Passwords that are Simple--and Safe

Discussion in 'other security issues & news' started by Thankful, Jul 20, 2010.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I prefer phrases with punctuation.

    "My l33t, wordpass"

    A good simple phrase with a few permutations allows me to assign some permutations to what I deem as non-critical things, such as a forum account, while other permutations might be a little more complex for say a banking account. This way I have one basic pass-phrase, but it is mixed up for specific uses. Worst case scenario is I have to remember my 6 permutations and eventually one of them is correct.

    There used to be a website that would tell you how long it would take to figure out your password - I'll be darned if I can find that website now, but it is interesting to see how long a simple phrase with punctuations can make the attempt.

    Sul.
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,944
    Location:
    U.S.A.
    Sully, Password Recovery Speeds.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks.

    According to that, my typical 10-12 character length would exceed

    7.2 Quadrillion possible combinations taking a supercomputer more than 83½ Days to crack.

    Know any crackers with supercomputers in the basement?

    Sul.
     
  5. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    208
    Location:
    Romania
    Or here you have a nice Excel spreadsheet called Brute Force Attack Estimator.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    This is also a good site to test passwords.

    -www.unwrongest.com/projects/password-strength-




    LowWaterMark note: A number of posts replied to this thread were a discussion of whether the above webpage contains an imbedded link to a site that serves a malware file, doing some type of redirection. The link was flagged by avast! antivirus web protection module. See this thread for the analysis of the site and imbedded links.
     
    Last edited by a moderator: Jul 25, 2010
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Iron gave me a warning about this site possibly containing malware ... Danger Will Robinson, Danger lol.

    Sul.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Does it apply to CPU or GPU? Because a GPU can crack passwords much faster, especially if there are 4 of them in SLI. ;)
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm curious as to what situations would occur where my password could be guessed?

    For more years than I can remember, I've used this method:

    prefix + space + suffix + character

    where:

    • the prefix is easily remembered, such as: garbage
    • the suffix is 3-4 letters that identify the site, such as wfar for Wells Fargo Bank
    • the character is something like, ?
    resulting in: garbage wfar?

    I just checked the above PW on the site Pete referenced:

    [screenshot: psswd.gif]


    ----
    rich
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    rich: I have often wondered how effective a space (or two?) would be as long as it's in a somewhat unexpected position. Like garbage turning into gar bage. Add a punctuation mark or two wherever you desire and you end up with an easy to remember word but nothing in any dictionary.

    Thoughts?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Here is an example of a password I might use:

    0p;/1qaz#EDC5tgb (note, I don't use it)

    Time to crack per site:

    Forceable in 420805123888006 years, 6 months

    Best part is I don't even have to remember it, or write it down.

    Pete
     
  12. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    A site I tried to become a member on just didn't allow anything other than letters in the password.
    Which resulted in my not becoming a member.:)
     
  13. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    I tried that site and if I only type 20 or 25 "K"s it says 376452765 years 2 months...isn't it?...
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I wrote a program (for Linux) that generates passwords and tells you the entropy and how long it would take various types of computers to crack it. So, I had it generate a 10 character password (using all 94 printable ASCII characters) and such a password has an entropy of about 64 bits. It would take a Cray XT5 about 1 year to crack a 64 bit password (again, the password has to be random -- a 10 character password like "mypassword" will have far less entropy).

    Screenshot:

    http://img571.imageshack.us/img571/4338/screenshotpypass.png
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Han,

    Speaking for myself: I've always felt this password thing is blown out of proportion.

    A common breach is when someone (usually in an organization) gains physical access to the computer and uses a brute force method to crack the password. Not likely to happen here. It only works, of course, when the person has a weak password.

    I've not tested mine on a site until now with the site Pete mentioned; and if the above scenario happened, it would take the perpetrator many years to crack mine.

    A common exploit involves those who don't change their router's default password. Yet this exploit, a remote code execution exploit from the web, requires the installation of a trojan -- not likely to happen here, and I don't have a router.

    Other exploits just didn't pertain to me, such as the Conficker worm which had hardcoded a list of common passwords which enabled the worm to easily infiltrate networks in organizations because users had *very* weak passwords.

    Again, just speaking for myself.

    Your suggestion would seem to be a good approach. I assume you would have a different word for each password?

    Using a common prefix, as I showed in my previous post, allows me to easily remember my passwords, and my suffixes are easily associated with my sites. Using the space as I have between the prefix and suffix increases the length of time by many years required to crack it, as I learned from the site.

    ----
    rich
     
    Last edited: Jul 21, 2010
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Using your post for an example, hope you don't mind. When it says "Forceable in 420805123888006 years, 6 months" I assume that is the time it would take to run through EVERY possible combination. It would be just as likely to get your password first as it would be to get it last, so realistically it would take some amount of time in between.
    Given an amount of time that large I am sure it is unlikely to ever get cracked, but you always have to consider the possibility that it could happen much sooner than that.

    Also, I don't think I would want to enter a password I might actually use on a website to tell me how secure it is because I just gave it to someone with a chance that it could be intercepted somehow.

    Maybe I'm being a little paranoid on both counts but I think the possibilities have to be considered.
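    Added example, not code from any of the posts above: a short Python script that makes the figures discussed in chronomatic's post (bits of entropy for a 10-character password drawn from 94 printable characters), in Rmus's "prefix + space + suffix + character" layout, and in xxJackxx's point about exhaustive versus expected search time reproducible. The guess rate of 10^9 per second is an assumed illustrative figure, not a measurement of any real machine, and the "pattern known" scenario (an attacker who has already seen the prefix from another site) is my own assumption, not anything the posters claimed. The script counts every character class the password touches as part of the alphabet, which is how the online checkers in the thread score passwords; it therefore over-credits dictionary words and keyboard walks, which wordlist and rule-based attacks find without touching the full alphabet.

```python
"""Keyspace, entropy and brute-force time estimates for passwords.

Added example for the thread; guess rates are assumptions for illustration.
"""
import math
import string

# Character classes; the alphabet an attacker must search is the union of the
# classes that actually appear in the password (generous: it credits the
# password for every class it touches, as the online checkers do).
CLASSES = (
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),           # 10
    ("symbols", set(string.punctuation)),     # 32 printable ASCII symbols
    ("space", {" "}),                         # 1
)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest class-union alphabet that covers the password."""
    chars = set(password)
    return sum(len(cls) for _, cls in CLASSES if chars & cls)


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet tries."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace. Only meaningful if the password is uniformly
    random over that alphabet: 'mypassword' scores 47 bits here but is a
    two-word concatenation that a wordlist attack finds almost at once."""
    return len(password) * math.log2(alphabet_size(password))


def structured_keyspace(slot_sizes) -> int:
    """Keyspace when the attacker knows the layout and only has to guess the
    slots listed (each entry is the number of choices for that slot)."""
    space = 1
    for n in slot_sizes:
        space *= n
    return space


def years_to_crack(space: int, guesses_per_second: float) -> dict:
    """Worst case tries every candidate; the expected case for a uniformly
    random secret is about half the keyspace, and that is the figure to
    plan around, not the exhaustive one."""
    worst = space / guesses_per_second / SECONDS_PER_YEAR
    return {"worst_years": worst, "expected_years": worst / 2}


if __name__ == "__main__":
    rate = 1e9   # assumed: 1e9 guesses/s against a fast unsalted hash
    for pw in ("mypassword", "garbage wfar?", "0p;/1qaz#EDC5tgb"):
        t = years_to_crack(keyspace(pw), rate)
        print(f"{pw!r:20} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits(pw):6.1f} expected={t['expected_years']:.3g} y")
    # Assumed scenario for the prefix + space + suffix + symbol layout: the
    # prefix has leaked from one site and the site suffix is 3-4 lowercase
    # letters the attacker still has to guess, followed by one of 32 symbols.
    print("layout known:", structured_keyspace([26 ** 4, 32]), "candidates")
```

The useful check is the last line: once the layout is known, what remains is the product of the slot sizes, not the 13-character alphabet power the checker reports.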
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That thought has always gone through my mind. A site like that might actually be collecting passwords, never know.

    Myself, I don't get too paranoid about it. I use a pass-phrase for anything that is remotely sensitive. For other things like this forum, what is there to steal if someone did get the password? I use a simpler password for these sort of things. And contrary to what the experts say, I rarely change my passwords.

    I do know lots of people though who should frequently change their password and make harder ones than Mike123.

    Sul.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Don't mind a bit.

    Couple of things.

    1. Having played with legitimate password recovery programs, when they brute force they start with a set number of characters all the same, and then go through all the combinations of one character, then the 2nd, etc. They still have to cope with the length of the password.

    2. using the method I use to generate this password, it's easy to generate quite a few unique passwords. They all test the same.

    3. I only use those passwords on critical sites I go to. Suppose I told you that actually was the password I use. Since I do everything in Sandboxie, and it's deleted when I exit, there is no trace left. It would be tough for you to figure out where I use it.

    Pete
     
  19. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    This is not true. A brute force password tester would follow a sequence of fixed rules. The probability that a set of rules for testing passwords would generate your password first is really really really low.



    This one I agree with.


    Peter2150, how do you remember that password ?


    Here is another password related thread of mine in which I ask some questions:
    https://www.wilderssecurity.com/showthread.php?t=277416
    :D


    The thread deals with the issue of cracking your password when you have the password hash available.
    In short: Operating systems store a "hash", which is a kind of signature of your password. When you try to log in, they compute the signature of your entered password and match it to the stored signature.

    So, the question becomes: if someone gets hold of your password hash (say your laptop gets in the wrong hands for 5 minutes, or the stored password hash in one of your websites' login databases gets compromised similarly), how long would it take someone to crack it, i.e. obtain the original password?

    In such a scenario, the hacker could use a precomputed table of password hashes vs passwords and use it to look up the password. These tables are called Rainbow Tables, and one can obtain 1-2TB rainbow tables for ~$500.
    If your password is long (e.g. 20 chars, incl. capital letters, punctuation etc.), then it won't be present in current rainbow tables (they contain at most 14-char tables to fit in 2TB).

    If the password hashes are obtained from a computer running Linux, then it's pretty much useless to use rainbow tables, as Linux uses "salts". That is, if the password is "mypassword", it will store the password hash of something like
    "%55*&!$HshwJQBmypassword", making your 10 char password into a 24 char password for rainbow tables.

    MS Windows does NOT use salts. Moreover, if your password is less than 15 chars in XP, it is incredibly easy to crack it using the password hash, as XP uses something called LMHash, an easily reversible hash algorithm, unless you tell it to only use NTHash, which is not reversible.
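    Added example, not code from the post above: a Python script that shows the two points just made, that a precomputed table only works against unsalted hashes, and that the LM layout turns one 14-character search into two independent 7-character searches. SHA-256 stands in for the real primitives (LM uses DES, NT uses MD4), the "table" is a plain dictionary standing in for a rainbow table, and the wordlist and passwords are constructed for the demo; only the structure (salt in front of the password, uppercase then pad to 14 bytes and hash each 7-byte half separately) is what is being modelled.

```python
"""Stolen-hash recovery: salted vs unsalted, and the LM two-halves layout.

Added example for the thread. SHA-256 replaces DES/MD4; the wordlist is
constructed and represents everything the attacker's table covers.
"""
import hashlib
import os

WORDLIST = ["password", "letmein", "mypassword", "qwerty", "summer2010", "secret"]
HALF = 7   # LM hashes the uppercased, 14-byte-padded password as two 7-byte halves


def unsalted_hash(password: str) -> str:
    """Same hash for the same password on every account and every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt is stored beside the hash in the clear. It need not be secret,
    only unique per account, so no table built in advance matches it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(candidates) -> dict:
    """hash -> password, computed once and reused against every stolen
    unsalted hash; this is the role the thread's rainbow tables play."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored: str, table: dict):
    """One dictionary lookup, no hashing at attack time."""
    return table.get(stored)


def crack_salted(stored: str, salt: bytes, candidates):
    """The table is useless; every candidate is re-hashed under this salt,
    so the work is paid per account instead of once for everyone."""
    for p in candidates:
        if salted_hash(p, salt) == stored:
            return p
    return None


def _padded(password: str) -> bytes:
    return password.upper().encode("ascii")[:2 * HALF].ljust(2 * HALF, b"\0")


def lm_style_halves(password: str) -> list:
    """Model of the LM layout: uppercase, pad to 14 bytes, hash each half."""
    padded = _padded(password)
    return [hashlib.sha256(padded[i:i + HALF]).hexdigest() for i in (0, HALF)]


def build_half_table(candidates) -> dict:
    """Table of 7-byte chunks, one entry per half of each padded candidate."""
    table = {}
    for c in candidates:
        padded = _padded(c)
        for i in (0, HALF):
            chunk = padded[i:i + HALF]
            table[hashlib.sha256(chunk).hexdigest()] = chunk.rstrip(b"\0").decode()
    return table


def crack_lm_style(halves: list, half_table: dict):
    """Each half is recovered on its own. A password that is in no wordlist
    still falls if each of its halves is, and a second half made only of
    padding reveals that the password is 7 characters or shorter."""
    parts = [half_table.get(h) for h in halves]
    return None if None in parts else "".join(parts)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted lookup:", crack_unsalted(unsalted_hash("mypassword"), table))
    salt = os.urandom(16)
    stored = salted_hash("mypassword", salt)
    print("salted, table lookup:", crack_unsalted(stored, table))
    print("salted, per-salt search:", crack_salted(stored, salt, WORDLIST))
    # 'letmeinsecret' is in no wordlist; the whole-password table misses it,
    # but both halves ('LETMEIN', 'SECRET') are, so the LM-style model falls.
    print("whole-password table:", crack_unsalted(unsalted_hash("letmeinsecret"), table))
    print("LM-style halves:", crack_lm_style(lm_style_halves("letmeinsecret"),
                                             build_half_table(WORDLIST)))
```

The contrast to look at is the last two lines of output: the same 13-character password is missed by a table of whole passwords and found by a table of 7-character chunks, which is why the thread's advice to use 15 or more characters (or disable LM storage) matters more than the alphabet does.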
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    I don't really want to go into how I generate that password, but the simple answer to your question is:

    I don't. (not written down, or stored anywhere, either.)

    Pete
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    do like me, just make your password the same as your user name.:D
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    now how many just tried to login as trjam trjam.:cautious:
     
  23. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Do not see the problem in fixing a password.

    If we just settle on a password group of 4 numeric or 4 alpha characters or a mixture of both, the combinations are astronomic.

    The English alphabet has 26 letters and a numeric range of 0-9 has 10 digits.

    Given this choice, I could fix a group of four characters that even the CIA code breakers would have to work overtime solving. Ordinary people ? Not in a million years.

    What is the purpose of this thread ?

    John B
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    the purpose is, he is a member here and entitled to start a thread that meets and follows the guidelines set forth in the agreement that all members agreed to when becoming members here. Simple enough for me.:cautious:
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I guess that by the time mine would be cracked, the sun would be extinguished, as would all life. At least those that are not unicellular. ;)
     