New tool to check password strength

Discussion in 'other security issues & news' started by Hungry Man, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    https://passfault.appspot.com/password_strength.html#menu

    Pretty much shows how pointless bruteforcing is with even a mediocre password against a 180,000 dollar machine using dictionary attacks with word substitution etc. Pretty realistic.

    Example:
    http://howsecureismypassword.net/

    My weak "password10name" gives:
    whereas passfault gives:
    1 day



    Of course, even a simple password (my example from another topic: two random words and a friend's birthday):
    DogShake52591

    would take a 180,000 dollar computer "1 decade, 8 years." Adding a "!" pushes that to "7591 centuries."

    Just goes to show that you don't need a 20 character password to be safe. Simple 12 character passwords are plenty for the average user and if you're expecting government intervention simply moving to 16 characters makes your password essentially uncrackable.
     
  2. Wow, the Windows (XP?) password hashing system is *weak*.

    (And using Blowfish makes the times go through the roof. Go figure.)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No clue what the Windows one is. It's not really clear.
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah. howsecureismypassword.net just checks length and then gives tips based on things it notices like words.

    passfault tries to determine whether dictionary bruteforcing will work, which'll speed things up a ton.
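
The gap between a length-only meter and a pattern-aware one, as an added example that is not part of the original posts and is not passfault's or howsecureismypassword.net's code: the sketch below runs locally and compares a charset^length estimate with the cheapest split of the password into dictionary words and single characters. The small wordlist, the 50,000-word dictionary size and the x2 cost for a capitalised word are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample wordlist; a real check would load a large local dictionary.
WORDS = {"password", "name", "dog", "shake", "monkey", "dragon"}
DICT_SIZE = 50_000  # assumed number of words an attacker's dictionary holds


def naive_guesses(pw):
    """Length-only estimate: (size of the character classes used) ** length."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return pool ** len(pw)


def _char_cost(c):
    """Guesses needed to brute-force one character of this class."""
    if c.isdigit():
        return 10
    if c.isalpha():
        return 52
    return len(string.punctuation)


def pattern_guesses(pw, words=WORDS, dict_size=DICT_SIZE):
    """Fewest guesses over all splits into dictionary words and single chars."""
    n = len(pw)
    best = [math.inf] * (n + 1)  # best[i] = fewest guesses that cover pw[:i]
    best[0] = 1
    for i in range(n):
        # Option 1: brute-force pw[i] as a single character.
        best[i + 1] = min(best[i + 1], best[i] * _char_cost(pw[i]))
        # Option 2: a dictionary word starts at i (x2 if not all lowercase).
        for j in range(i + 2, n + 1):
            if pw[i:j].lower() in words:
                cost = dict_size * (1 if pw[i:j].islower() else 2)
                best[j] = min(best[j], best[i] * cost)
    return best[n]


if __name__ == "__main__":
    for pw in ("password10name", "DogShake52591", "DogShake52591!"):
        print(pw, f"naive={naive_guesses(pw):.2e}", f"pattern={pattern_guesses(pw):.2e}")
```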
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    well,

    there's a bit of a difference between 1 day and 16 billion years.
    just saying.;)

    i also noticed that it (passfault) checks for vertical, horizontal and diagonal patterns.
     
  7. Brian_12

    Brian_12 Guest

    Last edited by a moderator: May 28, 2012
  8. Brian_12

    Brian_12 Guest

    Minimum password length redux by Ken Harthun

     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    These are always interesting but I would be hesitant to enter a password that I was actually considering using. Who knows whether or not these get logged and added to a database that someone may use to try to crack passwords with.
     
  10. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I like the idea better of a downloaded random password generator and a separate downloaded password strength meter that is firewall blocked.
     
  11. Brian_12

    Brian_12 Guest

    Being a little paranoid?
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that thought crossed my mind.

    i entered a password very similar to my Master password.
    no way i'm gonna enter my real passwords into one of these things.
     
  13. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    This is the same reason why I won't hand over my financial information to an online money manager, free or paid.
     
  14. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    That was interesting. I tried a one I use, rrry results:

    4 centuries, 3 decades
    Total Passwords in Pattern:
    13 Quadrillion

    I tried an 8 character one I've used for ages, didn't like the results, added one character in the middle and it came up with:
    35 centuries
    Total Passwords in Pattern:
    107 Quadrillion
     
  15. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    That also crossed my mind :D There are lots of wordlists in p2p networks that allegedly use, besides dictionaries, stolen passwords. This would be a clever way to gather a few more.
     
  16. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, my opinion on the matter:

    1. I have serious trouble taking HowSecureIsMyPassword seriously. The results for extremely simple passwords are beyond this galaxy. If we took these results as true, it would be impossible to break anything.

    2. I've seen 180 thousand dollar+ machines in regular corporations. Some government machines go beyond that, and there are many more available to use.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I was thinking it would be clever if the page used to test the strength of your password was used to collect passwords to add to a brute force dictionary attack. A well known page like that would be a good honeypot for stealing passwords to add to a brute force dictionary. It could potentially collect millions of passwords to add to the dictionary. They could use it until someone discovered the malicious behavior. It's HTTPS, and says it's verified by Google. Hmm.. the largest data collector in the world which in turn turns over its data to ..... Fill in the blank yourself lol I'm not saying that's what's happening, but I'm not putting my secure passwords in there lol
     
    Last edited: Jun 2, 2012
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I used a test password that should represent the approximate strength of my password, and it appears that I should be a mummy by the time they crack my password lol It's a really fun tool to play with. Nice find.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    That's happened before, actually. And really, anyone dumb enough to put passwords they actually use into the thing kind of has it coming, lol.
     