Slashdot: News for Nerds

How Many Seconds Would It Take To Crack Your Password?

samzenpus posted more than 2 years ago | from the guessing-game dept.

Encryption 454

DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
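An added example, not GRC's own code: a haystack-style calculator that reproduces the search-space method the summary describes. It assumes the calculator's alphabet is the sum of the character classes present in the password (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space), counts every string over that alphabet up to the password's length, and divides by the three guess rates quoted in this thread (one thousand, one hundred billion and one hundred trillion per second); with those assumptions it reproduces the 0.0000224-second figure for six lowercase alphanumerics and the other times commenters report below.

```python
"""Haystack-style brute-force search-space estimate (added example, not GRC's code).

Every character class present in the password contributes its whole class to
the alphabet, and the search space counts every string of that alphabet from
length 1 up to the password's length.  Class sizes and guess rates are
assumptions inferred from the figures quoted in this thread.
"""
import string
from typing import Dict

# (member characters, size credited to the alphabet) per class -- assumed values
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),  # 32 ASCII punctuation + space
}

# Guesses per second for the three scenarios quoted in the thread
SCENARIOS = {
    "online": 1e3,          # throttled online login attempts
    "offline_fast": 1e11,   # attacker holds the hash, single fast machine
    "massive_array": 1e14,  # "Massive Cracking Array Scenario"
}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum the class sizes of every class that occurs at least once."""
    size = 0
    for members, weight in CLASSES.values():
        if any(c in members for c in password):
            size += weight
    return size


def search_space(password: str) -> int:
    """Count all strings over the inferred alphabet of length 1 .. len(password).

    Geometric series sum_{k=1..L} n^k, kept in exact integers so that a
    40-character passphrase (about 1e70 candidates) is not rounded away.
    """
    n = alphabet_size(password)
    length = len(password)
    if n == 0 or length == 0:
        return 0
    return n * (n ** length - 1) // (n - 1)


def crack_times(password: str) -> Dict[str, float]:
    """Worst-case seconds to exhaust the whole search space per scenario."""
    space = search_space(password)
    return {name: space / rate for name, rate in SCENARIOS.items()}


def as_centuries(seconds: float) -> float:
    """Convert a duration in seconds to centuries, the unit the calculator reports."""
    return seconds / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # Sample inputs constructed from strings quoted in the thread
    for pw in ["abc123", "SS#", "my SS#", "purple grass grows on my bedroom ceiling"]:
        t = crack_times(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)} space={search_space(pw):.3e} "
              f"massive array={t['massive_array']:.3g} s "
              f"({as_centuries(t['massive_array']):.3g} centuries)")
```

The model counts characters only, so it says nothing about dictionary or wordlist attacks; several replies below make that point.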


454 comments

Huh. (5, Funny)

Anonymous Coward | more than 2 years ago | (#40255299)

I wonder if he's caching every string entered into a dictionary file...

Re:Huh. (1)

Anonymous Coward | more than 2 years ago | (#40255495)

Steve Gibson is legit, but I still wouldn't type in my Capital One password or my NSA password.

Re:Huh. (0)

Anonymous Coward | more than 2 years ago | (#40255659)

I'm wondering why he would bother wasting his time using my anonymous nickname accounts on websites like /. and other tech '2.0' magazines. It's not as if he can't create his own account or do anything useful for himself by deleting/blocking/screwing my nickname usage... I could create a new one easily?

I'm not stupid enough to provide him with my more important account passwords or giving him a clue what they could be, based on the passwords I provided.

It feels good knowing I created passwords that would take trillions of years to crack. It's sad that he can't fathom how long it takes for reliable quantum computers to be developed that can crack it in units of Planck time. I guess the joke's really on him if he wanted to feel good by outsmarting others.

Re:Huh. (4, Insightful)

jonadab (583620) | more than 2 years ago | (#40255747)

You don't ask about your actual password. You check one that's similarly complex.

However, I noticed that he's not *checking* a dictionary file when evaluating password strength. The actual strength of a password like "spastic-elongated-kremlinitude" is pretty good, but his checker's figure of four hundred thousand trillion trillion centuries to crack with a high-end cluster is optimistic beyond the bounds of all reason. That would be naively building it up character by character, and *nobody* does naive character-by-character brute forcing for passwords that long. That's like building a skyscraper without power tools.

Ha! (5, Funny)

2.7182 (819680) | more than 2 years ago | (#40255303)

That's silly. I just use my SS#. That has a LOT of digits. Who is going to guess that?

Re:Ha! (5, Funny)

agentgonzo (1026204) | more than 2 years ago | (#40255335)

"SS#" is a rubbish password with just three characters. It takes only 0.00000209 seconds to crack it according to the tool.

Re:Ha! (1)

agentgonzo (1026204) | more than 2 years ago | (#40255341)

Similarly "my SS#" takes only 3.82 seconds.

Re:Ha! (4, Funny)

TeknoHog (164938) | more than 2 years ago | (#40255463)

"my SS#" my #ss.

Re:Ha! (5, Funny)

ciderbrew (1860166) | more than 2 years ago | (#40255565)

You had your #ss cracked ages ago...

really no need for that :)

Re:Ha! (5, Funny)

rolfwind (528248) | more than 2 years ago | (#40255593)

Really? Mine takes much longer than that. You should post it. Don't worry, it will appear as ***-**-*** on our screens just like mine did on yours just now. I just want to copy and paste it in the Steve Gibson's Interactive Brute Force Password Search Space Calculator to verify what you said.

Re:Ha! (1, Funny)

flyingfsck (986395) | more than 2 years ago | (#40255361)

The USA/Canada SS is a bit short, but using a credit card number as a password would be much better. It is pre-printed on a sturdy piece of plastic, always handy in your wallet and you can easily get a new one by telling your bank that some dodgy web shop got compromised...

Re:Ha! (5, Informative)

zill (1690130) | more than 2 years ago | (#40255809)

Haven't had my first coffee yet, so my sarcasm detector isn't working. In case you're serious:
Visa always starts with 4; MasterCard always starts with 5.
If the attacker knows who you bank with, then they have the issuer number (4-6 digits).
You lose one digit due to the checksum.

For example, suppose the attacker knows you have a Visa from Chase, then they only have to guess 7 digits. That's weaker than a 3 character alphanumeric password.

Re:Ha! (1)

lipanitech (2620815) | more than 2 years ago | (#40255365)

the best one I have ever seen is the person's 10 digit phone number

Re:Ha! (3, Interesting)

2.7182 (819680) | more than 2 years ago | (#40255555)

Actually, I do find it handy to hash (in my head) a childhood friend's phone number with some other easy to remember information. Anyone see any problem with this?

obligatory xkcd.... (-1)

Anonymous Coward | more than 2 years ago | (#40255307)

https://xkcd.com/936/

Re:obligatory xkcd.... (2)

trnk (1887028) | more than 2 years ago | (#40255325)

I'll see your xkcd 538 (4, Informative)

Bananatree3 (872975) | more than 2 years ago | (#40255373)

And raise you a xkcd 792 [xkcd.com]

I think this one says it all (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#40255551)

http://xkcd.com/7/ [xkcd.com]

Re:obligatory xkcd.... (2)

Antarius (542615) | more than 2 years ago | (#40255461)

And moving from the "traditionally strong" password to employing XKCD's suggestions, I go from 2.29 Minutes on the "Massive Cracking Array Scenario" to 1.07 million trillion trillion trillion centuries.

I just have to hope that nobody comes around with a $5 wrench...

Re:obligatory xkcd.... (0)

Anonymous Coward | more than 2 years ago | (#40255541)

Assuming of course that they use completely dumb brute force and not a dictionary....

Re:obligatory xkcd.... (4, Insightful)

Skarecrow77 (1714214) | more than 2 years ago | (#40255815)

let's say you know 100% for sure that somebody is using xkcd's method.

there are 15,222 words in the English language according to the Oxford English Dictionary. how many are common 5, 6, and 7 letter words? hard to say for sure. I think 3000 or 4000 would be a good conservative guess, what do you think? let's say 3000 to err on the side of caution.

how many combinations of common 5,6, and 7 letter words does that give us to build a password based on xkcd's suggestion?
3000^4
that's 8.1 x 10^13 discrete combinations, counting the ability to reuse the same word.

I'm assuming you didn't build a plaintext dictionary with all those possible combinations... at 1 byte per letter, and an average of 6 bytes per component word, that's 4.86 x 10^14 bytes, or a 442 terabyte dictionary file. where the hell are you storing that?

no, i'm assuming you probably built a program specifically to build combinations of component words and brute force using that. sure that will eventually work, after it goes through its 8.1 x 10^13 iterations (worst case)... but hell, why are you trying to crack that hard a password when there are thousands of people out there whose password is just "Password1"? the club doesn't make your car theftproof, it just makes it less inviting to the thief than the car next to it. you don't need to outrun the lion, you just need to outrun the slowest person in your group.

and this is all assuming:
1. you somehow -know- which password generation method the person is using
2. they didn't do what I do with that method, and throw a few uppercase and numbers in there anyway.

Re:obligatory xkcd.... (1)

Alain Williams (2972) | more than 2 years ago | (#40255533)

https://xkcd.com/936/

I took the advice from XKCD and I now use nonsense pass-phrases, eg ''purple grass grows on my bedroom ceiling''. It is not too hard to remember, does not contain special characters (other than spaces) since they are hard to remember. grc.com says that that pass-phrase has a search space of 6.94 x 10^70 and that the Massive Cracking Array Scenario (one hundred trillion guesses per second) would take 2.21 hundred billion trillion trillion trillion centuries -- that is good enough for me.

Re:obligatory xkcd.... (1)

amnezick (1253408) | more than 2 years ago | (#40255661)

really? your password is a 5 dimensional word structure. except it has an "alphabet" of ~100k elements. A KMP search over that would be hilariously fast on a special-built GPU array. Replace spaces with something else from the "punctuation alphabet" and you may have a winner

Re:obligatory xkcd.... (0)

Anonymous Coward | more than 2 years ago | (#40255811)

Try ASCII art:
@-'-,-- A rose for you
or :( Ponies make me happy :D

My attempt for a secure password
aA4$eE3#iI1!oO0)uUü

Sadly most sites don't take my best passwords.

Re:obligatory xkcd.... (1)

Sarten-X (1102295) | more than 2 years ago | (#40255837)

But there's realistically no way to know that from an attacker's perspective. The password could be words, or it could be a string of random letters. If the system allows symbols, symbols will need to be included in the search space.

This tool calculates the brute-force time on a character basis. It says that dictionary attacks still work and should be mitigated by policy and practice.

Re:obligatory xkcd.... (0)

Anonymous Coward | more than 2 years ago | (#40255703)

does not contain special characters (other than spaces) since they are hard to remember

special characters can be quite easy to remember. pick a number that is easy for you to remember and use that in your pass phrase. simply hold shift while typing that number and presto, you have symbols in your pass phrase.

Re:obligatory xkcd.... (1)

Anonymous Coward | more than 2 years ago | (#40255841)

I am /supposed/ to hold the shift key while typing numbers on my french keyboard you insensitive clod !

Almost Unlimited? (1)

cryptizard (2629853) | more than 2 years ago | (#40255311)

What kind of qualifier is that? If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism. They are obviously making some concrete assumption about computing resources (which the article does not specify, as far as I can tell).

Re:Almost Unlimited? (0)

Anonymous Coward | more than 2 years ago | (#40255353)

If you click thru to the GRC password tool, it does actually qualify things as "assuming one hundred trillion guesses per second"

Re:Almost Unlimited? (5, Funny)

TwentyCharsIsNotEnou (1255582) | more than 2 years ago | (#40255399)

If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism.

Well, almost any password.

Re:Almost Unlimited? (1)

froggymana (1896008) | more than 2 years ago | (#40255509)

What kind of qualifier is that? If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism. They are obviously making some concrete assumption about computing resources (which the article does not specify, as far as I can tell).

They also make the assumption that you will not be the unlucky soul to have your password cracked on the first try.

Link (3, Informative)

Anonymous Coward | more than 2 years ago | (#40255319)

https://www.grc.com/haystack.htm

Re:Link (0)

Anonymous Coward | more than 2 years ago | (#40255645)

According to that site, the password "aaaaaaaaaaaaaaaaaaaa" is very secure. It is also easy to remember. I think I'll use that one in the future. ;-)

cookies.. (1)

burne (686114) | more than 2 years ago | (#40255321)

Whenever somebody mentions GRC I get a craving for cookies. Syncookies, to be precise..

Poor security (0)

Anonymous Coward | more than 2 years ago | (#40255329)

What system would allow someone to make thousands of attempts per second to login?

Re:Poor security (1)

Captain Hook (923766) | more than 2 years ago | (#40255423)

That's where someone has already got a copy of the password protected item locally, for example, they have a password protected zip file which they can attempt to open repeatedly as fast as their own hardware can run.

Re:Poor security (0)

Anonymous Coward | more than 2 years ago | (#40255443)

It means offline attacks against hashes I think.

Re:Poor security (0)

Anonymous Coward | more than 2 years ago | (#40255475)

Same AC again here. He is actually talking about 1000 attempts per second for an online attack. I am a moron, apparently so is the person who wrote the article. Statement revoked.

Re:Poor security (5, Insightful)

arth1 (260657) | more than 2 years ago | (#40255465)

What system would allow someone to make thousands of attempts per second to login?

That's not the problem. The problem is that the lists of user logins and corresponding hashed passwords get in the wrong hands, whether it be due to bad design and/or coding, insecure software, or unfaithful servants. When you have that list, you run brute force against it to get the actual passwords.

Breaking into servers is much more attractive than breaking individual user accounts, simply because the yield is so much higher. Make a good trojan delivered through good social engineering, and you may catch 1% of the users. Breach the server, and you get the account info of all of them, and by running a crack session, you likely have 20-50% of the passwords within hours. Choose a very hard to crack password, and they may never get it even if they have the hash.

This happens a lot more than what we think. A server breach doesn't have to leave traces that anyone actually sees. We mostly know about the cases where the culprits brag about it or publish lists, which is unlikely to be more than the tip of the iceberg.
Companies are going to insist that their data is safe until proven otherwise, but you're stupid if you believe them.

Sony, Steam, LinkedIn, eHarmony - there are hundreds of server breaches with stolen user/hash lists that we know about. And likely an enormous amount we don't know about.

Re:Poor security (1)

sticks_us (150624) | more than 2 years ago | (#40255831)

Nice post. Too bad I used my last mod points yesterday.

The most ridiculously strong password is 100% worthless if your online data (via the server itself) is compromised, which happens way more than we'll ever know about.

Even more creepy are the perfectly legal and "legit" uses of your data (make sure you read everything in the EULA I guess) that are knowingly and willingly handed off to various third parties.

Websites (4, Interesting)

SJHillman (1966756) | more than 2 years ago | (#40255331)

There are still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered.... of course, the field would accept more and they wouldn't tell you this so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.

Re:Websites (5, Funny)

Gideon Wells (1412675) | more than 2 years ago | (#40255415)

My one bank does that. It irks me to no end. Kind of like an unmatched (.

Re:Websites (5, Funny)

SJHillman (1966756) | more than 2 years ago | (#40255439)

)

You're gonna break stuff if you keep leaving unmatched (

Re:Websites (5, Funny)

Anonymous Coward | more than 2 years ago | (#40255469)

)

Fucker.

Re:Websites (0, Redundant)

deego (587575) | more than 2 years ago | (#40255547)

LOL. He left a dangling (, didn't he?

Re:Websites (5, Funny)

kahless62003 (1372913) | more than 2 years ago | (#40255607)

c-c-c-combo breaker!)

Re:Websites (1)

kidgenius (704962) | more than 2 years ago | (#40255629)

) he did.

Re:Websites (0)

Anonymous Coward | more than 2 years ago | (#40255691)

Oh shit...

Re:Websites (1)

flyingfsck (986395) | more than 2 years ago | (#40255711)

/*==> Better now?

Re:Websites (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40255429)

Of course web sites don't show the encrypted password and the rule in TFS doesn't apply, as it takes millions of times more to try a password from a remote web site. Not mentioning the rules the site may implement that prevent more than 3 trials.

Re:Websites (0)

Anonymous Coward | more than 2 years ago | (#40255761)

Hashes get leaked often.

Re:Websites (1)

Anonymous Coward | more than 2 years ago | (#40255511)

My favorite are the websites that allow you to enter 16 character passwords ......but only the first 8 count.......

and no one let you know....

Re:Websites (5, Informative)

Sinister Stairs (25573) | more than 2 years ago | (#40255517)

I was going to post the same thing. It's not uncommon to have sites that also limit your password to letters & numbers only.

(As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)

Re:Websites (2)

arth1 (260657) | more than 2 years ago | (#40255653)

(As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)

No, I think the most heinous ones are those who require you to answer "security questions" that you can't choose yourself.
It's not very hard to find out your mother's maiden name or what high school you went to.

The only sane choice is to make up answers, but it's harder to remember lies than truth, and a lot of sites commit this atrocity, so you may end up having to write a list of all the questions and answers.

Never mind that these types of questions tend to exclude or alienate a lot of people due to cultural ignorance - not all mothers have maiden names (or were married, for that matter!), and not all school systems have all students go to high schools.
Guess which country's web sites are worst at displaying biased ignorance like this? No prizes for getting the answer right...

Re:Websites (1)

jonadab (583620) | more than 2 years ago | (#40255801)

> (As an aside, the most heinous are the websites where
> you Forgot your password? and they email it right back
> to you in plaintext.)

They can only do that if you give them your real email address. To be safe, I always give them a Mailinator address. That way my real email address isn't compromised and nobody can email me junk password reminders and advertisements and whatnot.

This obvious is once again ignored... (3, Interesting)

tgatliff (311583) | more than 2 years ago | (#40255337)

Anytime I read articles like this, I just assume someone is trying to see something...

The best way to limit an attack like this is to limit how fast the attempts can be made. Rerun his "test" when the server only allows one password submit every 10 seconds and see how long it takes. More secure you say?? Well, after 5 bad attempts, lock the account for 30 minutes?? Please, however, never lock the account entirely like SOME companies do. That makes a script kiddie's actions my problem...

Good passwords can never stop common sense computing procedures...

Re:This obvious is once again ignored... (1)

SJHillman (1966756) | more than 2 years ago | (#40255381)

I used to belong to a credit union that was great... except for their web interface. It would lock me out completely after three failed attempts and I'd have to drive to their closest branch (40 minutes away) and wait in line for someone (not a teller) to unlock it. Horrible system. It got worse when I tried adding them to Mint.com, which caused it to lock me out for no discernible reason.

Re:This obvious is once again ignored... (1)

darjen (879890) | more than 2 years ago | (#40255675)

This is the reason I don't use my credit union as my primary account. As much as I like supporting the smaller local financiers, their web interface is not up to snuff. And I cannot add them to Mint because they use a two-tier authentication system where you have to type an additional password displayed on the screen (not even a captcha, just a number displayed as text). It is important to me to have the ability of keeping track of my finances via Mint.com. I put everything on my debit card so I can track my spending and see where it all goes.

Re:This obvious is once again ignored... (0)

Anonymous Coward | more than 2 years ago | (#40255473)

And once again: this won't help if an attacker gets a copy of the file containing password hashes.

Re:This obvious is once again ignored... (0)

Anonymous Coward | more than 2 years ago | (#40255521)

No!
The point isn't that someone will sit there trying passwords, the point is that someone might steal the encrypted passwords and try to work out on their own system what your password was. They are not going to lock themselves out after 3 tries :)

Re:This obvious is once again ignored... (5, Insightful)

zill (1690130) | more than 2 years ago | (#40255535)

All that is useless when the server gets compromised and the username/hashed password list gets sold to the highest bidder.

Re:This obvious is once again ignored... (1)

jamesh (87723) | more than 2 years ago | (#40255543)

Hell yes. The summary is so stupid I'm not going to even bother reading the article. It might make sense to say password X takes 42 times longer to crack than password Y, but to put a real time against the cracking attempt only makes sense if the cracker has access to the hash of your password, in which case you have already lost.

That said, account lockouts and login delays only make sense for a targeted attack. For a widespread brute force attack it doesn't matter - you can saturate your pipeline and still only hit a given host rarely (assuming I'm correct in thinking that making a single login attempt on a million hosts gives the same statistical result as making millions of login attempts on one host)

Has anyone actually doublechecked his security? (4, Funny)

Bananatree3 (872975) | more than 2 years ago | (#40255339)

Not to be suspicious, but "doublecheck your password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....

Re:Has anyone actually doublechecked his security? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40255405)

That's why you enter something lexically similar to it and not the actual password.
If your /. password is 3 mid-length words and the number 54 added to it, you type in that many letters and the number 11.

Got "trillion trillions centuries" here :)
Which really means "lasts until some idiot stores it as plain text."

Re:Has anyone actually doublechecked his security? (1)

Bananatree3 (872975) | more than 2 years ago | (#40255433)

Excellent suggestion!

Re:Has anyone actually doublechecked his security? (1)

jamesh (87723) | more than 2 years ago | (#40255577)

Not to be suspicious, but "doublecheck your password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....

I've always wondered... do those facebook/google/linkedin/twitter links on the page allow them to determine your facebook account name if you are logged in?

Re:Has anyone actually doublechecked his security? (0)

Anonymous Coward | more than 2 years ago | (#40255655)

Please,

The thought of Steve using his powers for evil is fucking terrifying.

Binary... (1)

edgrale (216858) | more than 2 years ago | (#40255343)

I use binary for passwords, thus my password is 168 characters long, only down side is it only has 10 digits!

0111100101101111011101010010000001101
text in the middle
0010110111001110011011001010110111001
text in the middle
1100110 11010010111010001101001011101
text in the middle
100110010100100000011000110110110001
text in the middle
1011110110010000100001

More text because /. filter throws an error, I wonder how much more text I have to type?
"Filter error: That's an awful long string of letters there."
"Filter error: That's an awful long string of letters there."

See you at the end of time (3, Insightful)

equex (747231) | more than 2 years ago | (#40255347)

My password would take 8.52 hundred thousand centuries to crack in a Massive Cracking Array Scenario. Not bad. Add the fact that every password I have is different, I should be safe. An uppercase character added would take 1.41 hundred million centuries. Maybe it's time I put in an uppercase too :)

Re:See you at the end of time (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40255453)

Fortunately, nobody cares about your password :-)

Re:See you at the end of time (0)

Anonymous Coward | more than 2 years ago | (#40255455)

Unless the "tool" recorded your password and sent it elsewhere via AJAX.

Re:See you at the end of time (0)

Anonymous Coward | more than 2 years ago | (#40255623)

Interestingly my "normal" base password that I use with different things added for different sites takes 1.74 centuries for the massive cracking array scenario.

However my password for slashdot - which was randomly generated for me by KeePass and which I don't know at all (I just have KeePass do the autotype thing and it puts it in for me) takes "11.52 thousand trillion centuries" for the massive cracking array scenario according to the site.

Password input is too simple (0)

Anonymous Coward | more than 2 years ago | (#40255349)

Password input should be more dynamic and involve the backspace key and pause lengths. Instead of static, plain text inputs, the fields should be more like character recording devices.

Your initial input might be: pa$$word
Then a delete series: pa$$
Then a minimum of three second pause.
Then more typing: pa$$DonGEATER

The series of keystrokes, backspaces, and pauses is recorded and then compared with your password recording.

Re:Password input is too simple (2)

arth1 (260657) | more than 2 years ago | (#40255563)

You forget that if a procedure is too cumbersome for the users, it won't be used.

Same with a procedure that deviates so much from standard practice that what the users already know is wrong.

Your suggestion fails on both counts.

Character X is not allowed! (2, Informative)

Anonymous Coward | more than 2 years ago | (#40255359)

Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.


There's time, then there's real-world time (1)

necro81 (917438) | more than 2 years ago | (#40255411)

Sure, if you have some unknown password, and your brute strength computer can get a yes/no answer to each guess just as quickly as the guesses can be generated, then most passwords are shockingly insecure and can be cracked in fractions of a second. However, in many real-world situations, each guess has some minimum time or cost associated with it, which severely limits the real-world speed of a brute strength attack. For instance, if you are trying to guess the password to a WiFi network, each attempted connection takes several milliseconds at least, and multiple guesses can't happen simultaneously. What is more, there are also a large number of password-protected scenarios where too many failed attempts, or attempts that come in too-quick succession, result in being locked out.

So, yeah, a 6-character password may be crackable in 0.0000224 seconds - in an ideal, offline case backed by serious computing power. That might be the case of, say, the NSA trying to decrypt a copy of your hard-drive. In many real-world cases, these numbers are pretty meaningless except as relative measures of strength. But there have been good analytical tools for that since the days of Claude Shannon.

Interactive password tester? (4, Insightful)

pev (2186) | more than 2 years ago | (#40255427)

What a great way to generate a new wordlist...

Re:Interactive password tester? (0)

Anonymous Coward | more than 2 years ago | (#40255583)

Thanks, I'm glad you like it. Use it often and tell all your friends.

Time To Crack (0)

Anonymous Coward | more than 2 years ago | (#40255435)

Six character password time to crack with a keylogger:
0.00000000000000001 seconds
Alpha numeric passphrase with symbols time to crack with a keylogger:
0.00000000000000001 seconds

Why bother waiting 3 weeks for a brute force attack? Passwords just are not that secure.

MS Office CD Key (5, Interesting)

Anonymous Coward | more than 2 years ago | (#40255445)

I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.

clickity clickity clickity clickity...

I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"

Must have been the only time I've seen an MS CD-Key actually being wanted.

Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:

Online Attack Scenario:
(Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries

Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as you obfuscate it!

Worst-case scenario? (0)

Anonymous Coward | more than 2 years ago | (#40255447)

Worst-case scenario with almost unlimited computing power
 
And with a lever big enough I could move the world.
 
That aside, I can hardly think of a system I use (websites included) that doesn't either lock an account after so many attempts or at least put a time delay on further tries. Brute force attempts just don't cut it with some simple common-sense security steps taken.

Seems more like a study about user stupidity to me (1)

Lazy Jones (8403) | more than 2 years ago | (#40255479)

Soon we will see an article about how many hard passwords in recently leaked databases were "cracked" using this little test because users were gullible enough to test their real passwords...

Re:Seems more like a study about user stupidity to (1)

Cro Magnon (467622) | more than 2 years ago | (#40255637)

Oops! *hurries to change password*

My Password is Super Effective (2)

VorpalRodent (964940) | more than 2 years ago | (#40255481)

I checked my password, and found that it will take 25.76 million trillion centuries. Hooray - no one that's never read XKCD will ever guess my password.

Obligatory: http://xkcd.com/936/ [xkcd.com]

keepass (0)

Anonymous Coward | more than 2 years ago | (#40255491)

Use keepass with the default settings of 25 characters, digits and symbols. It should be safe for a while. I'm syncing it to my android phone too.

What about bank PINs? (0)

Anonymous Coward | more than 2 years ago | (#40255539)

Considering my bank's PIN is 4 digits, and it hasn't been cracked yet, something must be working...

Retina display, Mac user: Why they go together (-1)

Anonymous Coward | more than 2 years ago | (#40255545)

Every idiot seems abuzz about the possibility of a new MacBook Pro, likely to be announced next week at Apple's Worldwide Developers Conference (WWDC).

Many fart that the world as we know it may end it if the new MacBooks don't have a Retina display. Cripers.

Fucking Time magazine ran the headline, "What If Apple's New MacBook Pros Don't Have Retina Displays?", implying that it would be a disaster and could be a gigantic letdown. Puh-leeze.

The lame-brain reason for the super-high resolution screen is so you can get some detail on a 3.5-inch cell phone screen or on a smaller display in a camera's viewfinder. Ever since the introduction of the so-called Retina display, all we hear about is Retina this and Retina that.

I put my AMOLED Android screen next to Apple's Retina display all the time and my display looks better. Nobody denies it. So what's the fuss and why does everyone now want this Retina display on a larger format?

I sure as hell don't. For one thing, it would be a disaster for performance. Those extra pixels have to be addressed, you know, and since you do not want text that appears to be one pica high, a lot of effort would go into the scaling of everything. In a side-by-side comparison at a three-foot distance, it is doubtful that the Retina display on a 15-inch screen would look much different than 1920x1080.

The late-great Panasonic once shouted from the rooftop that at any normal viewing distance from a flat panel TV, nobody could tell the difference between 720p and 1080p unless the display was bigger than 50-inches. I'm certain, though, that all the iPhone mavens would want a Retina display TV because I hear a loud buzz demanding 4K TVs. These are sets that would typically be anywhere from 4096x1714 to 3996x2160 to 4096x3112. Really? You want that? "Yeah, man!"

Yeah, I suppose if you are right on top of the set, you'd notice. Of course, no broadcaster is going to invest in such gear for decades; they all hated upgrading to HD. And who's got the bandwidth for mass distribution of this sort of signal? I suppose this is all beside the point.

Maybe a Nikon or Canon D-SLR will eventually be geared to shoot a 24-megapixel (say 8000x3000) movie at 60 frames per second and we can all "ooooh" and "ahhh" at the beautiful movie when someone shows it on a Retina display laptop at the office.

But you know, if you want genuine super-high resolution, you can go outside and look at nature, right? I wonder if anyone realizes that anymore. Does anyone go outdoors and see a tree and remark, "Wow, look at the resolution of that bark! How many pixels do you think this is?"

I think the invention of the Retina display has made the discussion ridiculous, just like Mac users are.

12345? (2)

jimbo-nally (655135) | more than 2 years ago | (#40255569)

President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.

Which password? (1)

Inda (580031) | more than 2 years ago | (#40255589)

The one for my email - trillions of years. Dumb sites emailing me my own private data means it needs to be secure.

Slashdot, football forums, BBC - minutes. I honestly don't give a shit about these sites.

Random websites that force you to sign up in order to download a crappy wav file - I'll just tell you, just to save you the hassle. username = no@example.com, password is nonononono.

My banking password? Minutes. Why? Because passwords are shite and obsolete. I use extra forms of authentication on banking websites.

Re:Which password? (2)

kiehlster (844523) | more than 2 years ago | (#40255697)

I and many of my friends send that junk to bob@aol.com. I don't know who he is, but he's got to have the largest database of generic passwords in the world.

always contain at least one one type of character (1)

jamesh (87723) | more than 2 years ago | (#40255625)

Q: So, from the answer above, that means that our passwords should always contain at least one of each type of character?

A: Yes, that's exactly what it means. Take, for example, the very weak password "news." If another lowercase character was added to it (for example to form "newsy"), the total password search space is increased by 26 times. But if, instead, an exclamation point was added, (making it "news!"), the total search space is increased by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.

Funny thing is, almost every example I've seen of how to increase the complexity of your password uses the example of putting an exclamation mark or a 1 on the end. Based on what I know about people, that's exactly what they'll do, which doesn't increase the search space by as much as the author thinks, and might even convince the user to use a shorter password with a ! on the end of it, which is worse.
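The quoted Q&A rests on the calculator's "search space" rule (every string up to the password's length, over the character classes actually present). The following is an added example, my own code rather than the thread's or GRC's, that reproduces the 26x and 1,530x figures; it assumes GRC's class sizes of 26 lower, 26 upper, 10 digits and 33 symbols, and the three guess rates quoted earlier in the thread.

```python
# Added example (not part of the thread or of Steve Gibson's calculator):
# reproduces the search-space arithmetic behind the "news" / "newsy" / "news!" Q&A.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # assumed GRC alphabet sizes

# The three scenarios quoted earlier in the thread (guesses per second).
SCENARIOS = {"online": 1e3, "offline fast": 1e11, "massive array": 1e14}


def alphabet_size(password: str) -> int:
    """Count only the character classes actually present, as the calculator does."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Exhaustive search: every string of length 1..len(password) over the alphabet.
    Shorter lengths are included, which is what 'eliminated all shorter searches' means."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given rate."""
    return search_space(password) / guesses_per_second


def growth_factor(base: str, extended: str) -> float:
    """How much larger the space gets when 'base' is extended to 'extended'."""
    return search_space(extended) / search_space(base)


if __name__ == "__main__":
    for pw in ("news", "newsy", "news!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):,}")
    print("newsy vs news:", round(growth_factor("news", "newsy")))   # 26
    print("news! vs news:", round(growth_factor("news", "news!")))   # 1530
    for name, rate in SCENARIOS.items():
        print(f"news! on {name}: {seconds_to_exhaust('news!', rate):.3g} s")
```

Note that the factor is a ratio of totals, so appending "!" to a short all-lowercase word helps only because the symbol class is assumed to be searched last; a cracker that tries "word plus one symbol" first, as the comment above points out, sees nothing like a 1,530x cost increase.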

Post-it (5, Funny)

jmccue (834797) | more than 2 years ago | (#40255647)

Well I entered in "Go to my office and look at the post-it on my terminal" and it said that will take "4.97 hundred billion trillion trillion trillion trillion trillion trillion centuries"

Only if the site doesn't lock you out. (1)

Str1der (524776) | more than 2 years ago | (#40255695)

This article is misleading. Most sites will lock you out after so many failed attempts.

"a" repeated 20 times. (1)

Clueless Moron (548336) | more than 2 years ago | (#40255737)

Trillions of centuries online, 65.90 thousand centuries with the Massive Cracking Array Scenario, and yet somehow I don't want to use it.

It's a terrible article. (5, Insightful)

jimicus (737525) | more than 2 years ago | (#40255745)

I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.

The author gets lots of things confused:

  - He seems unaware that a rainbow table is equally effective against a good password as a bad one.
  - He seems to think a dictionary attack comprises wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this [schneier.com] , and I'm far more inclined to believe Mr. Schneier.
  - He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
  - He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
  - He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
  - He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
  - He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD [xkcd.com] some time ago.
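The two LinkedIn points above (hash list leaked, hashes unsalted) are the ones that actually decide how long a password survives. As an added illustration, written for this page and not LinkedIn's or anyone else's code, the snippet below shows why one precomputed table answers an unsalted dump for every user at once, while per-user random salts force the same work to be redone per account. SHA-1 for the unsalted case and the candidate list are assumptions made here.

```python
# Added example (not from the thread): why an unsalted hash leak is "Bad News".
# SHA-1 for the unsalted store is an assumption; the thread only says "unsalted".
# The candidate list and the users are constructed for the demonstration.
import hashlib
import os

CANDIDATES = ["password", "123456", "letmein", "news!"]  # constructed guess list


def unsalted_hash(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Built once, reusable against every unsalted dump of the same hash function.
    (A rainbow table is a space-optimised form of exactly this lookup.)"""
    return {unsalted_hash(c): c for c in candidates}


def match_unsalted(dump: dict, table: dict) -> dict:
    """dump maps user -> hash. One dictionary lookup per user, no hashing at all,
    and identical passwords show up as identical hashes before any lookup."""
    return {user: table[h] for user, h in dump.items() if h in table}


def make_salted_dump(users: dict) -> dict:
    """users maps user -> password; stores user -> (random 16-byte salt, hash)."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(pw, salt))
    return out


def match_salted(dump: dict, candidates) -> dict:
    """Every candidate must be rehashed under every user's own salt, so the work
    is users x candidates and no table can be shared between users or dumps."""
    found = {}
    for user, (salt, h) in dump.items():
        for c in candidates:
            if salted_hash(c, salt) == h:
                found[user] = c
                break
    return found
```

Salting does not rescue a weak password (the loop above still finds "password"), but it removes the one-table-fits-all shortcut and, combined with a slow hash, makes the per-user cost the attacker's problem rather than the user's.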

I have tried... (1)

Lumpy (12016) | more than 2 years ago | (#40255771)

Rainbow tables and Brute force could not do it in a reasonable amount of time. But this was a couple of years ago on an old decommissioned server with only 8 Xeon processors. 1 week later and still nothing.

Obviously, it would be S T U P I D (1)

Anonymous Coward | more than 2 years ago | (#40255785)

Obviously, it would be S T U P I D to enter your password there.

According to the site

test would take 7.92 minutes to crack,

password would take 6.91 years,

abcd123 would take 2.56 years and

correct horse battery staple would take 12.41 trillion trillion trillion centuries.

Quite interesting.
