“thereisnofatebutwhat*wemake”—Turbo-charged cracking comes to long passwords

http://arstechnica.com/security/201...rbo-charged-cracking-comes-to-long-passwords/.

Related article: Password breaker successfully tackles 55 character sequences.

-- Tom

 

Correcthorsebatterystaple hash should be at the top of that list.

 

This was made by using only words and small letters. Kind of dictionary based attack, but now with a hyper large text databases using almost all the imaginable sentences you'd prolly come up with.

But even insterting some capital letters will do the cracking harder, not to mention some gibberish, numbers, or "%!) type characters.

Now, if somebody had a link to a nice web page with info on password strength like:
If you use some non-words, but only small letters, the minimum length you need not to be cracked with estimated computer speed developing within 100 years, you need e.g. xxx characters. If you add a few capitals, you need 3x characters. If you add a few numbers, 2x characters. If you add some #¤&?=, 1x characters, etc. Some practical strength advice, that would be.

 

I'm always weary of password strength testers. So often they don't factor in common dictionary attacks and just estimate based on keyspace. (And I'm not even sure they factor in the law of averages.)

Those both told me correctbatteryhorsestaple would take a quintillion years to crack. (I realize it's not exactly in the top 10 most used passwords, but come on.)

The best advice/analysis I've seen comes in the links given here.

 

No password is safe from new breed of cracking software

No password is safe from new breed of cracking software.

Reference: Password-cracking software runs at 8 million guesses per second.

Related information: oclHashcat-plus cracks TrueCrypt.

I recommend you follow the link in the first article to the release notes to check on the new supported algorithms and GPUs. Passwords up to 55 characters in length are vulnerable to this tool.

-- Tom

 

for me it's disturbing

i did trust of truecrypt a lot

now i'm going to change my router password every week

 

See here.

 

I use a Random Number Generator with upper and lower case letters; numbers special characters Underscore and dashes and whatever else the web site allows and I keep the passwords long (20 characters or more), I don't trust online password strength testers.

 

do you use a program to create a random number? like pwgen 2

 

< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-25};echo;

--> KIh69uHzw70b1gJDP8beX7_8q

< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-50};echo;

--> ElQzDk80YmUd9cAJmuuhUFW9LMVd40Tny_ZulKBXMXJn0Bbg6j

 

Keepass has a pretty good password generator.

 

Keepass, both series 1xx and 2xx have random number password generators
[edit] dogbite you beat me to it

 

does someone use this tool to test how turbo is it?

 

From Password Haystacks (mentioned in post #4):

Diceware strong master password generation method