Passwords that are Simple--and Safe

Discussion in 'other security issues & news' started by Thankful, Jul 20, 2010.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
I think the point I was trying to make was misunderstood. I don't expect it would get your password on the first try. It just doesn't seem any more likely that it would be the last possible combination either. If one of these password testers claims it would take 8 days for my password to be cracked, I was assuming that would be how long it would take to guess all possible combinations. My point was that it was a false assumption that you would be safe that long, as the odds are greatest it will fall somewhere in the middle of all total possibilities. I wasn't trying to promote the idea it would be guessed first, it just seems that the odds of it being last wouldn't be any greater than first, therefore the time it would take to brute force would be best case, or worst case depending on which side of it you are on.
     
  2. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I fully understand your impeccable description of Forum membership entitlement and the binding agreement we all undertake to follow, but I also am entitled to ask "What is the purpose of this thread ?".

    It is a legitimate question considering that a simple combination of just 4 characters out of a total of 36 characters results in an enormous number of combinations, far beyond the capabilities of DIY code crackers. The British lottery has 49 characters, the chance of winning with a group of 6 is about 14 million to one.

    I think m00nbl00d in post 26 covers the point adequately. Not much else to say really.

    John B
     
    Last edited: Jul 23, 2010
  3. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yes, I agree with you.

    Also, this argument obviously extends to having heuristic algorithms for cracking human passwords, i.e. if you are including special characters like %* etc, then it's unlikely that in a password of 12 characters, all will be these special characters. Thus using heuristics, algorithms can narrow down the search space.
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I don't get it, why is 36^4 ~2,000,000 an enormous number?

    The point is in the british lotto, you get only a small number of chances to buy the tickets. For cracking passwords, you get billions of chances every second with a decent GPU password cracking setup.
     
  5. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Howdy,

    I guess if you had 2 million bucks in your bank, you just "may" consider it as an enormous number.

    Please keep this thread in perspective. We are not concerned with the CIA, Pentagon, the Russian Secret Service or dealing with a magnitude of Light Years to the next star.

    We are talking of just simple passwords used by simple people - like us. Possibly only as security against children. So I guess that 14 million, 2 million, 200,00, or 90,000 are HUGE numbers. Even 100's to one is BIG enough.

    If you had just a simple combination bicycle lock with a 4 or 6 character code and a 36 character set, then without your GPU or other scientific aids, you would not have enough life left to solve it. Kiddies are not armed with all the trappings of modern technology, just their eyes and fingers.

    Keep your GPU password cracking device for a more rewarding occupation than hacking into little old John Doe's Email account.

    John B
     
    Last edited: Jul 23, 2010
  6. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    As well, the O.P. has provided a link where there are some thoughts put forth about alternatives to what is considered standard password procedure.

    The thread seems to fit the exact definition of purpose for this forum's very existence.
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I try to keep my computers secure, not just from children, but from viruses, botnets and other malware designed and programmed by adults who are professionals.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Password cracking is not money. 2 million possibilities is *nothing* when talking about modern desktop computers. That entire password space can be checked in less than a second with a desktop GPU.
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    And also with a quad core laptop, as modern cores do billions of operations per second :D
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    With the method of only allowing certain # of failed attempts, it will take more time to wait between attempts than to actually find the key.

    I always appreciate this aspect when I remember my password, and dislike it when I forgot how I structured it.

    I wonder how many banks etc have this limitation. I know mine has only 3 failed attempts then the login is disabled.

    What exactly are the password crackers being used on? Is the concern primarily local hardware?

    Sul.
     
  11. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I do not think this thread is about the boring activities of multi-Trillions of bytes per second password cracking devices, who cares ?

    But to the enthusiasts who casually think that 2 million is nothing - try counting up to it ! The whole aspect is absurd and ridiculous when applied to the ordinary PC punter and hacker-cracker.

    To put this rather off topic password cracking fascination to bed - I have a password of 4 numeric characters. If your magnificent robot is so good at coming up with every password ever concocted from Fort Knox to me, then - tell me mine !

    There are 210 combinations, you can easily get all of them, but YOU WILL NEVER come up with a match to mine. Good Luck.

    John B
     
  12. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    It isn't.

    Posting that you "have a password of 4 numeric characters" puts nothing 'to bed', nor is there anything "off topic" about password cracking in a thread related to password security.

    This is not your thread. You didn't start it. And while it's perfectly acceptable for you to post them, no one specifically requested your thoughts or opinions on the subject.

    You're not the one who gets to decide when it's time to 'put this thread to bed'.
    If the topic holds no interest for you, move along. Real simple.
     
  13. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    There are three aspects that are of concern.

    1. Find someone's, anyone's password. Typically used to hack into someone's, anyone's account.
    There, the problem for service providers (the ones doing the login checking) is that many people may choose simple passwords, and a password cracking website can try only the simple passwords, but for all the accounts (with 3 attempts per username). If websites allow very simple passwords like "qwerty", eventually one username will have qwerty as the password.

    2. The hacker somehow gets access to the service provider's database for a short while; as a result he has all the password hashes (but not the passwords). Now, his job is to figure out as many passwords as he can from the password hashes. Note that the service provider may not even be aware that the password hashes have been stolen.
    Since the hacker has the hashes, he has months to figure out the passwords on his own hardware.

    3. The hacker wants to hack into a specific username. He may or may not have the password hash of this username. He may or may not have specific information about the user which will tell him the user's password preferences.

    Password hashes being compromised is not a silly issue. Think of all the websites; they sometimes transmit password hashes over the network to connect to other services internally. Or maybe a programmer gets an image of the hash file when he dumps the entire system onto his laptop to work at home, and that laptop gets stolen. Or maybe the company dumps the hard drive when it crashes, but the data is recovered by hacker parties off the dead hard drive etc.

    In case of personal attacks, maybe you are a businessman and you leave your laptop in your hotel room. The cleaning crew comes, and boots the laptop off a rescue CD and copies the password hash file, so that you are unaware when you return that anything bad has happened.
     
    Last edited: Jul 24, 2010
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    A determined 10 year old kid could crack your 4 digit password easily with just net access, given time.
    Eg., Try 30 combinations every day by trying to log in.
    He/she will have your password in 12 months.
     
    Last edited: Jul 24, 2010
  15. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Sully, as always you have actually won the prize. There is NO way that these hyper-sonic Gigabytes per second followers can crack a walnut, let alone a simple 4 digit password from a 210 set selection, unless they can couple their monster to my machine. If they could do that, there would be no need for their scientific cybernetic marvel, they could simply READ it.

    Forget the futuristic gobble-de-gook of Area 51, we are only supposed to be discussing everyday keyboard thumpers with two eyes, eight fingers and two thumbs.

    I cannot see little Billy or his sister Mary logging on to their favourite porn site after Mum has changed her password which they previously cribbed from her notepad.

    AND your point above - how in hell can anybody crack a password having a huge number of combinations when they only get 4 tries before being clobbered by a cut-off limit ?

    It would need the Administrator to reset the machine and they surely ain't gonna ask him/her.

    John B
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    They could not. They could read the password hash, but not the password. THIS is where password cracking comes in.

    And this board is full of people who are interested in protecting their computers from more than just incompetent kids.
    This is my last post to you on this subject.
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Right you are.
    Something I've never understood is credit card company American Express.
    To access my online account with them, the password allows for a maximum of 8 non case-sensitive, alpha-numeric characters, and no punctuation characters allowed. The only roadblock I see is the account lock-out after so many unsuccessful tries. But why in the world would a major credit card company limit their account holders to such simple passwords? Beats me.
     
  18. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    just by adding a space at the end changes password crack from 1.5 years to 1100 years :D
     
  19. wat0114

    wat0114 Guest

    Anyone can generate a password that takes billions of hours to crack, but then isn't this overkill for the common home pc user? Even the company (over 10,000 employees) I work for allows a minimum of 6 and maximum of only 8 mixed upper/lower case alpha plus numbers because they became sick of people forgetting their passwords and needing them reset. This policy, in place for over a year, has yet to cause any security issues.

    ...he,he my 2000th post earlier today :D
     
  20. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I hate that too.
    I hated it even more a couple of years back when they didn't even have SSL login.

    Have you complained to them?
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes, I have. And they point to the account lock-out after so many unsuccessful tries, saying, too, that they have "many additional security measures in place". I'm sure that they do. :doubt:
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Since this thread is actually about making and using passwords that are simple and safe, all the posts from this thread that were a discussion of whether a password strength analysis website was infected or not, have been moved to their own thread.

    Let's continue discussing simple and safe passwords in this thread, and discuss the malware analysis in the new thread:

    Analysis of password-strength page at unwrongest website
     
  23. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    I agree with the people who say you can use fairly simple passwords and still be safe for most websites and application systems. The main reason is because of the evasion routines already mentioned in this thread... i.e. after X login failures, the account is either temporarily or permanently locked out.

    This vBulletin forum only allows 5 login failures before setting a temporary lock-out that lasts 15 minutes. After 15 minutes has passed, you can try another 5 passwords. So, that means, if you time it perfectly, you can try 480 passwords for an account in each 24-hour period.

    For John Bull's theoretical case of using a numeric-only, 4-character password (i.e. "0000" thru "9999"), all ten thousand of those can be tried in just under 21 days, without setting off any break-in alarms. Successful access would likely occur sometime before the 10,000th password was tried, assuming that the order the passwords were tried was not sequential, (starting from 0 and adding 1 each time), and the password is not actually 9999, if tested sequentially. :rolleyes:

    Anyway, while an account using a 4-digit numeric password would likely never be accessed by an intruder on a site like this, still, it would not be a good idea to tell people if you were using such a password. Once someone knows your password pattern, it dramatically lowers the combinations they have to test.

    Of course, the above is solely for the cases where the only way to test passwords is via the site or system's actual login interface. The other case discussed in this thread is when the password hash table is available to the intruder. When they have that on a local system, that's where all those password cracking programs can be used and millions of passwords can be tested each hour. A 4-digit numeric password can be cracked in a couple seconds under those circumstances.
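    The lockout arithmetic in the post above (5 failures per 15-minute lockout, 480 guesses a day, 10,000 four-digit PINs in just under 21 days) generalised into a few functions a defender can reuse to compare an online guessing budget against offline cracking of a stolen hash. This is an added example, not code from the thread; the vBulletin policy numbers are quoted from the post, while the 10^9 guesses/second GPU rate and the 10-year horizon are constructed assumptions.

```python
# Added example: how far an account lockout policy limits online guessing,
# and why the same policy is irrelevant once the password hash is offline.


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def online_guesses_per_day(max_failures: int, lockout_minutes: float) -> float:
    """Guesses per day for an attacker who times the lockout perfectly:
    `max_failures` guesses, wait `lockout_minutes`, repeat.
    Assumes each batch of guesses takes negligible time."""
    windows_per_day = (24 * 60) / lockout_minutes
    return max_failures * windows_per_day


def days_to_exhaust_online(space: int, guesses_per_day: float) -> float:
    """Worst case for the attacker: every password in the space is tried.
    On average the real password falls around the halfway point."""
    return space / guesses_per_day


def seconds_to_exhaust_offline(space: int, guesses_per_second: float) -> float:
    """Same space tested against a stolen hash, with no lockout in the way."""
    return space / guesses_per_second


def min_length_to_survive(alphabet_size: int, guesses_per_day: float,
                          days: float) -> int:
    """Shortest length whose full space outlasts `days` of online guessing."""
    budget = guesses_per_day * days
    length = 1
    while alphabet_size ** length < budget:
        length += 1
    return length


if __name__ == "__main__":
    per_day = online_guesses_per_day(5, 15)      # forum policy quoted in the thread
    print(f"{per_day:.0f} timed guesses per day")
    print(f"4 digits online: {days_to_exhaust_online(keyspace(10, 4), per_day):.1f} days")
    # Constructed assumption: 1e9 guesses/s for a fast unsalted hash on one GPU.
    print(f"36^4 offline: {seconds_to_exhaust_offline(keyspace(36, 4), 1e9):.4f} s")
    print(f"[a-z0-9] length to outlast 10 years online: "
          f"{min_length_to_survive(36, per_day, 10 * 365)}")
```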
     
  24. wat0114

    wat0114 Guest

    Right, and I forgot to mention that my employer has a "three strikes you're out" policy, after which only a call to IT will get it reset.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes, that is what American Express does too.
     