How Many Seconds Would It Take To Crack Your Password? 454
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
Huh. (Score:5, Funny)
I wonder if he's caching every string entered into a dictionary file...
Re:Huh. (Score:4, Insightful)
However, I noticed that he's not *checking* a dictionary file when evaluating password strength. The actual strength of a password like "spastic-elongated-kremlinitude" is pretty good, but his checker's figure of four hundred thousand trillion trillion centuries to crack with a high-end cluster is optimistic beyond the bounds of all reason. That would be naively building it up character by character, and *nobody* does naive character-by-character brute forcing for passwords that long. That's like building a skyscraper without power tools.
Re:oblig xkcd (Score:4, Interesting)
So your solution to the problem that nobody can remember randomized-per-character passwords is to massively increase the character set that people need to memorize? That's not helpful. The XKCD example was to show that it's possible to create easy to remember passwords that still have a whole bunch of entropy; the status of ASCII versus Unicode doesn't change anything at all in this regard. If anything, it makes the case for XKCD-style passwords even stronger.
Re: (Score:3)
Maybe, maybe not. I haven't checked.
I have a couple pass phrase dictionaries and they have found a not insignificant number of pass phrases.
Most of the time, I just need to find a password that hashes to the same as your password. That might not seem important, but when your password/pass phrase is longer than the hash and you are reduced to brute forcing the password a collision is not less likely just because you added more characters.
MD5 and SHA1 are optimized to reduce collisions in the ASCII code space
Re: (Score:3)
Re:Huh. (Score:4, Insightful)
Pretty much everything you wrote is wrong other than your first line.
5 random lower case characters + one upper case = 52^6. It would be 26^6 if and only if you knew exactly where the upper case letter was, which is an unreasonable assumption. Adding an upper case letter would eliminate a straight lower-case dictionary attack entirely and double the pool of possible characters from 26 to 52. There are 6 places, so 52^6.
You make the same mistake in several other locations.
To address your other claim, "Adding one extra capital, number or symbol to a password does not increase password strength that much." ... You make this claim only because your math is so hilariously wrong.
Re:Huh. (Score:5, Insightful)
5 random lower case characters + one upper case = 26^6 * 6.
6 random case random characters = 26^6 * 2^6 = 52^6.
Check your own math first.
Re:Huh. (Score:4, Informative)
Actually, no. 52^6 is 6 random mixed case characters - a much larger search space than 5 lower + 1 upper. The number you are looking for is much smaller = 26^6 * 6. Here's why - with 5 lower + 1 upper, you have 6 alpha characters = 26^6. If exactly one of them is uppercase, then the search space is only expanded by -- change the first character to upper, change the second to upper, etc = 26^6 * 6. If you think there are passwords outside of that search space, then try to come up with a 5 lower + 1 upper password that cannot be found by looking at ALL combinations of 6 lower and make one of them upper.
Gibson makes this type of error when he claims that haystacks are a good password technique. He forgets that 1) people are lazy and 2) hackers tune their search strategy because of #1. People who use haystacks do so because they want something easy to remember. So they probably use a dictionary word with minor alterations (all lower+numbers, make one of them uppercase) and then add a bunch of periods. But they can't just add a random bunch of periods - they have to use a number that they can remember (in addition to remembering the password itself), so it's probably no more than 10 (probably 7). A search strategy tuned to this will find passwords much faster than he claims = do the normal 36^n search space of lowercase + numbers, then for each of them, change one of the letters to uppercase. Then for each of these passwords (all lower + all of the change one to upper), add 1-10 periods to the end. Assuming the base word is no longer than 8 and the number of periods is no longer than 10, the search space is at most 36^8 * 9 (no lower + at most 8 ways to make one upper) * 10 (number of periods) = much lower than 96^18.
Of course, you can manipulate the algorithm, but most people are lazy and besides, you have to remember the algorithm you created. If you are not using an easy haystack, you might as well use a nice strong password with a nice password vault.
Re:Huh. (Score:4, Insightful)
Even taking Gibson's original category of all-lowercase alphanumeric, his time-to-crack figure is silly (in that it's not realistic):
36^6 = 2,176,782,336 possible combinations
0.0000224 seconds to crack (given by grc)
2,176,782,336 / 0.0000224 ~= 97,200,000,000,000
So, somebody is going to devote a supercomputer capable of trying 97.2 trillion passwords per second to cracking a password for some service that I'd use? Right...
For an idea of how big of a machine you'd need to try 97.2 trillion passwords per second, Tom's had two high-end GPUs in SLI doing 1.5 billion per second, which means even with GPU acceleration you'd need roughly 65,000 machines...
Re: (Score:3)
Why would a large enterprise or government want to crack any of my accounts? The XKCD example of a $5 wrench is a joke, but the underlying message is accurate. It's a lot cheaper for a government to just give me a court order for my passwords than it is to devote a giant supercomputer to cracking my email.
Re:Huh. (Score:4, Insightful)
Grandparent: 5 random lower case characters + one upper case = 26^6 * 6 NOT 52 ^ 6
Parent: 5 random lower case characters + one upper case = 52^6. It would be 26^6 if and only if you knew exactly where the upper case letter was, which is an unreasonable assumption. Adding an upper case letter would eliminate a straight lower-case dictionary attack entirely and double the pool of possible characters from 26 to 52. There are 6 places, so 52^6.
The grandparent poster has done the calculation correctly, if it is assumed that the cracker knows that there is exactly one uppercase character.
We're all agreed that if there is a 6-letter all-lower-case password, there are 26^6 possible passwords (26 possible character choices in each of six positions), right? For five lower case letters and one upper case letter, we draw five lower case letters (26^5 possibilities) and one upper case letter (26^1 possibilities, because it can't be a lower case letter), and we have 6 choices as to where in the password we place the upper case letter: 26^5 * 26^1 * 6 = 26^6 * 6 possible passwords.
Alternatively, consider our six-letter all-lower-case password and its 26^6 possibilities. We have a dictionary that starts aaaaaa, aaaaab, aaaaac and ends with zzzzzz. If we add exactly one (no more, no fewer) capital letter, then each entry in our original dictionary is replaced by six new passwords, one with a single capital letter in each position: Aaaaaa, aAaaaa, aaAaaa, aaaAaa, aaaaAa, aaaaaA, then Aaaaab, aAaaab, aaAaab, aaaAab, aaaaAb, aaaaaB, and so forth--again giving us 26^6 * 6 possible passwords.
That said, it would be unusual for our hypothetical cracker to have access to that sort of specific information about a password. Why would he know that there was exactly one upper case letter? Far more likely would be some sort of rudimentary password screen that required our password to contain a mix of capital and lower case letters--that is, at least one upper case, and at least one lower case. In that more-likely scenario, the parent's calculation is closer to the mark. Each of six positions could have any one of 52 values (26 upper- and 26 lower-case letters), giving 52^6 possibilities, from which we subtract 2*26^6 options, representing the forbidden all-lower-case and all-caps passwords, leaving 52^6-2*26^6 possible choices.
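The three counts argued over in this subthread, worked through as an added example (Python written for this page, not any poster's code). It checks the closed forms by brute enumeration for small n, and also sizes the "tuned" haystack attack from earlier in the thread, generalised to every base-word length up to 8 rather than only the length-8 case; the attacker-model labels are my own.

```python
from itertools import product
from string import ascii_lowercase, ascii_uppercase

LOWER = 26          # a-z
MIXED = 2 * LOWER   # a-z plus A-Z


def exactly_one_upper(n):
    """Attacker knows: n letters, exactly one of them uppercase.
    Pick n lowercase letters (26^n), then pick which position is
    uppercased (n ways): 26^n * n."""
    return LOWER ** n * n


def any_mixed_case(n):
    """Attacker knows only that every position is a letter: 52^n."""
    return MIXED ** n


def at_least_one_of_each(n):
    """Attacker knows a policy required both cases: all 52^n letter
    strings minus the all-lowercase and all-uppercase ones it forbids."""
    return MIXED ** n - 2 * LOWER ** n


def count_by_enumeration(n, predicate):
    """Check a formula the slow way: walk every 52^n letter string and
    count those the predicate accepts. Only sensible for tiny n."""
    alphabet = ascii_lowercase + ascii_uppercase
    return sum(1 for s in product(alphabet, repeat=n) if predicate(s))


def has_exactly_one_upper(s):
    return sum(1 for c in s if c.isupper()) == 1


def has_both_cases(s):
    return any(c.isupper() for c in s) and any(c.islower() for c in s)


def tuned_haystack_space(max_base=8, max_periods=10):
    """Search space of the tuned attack described in the thread, summed
    over base-word lengths 1..max_base (the post only works length 8):
    a lowercase+digit base word (36^L), optionally one character
    uppercased (L+1 variants; an upper bound, since uppercasing a digit
    changes nothing), then 1..max_periods trailing periods."""
    return sum(36 ** L * (L + 1) * max_periods
               for L in range(1, max_base + 1))


def compare(n=6):
    """Return the three n-letter search spaces side by side."""
    return {
        "exactly one uppercase (26^n*n)": exactly_one_upper(n),
        "any mixed case (52^n)": any_mixed_case(n),
        "at least one of each (52^n-2*26^n)": at_least_one_of_each(n),
    }


if __name__ == "__main__":
    for label, size in compare(6).items():
        print(f"{label:40s} {size:>15,d}")
    print(f"tuned haystack attack (base<=8, <=10 periods): "
          f"{tuned_haystack_space():.2e}")
    print(f"naive 18-char, 96-symbol brute force:          {96 ** 18:.2e}")
```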
Re: (Score:3)
And if you don't understand the basic concepts behind the topic, applying any amount of mathematics will not overcome the initial limitation.
When brute forcing passwords you don't (typically) know anything about them. It's extremely unlikely you will know "5 small letters and one capital letter" no matter how pretty it makes the calculation. You have to search the random address space based on your criteria in increasing orders of complexity.
Searching the lower case space is trivial compared to lower+uppe
Re: (Score:3)
Or, they'd just have to know something about human nature and the fact that humans tend toward lower entropy passwords. With any password guesser that's even slightly smarter than brute force, entropy matters. I remember using 'crack' [wikipedia.org] back in my college days (officially sanctioned -- we were testing password security as part of a security audit), and it h
Re: (Score:3)
what pisses me off is that truecrypt disabled extended ascii for "portability".
I used to use a mu character "" (funny, it shows in preview but not post, http://en.wikipedia.org/wiki/Mu_(letter) [wikipedia.org]) in one of my TC volumes. I can still open that volume with a new version of TC, but if I create a new volume TC won't let me use the mu, because it may not work on *all* systems. I don't care about all systems; I care about all systems I am using. Bonus points if it happens to not work on an attacker's system.
using
Re:Huh. (Score:5, Insightful)
Based on what? You're arguing that Gibson is wrong, but your reasoning amounts to saying "nuh-uh".
The attacker knows that there are 6 characters in a password. Or does he? I'd want a hashing algorithm that hides the password length by turning any password length into e.g. a 64-character hash.
Even assuming he knows it's 6 chars, how can he know there are 5 lowercase + 1 uppercase? Assuming the hash doesn't give clues (which would be a weakness in the hash function) I see no way the attacker can infer 5 lowercase + 1 uppercase (and guess correctly at which position the uppercase will be).
Therefore he has to assume a search space of lowercase+uppercase for all positions, which leads to 52^6.
Re: (Score:3)
How can he assume there are no special characters? Numbers? If he can assume only lower+upper, shouldn't he also be using a best-guess distribution of the upper case letters? While it can be a totally random password, most of the users won't use those. As such, optimizing the problem can reduce the average percentage of the search space by a lot!
Re: (Score:3)
Optimizing the search space does not remove the components, it just searches strategically through the whole ordeal. Searching through a-z first, which is quite interesting because a lot of passwords are in there, won't prevent you from searching through aA-zZ afterward should the problem still not be solved.
Re:Huh. (Score:5, Informative)
If someone is brute-forcing your password, they can make no assumptions. (alphabet size)^(number of spaces)
Where (alphabet size) = the group your char is in. e.g. "!" is part of a 10-char group, so using ! gives your alphabet an extra 10.
Let's see: upper and lower, that's 26*2, then "[]", that's another 12, "3", that's 10, * makes it another 10, "~+" is at least 6 but not sure which group. OK... that's an alphabet size of 90 and it's 17 chars long. 90^17 = 1.6677181699666569e+33. Almost as strong as a GUID, but easier to remember.
Re:Huh. (Score:4, Insightful)
The man is an idiot. Adding one extra capital, number or symbol to a password does not increase password strength that much. The algorithm assumes that all places in the password can be all characters.
Disagreeing with you doesn't make him an idiot.
Since we don't know what position a capital letter might occupy, I think we can agree that this expands the MAXIMUM search range above 26^6 and below 52^6+1. That's the teaching point the tool is designed for. It is not designed to be an accurate estimator, but more of a shock value tool to get the attention of users. It has some value in that role.
Re: (Score:3)
He doesn't disagree with me. He is wrong. Of course idiot is still a strong term; I only used it because he presents poor password advice as if he knew what he was talking about.
Re:Huh. (Score:5, Funny)
Mine is huge, but then again I found an easy way to get a huge password... anybody seen how big the serial is on your average bass? It's got uppercase, lowercase, numbers and symbols and it's pretty long, and since I know my babies and never sell them it's a pretty easy set of long passwords to keep up with.
If I ever catch a bass with a serial number, I'll give up fishing. Do you work in some genetics testing lab or something?
Ha! (Score:5, Funny)
Re:Ha! (Score:5, Funny)
Re: (Score:2)
Re:Ha! (Score:5, Funny)
Re:Ha! (Score:5, Funny)
really no need for that
Re:Ha! (Score:5, Funny)
Re: (Score:3)
asshash?
Re:Ha! (Score:5, Funny)
Really? Mine takes much longer than that. You should post it. Don't worry, it will appear as ***-**-*** on our screens just like mine did on yours just now. I just want to copy and paste it in the Steve Gibson's Interactive Brute Force Password Search Space Calculator to verify what you said.
Re:Ha! (Score:5, Funny)
hunter2
Re: (Score:2, Funny)
Re:Ha! (Score:5, Informative)
Visa always start with 4; MasterCard always start with 5.
If the attacker knows who you bank with, then they have the issuer number (4-6 digits).
You lose one digit due to the checksum.
For example, suppose the attacker knows you have a Visa from Chase, then they only have to guess 7 digits. That's weaker than a 3 character alphanumeric password.
Re:Ha! (Score:4, Interesting)
Link (Score:3, Informative)
https://www.grc.com/haystack.htm
Re:Link (Score:4, Funny)
Link in link form. [grc.com]
Re: (Score:3)
Re: (Score:3)
I'd never be able to remember if it was 16 "a"s or if it was 17 "a"s.
cookies.. (Score:2)
Whenever somebody mentions GRC I get a craving for cookies. Syncookies, to be precise..
Websites (Score:5, Interesting)
There's still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered.... of course, the field would accept more and they wouldn't tell you this so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.
Re:Websites (Score:5, Funny)
My one bank does that. It irks me to no end. Kind of like an unmatched (.
Re:Websites (Score:5, Funny)
)
You're gonna break stuff if you keep leaving unmatched (
Re:Websites (Score:5, Funny)
)
Fucker.
Re:Websites (Score:5, Funny)
Re:Websites (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Websites (Score:5, Informative)
I was going to post the same thing. It's not uncommon to have sites that also limit your password to letters & numbers only.
(As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)
Re: (Score:3)
(As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)
No, I think the most heinous ones are those who require you to answer "security questions" that you can't choose yourself.
It's not very hard to find out your mother's maiden name or what high school you went to.
The only sane choice is to make up answers, but it's harder to remember lies than truth, and a lot of sites commit this atrocity, so you may end up having to write a list of all the questions and answers.
Never mind that these types of questions tend to exclude or alienate a lot of people due to
Re: (Score:3)
I once engineered my answers so I could remember them ...
Mother's Maiden name : Brown
Favourite colour : Brown
First Pet's Name : Brown
This obvious is once again ignored... (Score:4, Interesting)
Anytime I read articles like this, I just assume someone is trying to see something...
The best way to limit an attack like this is to limit how fast the attempts can be made. Rerun his "test" when the server only allows one password submit every 10 seconds and see how long it takes. More secure you say?? Well, after 5 bad attempts, lock the account for 30 minutes?? Please, however, never lock the account entirely like SOME companies do. That makes a script kiddie's actions my problem...
Good passwords can never stop common sense computing procedures...
Re: (Score:2)
I used to belong to a credit union that was great... except for their web interface. It would lock me out completely after three failed attempts and I'd have to drive to their closest branch (40 minutes away) and wait in line for someone (not a teller) to unlock it. Horrible system. It got worse when I tried adding them to Mint.com, which caused it to lock me out for no discernible reason.
Re: (Score:2)
This is the reason I don't use my credit union as my primary account. As much as I like supporting the smaller local financiers, their web interface is not up to snuff. And I cannot add them to Mint because they use a two-tier authentication system where you have to type an additional password displayed on the screen (not even a captcha, just a number displayed as text). It is important to me to have the ability of keeping track of my finances via Mint.com. I put everything on my debit card so I can track m
Re:This obvious is once again ignored... (Score:5, Insightful)
Re: (Score:2)
Hell yes. The summary is so stupid I'm not even going to bother reading the article. It might make sense to say password X takes 42 times longer to crack than password Y, but to put a real time against the cracking attempt only makes sense if the cracker has access to the hash of your password, in which case you have already lost.
That said, account lockouts and login delays only make sense for a targeted attack. For a widespread brute force attack it doesn't matter - you can saturate your pipeline and still on
Has anyone actually doublechecked his security? (Score:5, Funny)
Re:Has anyone actually doublechecked his security? (Score:5, Insightful)
That's why you enter something lexically similar to it and not the actual password. If your /. password is 3 mid-length words and the number 54 added to it, you type in that many letters and the number 11.
Got "trillion trillions centuries" here :)
Which really means "lasts until some idiot stores it as plain text."
Re: (Score:2)
Re: (Score:3)
Note to self, Anonymous Coward's login password is 15 characters long, and ends with any two-digit number different from 54 and 11.
Re: (Score:2)
Not to be suspicious, but "doublecheck your password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....
I've always wondered... do those facebook/google/linkedin/twitter links on the page allow them to determine your facebook account name if you are logged in?
Binary... (Score:2)
I use binary for passwords, thus my password is 168 characters long; the only downside is it only has 10 digits!
0111100101101111011101010010000001101
text in the middle
0010110111001110011011001010110111001
text in the middle
1100110 11010010111010001101001011101
text in the middle
100110010100100000011000110110110001
text in the middle
1011110110010000100001
More text because /. filter throws an error, I wonder how much more text I have to type?
"Filter error: That's an awful long string of letters there."
"Filter error:
See you at the end of time (Score:4, Insightful)
Re: (Score:2)
Character X is not allowed! (Score:2, Informative)
Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.
Obligatory XKCD comics (Score:2)
There's time, then there's real-world time (Score:2)
Interactive password tester? (Score:5, Insightful)
What a great way to generate a new wordlist...
MS Office CD Key (Score:5, Interesting)
I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.
clickity clickity clickity clickity...
I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"
Must have been the only time I've seen an MS CD-Key actually being wanted.
Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:
Online Attack Scenario:
(Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries
Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as you obfuscate it!
Seems more like a study about user stupidity to me (Score:2)
Re: (Score:2)
Oops! *hurries to change password*
My Password is Super Effective (Score:3)
I checked my password, and found that it will take 25.76 million trillion centuries. Hooray - no one that's never read XKCD will ever guess my password.
Obligatory: http://xkcd.com/936/ [xkcd.com]
12345? (Score:2)
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Which password? (Score:2)
Slashdot, football forums, BBC - minutes. I honestly don't give a shit about these sites.
Random websites that force you to sign up in order to download a crappy wav file - I'll just tell you, just to save you the hassle. username = no@example.com, password is nonononono.
My banking password? Minutes. Why? Because passwords are shite and obsolete. I use extra forms of authentication on banking web
Re: (Score:3)
Re: (Score:3)
The one for my email - trillions of years. Dumb sites emailing me my own private data means it needs to be secure.
Having a locked mailbox to prevent anyone from reading your postcards might be considered a false sense of security. Not that the lock is a bad idea, it's just that something else that's also important may have been overlooked.
always contain at least one one type of character (Score:2)
Q:So, from the answer above, that means that our passwords should always contain at least one of each type of character?
A:Yes, that's exactly what it means. Take, for example, the very weak password “news.” If another lowercase character was added to it (for example to form “newsy”), the total password search space is increased by 26 times. But if, instead, an exclamation point was added, (making it “news!”), the total search space is increased by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.
Funny thing is, almost every example I've seen of how to increase the complexity of your password uses the example of putting an exclamation mark or a 1 on the end. Based on what I know about people, that's exactly what they'll do, which doesn't increase the search space by as much as the author thinks, and might even convince the user to use a shorter password with a ! on the end of it, which is worse.
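An added example (Python written for this page; it is not GRC's code) that re-implements the calculator's search-space rule as the Q&A above describes it, counting every string up to the password's length rather than only strings of that exact length. It reproduces the 26x and 1,530x figures, the summary's 0.0000224 s for 6 alphanumerics at the "massive cracking array" rate, and the machine-count estimate from earlier in the thread. Assumptions: a 33-symbol punctuation class (the page does not state it, but it is the value that yields 1,530x) and the three guess rates the page quotes.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits

# Character classes as the GRC page appears to count them. The 33-symbol
# class is an assumption that reproduces the 1,530x figure quoted above.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates of the three scenarios the GRC page reports.
SCENARIOS = {
    "online attack": 1e3,
    "offline fast attack": 1e11,
    "massive cracking array": 1e14,
}

SECONDS_PER_CENTURY = 100 * 365 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet implied by the character classes present."""
    classes = set()
    for ch in password:
        if ch in ascii_lowercase:
            classes.add("lower")
        elif ch in ascii_uppercase:
            classes.add("upper")
        elif ch in digits:
            classes.add("digit")
        else:                      # space and punctuation all count as symbols
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password):
    """The 'haystack': every string of length 1..len(password) over that
    alphabet, i.e. the sum of a^i for i = 1..n, not just a^n."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** i for i in range(1, n + 1))


def seconds_to_exhaust(password, rate):
    return search_space(password) / rate


def centuries_to_exhaust(password, rate):
    return seconds_to_exhaust(password, rate) / SECONDS_PER_CENTURY


def growth_factor(before, after):
    """How much bigger the haystack gets when 'before' becomes 'after'."""
    return search_space(after) / search_space(before)


def machines_needed(total_rate, rate_per_machine):
    """Machines needed to reach a guess rate, e.g. the 97.2 trillion/s
    implied by the 0.0000224 s figure versus 1.5 billion/s per GPU pair."""
    return math.ceil(total_rate / rate_per_machine)


if __name__ == "__main__":
    print(f"news -> newsy: x{growth_factor('news', 'newsy'):.0f}")
    print(f"news -> news!: x{growth_factor('news', 'news!'):.0f}")
    for label, rate in SCENARIOS.items():
        print(f"{label:23s} {centuries_to_exhaust('news!', rate):.3g} centuries")
    # 'abc123' is a constructed 6-character lowercase+digit sample,
    # the same class as the summary's "6 alphanumeric characters".
    print(f"6 alphanumerics at 1e14/s: {seconds_to_exhaust('abc123', 1e14):.3g} s")
    print(f"machines at 1.5e9 guesses/s each: {machines_needed(9.72e13, 1.5e9):,d}")
```

The thread's "purple grass grows on my bedroom ceiling" figure (about 6.94 x 10^70) also falls out of the same rule, since the space counts as one of the 33 symbols.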
Post-it (Score:5, Funny)
"a" repeated 20 times. (Score:2)
It's a terrible article. (Score:5, Insightful)
I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.
The author gets lots of things confused:
- He seems unaware that a rainbow table is equally effective against a good password as a bad one.
- He seems to think a dictionary attack comprises wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this [schneier.com], and I'm far more inclined to believe Mr. Schneier.
- He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
- He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
- He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
- He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
- He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD [xkcd.com] some time ago.
Re:It's a terrible article. (Score:4, Informative)
In his podcast, Steve clearly knows these things. He collected a number of "hacker" tools and studied them before he wrote haystack. I have not looked at his code, so I can't say what he built. But I recall that he said this was a very basic tool that ran on the local machine using Javascript.
I've had users enter their old passwords and they are universally shocked. It's a pretty good teaching tool for your average office worker.
Re:It's a terrible article. (Score:5, Informative)
>then it doesn't really matter how strong your password is
Well, that's not quite true. A password with 128 bits of entropy is still going to be strong even when hashed unsalted.
Leaked hash material is really only helpful for finding poor passwords via one of the brute force methods. Lack of salts, or poor salting, is only helpful for rainbow table or rainbow dictionary type attacks.
Choosing a good password will still help you. The only problem is websites that do one of the various bad behaviors:
* forcing a capital or digit reduces entropy
* limiting the max length reduces entropy.
I have tried... (Score:2)
Rainbow tables and brute force could not do it in a reasonable amount of time. But this was a couple of years ago on an old decommissioned server with only 8 Xeon processors. 1 week later and still nothing.
Cost of wrong guesses (Score:3)
Very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen.
Actual security should be more systemic -- the cost of a wrong guess is more than a nanosecond of GPU. There are at least network delays, and in many cases lockouts. The latter make random guessing too costly/slow, especially progressive systems that allow 5 wrongs immediately, 10 in an hour, 20 in a day, and lock hard (manual intervention) above that.
My father had one of the early ATM cards but had me operate the machinery. It had an 8 digit assigned PIN, but dropped quickly to 4 when it was realized the 8 were hard to remember, and swallowing the card after 3 wrong guesses was more than adequate.
Web delay? (Score:4, Informative)
Wait, what? (Score:5, Insightful)
With "almost unlimited" computing power any password will almost take "almost no time" to decrypt.
Is GRC some kind of trusted resource now? (Score:4, Insightful)
Slashdot always seems to be his willing dupe and publicizes whatever he is concerned with at the moment.
Re: (Score:2)
I'll see your xkcd 538 (Score:5, Informative)
Re: (Score:3)
I just have to hope that nobody comes around with a $5 wrench...
Re:obligatory xkcd.... (Score:5, Insightful)
let's say you know 100% for sure that somebody is using xkcd's method.
there are 15,222 words in the English language according to the Oxford English Dictionary. how many are common 5, 6, and 7 letter words? hard to say for sure. I think 3000 or 4000 would be a good conservative guess, what do you think? let's say 3000 to err on the side of caution.
how many combinations of common 5,6, and 7 letter words does that give us to build a password based on xkcd's suggestion?
3000^4
that's 8.1 x 10^13 discrete combinations, counting the ability to reuse the same word.
I'm assuming you didn't build a plaintext dictionary with all those possible combinations... at 1 byte per letter, and an average of 6 bytes per component word, that's 4.86 x 10^14 bytes, or a 442 terabyte dictionary file. where the hell are you storing that?
no, i'm assuming you probably built a program specifically to build combinations of component words and brute force using that. sure that will eventually work, after it goes through its 8.1 x 10^13 iterations (worst case)... but hell, why are you trying to crack that hard a password when there are thousands of people out there whose password is just "Password1"? the club doesn't make your car theftproof, it just makes it less inviting to the thief than the car next to it. you don't need to outrun the lion, you just need to outrun the slowest person in your group.
and this is all assuming:
1. you somehow -know- which password generation method the person is using
2. they didn't do what I do with that method, and throw a few uppercase and numbers in there anyway.
Re: (Score:3)
My personal favourite is to translate some of the words into random languages after I have made the passphrase. It's not difficult to learn a few foreign words, but since the attacker doesn't know which languages you used he gets the fun task of trying ALL languages that use the latin script. Since there are more than 100 languages using latin characters in the world, even a moderate dictionary size of 10000 or so would give you a total of more than a million words, resulting in the generated passphrase havi
Re: (Score:2)
https://xkcd.com/936/
I took the advice from XKCD and I now use nonsense pass-phrases, e.g. ''purple grass grows on my bedroom ceiling''. It is not too hard to remember, does not contain special characters (other than spaces) since they are hard to remember. grc.com says that that pass-phrase has a search space of 6.94 x 10^70 and that the Massive Cracking Array Scenario (one hundred trillion guesses per second) would take 2.21 hundred billion trillion trillion trillion centuries -- that is good enough for me.
Re: (Score:2)
This tool calculates the brute-force time on a character basis. It says that dictionary attacks still work and should be mitigated by policy and practice.
Re:Almost Unlimited? (Score:4, Funny)
If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism.
Well, almost any password.
Re: (Score:2)
What kind of qualifier is that? If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism. They are obviously making some concrete assumption about computing resources (which the article does not specify, as far as I can tell).
They also make the assumption that you will not be the unlucky soul to have your password cracked on the first try.
Re: (Score:2)
Re:Poor security (Score:5, Insightful)
What system would allow someone to make thousands of attempts per second to login?
That's not the problem. The problem is that the lists of user logins and corresponding hashed passwords get in the wrong hands, whether it be due to bad design and/or coding, insecure software, or unfaithful servants. When you have that list, you run brute force against it to get the actual passwords.
Breaking into servers is much more attractive than breaking individual user accounts, simply because the yield is so much higher. Make a good trojan delivered through good social engineering, and you may catch 1% of the users. Breach the server, and you get the account info of all of them, and by running a crack session, you likely have 20-50% of the passwords within hours. Choose a very hard to crack password, and they may never get it even if they have the hash.
This happens a lot more than what we think. A server breach doesn't have to leave traces that anyone actually sees. We mostly know about the cases where the culprits brag about it or publish lists, which is unlikely to be more than the tip of the iceberg.
Companies are going to insist that their data is safe until proven otherwise, but you're stupid if you believe them.
Sony, Steam, LinkedIn, eHarmony - there are hundreds of server breaches with stolen user/hash lists that we know about. And likely an enormous amount we don't know about.
Re: (Score:2)
Nice post. Too bad I used my last mod points yesterday.
The most ridiculously strong password is 100% worthless if your online data (via the server itself) is compromised, which happens way more than we'll ever know about.
Even more creepy are the perfectly legal and "legit" uses of your data (make sure you read everything in the EULA I guess) that are knowingly and willingly handed off to various third parties.
Re: (Score:3)
You forget that if a procedure is too cumbersome for the users, it won't be used.
Same with a procedure that deviates so much from standard practice that what the users already know is wrong.
Your suggestion fails on both counts.
Re: (Score:3)
It's actually a great prank by a French Grande Ecole.
Here's what you get when you enter one:
Security assessment for password "Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM"
Thanks for disclosing password "Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM" to us!
Password Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM
Score
0 % - Insecure
Assessment
You just disclosed password "Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM" to an untrusted third party (us). You have no way to find out what we intend to do with it. Maybe we logged it and intend to publish it or to use it against you? For this reason, password "Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM" is now compromised. It is therefore insecure and should not be used in any situation.
Suggestions
Do not disclose your passwords to any untrusted third party for any reason.
If you are actually using password "Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM", stop using it and change it immediately.
Change any other password you may have compromised in this way before you used the Estatis Password Security Checker.