#1
https://passfault.appspot.com/passwo...ngth.html#menu
Pretty much shows how pointless bruteforcing is with even a mediocre password against a 180,000 dollar machine using dictionary attacks with word substitution etc. Pretty realistic.
Example: http://howsecureismypassword.net/
My weak "password10name" gives:
Quote:
whereas passfault gives: 1 day
Of course, even a simple password (my example from another topic: two random words and a friend's birthday): DogShake52591 would take a 180,000 dollar computer "1 decade, 8 years." Adding a "!" pushes that to "7591 centuries."
Just goes to show that you don't need a 20 character password to be safe. Simple 12 character passwords are plenty for the average user and if you're expecting government intervention simply moving to 16 characters makes your password essentially uncrackable.
#2
Wow, the Windows (XP?) password hashing system is *weak*.
(And using Blowfish makes the times go through the roof. Go figure.)
#3
No clue what the Windows one is. It's not really clear.
#4
Quote:
tried the same pass in both. the one on top said 1 day, the one below 16 billion years?
__________________
Xubuntu || NoScript || Image for Linux + BootIt Bare Metal
#5
Yeah. howsecureismypassword.net just checks length and then gives tips based on things it notices like words.
passfault tries to determine whether dictionary bruteforcing will work, which'll speed things up a ton.
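Added example (not part of the thread, and not either site's code): a sketch of why a length-only meter and a pattern-aware meter can disagree so widely on the same password, as described in post #5. The guess rate, wordlist size and the tiny stand-in wordlist are constructed assumptions, so the times it prints will not match either site's figures.

```python
import re

# All three values below are constructed assumptions for this sketch.
GUESSES_PER_SEC = 1e10   # assumed attacker speed
WORDLIST_SIZE = 100_000  # assumed size of the attacker's dictionary
SAMPLE_WORDS = {"password", "name", "dog", "shake"}  # stand-in wordlist

# Split into capitalised/lowercase words, uppercase runs, digit runs, the rest.
TOKEN_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+|[0-9]+|[^A-Za-z0-9]+")

def charset_size(text):
    """Alphabet size a blind brute force has to cover for this text."""
    size = 0
    if re.search(r"[a-z]", text):
        size += 26
    if re.search(r"[A-Z]", text):
        size += 26
    if re.search(r"[0-9]", text):
        size += 10
    if re.search(r"[^A-Za-z0-9]", text):
        size += 33  # printable ASCII punctuation plus space
    return size

def naive_keyspace(pw):
    """Length-only model: every character is an independent random pick."""
    return charset_size(pw) ** len(pw)

def pattern_keyspace(pw):
    """Pattern model: dictionary words and digit runs are guessed as units."""
    total = 1
    for token in TOKEN_RE.findall(pw):
        if token.isascii() and token.isdigit():
            total *= 10 ** len(token)
        elif token.lower() in SAMPLE_WORDS:
            # One guess per dictionary entry, doubled for a capitalised variant.
            total *= WORDLIST_SIZE * (1 if token.islower() else 2)
        else:
            total *= charset_size(token) ** len(token)  # unknown: brute force
    return total

def average_seconds(keyspace):
    """Expected time to hit the password: half the keyspace on average."""
    return keyspace / 2 / GUESSES_PER_SEC

if __name__ == "__main__":
    for pw in ("password10name", "DogShake52591", "DogShake52591!"):
        print(f"{pw:16} naive={average_seconds(naive_keyspace(pw)):.3g}s "
              f"pattern={average_seconds(pattern_keyspace(pw)):.3g}s")
```

Under these assumptions "password10name" drops from a 36^14 keyspace to 10^12 once the two words and the digit pair are guessed as units, which is the kind of gap the thread observes between the two sites.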
#6
well, there's a bit of a difference between 1 day and 16 billion years. just saying.
i also noticed that it (passfault) checks for vertical, horizontal and diagonal patterns.
#7
Thanks for sharing, HM. This is a great alternative to Password Meter: http://www.passwordmeter.com/
Brian
Last edited by Brian_12 : May 28th, 2012 at 09:18 PM.
#8
Minimum password length redux by Ken Harthun
Quote:
#9
These are always interesting but I would be hesitant to enter a password that I was actually considering using. Who knows whether or not these get logged and added to a database that someone may use to try to crack passwords with.
#10
I like the idea better of a downloaded random password generator and a separate downloaded password strength meter that is firewall blocked.
#11
Quote:
Being a little paranoid?
#12
Quote:
that thought crossed my mind. i entered a password very similar to my Master password. no way i'm gonna enter my real passwords into one of these things.
#13
Quote:
#14
That was interesting. I tried one I use, rrry results:
4 centuries, 3 decades
Total Passwords in Pattern: 13 Quadrillion
I tried an 8 character one I've used for ages, didn't like the results, added one character in the middle and it came up with:
35 centuries
Total Passwords in Pattern: 107 Quadrillion
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE) Living in Paradise!!
#15
Quote:
That also crossed my mind. There are lots of wordlists in p2p networks that allegedly use, besides dictionaries, stolen passwords. This would be a clever way to gather a few more.
__________________
Linux Mint 13 MATE x64
#16
Well, my opinion on the matter:
1. I have serious trouble taking HowSecureIsMyPassword seriously. The results for extremely simple passwords are beyond this galaxy. If we took these results as true, it would be impossible to break anything.
2. I've seen 180 thousand dollar+ machines in regular corporations. Some government machines go beyond that, and there are many more available to use.
#17
I was thinking it would be clever if the page used to test the strength of your password was used to collect passwords to add to a brute force dictionary attack. A well known page like that would be a good honeypot for stealing passwords to add to a brute force dictionary. It could potentially collect millions of passwords to add to the dictionary. They could use it until someone discovered the malicious behavior.
It's HTTPS, and says it's verified by Google. Hmm.. the largest data collector in the world, which in turn turns over its data to ..... Fill in the blank yourself lol. I'm not saying that's what's happening, but I'm not putting my secure passwords in there lol.
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | WSA | Appguard | VoodooShield | Shadow Defender 1.1.0.325
Last edited by Cutting_Edgetech : June 2nd, 2012 at 03:03 PM.
#18
I used a test password that should represent the approximate strength of my password, and it appears that I should be a mummy by the time they crack my password lol. It's a really fun tool to play with. Nice find.
#19
Quote:
That's happened before, actually. And really, anyone dumb enough to put passwords they actually use into the thing kind of has it coming, lol.