Old 12-06-2021, 07:34 PM   #61
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 10,718
Quote:
Originally Posted by Kwirk View Post
Anything the cracker knows about your predilections makes it easier. For example, one might guess that special characters tend to come at the beginning and/or end of passwords, and that certain special characters are much more commonly used than others. One might guess that the capital is only the first letter of many passwords, possibly following the only special character. One might guess that many users don't exceed the minimum number of characters. Those guesses, if correct, could make it possible to crack many passwords with much less effort (even if yours would be very safe).
Having written many algorithms when the sender was trying to be as clear as possible, and having seen the complexity required just to get two parties that are acting cooperatively communicating without error, I'm not worried about a hacker figuring out if I tend to pad with asterisks, tildes, pound signs, brackets and if I pad with 17 at the front and 10 in the back, or whatever my predilection. One risk that could affect someone, but it's a long-shot, is that if you always used 17 asterisks in front and 10 in the back, and only changed the 8 characters in the middle, and you used that on a poorly implemented site where they simply save your password and a hacker got a hold of that, AND, made the solid connection that you were a 17 / 10 asterisk person, then they'd "only" have a search space of 6,704,780,954,517,120 to try (8 characters, 95 possibilities for each). Let's just say that's not keeping me awake at night.
sengsational is offline   Reply With Quote

Old 12-06-2021, 10:33 PM   #62
Full time employment: Posting here.
Kwirk's Avatar
 
Join Date: Mar 2006
Posts: 524
Quote:
Originally Posted by sengsational View Post
...Let's just say that's not keeping me awake at night.
Nor should it. The most common danger is using an easily cracked password on a poorly secured site and then using it again on other sites (think banks).

Of course another danger is being a very rich target and using an easily guessed password, e.g. one based on the name of your dog or your children. Social media can be a great source of clues.
Kwirk is offline   Reply With Quote
Old 12-06-2021, 11:15 PM   #63
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Sunset's Avatar
 
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 17,078
Quote:
Originally Posted by Kwirk View Post
Nor should it. The most common danger is using an easily cracked password on a poorly secured site and then using it again on other sites (think banks).

Of course another danger is being a very rich target and using an easily guessed password, e.g. one based on the name of your dog or your children. Social media can be a great source of clues.
Right, the hacker can simply click on forgot password, or phone into the bank claiming to have lost his phone. Then answer the challenge questions.

I put in random/crazy answers for my challenge questions, as my social information is publicly accessible.
__________________
Fortune favors the prepared mind. ... Louis Pasteur
Sunset is offline   Reply With Quote
Old 12-07-2021, 10:56 AM   #64
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 10,718
Quote:
Originally Posted by Sunset View Post
I put in random/crazy answers for my challenge questions, as my social information is publicly accessible.
I imagine the guy struggling with a 20 character, fully random password, and having "Blue" as the color of his first car. Weakest link, and all that.
sengsational is offline   Reply With Quote
Old 12-07-2021, 01:15 PM   #65
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Northern Ohio
Posts: 3,182
Quote:
Originally Posted by Kwirk View Post
The most common danger is using an easily cracked password on a poorly secured site and then using it again on other sites (think banks).
For important sites, it's fairly common sense to not use the same passwords, but also make sure you aren't using the same usernames. Most sites allow you to change them.
mpeirce is offline   Reply With Quote
Old 12-07-2021, 03:30 PM   #66
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Mar 2015
Location: the prairies
Posts: 5,040
Quote:
Originally Posted by Kwirk View Post
Of course another danger is being a very rich target and using an easily guessed password, e.g. one based on the name of your dog or your children. Social media can be a great source of clues.
Thousands of people answer "quizzes" on Facebook all the time...what was your first car, name the city you grew up in, your first dog's name, etc., probably not realizing that they're giving away answers to security questions.
Music Lover is offline   Reply With Quote
Old 12-07-2021, 04:37 PM   #67
Recycles dryer sheets
 
Join Date: May 2019
Location: Living room couch
Posts: 153
Quote:
Originally Posted by bizlady View Post
Interesting article on passwords. Using 12 characters with at least one upper case capital letter, one number and one symbol could take a hacker 34000 years to break.

On the other hand, 8 characters with one upper case capital letter and one number may take just an hour.

Nice chart where you can check your potential vulnerability

https://www.msn.com/en-us/money/insu...edgdhp&pc=U531
I hate articles like this because they are at least 1,000,000,000% wrong. My job prior to retiring was defending networks from attacks. Not the useless compliance and audit nonsense, the real hands-on blue team/red team stuff.

I retired two years ago and the automated password crackers that worked on stolen password files exceeded 6 billion tries per second (yes, with a "B"). I'm sure they're a lot faster nowadays.

No shorter password comprised of upper case, lower case, numbers and the usual "special characters" is going to withstand an attack of that speed for long. None.

The developers need to take special precautions when storing the passwords in a non-reversible format, "salted", and hashed. In addition a really slow (yes, slow) system such as BCRYPT needs to be used.

Why slow? On a per-user basis, the user will never notice that the login is slow. But when trying to crack a password automatically, a slow mechanism will put the brakes on that 6 billion-per-second cracker. See https://arstechnica.com/information-...Pierce%20wrote. for more info.

In addition, if you really want an almost uncrackable password you need to use what are known as "high ASCII" characters.

Go over to that numeric keypad on the right of your keyboard, hold down the ALT key on the keyboard and type three random digits above 127 and below 256 such as ALT 129 and then release the ALT key. That one will look like this:

ü

ALT 237 = φ

My favorite in passwords was ALT 255 which is the NULL character but looks like a space. But that one has caused some apps to crash so use it wisely.

The high ASCII table: https://theasciicode.com.ar/

Yes, longer is better than more complex if you cannot use high ASCII characters and yes, you can easily remember it.

Mary had a big lamb and it was very tasty.

42 characters, one upper case, one lower case, and a special character at the very end.

If you go with a "passphrase" like I wrote, do not use phrases or even passages out of books. Make one up or modify a well-known one.

Why? Dictionary-based crackers have taken entire well-known sayings and even a few books and entered them into their systems.

HTH,

Ray
NXR7 is offline   Reply With Quote
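The storage side of the post above, as an added example that is not code from the thread: a salted, deliberately slow password hash with a self-describing record, a constant-time verify, and the arithmetic for how much a work factor slows the "6 billion tries per second" cracker. Assumptions: PBKDF2-HMAC-SHA256 stands in for the bcrypt the post names because it ships with Python's standard library; the 600,000 iteration count is an illustrative 2021-era value, not a number from the thread; and the "effective rate" model (attacker rate divided by the iteration count) is a rough approximation, since the 6 billion/s figure applies to one particular fast hash.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2 because it
# ships with Python; the iteration count is illustrative, not from the thread.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm, cost, per-user salt, derived key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for a full brute-force sweep of alphabet_size**length guesses."""
    return alphabet_size ** length / guesses_per_second


def effective_rate(fast_hash_rate, iterations):
    """Rough model: a hash costing `iterations` fast hashes divides the cracker's rate by that factor."""
    return fast_hash_rate / iterations


if __name__ == "__main__":
    record = hash_password("Mary had a big lamb and it was very tasty.")
    print(record)
    print(verify_password("Mary had a big lamb and it was very tasty.", record))
    fast = 6e9  # the post's "6 billion tries per second" against a fast unsalted hash
    for n in (8, 12):
        days = seconds_to_exhaust(95, n, fast) / 86400
        years_slow = seconds_to_exhaust(95, n, effective_rate(fast, ITERATIONS)) / 86400 / 365
        print(f"{n} chars: {days:,.1f} days at a fast hash, {years_slow:,.0f} years behind PBKDF2")
```

The record format (algorithm, cost, salt, key in one string) is what lets a site raise the iteration count later and rehash users transparently on their next successful login; `hmac.compare_digest` avoids leaking, byte by byte, how much of a guess matched.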
Old 12-07-2021, 05:19 PM   #68
Recycles dryer sheets
 
Join Date: Oct 2011
Posts: 107
You can check a password "live" at Password Strength Checker and you can adjust it to fit the limits of wherever you need a password. 14 characters with upper and lower case, numbers and special characters and no adjacent repeats of the same type symbol - "Bt" is OK but not "BT" or "bt", "3e" but not "33" - is usually more than adequate. If it's the only key to a $5 million account, then perhaps a longer password would be better or you use two-part authentication - password plus a one-time PIN received via a text, phone call or email.
papaof2 is offline   Reply With Quote
Old 12-07-2021, 05:24 PM   #69
Thinks s/he gets paid by the post
 
Join Date: Dec 2017
Posts: 1,616
Quote:
Originally Posted by grasshopper View Post
On my laptops, chromebook and PC, I can only log into Vanguard with one of my 3 Yubikeys. No SMS, no email, no saved codes, I would have to call Vanguard "my voice is my password" if I lost all my keys.
Great I just turned off the text option for my account. You must have 2 of the 2FA devices activated and only "certain accounts" are eligible. I am glad that this is finally available.
RetMD21 is offline   Reply With Quote
Old 12-07-2021, 06:04 PM   #70
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
jollystomper's Avatar
 
Join Date: Apr 2012
Posts: 6,172
Quote:
Originally Posted by NXR7 View Post
If you go with a "passphrase" like I wrote, do not use phrases or even passages out of books. Make one up or modify a well-known one.

Why? Dictionary-based crackers have taken entire well-known sayings and even a few books and entered them into their systems.
I agree. My passphrases (based on the belief that "two can keep a secret, if one of them is dead" ), are based on situations in my life that I had not spoken to anyone about, modified with caps/special characters/something unique for the target site.

The more valuable the account the longer the passphrase. For example, My tech learning/information accounts do not have any info on me, and nothing is lost if they are hacked, so they get the less complicated passphrases.
__________________
FIREd date: June 26, 2018 - "This Happy Feeling, Going Round and Round!" (GQ)
jollystomper is offline   Reply With Quote
Old 12-07-2021, 06:28 PM   #71
Recycles dryer sheets
cranberryjoe's Avatar
 
Join Date: May 2013
Location: Western US
Posts: 226
The hacker community has access to millions of actual plaintext passwords gathered from various password database leaks. Looking at the patterns used, many people when required to use "at least one number" will add the number to the end of an otherwise weak password. Likewise, when they must use a symbol it's often at the end. And an upper case letter is usually at the beginning. So if you had a weak password like "secret" and you think "Secret123!" is way more secure, think again. The hackers will try every word in their database, capitalizing the words, adding various numbers to the end, etc. Or if you think you're clever and substitute 3 for e, ! for i, 0 for o, etc. the hackers are way ahead of you. They know all those tricks and they try them too. Sites that tell you your long not-random password will take 250 megabazillion years to crack don't account for the fact that hackers use heuristics to guess passwords rather than try all possible combinations, and they will guess that long password in a few hours. This is why a statistically random password is much better than one you derived from dictionary words and "dressed up" a bit with a few numbers and symbols.

Here's a now old but very interesting (and long) article about how some security experts and an actual (anonymous) hacker cracked some seemingly randomized passwords in just a few hours, without using brute force, and none of them were in the password database.

https://arstechnica.com/information-...our-passwords/

Quote:
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."
Quote:
A recently launched site from chipmaker Intel asks users "How strong is your password?," and it estimated it would take six years to crack the passcode "BandGeek2014". That estimate is laughable given that it was one of the first ones to fall at the hands of all three real-world crackers.
cranberryjoe is offline   Reply With Quote
Old 12-07-2021, 07:57 PM   #72
Recycles dryer sheets
 
Join Date: May 2019
Location: Living room couch
Posts: 153
Quote:
Originally Posted by papaof2 View Post
You can check a password "live" at Password Strength Checker and you can adjust it to fit the limits of wherever you need a password. 14 characters with upper and lower case, numbers and special characters and no adjacent repeats of the same type symbol - "Bt" is OK but not "BT" or "bt", "3e" but not "33" - is usually more than adequate. If it's the only key to a $5 million account, then perhaps a longer password would be better or you use two-part authentication - password plus a one-time PIN received via a text, phone call or email.
Another type of site I absolutely detest. If you really want to test a password do it over here: https://haveibeenpwned.com/Passwords

Troy Hunt, the administrator of that site has been fully vetted by the best agencies in the world. He has collected over 600 million passwords from hacked sites. If your password is in there it's guaranteed to be in someone's cracker database.

And...if you get malware on your device it's Game Over. Just like credit cards can be stolen directly off the point-of-sale terminal, your credentials can be swiped by malware running as you on your PC.
NXR7 is offline   Reply With Quote
Old 12-08-2021, 06:43 AM   #73
Recycles dryer sheets
 
Join Date: Dec 2014
Posts: 54
Quote:
Originally Posted by ERD50 View Post
I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95 . They have reduced the complexity on 3 of the 12 entries.

-ERD50
I think when trying to guess passwords most start from a known list of common passwords rather than trying to guess each individual character in the password. Adding the special character(s) makes the common password list much less useful.

Here is a very interesting site to test password strength with https://www.grc.com/haystack.htm

Interesting to see that of these 2 passwords the first is so much easier to remember but 95 times harder to guess than the second since it's one character longer. Contrary to popular belief, high entropy is not necessary for strong passwords.....all talked about in the above link.
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
schellem is offline   Reply With Quote
Old 12-08-2021, 07:07 AM   #74
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 10,718
The ARS Technica article, with the "complex" passwords that were cracked with dictionary plus heuristics... All of those could have been prevented by putting a short (even 3 or 4 character), totally random (system generated random, not human random, which is never random) string stuck at a random place in the password. What I'm saying is that a bit of true randomness will thwart heuristics.


Ba#sJØí#ndGeek2014, anyone? The # are not needed... just for illustration.
sengsational is offline   Reply With Quote
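The "stick a few truly random characters somewhere" idea above, as an added example that is not code from the thread: the insert comes from `secrets.SystemRandom` (the OS CSPRNG, not a human picking "random" keys), the position is random too, and `added_bits` quantifies what a rule-based cracker that already has the base word must now brute-force. The 95-character alphabet matches the count used in the thread; the `rng` parameter exists only so tests can inject a generator and is an assumption of this example.

```python
import secrets
import string
from math import log2

# The 95 printable ASCII characters the thread counts: letters, digits, 32 symbols, space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def sprinkle(password, k=4, rng=None):
    """Insert k characters from the OS CSPRNG at one uniformly random position.
    `rng` is only for tests; leave it None to get secrets.SystemRandom()."""
    rng = rng or secrets.SystemRandom()
    insert = "".join(rng.choice(ALPHABET) for _ in range(k))
    pos = rng.randint(0, len(password))  # 0 and len(password) allowed: prefix or suffix
    return password[:pos] + insert + password[pos:]


def added_bits(password_len, k, alphabet_size=len(ALPHABET)):
    """Extra search an attacker faces once a rule attack has produced the base
    word: k unknown symbols at one of password_len + 1 positions."""
    return log2(alphabet_size ** k * (password_len + 1))


if __name__ == "__main__":
    base = "BandGeek2014"  # one of the cracked plains from the Ars article quoted above
    print(sprinkle(base))
    print(round(added_bits(len(base), 4), 1), "bits added on top of guessing the base")
```

Four random printable characters at an unknown position add roughly 30 bits, which turns a candidate that fell in seconds into one needing on the order of a billion guesses per base word; a password manager does the same job more thoroughly by making the whole string random.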
Old 12-08-2021, 08:54 AM   #75
Recycles dryer sheets
 
Join Date: Dec 2016
Posts: 413
...that's why I mentioned it upthread

Quote:
Originally Posted by NXR7 View Post
I hate articles like this because they are at least 1,000,000,000% wrong. My job prior to retiring was defending networks from attacks. Not the useless compliance and audit nonsense, the real hands-on blue team/red team stuff.

I retired two years ago and the automated password crackers that worked on stolen password files exceeded 6 billion tries per second (yes, with a "B"). I'm sure they're a lot faster nowadays.

No shorter password comprised of upper case, lower case, numbers and the usual "special characters" is going to withstand an attack of that speed for long. None.

The developers need to take special precautions when storing the passwords in a non-reversible format, "salted", and hashed. In addition a really slow (yes, slow) system such as BCRYPT needs to be used.

Why slow? On a per-user basis, the user will never notice that the login is slow. But when trying to crack a password automatically, a slow mechanism will put the brakes on that 6 billion-per-second cracker. See https://arstechnica.com/information-...Pierce%20wrote. for more info.

In addition, if you really want an almost uncrackable password you need to use what are known as "high ASCII" characters.

Go over to that numeric keypad on the right of your keyboard, hold down the ALT key on the keyboard and type three random digits above 127 and below 256 such as ALT 129 and then release the ALT key. That one will look like this:

ü

ALT 237 = φ

My favorite in passwords was ALT 255 which is the NULL character but looks like a space. But that one has caused some apps to crash so use it wisely.

The high ASCII table: https://theasciicode.com.ar/

Yes, longer is better than more complex if you cannot use high ASCII characters and yes, you can easily remember it.

Mary had a big lamb and it was very tasty.

42 characters, one upper case, one lower case, and a special character at the very end.

If you go with a "passphrase" like I wrote, do not use phrases or even passages out of books. Make one up or modify a well-known one.

Why? Dictionary-based crackers have taken entire well-known sayings and even a few books and entered them into their systems.

HTH,

Ray


Yeah, I mentioned upthread about high ASCII... but, unfortunately, enough systems don't allow them to be used. As I mentioned before, I had used them when systems didn't allow as long a password (often limited to eight, sometimes (but rarely) up to twelve), as I'd wanted to be better locked down. Certain high ASCII characters couldn't be used (NULL was certainly one of them, and there were others) so one might need to check with their sysop/IT admin to determine limitations.
FI_RElater is offline   Reply With Quote
Old 12-08-2021, 09:08 AM   #76
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Mar 2015
Location: the prairies
Posts: 5,040
Quote:
Originally Posted by ERD50 View Post
I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95 . They have reduced the complexity on 3 of the 12 entries.

-ERD50
That's only true if there are designated places for numbers and characters. There isn't, so every single spot can either be a number, upper case letter, lower case letter, or a symbol. 10 + 26 + 26 + 33 = 95
Music Lover is offline   Reply With Quote
Old 12-08-2021, 09:38 AM   #77
Full time employment: Posting here.
Kwirk's Avatar
 
Join Date: Mar 2006
Posts: 524
Quote:
Originally Posted by schellem View Post
Interesting to see that of these 2 passwords the first is so much easier to remember but 95 times harder to guess than the second since it's one character longer. Contrary to popular belief high entropy is not necessary for strong passwords.....all talked about in the above link.
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
I don't put too much faith in that. The first password becomes rather trivial to find if a cracker is aware that users may follow a common password with a series of identical characters. Each common password is tested with (number of special characters easily entered)*(number of places to check, say up to the limit of password size for the site). That's probably no more than a few thousand extra checks per common password.

I have a lot of respect for Mr Gibson but hackers may also be aware of his advice. I'll take the second, more random password any day.
Kwirk is offline   Reply With Quote
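The rule-based attack that cranberryjoe's post (#71) describes and that Kwirk applies to the "D0g" plus padding example just above, as an added example that is not code from the thread or from any real cracker: a five-word constructed wordlist is mangled with case and leet rules, then a suffix rule (number, optional symbol) and a padding rule (one symbol repeated) are applied, and the candidates are hashed against unsalted SHA-256 targets the way a "poorly implemented site" would store them. The wordlist and the target passwords are constructed here; the rules are simplified stand-ins for hashcat/John rule files, not their actual syntax.

```python
import hashlib
import string

# Constructed five-word list standing in for multi-million-entry leak-derived lists.
WORDLIST = ["password", "secret", "dog", "letmein", "sunshine"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"})
YEARS = [str(y) for y in range(1950, 2031)]


def base_words():
    """Case and leet mangling of each word, duplicates removed."""
    seen = set()
    for word in WORDLIST:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in (cased, cased.translate(LEET)):
                if variant not in seen:
                    seen.add(variant)
                    yield variant


def suffix_rule(base):
    """word + number, optionally + one symbol: the 'Secret123!' shape."""
    for num in [str(n) for n in range(1000)] + YEARS:
        yield base + num
        for sym in "!@#$":
            yield base + num + sym


def padding_rule(base):
    """word + one symbol repeated 1..30 times: the 'D0g.....' shape."""
    for sym in string.punctuation:
        for n in range(1, 31):
            yield base + sym * n


def candidates():
    """Cheapest guesses first: bare mangled words, then suffixes, then padding."""
    bases = list(base_words())
    yield from bases
    for rule in (suffix_rule, padding_rule):
        for base in bases:
            yield from rule(base)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes):
    """Unsalted SHA-256 targets, as a careless site would store them.
    Returns {hash: (plaintext, guess_number)} for every target that fell."""
    remaining = set(target_hashes)
    found = {}
    for guess_number, guess in enumerate(candidates(), 1):
        h = sha256_hex(guess)
        if h in remaining:
            found[h] = (guess, guess_number)
            remaining.discard(h)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    # Constructed targets: two shapes the thread discusses plus the random GRC string.
    plains = ["Secret123!", "D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9"]
    targets = {sha256_hex(p): p for p in plains}
    result = crack(targets)
    for h, plain in targets.items():
        print(plain, "->", result.get(h, "not cracked"))
```

With only five base words and two rules the whole run is under 200,000 guesses, so both the "Secret123!" shape and the "D0g" plus 21 dots shape fall in well under a second on one CPU core, while the 23-character random string is never produced by any rule; that gap, not the raw character count, is what the haystack-style calculators miss.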
Old 12-08-2021, 09:44 AM   #78
Recycles dryer sheets
 
Join Date: Jul 2018
Location: Topanga
Posts: 314
Most secure websites lock up after 3-4 wrong attempts and require a password reset, which generally involves an email address or phone access. Also, almost all of my sensitive online accounts require 2 factor authentication to my cellphone, which reduces the potential for unauthorized access to almost zero.
timbervest is offline   Reply With Quote
Old 12-08-2021, 09:54 AM   #79
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 26,885
Quote:
Originally Posted by Music Lover View Post
That's only true if there are designated places for numbers and characters. There isn't, so every single spot can either be a number, upper case letter, lower case letter, or a symbol. 10 + 26 + 26 + 33 = 95
No, I still think (but I'm not 100% sure) it reduces the number of attempts, even though it can appear anywhere. If I get motivated, I'll do a small truth table to demonstrate.

But as I followed up, once you get to even an 8 char PW, the reduction that I think occurs is so slight percentage-wise, that it really doesn't matter anyhow. It's just academic at this point, but maybe still a little interesting.

-ERD50
ERD50 is offline   Reply With Quote
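The "small truth table" ERD50 mentions, worked out as an added example that is not code from the thread: inclusion-exclusion over the classes a string might be missing counts exactly how many length-n strings over the 95 printable characters contain at least one digit, one upper-case letter and one symbol, so both sides of the exchange above can be checked. The class sizes (10, 26, 26, 33) are the ones used in the thread; the function generalises to any set of required classes.

```python
from itertools import combinations
from math import log2

# Character classes of the 95 printable ASCII characters, as counted in the thread.
ALPHABET = {"digit": 10, "upper": 26, "lower": 26, "symbol": 33}


def count_with_required(required, n, alphabet=ALPHABET):
    """Strings of length n over the alphabet that contain at least one character
    from every class in `required`. Inclusion-exclusion: for each subset of the
    required classes, count strings that avoid all of them and alternate signs."""
    total = sum(alphabet.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = total - sum(alphabet[c] for c in missing)
            count += (-1) ** k * reduced ** n
    return count


def bits_lost(required, n, alphabet=ALPHABET):
    """How much of log2(total**n) the composition rule gives away to an attacker
    who only tries strings that satisfy it."""
    total = sum(alphabet.values())
    return log2(total ** n / count_with_required(required, n, alphabet))


if __name__ == "__main__":
    rule = ["digit", "upper", "symbol"]
    for n in (8, 12, 16):
        allowed = count_with_required(rule, n)
        print(f"n={n}: {allowed:,} of {95 ** n:,} strings "
              f"({allowed / 95 ** n:.1%} of the keyspace), "
              f"{bits_lost(rule, n):.2f} bits lost")
```

Both posters are partly right: the rule does shrink the space a cracker must cover, since every position is free but the strings with no digit, no capital or no symbol are excluded, yet at 8 characters that removes about half the keyspace (just under one bit) and at 12 characters less than a third, which is why ERD50's follow-up that it "really doesn't matter" holds once passwords are long.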
Old 12-08-2021, 10:14 AM   #80
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Sunset's Avatar
 
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 17,078
Quote:
Originally Posted by papaof2 View Post
You can check a password "live" at Password Strength Checker and you can adjust it to fit the limits of wherever you need a password. 14 characters with upper and lower case, numbers and special characters and no adjacent repeats of the same type symbol - "Bt" is OK but not "BT" or "bt", "3e" but not "33" - is usually more than adequate. If it's the only key to a $5 million account, then perhaps a longer password would be better or you use two-part authentication - password plus a one-time PIN received via a text, phone call or email.
I never test my password on any site. It's too risky.

A really clever hacker could set up a site, and then just add all the good passwords to a dictionary list to try on the next stolen password database/file.
__________________
Fortune favors the prepared mind. ... Louis Pasteur
Sunset is offline   Reply With Quote
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2024, vBulletin Solutions, Inc.