"Short and simple passwords can be cracked in a matter of seconds. Long and complicated ones? Trillions of years ... even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours ... Anything shorter or less complex could be cracked instantly, or within a few minutes ... a password that’s 18 characters in length – and which uses a mix of numbers, lowercase and uppercase letters, and symbols – could take up to 438 trillion years for the average hacker to crack ... a password with 11 characters – again, using a mix of numbers, uppercase and lowercase letters, and symbols – could still take hackers 34 years to crack..."
https://www.cnbc.com/2022/03/20/stu...-less-than-8-characters-long-change-them.html
Private user passwords are usually not cracked, but stolen from the providers where they are stored. That's much more effective.
Good point, but shouldn't passwords always be encrypted? And the longer the password, the longer it takes to crack them. But yeah, I wouldn't rely on passwords too much, 2FA via security key or authenticator is the future.
They should be, but often they are not. There have been many big name companies in the last few years that were hacked and found to have passwords stored in plain text. This should be your number 1 reason to never use the same password in multiple places.
Not encrypted, but hashed with salt. It is still an oversimplification, because it is good to use techniques that increase the amount of time needed to brute-force or dictionary attack them. All those additional security measures are not enough if the password is really short or is just one word from a dictionary.
And not one answer on topic. A new sub-topic has been created and is thriving well. "If your passwords are less than 8 characters long, change them immediately, a new study says" A new study? On password security? I'm sure this subject has been covered no less than [approx] 5,000 times in this forum. A blatant advertorial that has succeeded in its aim.
I'm not sure if I follow you, I don't think we went completely off topic. Oh so this isn't the same? Never really understood it. But now that I think of it, I don't think any of my accounts have ever been compromised in 25 years of using the internet, even with all of those leaked passwords in the past few years. I guess that's why I never had the urge to use 2FA. But I'm soon planning to buy a YubiKey.
Agreed. It's like a post on a motor sport forum, "Don't put gasoline in your diesel car." (Too many folks actually did/do that.) For CNBC's target audience, as well as other news and social media, articles on passwords have validity. But what I find absent in just about all of these password-centric authentication discussions in geek forums is how stupid it was about 20 or so years ago, some idiot(s) thought it was a good idea to force the use of the account's email address as a user name which eventually evolved into a near-ubiquitous de facto. Sorry about the off topic. Not really.
I'm not sure if I'm following you, was it hacked? I'm just saying that strangely enough I don't think any of my accounts have ever been compromised even without 2FA. Think of webmail, online shopping and social media. Of course I would never use online banking without some form of 2FA.
I think people wanted to point out that it's sometimes not even about the strength of passwords if they are stored in plain text, this happened with online broker Robinhood for example. OK I see, good point.
It was hacked a few years ago. The passwords were in plain text. They were down for quite some time afterwards.
I guess it has been 10 years. Time flies when you're getting old. The timeline from then: https://www.networkworld.com/article/2202583/playstation-network-hack-timeline.html This is a good example of why you should never reuse passwords. But again per the original topic, if your password is too short or simple, change it. If you reuse it, change them all. There are free password managers.