Passwords that are Simple--and Safe

http://www.technologyreview.com/computing/25826/

 

I prefer phrases with punctuation.

"My l33t, wordpass"

A good simple phrase with a few permutations allows me to assign some permutations to what I deem as non-critical things, such as a forum account, while other permutations might be a little more complex for say a banking account. This way I have one basic pass-phrase, but it is mixed up for specific uses. Worst case scenario is I have to remember my 6 permutations and eventually one of them is correct.

There used to be a website that would tell you how long it would take to figure out your password - I'll be darned if I can find that website now, but it is interesting to see how long a simple phrase with punctuations can make the attempt.

Sul.

 

Thanks.

According to that, my typical 10-12 character length would exceed

7.2 Quadrillion possible combinations taking a supercomputer more than 83½ Days to crack.

Know any crackers with supercomputers in the basement?

Sul.

 

Or here you have a nice Excel spreadsheet called Brute Force Attack Estimator.

 

Iron gave me a warning about this site possibly containing malware ... Danger Will Robinson, Danger lol.

Sul.

 

Does it apply to CPU or GPU, because GPU can cracks passwors much more faster, especially if they are 4 of them in SLI.

 

I'm curious as to what situations would occur where my password could be guessed?

For more years than I can remember, I've used this method:

prefix + space + suffix + character

where:

• the prefix is easily remembered, such as: garbage
  
• the suffix is 3-4 letters that identify the site, such as wfar for Wells Fargo Bank
  
• the character is something like, ?

resulting in: garbage wfar?

I just checked the above PW on the site Pete referenced:

​

----
rich

 

rich: I have often wondered how effective a space (or two?) would be as long as it's in a somewhat unexpected position. Like garbage turning into gar bage. Add a punctuation mark or two wherever you desire and you end up with an easy to remember word but nothing in any dictionary.

Thoughts?

 

A site I tried to become a member on just didn't allow anything else then letters in the password.
Wich resulted in that I did not become a member.

 

i tried that site and if i only type 20,25 "K"'s it syas 376452765 years 2 moths...isn't it?...

 

I wrote a program (for Linux) that generates passwords and tells you the entropy and how long it would take various types of computers to crack it. So, I had it generate a 10 character password (using all 94 printable ASCII characters) and such a password has an entropy of about 64 bits. It would take a Cray XT5 about 1 year to crack a 64 bit password (again, the password has to be random -- a 10 character password like "mypassword" will have far less entropy).

Screenshot:

http://img571.imageshack.us/img571/4338/screenshotpypass.png

 

Hello, Han,

Speaking for myself: I've always felt this password thing is blown out of proportion.

A common breach is when someone (usually in an organization) gains physical access to the computer and uses a brute force method to crack the password. Not likely to happen here. It only works, of course, when the person has a weak password.

I've not tested mine on a site until now with the site Pete mentioned; and if the above scenario happened, it would take the perpetrator many years to crack mine.

A common exploit involves those who don't change their router's default password. Yet, this exploit, a remote code execution exploit from the web, requires the installation of trojan -- not likely to happen here, and I don't have a router.

Other exploits just didn't pertain to me, such as the Conficker worm which had hardcoded a list of common passwords which enabled the worm to easily infiltrate networks in organizations because users had *very* weak passwords.

Again, just speaking for myself.

Your suggestion would seem to be a good approach. I assume you would have a different word for each password?

Using a common prefix, as I showed in my previous post, allows me to easily remember my passwords, and my sufixes are easily associated with my sites. Using the space as I have between the prefix and suffix increases the length of time by many years required to crack it, as I learned from the site.

----
rich

 

Using your post for an example, hope you don't mind. When it says "Forceable in 420805123888006 years, 6 months" I assume that is the time it would take to run through EVERY possible combination. It would be just as likely to get your password first as it would be to get it last, so realistically it would take some amount of time in between.
Given an amount of time that large I am sure it is unlikely to ever get cracked, but you always have to consider the possibility that it could happen much sooner than that.

Also, I don't think I would want to enter a password I might actually use on a website to tell me how secure it is because I just gave it to someone with a chance that it could be intercepted somehow.

Maybe I'm being a little paranoid on both counts but I think the possibilities have to be considered.

 

That thought has always gone through my mind. A site like that might actually be collecting passwords, never know.

Myself, I don't get too paranoid about it. I use a pass-phrase for anything that is remotely sensitive. For other things like this forum, what is there to steal if someone did get the password? I use a simpler password for these sort of things. And contrary to what the experts say, I rarely change my passwords.

I do know lots of people though who should frequently change thier password and make harder ones than Mike123.

Sul.

 

This is not true. A brute force password tester would follow a sequence of fixed rules. The probability that a set of rules for testing passwords would generate your password first is really really really low.

This one I agree with.


Peter2150, how do you remember that password ?


Here is another password related thread of mine in which I ask some questions:
https://www.wilderssecurity.com/showthread.php?t=277416



The thread deals with the issue of cracking your password when you have the password hash available.
In short: Operating systems store a "hash" which is kind of a signature of your passwords. When you try to log in, they compute the signature of your enetered password and match it to the stored signature.

So, the question becomes, if someone gets hold of your password hash (say your laptop gets in the wrong hands for 5 minutes, or the the stored password hash in one of your websites login databases gets compromised similarly; how long would it take someone to crack, ie. obtain the original password.

In such a scenario, the hacker could use a precomputed table of password hashes vs passwords and use it to look up the password. These tables are called Rainbow Tables, and one can obtain 1-2TB rainbow tables for ~$500.
If your password is long (eg 20chars, incl cap letters, puntuation etc), then it wont be present in current rainbow tables (they contain at most 14 char tables to fit in 2TB tables).

If the password hashes are obtained from a computer running linux, then its pretty much useless to use rainbow tables as Linux uses "salts". That is if the password is "mypassword", it will store the password has of something like
"%55*&!$HshwJQBmypassword" making your 10 char password into a 24 char password for rainbow tables.

MS Windows does NOT use salts. Moreover, if your password is less than 15 chars in XP, it is incredibly easy to crack it using the password hash as XP uses something called LMHash, an easily reversible hash algorithm, unless you tell it to only use NTHash, which is not reversible.

 

do like me, just make your password the same as your user name.

 

now how many just tried to login as trjam trjam.

 

Do not see the problem in fixing a password.

If we just settle on a password group of 4 numeric or 4 alpha characters or a mixture of both, the combinations are astronomic.

The English alphabet has 26 letters and a numeric range of 0-9 has 10 digits.

Given this choice, I could fix a group of four characters that even the CIA code breakers would have to work overtime solving. Ordinary people ? Not in a million years.

What is the purpose of this thread ?

John B

 

the purpose is, he is a memebr here and entitled to start a thread that meets and follows the guidelines set forth in the agreement that all members agreed to when becoming members here. Simple enough for me.

 

I guess that by the time mine would be cracked, the sun would be extinguished, as would all life. At least those that are not unicellular.