Mariner
7th Dec 2017, 12:57
Check up on who Steve Gibson is before opining.;)

https://www.grc.com/

Based on the childish layout of his website he's American.
I think I'll keep my passwords to myself.
Per

charliegolf
7th Dec 2017, 13:20
'password' as a password really isn't as good as I thought it was!

G-CPTN
7th Dec 2017, 13:22
'password' as a password really isn't as good as I thought it was!

'your password' is better . . .

Seldomfitforpurpose
7th Dec 2017, 13:44
So someone sets up a website which invites suckers to type in their password;

Then the suckers get to find out how "secure" their password i̶s̶ was.

I see.:cool:

Why is this the exact first thing that came into my mind :eek:

Sallyann1234
7th Dec 2017, 14:28
Based on the childish layout of his website he's American.
I think I'll keep my passwords to myself.
Per
Actually Steve Gibson is well known and respected in the industry. He has been actively researching security since the 1980s and produced a number of very useful tools, some of which have received awards.

If the website appears 'childish', that is only because it is very old and hasn't been updated with modern frills.

Of course no one in their right mind would share their real password, but you can safely offer an analogue for testing that has similar characteristics to the real one.

But as I said above, brute force hacking of passwords is futile if the target will only allow six attempts at one second intervals before blocking further attempts.

Calculations of how long brute force attacks would take at so many attempts per second are purely academic and of no practical use.
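
The figures quoted earlier in the thread are the three fixed-rate scenarios from the Haystack page, and the point just made is that a delay plus a lockout collapses the attacker's effective rate. The following is an added example, not code from the thread or from GRC, that works both out; the character-class counts (26/26/10/33) and the lockout figures are assumptions, and the sample passwords are constructed for illustration.

```python
# Added example, not taken from the thread or from GRC: a brute-force time
# estimate in the style of the Haystack page. Assumed counting rules: 26 lower,
# 26 upper, 10 digits, 33 symbols, each class counted if it appears in the
# password, and every length from 1 up to the password's length is searched.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
# The three guess rates quoted in the thread, in guesses per second.
SCENARIOS = {"Online Attack": 1e3, "Offline Fast Attack": 1e11,
             "Massive Cracking Array": 1e14}

def alphabet_size(password: str) -> int:
    """Size of the character set an attacker has to assume for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def search_space(password: str) -> int:
    """Candidates of length 1..L over an alphabet of size a: a + a^2 + ... + a^L."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))

def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY

def centuries_with_lockout(password: str, burst: int, lockout_seconds: float) -> float:
    """Same search against a server that allows only `burst` attempts and then
    refuses further tries for `lockout_seconds` (the defence described above):
    the attacker's effective rate collapses to burst / lockout_seconds."""
    return centuries_to_exhaust(password, burst / lockout_seconds)

if __name__ == "__main__":
    # Constructed sample passwords, not anyone's real ones.
    for pw in ("password", "aB3dEf7hIj1lM"):
        print(f"{pw}: alphabet {alphabet_size(pw)}, search space {search_space(pw):.3e}")
        for name, rate in SCENARIOS.items():
            print(f"  {name}: {centuries_to_exhaust(pw, rate):.3g} centuries")
    # Six attempts, then a 15-minute lockout (assumed figures), for an 8-letter word.
    print(f"rate-limited: {centuries_with_lockout('password', 6, 900):.3g} centuries")
```

This models only the exhaustive search the thread is comparing; as noted earlier in the thread, a dictionary word such as 'password' falls to a wordlist long before any of these times matter.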

G-CPTN
7th Dec 2017, 14:44
As a person of advancing years with short-term memory leakage, I find it irritating when infrequently-visited sites insist on not allowing re-use of previously-used passwords.

I have enough difficulty remembering passwords for these sites, never mind creating new ones that I can remember.

Sallyann1234
7th Dec 2017, 14:51
As a person of advancing years with short-term memory leakage, I find it irritating when infrequently-visited sites insist on not allowing re-use of previously-used passwords.

I have enough difficulty remembering passwords for these sites, never mind creating new ones that I can remember.

You need a password manager. Then you only have to remember one secure password.

The Best Password Managers of 2017 - Password Managers - Products (http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2017#)

ShyTorque
7th Dec 2017, 14:55
I just use my name.

It dosnet mtater bceuase I'm dylsexci

Seldomfitforpurpose
7th Dec 2017, 14:57
I just use my name.

It dosnet mtater bceuase I'm dylsexci

That was not your given name when we met all those years ago on SH :p

ShyTorque
7th Dec 2017, 15:43
That was not your given name when we met all those years ago on SH :p

No, wasn't it "Sir?" (You get it in three guesses, He, he)!

Thankfully you never knew my middle name anyway. :ok:

Seldomfitforpurpose
7th Dec 2017, 15:44
Now that did make me giggle :ok:

ShyTorque
7th Dec 2017, 15:52
Now that did make me giggle :ok:


So you did know my middle name? :p

Sent you a pm, btw.

11Fan
7th Dec 2017, 16:06
I generally use the word incorrect as my password, and if I forget, my computer reminds me.

Your password is incorrect. Please try again.

BlankBox
7th Dec 2017, 16:12
...stick this in...

!!!!!!aA!!!!!!

...see watcha get... :E

Pontius Navigator
7th Dec 2017, 16:16
Online Attack Scenario:
(Assuming one thousand guesses per second) 64.65 billion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 6.46 hundred centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 64.65 years

I think that should do.
One hundred thousand trillion centuries is what one of my passwords gave:

My old mans a dustman

Sadly I can't remember whether I used an apostrophe or spaces. Worse, I can remember which backup set it applied to. Anyway, that drive is now no more.

Pontius Navigator
7th Dec 2017, 16:20
Based on the childish layout of his website he's American.
I think I'll keep my passwords to myself.
Per
Not childish, but free of all the folderols that allow such sites to be hacked. I have used his Spinrite program for over 25 years. Early iterations allowed you to double the capacity of a 40 Meg hard drive.

charliegolf
7th Dec 2017, 16:33
As a person of advancing years with short-term memory leakage, I find it irritating when infrequently-visited sites insist on not allowing re-use of previously-used passwords.

I have enough difficulty remembering passwords for these sites, never mind creating new ones that I can remember.

Me too. I alternate 2 generally secure ones (this month's with a 1 added for next month). Then I can always work it out.:ok:

CG

denachtenmai
7th Dec 2017, 16:35
Actually Steve Gibson is well known and respected in the industry.

Exactly Sallyann, I've been using his stuff for years, especially "Shields Up".

This was meant to be a bit of fun not to degenerate into a battle about suckers and their passwords being reaped.

One thing it does show, though, is how much just adding a couple of characters increases the cracking time.

G-CPTN
7th Dec 2017, 17:05
So, AbCdEfGhIjKlMnOpQrStUvWxYz would be a good one?

ehwatezedoing
7th Dec 2017, 17:39
This one should be better :}
ΕρΤυΘιΟπΑσΔφΓηΞκΛζΧψΩβΝμ

Ancient Mariner
7th Dec 2017, 18:27
So, qAbCdEfGhIjKlMnOpQrStUvWxYz would be a good one?

Add , and , and you're good.
Per

andytug
7th Dec 2017, 20:52
So, AbCdEfGhIjKlMnOpQrStUvWxYz would be a good one?
Very good..... but good luck typing it in when the site shows it as a bunch of asterisks not the actual letters.. :)

G-CPTN
7th Dec 2017, 21:05
My usual passwords include numerals and both upper case and lower case letters - almost impossible to get right on a tablet.

Terry Dactil
7th Dec 2017, 22:41
Be horrified by just how easy it is for professionals to find passwords.

Computer Science at the University of Nottingham:
https://www.dropbox.com/s/8skopxc6qzhk2jl/passwords.JPG?dl=1

You can see the 'Computerphile' videos on the link below.
https://www.youtube.com/watch?v=3NjQ9b3pgIg&t=9s

Pontius Navigator
8th Dec 2017, 09:21
And of course there are sites that do not permit symbols which seriously reduces the options.

And there are countless commercial sites that require a password with no obvious benefit.

I use a password vault that both generates and stores passwords. I need only remember one and simply copy/paste in a website.

Zombywoof
8th Dec 2017, 10:08
no one in their right mind would share their real password, but you can safely offer an analogue for testing that has similar characteristics to the real one.

Take the PW you wish to test and Rot13 it. ;)

cattletruck
8th Dec 2017, 10:22
There are two human weaknesses to having a good strong password:
1) Being told to change it frequently.
2) Having to access many disparate systems.
Both the above will wear you down; after all, you are (I hope) human.

There has to be a better way.... and hopefully it's not a suggestion by those security boffins.

Ex Cargo Clown
8th Dec 2017, 10:39
Once worked for a bank that had three separate systems, with three different passwords that had to be changed at different intervals, 21-30 days generally. All it did was encourage you to write the passwords down, or stick them in my mobile under "assumed" names.