Passwords

Comments (page 2)
  • PrimalIce (Forum Member, Posts: 2,897)
    call100 wrote: »
    Are you hackable in your lifetime...Try your passwords here...How big is your Haystack?

    I'll be long gone before they get mine.....:);)

    Massive Cracking Array Scenario:
    (Assuming one hundred trillion guesses per second) 1.54 hundred thousand centuries

    :cool:
  • TheBigM (Forum Member, Posts: 13,125)
    emptybox wrote: »
    But as I pointed out before, the simple step of locking the user out for 30 minutes after a third wrong attempt, will hold any automatic system up for months or years, even if your password is a simple word.

    The only way round that would be to have thousands of computers working on the same password simultaneously.
    (or is that what you mean by "massively parallel"?)

    You're thinking simplistically here. Crackers don't try to enter text in the input box where you're typing your password.

    They try to compromise websites to get their user/pass databases which they download locally to their machines and then attack. There is no 3 failed attempt lockout in this scenario.
  • flagpole (Forum Member, Posts: 44,641)
    TheBigM wrote: »
    You're thinking simplistically here. Crackers don't try to enter text in the input box where you're typing your password.

    They try to compromise websites to get their user/pass databases which they download locally to their machines and then attack. There is no 3 failed attempt lockout in this scenario.

    there's not. but it's still very difficult to brute force passwords.

    when a site is compromised and its password data released nobody ever manages to crack all the passwords. it's not possible, just the low hanging fruit.

    it is also worth remembering that BananaBurgerZebraShoes is much harder to brute force than $M_2%zT# and much easier to remember.
  • cat666 (Forum Member, Posts: 2,063)
    flagpole wrote: »
    there's not. but it's still very difficult to brute force passwords.

    when a site is compromised and its password data released nobody ever manages to crack all the passwords. it's not possible, just the low hanging fruit.

    it is also worth remembering that BananaBurgerZebraShoes is much harder to brute force than $M_2%zT# and much easier to remember.

    A good password is a mid length phrase/quote/lyric, ideally with numbers in it. "shesupallnighttogetlucky" will take 30.11 trillion centuries to exhaust, whereas add some numbers "4thoseabout2rockwesaluteyou" and it jumps to 3.43 billion trillion centuries. Just pick your favourite song/movie and use some numbers.
  • flagpole (Forum Member, Posts: 44,641)
    cat666 wrote: »
    A good password is a mid length phrase/quote/lyric, ideally with numbers in it. "shesupallnighttogetlucky" will take 30.11 trillion centuries to exhaust, whereas add some numbers "4thoseabout2rockwesaluteyou" and it jumps to 3.43 billion trillion centuries. Just pick your favourite song/movie and use some numbers.

    I disagree.

    Anything like song lyrics, anything that gives a reason that someone else would have that password makes it less secure.

    google shesupallnighttogetlucky 120 results.

    google BananaBurgerZebraShoes none

    you need to read the notes on that passwords site. the bit labelled 'IMPORTANT!!!... ....is NOT a “Password Strength Meter.”'

    if a password cannot be brute forced it cannot be brute forced. the extent to which it can't be brute forced is meaningless.
  • emptybox (Forum Member, Posts: 13,917)
    TheBigM wrote: »
    You're thinking simplistically here. Crackers don't try to enter text in the input box where you're typing your password.

    They try to compromise websites to get their user/pass databases which they download locally to their machines and then attack. There is no 3 failed attempt lockout in this scenario.

    Well, that's kinda what I said in my initial post, if I can quote myself.
    emptybox wrote: »
    I don't think a 'strong' password is as important as having a different password for each important site.

    Most responsible sites will lock the user out for a period, if they enter a wrong password more than one or two times, and that should completely defeat the automatic software.

    I think most hacking occurs when they find your password through other means. Either because the site has stored it insecurely, or you've used the same password for everything.

    So the security of your password depends more on how securely the site has encrypted its password database, rather than any property of your password itself.

    Or are some passwords more difficult to de-encrypt than others, as flagpole suggests?
    I would have thought once you've cracked the encryption the site has used you're left with a list of usable passwords?
    Or am I being too simplistic again?
  • ianx (Forum Member, Posts: 9,190)
    emptybox wrote: »
    Or are some passwords more difficult to de-encrypt than others, as flagpole suggests?
    I would have thought once you've cracked the encryption the site has used you're left with a list of usable passwords?
    Or am I being too simplistic again?
    Passwords should never be stored in a form that can be decrypted. They should be stored as a one-way hash.

    Cracking the password then consists of generating the one-way hash for each guess and comparing it with the stored value. If they match then you have guessed the password. Getting one password doesn't help you with getting any of the others.

    Some hashing methods are better than others. MD5, which is commonly used, is not very good as it is quick to calculate. This means that the attacker can try millions or even billions of guesses per second. Something like SHA-2 which is much slower to calculate can mean that the attacker can only try a few thousand guesses per second.
  • flagpole (Forum Member, Posts: 44,641)
    emptybox wrote: »
    Well, that's kinda what I said in my initial post, if I can quote myself.



    So the security of your password depends more on how securely the site has encrypted its password database, rather than any property of your password itself.

    Or are some passwords more difficult to de-encrypt than others, as flagpole suggests?
    I would have thought once you've cracked the encryption the site has used you're left with a list of usable passwords?
    Or am I being too simplistic again?
    the algorithms for storing passwords are all well known and non-reversible.

    they are just basic hashing functions like md5, sha256, etc. your password is never stored for any decent site in plain text. when you set up the password it's run through the algorithm and stored; each subsequent time you enter your password it is run through the same algorithm and compared. md5 for example produces a 128-bit string, so 2^128 possible combinations, or about 3x10^38. it is not strictly necessary to guess the actual password as there may be more than one string that has the same hash, but it will likely be longer than the actual password.

    an attack scenario is that a site loses its password database and the hackers have time to work on it.

    the only difference is whether they are salted and hashed or just hashed.

    a weakness is that, as the algorithms are well known, all the hashes of any password dictionary words are well known; for example google eb0b2e30221efaeb87c9ff9307eb11b6. by no means are all hashes known, just all the ones for words that people use as passwords.

    when a password is salted, before the algorithm is applied a random string is generated by the computer, something exotic like £.Fh#2:nW9_, and stored along with the password. this is applied to the password, usually by a simple append, and then the algorithm is applied. this means that when a database is stolen the hacker can't simply search the database for known hashes (there won't be any) or try to brute force the entire algorithm with a dictionary.

    to clarify, the salt is not really about making the password longer or more complicated, it's about making it unique: a password that has never been used before.
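An added worked example (editor's code, not ianx's or flagpole's, and not from any site named in the thread) that puts the two posts above into practice: a constructed "stolen" user table is cracked three ways with the standard library. Unsalted MD5 falls to one shared lookup table and also reveals that two users chose the same password; per-user salts force a fresh dictionary pass per user and hide the shared password, but a weak password still falls; only a deliberately iterated hash (PBKDF2 here) cuts the attacker's guess rate. One caveat on ianx's post: a single SHA-256 is about as fast as MD5 in practice, so the slowness has to come from iteration (PBKDF2, bcrypt, scrypt, Argon2), not from the choice of SHA-2 alone. The wordlist, usernames and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the multi-gigabyte password lists mentioned in the thread.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed "stolen" user table, stored as unsalted MD5 the way a careless site might.
UNSALTED_DB = {
    "alice": md5_hex("password"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("password"),               # same password as alice -> identical hash
    "dave": md5_hex("BananaBurgerZebraShoes"),  # not in the wordlist, so it survives
}


def crack_unsalted(db: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes: hash every candidate once, then look every
    user's stored hash up in that table. Work is O(words), not O(words x users), and a
    table computed years ago (or found by googling the hash) works just as well."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def salted_record(password: str) -> tuple:
    """Per-user random salt, stored in the clear next to sha256(salt || password)."""
    salt = os.urandom(16).hex()
    return salt, sha256_hex(salt + password)


SALTED_DB = {
    "alice": salted_record("password"),
    "bob": salted_record("letmein"),
    "carol": salted_record("password"),   # different salt -> different hash from alice
    "dave": salted_record("BananaBurgerZebraShoes"),
}


def crack_salted(db: dict, wordlist: list) -> dict:
    """With salts no precomputed table applies; every candidate must be hashed again for
    every user. Weak passwords still fall, but each one costs a full dictionary pass."""
    cracked = {}
    for user, (salt, stored) in db.items():
        for w in wordlist:
            if hmac.compare_digest(sha256_hex(salt + w), stored):
                cracked[user] = w
                break
    return cracked


def pbkdf2_record(password: str, iterations: int = 50_000) -> tuple:
    """Salted *and* deliberately slow: PBKDF2-HMAC-SHA256 iterated many times."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


PBKDF2_DB = {"bob": pbkdf2_record("letmein"), "dave": pbkdf2_record("BananaBurgerZebraShoes")}


def crack_pbkdf2(db: dict, wordlist: list) -> dict:
    """Same per-user dictionary attack, but every guess now costs `iterations` HMACs."""
    cracked = {}
    for user, (salt, iters, stored) in db.items():
        for w in wordlist:
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters), stored):
                cracked[user] = w
                break
    return cracked


def guesses_per_second(hash_one, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for one hashing scheme (a GPU rig is far faster)."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_one("candidate%d" % n)
        n += 1
    return n / seconds


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(UNSALTED_DB, WORDLIST))
    print("salted SHA-256 cracked:", crack_salted(SALTED_DB, WORDLIST))
    print("PBKDF2 cracked:", crack_pbkdf2(PBKDF2_DB, WORDLIST))
    salt = os.urandom(16)
    for name, fn in [("md5", md5_hex), ("sha256", sha256_hex),
                     ("pbkdf2 50k", lambda s: hashlib.pbkdf2_hmac("sha256", s.encode(), salt, 50_000))]:
        print(f"{name:>11}: {guesses_per_second(fn):,.0f} guesses/s")
```

Run it and compare the three guess rates: MD5 and SHA-256 land in the same ballpark, while PBKDF2 at 50,000 iterations is orders of magnitude slower on the same core, which is the whole purpose of such functions. hmac.compare_digest is used for every comparison out of habit; it is also what a real login check should use.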
  • eugenespeed (Forum Member, Posts: 66,695)
    skiller wrote: »
    That's over 45 millennia away, never mind 43 centuries! :p

    It was 2 in the morning :o:p:D
  • emptybox (Forum Member, Posts: 13,917)
    flagpole wrote: »
    the algorithms for storing passwords are all well known and non-reversible.

    they are just basic hashing functions like md5, sha256, etc. your password is never stored for any decent site in plain text. when you set up the password it's run through the algorithm and stored; each subsequent time you enter your password it is run through the same algorithm and compared. md5 for example produces a 128-bit string, so 2^128 possible combinations, or about 3x10^38. it is not strictly necessary to guess the actual password as there may be more than one string that has the same hash, but it will likely be longer than the actual password.

    an attack scenario is that a site loses its password database and the hackers have time to work on it.

    the only difference is whether they are salted and hashed or just hashed.

    a weakness is that, as the algorithms are well known, all the hashes of any password dictionary words are well known; for example google eb0b2e30221efaeb87c9ff9307eb11b6. by no means are all hashes known, just all the ones for words that people use as passwords.

    when a password is salted, before the algorithm is applied a random string is generated by the computer, something exotic like £.Fh#2:nW9_, and stored along with the password. this is applied to the password, usually by a simple append, and then the algorithm is applied. this means that when a database is stolen the hacker can't simply search the database for known hashes (there won't be any) or try to brute force the entire algorithm with a dictionary.

    to clarify, the salt is not really about making the password longer or more complicated, it's about making it unique. a password that has never been used before.

    So basically my understanding of encryption is seriously lacking.

    But I think my password policy of using random words or phrases, sometimes with numbers tacked on the end, is as good as any? :D
  • Maxatoria (Forum Member, Posts: 17,980)
    Realistically, if your password is strong enough to last 2-3 days' worth of cracking attempts then it'll probably be safe, as they'll have 99% of the rest and will have enough login/password combos to try.
  • flagpole (Forum Member, Posts: 44,641)
    emptybox wrote: »
    So basically my understanding of encryption is seriously lacking.

    But I think my password policy of using random words or phrases, sometimes with numbers tacked on the end, is as good as any? :D
    the two most important things are:

    that a password is unique. that nobody else has ever used that password before. there are huge lists available of passwords. i have a couple of gigabytes of hundreds of millions of passwords. if your password is on that list you can forget it. those billions of billions of combinations have just been shrunk to the size of the password list. anything that produces a result when you google it is a no-no.

    that a password is long: as i said above BananaBurgerZebraShoes is a lot harder to brute force than $M_2%zT# up to 10,000,000,000,000,000,000,000,000,000 times harder. and it's a lot easier to remember.
  • chenks (Forum Member, Posts: 13,231)
    flagpole wrote: »
    the two most important things are:

    that a password is unique. that nobody else has ever used that password before. there are huge lists available of passwords. i have a couple of gigabytes of hundreds of millions of passwords. if your password is on that list you can forget it. those billions of billions of combinations have just been shrunk to the size of the password list. anything that produces a result when you google it is a no-no.

    that a password is long: as i said above BananaBurgerZebraShoes is a lot harder to brute force than $M_2%zT# up to 10,000,000,000,000,000,000,000,000,000 times harder. and it's a lot easier to remember.

    however, knowing how much google delves into this forum, i reckon "BananaBurgerZebraShoes" will be appearing in google in a short while.
  • chenks (Forum Member, Posts: 13,231)
    in fact it already is now showing up in a google search :D
  • flagpole (Forum Member, Posts: 44,641)
    chenks wrote: »
    however, knowing how much google delves into this forum, i reckon "BananaBurgerZebraShoes" will be appearing in google in a short while.

    already has.

    obviously i'm not actually suggesting that specifically BananaBurgerZebraShoes itself is a perfect password :)

    but even if somehow an attacker knew that your password were 4 dictionary words there are still more combinations of 4 dictionary words than there are, say, 8 random digits.

    we probably all know about 100,000 words so that is 10^20 combinations. same as an 11 digit nonsense password like $M_2%zT#7^d

    if they don't know it's 4 dictionary words and why would they then it's the same as a random string of the same length.
  • bobcar (Forum Member, Posts: 19,424)
    flagpole wrote: »
    if they don't know it's 4 dictionary words and why would they then it's the same as a random string of the same length.

    It depends what the password sorting algorithm does, a good algorithm would combine dictionary words along with a few random symbols and changed letters. I agree though that a long string that you can remember is better than a short string made up of gibberish.

    Ultimately the password should not be hackable by brute force methods as the site or whatever should disqualify after a number of fails, if it doesn't do that then there is an issue. Obviously this is different for say the password for an encrypted hard drive but ideally then the password would be disabled for a lengthy time after a fail.
  • The_One (Forum Member, Posts: 2,402)
    For sites like forums, games I use my base/basic password, the same for every site.
    For retail sites where I've used my credit card I use the same password as above but add a little onto it.
    For my bank I use the combined password as above and also add a little onto it.

    So I have 3-4 levels of password for ease of remembering them.

    The hardest part for me is remembering my usernames across the internet. I've got like 10 usernames I've used over the last 14 years, and that's not counting sites that require an email address as your username.

    So password example (these are made-up passwords, not mine):
    7whatever - is lowest level password, for forums etc
    7whatever500 - is mid level password
    7whatever500manchester - is highest level password
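An added example (editor's code, not The_One's or bobcar's) showing what bobcar's "combine dictionary words along with a few random symbols" means for a tiered scheme like the one above. It assumes the lowest-tier password has already leaked (a plaintext or weakly hashed forum database is enough) and generates the higher tiers by rule: base, base+word, base+number, base+number+word. The base password and the suffix word list are constructed for the example; real rule sets and word lists are far larger, which only strengthens the point.

```python
from itertools import islice

# Constructed inputs: a base password assumed to have been recovered from one site's
# leak, plus a small suffix word list standing in for the large lists crackers use.
LEAKED_BASE = "7whatever"
SUFFIX_WORDS = ["london", "manchester", "liverpool", "bank", "2013"]


def candidates(base: str, suffix_words=SUFFIX_WORDS, max_number: int = 999):
    """Yield derivations of `base` in roughly the order a rule-based cracker tries them:
    the base itself, base+word, base+number, then base+number+word.
    Assumption: the attacker already knows `base`; without it none of this applies."""
    yield base
    for word in suffix_words:
        yield base + word
    for n in range(max_number + 1):
        yield f"{base}{n}"
    for n in range(max_number + 1):
        for word in suffix_words:
            yield f"{base}{n}{word}"


def guesses_until(target: str, base: str = LEAKED_BASE, limit: int = 100_000):
    """1-based number of guesses needed to reach `target`, or None if the rule set
    does not produce it within `limit` candidates."""
    for i, cand in enumerate(islice(candidates(base), limit), start=1):
        if cand == target:
            return i
    return None


if __name__ == "__main__":
    for pw in ["7whatever", "7whatever500", "7whatever500manchester", "BananaBurgerZebraShoes"]:
        print(f"{pw:<25} {guesses_until(pw)}")
```

With the base known, the mid-tier password is the 507th guess and the top-tier one the 3,508th, a fraction of a second at any guess rate; the same 22-character string guessed blind would be astronomically out of reach. Suffix tiers buy nothing once the base is known, which is why the advice earlier in the thread to use a different password for each important site matters more than the extra characters.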
  • jsmith99 (Forum Member, Posts: 20,382)
    flagpole wrote: »
    ............it is also worth remembering that BananaBurgerZebraShoes is much harder to brute force than $M_2%zT# and much easier to remember.

    Not necessarily. I have no idea how many common four/five/six letter words there are, but say it's 10,000. Then using three four-letter (or 5 or 6) words there are 10000 ^ 3 possible passwords - one trillion, or 10^12

    A lot, but 1/1000th as many as 75 ^ 8 varieties of upper case, lower case and other characters (10^15).

    On a similar basis, using the initial letters of the first line of a song sounds good, but how many actual possibilities are there : 100,000, 1 million - not a lot in this context.

    Err...feel free to check the maths - I find it easy to be out by a factor of 10 in these cases!
  • Maxatoria (Forum Member, Posts: 17,980)
    The thing to remember is there is no 'word' in a password; it's a string of characters, so in theory BananaBurgerZebraShoes will take as much effort as any other password of the same length, as there is no way to know what's being used to generate the password hash. Obviously taking a few guesses, such as removing numbers/special chars, will reduce the size of the keyspace, but it's a risk: you could have replaced the o in shoes with a zero, and thus they will waste all their processing time on that effort and then have to go into more brutal decrypting.
  • call100 (Forum Member, Posts: 7,278)
    As most passwords are stolen from sites rather than just being hacked, being paranoid about the whole thing and going over the top is a waste of stress!!!;)
  • flagpole (Forum Member, Posts: 44,641)
    jsmith99 wrote: »
    Not necessarily. I have no idea how many common four/five/six letter words there are, but say it's 10,000. Then using three four-letter (or 5 or 6) words there are 10000 ^ 3 possible passwords - one trillion, or 10^12

    A lot, but 1/1000th as many as 75 ^ 8 varieties of upper case, lower case and other characters (10^15).

    On a similar basis, using the initial letters of the first line of a song sounds good, but how many actual possibilities are there : 100,000, 1 million - not a lot in this context.

    Err...feel free to check the maths - I find it easy to be out by a factor of 10 in these cases!

    I did check the maths. Before I posted. The OED says there are 170,000 words. That is not including derivations, things with ing ed ion ly on the end. So I used an estimate of 100,000.

    There is also of course no way to know how a password was generated when you are trying to crack it.
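An added example (editor's code, not from any poster) that puts the arithmetic in flagpole's and jsmith99's posts, and emptybox's lockout point from page one, into one script. Each row is the attacker's model of how the password was generated, which is all that "entropy" measures: BananaBurgerZebraShoes is about 66 bits if the attacker knows it is four words from a 100,000-word list and about 125 bits if all they know is 22 letters, while the one-word row shows what being on a password list does to the search, collapsing it to the length of the list. The two guess rates are the 10^14 guesses/second figure from the haystack page quoted at the top of the thread and the 3-tries-then-30-minute lockout from emptybox's post; the scenario labels and rates are assumptions chosen to match the thread.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(symbols: int, length: int) -> int:
    """Number of candidates if every position is drawn independently from `symbols` choices."""
    return symbols ** length


def bits(space: int) -> float:
    """Entropy in bits: the size of the search space on a log scale."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole space at a steady guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def online_guess_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Sustained guess rate against one account when the site locks it for
    `lockout_seconds` after `attempts_before_lockout` failures."""
    return attempts_before_lockout / lockout_seconds


OFFLINE_RATE = 1e14                           # "massive cracking array" figure quoted above
ONLINE_RATE = online_guess_rate(3, 30 * 60)   # 3 tries per 30 minutes = 52,560 per year

# (symbols, length): the attacker's model of how the password was built (assumed).
SCENARIOS = {
    "one dictionary word, 100,000-word list":                    (100_000, 1),
    "three words from a 10,000-word list (jsmith99)":            (10_000, 3),
    "$M_2%zT#: 8 random chars from 75":                          (75, 8),
    "$M_2%zT#7^d: 11 random chars from 75":                      (75, 11),
    "BananaBurgerZebraShoes: 4 words from 100,000":               (100_000, 4),
    "BananaBurgerZebraShoes: 22 letters, word structure unknown": (52, 22),
}


def compare(scenarios=SCENARIOS, offline=OFFLINE_RATE, online=ONLINE_RATE) -> dict:
    """Bits and time-to-exhaust for each scenario under both attack models."""
    out = {}
    for label, (symbols, length) in scenarios.items():
        space = keyspace(symbols, length)
        out[label] = {
            "bits": round(bits(space), 1),
            "years_offline": years_to_exhaust(space, offline),
            "years_online": years_to_exhaust(space, online),
        }
    return out


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:<60} {r['bits']:>6} bits  offline {r['years_offline']:>10.3g} y"
              f"  online {r['years_online']:>10.3g} y")
```

Two things fall out of the table. Offline, four words from 100,000 (10^20) last about twelve days at 10^14 guesses/second, so flagpole's "meaningless" remark about very large numbers holds only for the blind model, where the same string is 125 bits and unreachable. Online, even a single dictionary word takes about two years to exhaust at 52,560 guesses a year, which is emptybox's point; the lockout is what makes the online case benign, and the offline case is where the database has already been stolen, so the lockout never applies.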
  • flagpole (Forum Member, Posts: 44,641)
    call100 wrote: »
    As most passwords are stolen from sites rather than just being hacked, being paranoid about the whole thing and going over the top is a waste of stress!!!;)

    I think wading in to a two page thread assuming that you can correct everyone without reading any of the posts is a little naïve.

    Particularly when you are wrong and the information you need is already in the thread.
  • chenks (Forum Member, Posts: 13,231)
    flagpole wrote: »
    I think wading in to a two page thread assuming that you can correct everyone without reading any of the posts is a little naïve.

    Particularly when you are wrong and the information you need is already in the thread.

    he/she has a point though.
    these days any password breach has usually come from a site being compromised and the hacker gaining access to the user database rather than your actual password being guessed/cracked.