Domain: howsecureismypassword.net
Stories and comments across the archive that link to howsecureismypassword.net.
Comments · 11
-
XKCD is correct
Entropy is key to a good Password. Increasing the password length is one of the easiest ways to increase entropy in a password. Very few people can remember a password like "Xl5xX8lB4XI5" which would take a single computer about 25 thousand years*
However, using long words "alligatorterrorizesnewyorkcity" would take 22 septillion years*
* according to https://howsecureismypassword....
That being said, I also agree that generating new passwords should be done with a Password Manager, however the first password is always the hardest. Which is why three long seemingly random words is much easier and safer, IMHO.
-
Re:Seemed pretty obvious this was the case
A strong password CAN be easily remembered. How about remembering 10 and 11?
"Ten!!!!!!!!!!!"
That's 10 and eleven "!" characters.
https://howsecureismypassword....Length is really the primary consideration and once you get to 10+ characters the repetition isn't necessarily an issue.
But to your point about the cloud, I agree. I truly despise how all the vendors (Google, Apple, Microsoft among others) are driving data to cloud storage. It's so difficult just to save a file to the local device...every other prompt is trying to get you to save to their server farm.
-
Re: There we go again
I think sentences would be OK. Because of proper case and punctuation, a dictionary hack would take some time.
Also, a brilliant idea I came up with is to use web sites that relate, in some way, to the app or web page I'm trying to get into.
For instance for Facebook, a sentence
... "I love Facebook but it takes up a lot of my time."or
The sentence would take about 40 tresvigintillion years to crack on a PC. The web site, as password, would take about 837 quintillion years (both estimates are according to this site.)
-
Re:Rodney McKay's password?
You're limited the keyspace to just 10^n. A typical desktop will take hours to break it, a concerted effort on dedicated hardware (parallel processing on CUDA or simlar hardware) will do it in minutes.
Adding just one lowercase letter will make the keyspace required to brute force 36^n. This means it will take 3.6 x as long per character to break.
http://howsecureismypassword.net/ See for yourself. -
Re:TRWTFYou make it sound so easy...which its not. Reverse engineering hashing algorithms still require a lot juice, and a lot of luck, and even more patience. For example:
A related-key attack can break up to 9 rounds of 256-bit AES. A chosen-plaintext attack can break 8 rounds of 192- and 256-bit AES, and 7 rounds of 128-bit AES, although the workload is impractical at 2128 - 2119. Basically you have a better chance of being struck by lightening, on the same day you win the Lottery, than being able to break it!
http://www.howsecureismypassword.net
It would take 631 thousand years to crack just one of my passwords - and considering you may need to crack at least one other before you got to that one, I would say, go ahead and try - I'll wait........... -
Take some comfort...
It government-backed policing agencies cannot bypass this, at least it shows (to some degree) that AES-256 doesn't have some fundamental flaw or "back-door" in its algorithm that was intentionally left undisclosed. Take some comfort in knowing that everyone who attempts to crack the archive (excluding the use of jail, torture, installing keyloggers, fining you millions in taxes that you never owed, etc) still has to take the brute-force/dictionary-based attacks. Here's an good example:
http://howsecureismypassword.net/ -
No love for password managers?
I'm surprised the common public hasn't really gotten into password managers like lastpass or keepass yet.
For example, I use lastpass. I have it set up so it logs off every time I close my browser, and I can set a delay time on how long after I close my browser it logs off as well. I only really have to log in with my master password once, and then everything is great after that.
Seeing as lastpass will autofill every form or password field on every website, and can even generate completely random passwords, from all forms of characters and symbols at any length, it seems odd to me that most wouldn't like to use it. It's very point-and-click-y and doesn't really provoke much in the way of effort, sans setting it up once and letting it do it's thing.
Plus, you only have to remember one password. The master password. And if you tell me that you can't remember a single complex password, then I challenge you to try. It's really not that hard. With only one password to remember, it's hardly a big deal to strain yourself to remember it. Plus, if you do it properly, the rest of your passwords that are stored will be 64+ some characters in length (assuming there's no size limit) and will be 100% random. Since you never bother to look at the generated passwords, you never remember them, and never know them, which is probably the safest way to keep it.
In any case, I'm shocked that people still think they can get away with garbage passwords nowadays. I could probably break into the entirety of my parent's and sister's accounts just by guessing passwords that I think they'd use. My parent's especially on that list. Then again, here I am preaching to the choir (I hope) and it's likely they'll never change their ways and set up a decent password longer than 6 or 8 characters.
(Since this was a long post, here, have fun playing the how secure is my password game. Longest amount of years = biggest e-peen)
-
Re:TrueCrypt
According to http://howsecureismypassword.net/ my password would take a million years to brute force.
But, as you gave your password to this site it is now stored in their database so they won't have to brute force it anymore.
-
Re:TrueCrypt
I would be leery about that. Most people don't use a passphrase large enough to seriously resist brute force attacks (20 characters minimum is what TC recommends). Plus, even encrypted data is still useful, because an adversary can brute force it at their leisure when stored remotely. Keeping the passwords stored on a device that would require physical access to gives a lot better security and keeps the baddies from getting access in the first place.
According to http://howsecureismypassword.net/ my password would take a million years to brute force. Not to worried about getting it brute forced. Without access to these passwords everywhere (phone/laptop/public computers/tablet) they are useless to me. What good is great security if you have no way to use what that security protects?
-
Trend is not good
I use 12-character passwords. http://howsecureismypassword.net/ [howsecurei...ssword.net] estimates that my root password would take 25 million years to hack.
Well, I also use a 12 character password, with at least one upper-case, at least one lower-case, at least one numeric, and at least one non-alphameric character. That web site estimates a mere 4 million years for a desktop PC to crack it. However, it does not indicate whether that's using the CPU or a GPU. Several orders of magnitude might vanish from that estimate if it is based on use of the CPU and a cracker uses a decent GPU. The remaining safety factor may become uncomfortably slim before long, given the performance improvements expected in GPUs and the parallelism inherent in password cracking.
The other posters are correct: passwords should be a necessary step in authentication, but by themselves should not be sufficient for authentication. After all, we can't expect to keep using longer and longer passwords (or pass-phrases). A few years ago, I was content with 8 character passwords for root (and sudo) accounts, and often containing only two character classes. Now it's 12 characters, containing four classes of character. Clearly, this trend is not good, as my memory for passwords is not improving at the same rate.
-
Re:And?
Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords...
The whole point of a hash is that it's supposed to offer last-ditch security if it's compromised. Otherwise why not just store in plaintext? I don't want any sysadmin near a server holding my information if they take the attitude that the server will never be compromised. Assume the server will be compromised, and take measures to minimize the damage when that unholy day comes.
I use 12-character passwords. http://howsecureismypassword.net/ estimates that my root password would take 25 million years to hack. I'll put the hash right here: f1593fdf843f6161b377d5d8adf7ad03
... let me know when you've cracked it.