Passwords - how long to hack yours

bizlady

Very interesting. Thanks.
 
Yes, pretty scary. I finally broke down and started using the 1Password utility. It typically creates random passwords of 20-22 characters, upper/lower case and special characters mixed. So, basically ironclad. Near perfect, BUT:

1. There are still a surprising number of institutions, vendors, etc. who have password limitations. Some don’t allow more than 8 or 10 characters, some (federal gubmint, hello….!) won’t allow special characters, some don’t even do upper/lower case. So for those you can’t use the strong random password but have to “dumb it down” manually, which is a bit tedious and certainly annoying.

2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

There is a downside to everything, I guess, but overall I’m happy I switched to 20+ character passwords. I can now share them across all my devices and with family members as I see fit.
 
In 1Password most of my pw's are in the lower right of that table, meaning 34,000 years to crack. My master pass is like that too.
 
Yes, pretty scary. I finally broke down and started using the 1Password utility. It typically creates random passwords of 20-22 characters, upper/lower case and special characters mixed. So, basically ironclad. Near perfect, BUT:

1. There are still a surprising number of institutions, vendors, etc. who have password limitations. Some don’t allow more than 8 or 10 characters, some (federal gubmint, hello….!) won’t allow special characters, some don’t even do upper/lower case. So for those you can’t use the strong random password but have to “dumb it down” manually, which is a bit tedious and certainly annoying.


Ugh, the worst is when they don't provide tooltips, you only get an error message AFTER you try to create a password...actually, I've run into a site or two that won't tell you, or actually TRUNCATES your password! (I had to figure that one out by a lot of trial and error.) It is really annoying, because my default is now 30 characters, including all character types, but at least with LastPass you can uncheck the "symbols" box when you generate a password.


2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

There is a downside to everything, I guess, but overall I’m happy I switched to 20+ character passwords. I can now share them across all my devices and with family members as I see fit.


I feel your pain on #2, as I like my streaming services and home theater devices. Roku does have an app that includes a remote control emulator, and you can paste text into it. I even use it for searches of more than 2-3 characters, because it's so much faster than navigating around the on-screen keyboard. TiVo has one, too, but I don't know about the Amazon Fire stick.
 
That is a very interesting article. Thanks for posting. I will probably lengthen the passwords for financial places.
 
2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

Or you can do the web based initial logon process that bypasses having to enter a long password using a remote control with little buttons. If provided, of course. Both Netflix and Hulu provide that very nice feature. It's a real convenience.
 
Or you can do the web based initial logon process that bypasses having to enter a long password via a remote control.
I assume you mean the 6-character alphanumeric activation code that many streaming services use. The problem is, each device can have a slightly different version of the app, and some don't use the activation code. It's complicated, and I don't understand it completely, but I do know that my two different model Rokus (one is pretty old) and my Samsung smart TV can all have differences, like some offer "Skip Recap/Intro/Credits", and some don't for the same content. From what I understand, the device manufacturers kind of build their own interface based on the streaming service's API.

Anyway, yes, that is a wonderful alternative when it's available, but I've had to enter passwords enough that I've used a lot of phone apps instead of the remote controls, and I've also found some old WebTV/MSNTV IR keyboards will often work with many other devices, even though WebTV isn't around any more!
 
I am all about using a physical key. That's all I ask for. Simple, secure, easy...but so slow to adopt.
 
....

1. There are still a surprising number of institutions, vendors, etc. who have password limitations. Some don’t allow more than 8 or 10 characters, some (federal gubmint, hello….!) won’t allow special characters, some don’t even do upper/lower case. So for those you can’t use the strong random password but have to “dumb it down” manually, which is a bit tedious and certainly annoying.

2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

...

I've run into the limit on passwords; an incredibly terrible idea when it's short.

A few sites won't allow me to paste in passwords, so I have to type them in, like TreasuryDirect.gov and, years ago, a brokerage account. Very annoying.
 
Interesting article. But is password hacking even a thing for web users IRL? Passwords cannot be "hacked" in a vacuum, the hacker needs to bounce every one of the billions of combinations off the website being attacked, using your userID/email (brute force attack). Every website with even minimal security kicks you after 5 or so wrong attempts, and the more secure ones lock you down.

The source site conflates "stolen" and "compromised" credentials with "cracked" passwords. These are not the same thing.
 
Interesting article. But is password hacking even a thing for web users IRL? Passwords cannot be "hacked" in a vacuum, the hacker needs to bounce every one of the billions of combinations off the website being attacked, using your userID/email (brute force attack). Every website with even minimal security kicks you after 5 or so wrong attempts, and the more secure ones lock you down.

The source site conflates "stolen" and "compromised" credentials with "cracked" passwords. These are not the same thing.
What usually happens is a hacker gets hold of the password file of all passwords at the site by somehow signing in as an admin. Any site that knows anything about security will never store passwords directly, they will be stored in a way that not even the site knows the password. If they are stored in a vulnerable way that is the problem.
 
Interesting article. But is password hacking even a thing for web users IRL? Passwords cannot be "hacked" in a vacuum, the hacker needs to bounce every one of the billions of combinations off the website being attacked, using your userID/email (brute force attack). Every website with even minimal security kicks you after 5 or so wrong attempts, and the more secure ones lock you down.

The source site conflates "stolen" and "compromised" credentials with "cracked" passwords. These are not the same thing.


Even if a website doesn't lock out a person after multiple attempts at a password, the delay in response will make all hacking attempts take too long except for the very simple passwords.

In general though the issue is still the same: a stolen database of passwords can be worked on quickly to crack many of them.
Then the hacker can go to the website and enter the correct password.
 
Good article, thanks.
 
In general though the issue is still the same: a stolen database of passwords can be worked on quickly to crack many of them.
Then the hacker can go to the website and enter the correct password.

And, they can try the same password at various other sites (such as banks) because they know many people reuse passwords.
 
How does the rapid password guessing work for hackers? Don't most sites lock the account after 3 wrong login attempts. Seems like this would stop guessing attempts.
 
How does the rapid password guessing work for hackers? Don't most sites lock the account after 3 wrong login attempts. Seems like this would stop guessing attempts.
Most of the hand-wringing about password complexity and length is about offline attacks, where the hacker exfiltrates the database.

But even an offline attack isn't as fast as the article suggests if the web site is using best practices. Best practices are that passwords are salted and hashed, and only the hash is stored. So the hackers must know HOW the passwords are hashed (the procedure is different; for instance, the web site can go 20 "rounds" or 21 or any number...the hacker must figure this out or be hopelessly locked out). The hacker will also need to have the salt, which is typically secured separately from the hash. Some web sites use a hash that takes significant processing power, taking pure brute force hacking essentially off the table. Of course if the hacker has access to the hashes, AND has access to your source code to know how you're building the hash (again, source code is typically secured differently or not in the same location as the hashes), then it becomes feasible to start brute force cracking. But before they try that, they'd probably get the guys with non-random passwords (the rainbow table approach). So like most security, physical or computer, if you make it just a little harder for the bad guy to attack you over the guy who's not doing the basics, you'll probably avoid any problems. I use completely randomly generated 8 character passwords with all character sets and am not worried about it. I use a password manager, but this reasonable length lets me type it in if I have to, which I occasionally have to do.
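The salt-and-hash storage practice the post describes, as an added example (not code from the post, the article, or any site mentioned): every stored record carries its own random salt and its round count, so the verifier can re-derive the hash from the record alone and records made with an older, lower work factor can be upgraded on the next successful login. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the record format and the DEFAULT_ROUNDS value are assumptions for illustration.

```python
# Added example: salted, iterated password hashing with the work factor
# stored next to each record. Not from the thread or the linked article.
import hashlib
import hmac
import secrets

DEFAULT_ROUNDS = 600_000  # assumed policy value; raise as hardware gets faster


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a storable record 'pbkdf2_sha256$<rounds>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt per user means two users with the same
    password get unrelated hashes, so one precomputed (rainbow) table
    cannot be reused across accounts; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and round count, then compare
    in constant time so timing does not leak how many bytes matched."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record was produced with fewer rounds than current
    policy requires, i.e. it should be re-hashed after the next good login."""
    return int(record.split("$")[1]) < min_rounds


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    rec = hash_password("correct horse battery staple", rounds=2000)
    print(rec)
    print("verify ok  :", verify_password("correct horse battery staple", rec))
    print("verify bad :", verify_password("Correct horse battery staple", rec))
    print("needs rehash under current policy:", needs_rehash(rec))
```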
 
.... So like most security, physical or computer, if you make it just a little harder for the bad guy to attack you over the guy who's not doing the basics, you'll probably avoid any problems. ...

That's how I've always seen it. I don't have to be faster than the lion, just faster than the guy running next to me.
 
Yes, pretty scary. I finally broke down and started using the 1Password utility. It typically creates random passwords of 20-22 characters, upper/lower case and special characters mixed. So, basically ironclad. Near perfect, BUT:

...


2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

If you are using an iPhone and an Apple TV you can use the iPhone as a keyboard input device for the Apple TV. Way easier typing on the iPhone keyboard.

[Screenshot: UseiPhoneAppleTVKeyboard.jpg]


Also, this lets you access either the built in password manager or third party ones like 1Password.

 
Most of the hand-wringing about password complexity and length is about offline attacks, where the hacker exfiltrates the database.

But even an offline attack isn't as fast as the article suggests if the web site is using best practices. Best practices are that passwords are salted and hashed, and only the hash is stored. So the hackers must know HOW the passwords are hashed (the procedure is different; for instance, the web site can go 20 "rounds" or 21 or any number...the hacker must figure this out or be hopelessly locked out). The hacker will also need to have the salt, which is typically secured separately from the hash. Some web sites use a hash that takes significant processing power, taking pure brute force hacking essentially off the table. Of course if the hacker has access to the hashes, AND has access to your source code to know how you're building the hash (again, source code is typically secured differently or not in the same location as the hashes), then it becomes feasible to start brute force cracking. But before they try that, they'd probably get the guys with non-random passwords (the rainbow table approach). So like most security, physical or computer, if you make it just a little harder for the bad guy to attack you over the guy who's not doing the basics, you'll probably avoid any problems. I use completely randomly generated 8 character passwords with all character sets and am not worried about it. I use a password manager, but this reasonable length lets me type it in if I have to, which I occasionally have to do.

Thanks!, that makes sense. I used to be admin for several unix systems and I was able to copy passwd files from one system to another. I couldn't see the passwords but I could see the usernames. So it would have been possible to write a script to create a process for each username and systematically guess the password. Of course this would find the short passwords first.
 
Yes, pretty scary. I finally broke down and started using the 1Password utility. It typically creates random passwords of 20-22 characters, upper/lower case and special characters mixed. So, basically ironclad. Near perfect, BUT:

[…]

2. Usually, you auto fill or copy/paste the password, so its complexity is not an issue. However, think of a situation like, say, a TV Fire Stick or Roku box where you want to set up streaming services. Now you are stuck having to type in various passwords character by character with a very awkward typing interface. Doable, but very tedious.

[…]
For instances where I know I'll have to type in the password myself, I switch the 1Password password generator from "Characters" to "Words" to make generated passwords easier to remember/enter. (See the relevant xkcd comic.)
 
I typically use 32 characters or the maximum number of characters allowed (whichever is the greater number) using upper/lower case alpha, numbers and special characters randomly generated by a password mgr. I also turn on 2FA where available.
 
... Using 12 characters with at least one upper case capital letter, one number and one symbol could take a hacker 34000 years to break.

I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95. They have reduced the complexity on 3 of the 12 entries.

-ERD50
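As an added example (not from ERD50's post or the linked article), the computation below counts how much a "must contain a digit, an upper-case letter and a symbol" rule actually shrinks a 12-character keyspace over the same 95-character alphabet the post uses. It computes both the full constrained set (every string that contains at least one of each required class, by inclusion-exclusion) and the post's pessimistic model, in which the attacker already knows which positions hold the forced characters; the class sizes 26/26/10/33 are taken from the post.

```python
# Added example: keyspace of a random 12-character password under
# composition rules. Class sizes follow the post: 26 lower, 26 upper,
# 10 digits, 33 symbols = 95 printable ASCII characters.
from itertools import combinations
from math import log2

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def keyspace_with_required(length, required):
    """Number of length-character strings over the 95-char alphabet that
    contain at least one character from EVERY class in `required`.
    Inclusion-exclusion over the subsets of classes that are missing."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def bits_lost(length, required):
    """Entropy (bits) given up versus an unconstrained random password
    when the attacker must still search the whole constrained set."""
    return log2(ALPHABET ** length) - log2(keyspace_with_required(length, required))


def positions_known_keyspace(length, required):
    """The post's pessimistic model: the attacker knows which slot holds
    each forced character, so those slots shrink to their class size."""
    space = 1
    for c in required:
        space *= CLASSES[c]
    return space * ALPHABET ** (length - len(required))


if __name__ == "__main__":
    req = ("digit", "upper", "symbol")
    full = log2(ALPHABET ** 12)
    print(f"unconstrained 12 chars      : 2^{full:.2f}")
    print(f"rule enforced, set searched : 2^{log2(keyspace_with_required(12, req)):.2f} "
          f"({bits_lost(12, req):.2f} bits lost)")
    known = log2(positions_known_keyspace(12, req))
    print(f"rule enforced, slots known  : 2^{known:.2f} ({full - known:.2f} bits lost)")
```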
 
I typically use long word based passwords with silly combinations, such as Turkey-Lumber-429, or One#4#The#Tomatoes. Even though I use a password manager, there are times when I can't paste in a code or have to remember it when I'm away from home. These are easier to remember and easier to type in than a long cryptic random code like Lkpa&49s*fgQRR22. It's also easy to come up with really long passwords that are human readable.
 
I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95. They have reduced the complexity on 3 of the 12 entries.

-ERD50


In my earlier days, when setting up passwords (truly, back in the stone age) I used what is referred to as "high ASCII" characters within it (usually just one or two).... (many sites didn't allow longer password length so this added to possible security)

It had the advantage of increasing the character numbers that "could" be possible very dramatically... but also because ___most hackers NEVER included them in the possible characters... it likely would never get hacked by crude brute force attempts !!!

The current downside... nobody allows using "high ASCII" in current passwords.
 