How Many Seconds Would It Take To Crack Your Password?
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
I wonder if he's caching every string entered into a dictionary file...
That's silly. I just use my SS#. That has a LOT of digits. Who is going to guess that?
https://xkcd.com/936/
What kind of qualifier is that? If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism. They are obviously making some concrete assumption about computing resources (which the article does not specify, as far as I can tell).
https://www.grc.com/haystack.htm
Whenever somebody mentions GRC I get a craving for cookies. Syncookies, to be precise.
What system would allow someone to make thousands of attempts per second to login?
There's still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered.... of course, the field would accept more and they wouldn't tell you this so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.
Anytime I read articles like this, I just assume someone is trying to see something...
The best way to limit an attack like this is to limit how fast the attempts can be made. Rerun his "test" when the server only allows one password submit every 10 seconds and see how long it takes. More secure you say?? Well, after 5 bad attempts, lock the account for 30 minutes?? Please, however, never lock the account entirely like SOME companies do. That makes a script kiddie's actions my problem...
Good passwords can never stop common sense computing procedures...
Not to be suspicious, but "double-check your password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....
I use binary for passwords, thus my password is 168 characters long, only down side is it only has 10 digits!
0111100101101111011101010010000001101
text in the middle
0010110111001110011011001010110111001
text in the middle
1100110 11010010111010001101001011101
text in the middle
100110010100100000011000110110110001
text in the middle
1011110110010000100001
More text because /. filter throws an error, I wonder how much more text I have to type?
"Filter error: That's an awful long string of letters there."
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
My password would take 8.52 hundred thousand centuries to crack in a Massive Cracking Array Scenario. Not bad. Add the fact that every password I have is different, I should be safe. An uppercase character added would take 1.41 hundred million centuries. Maybe it's time I put in an uppercase too :)
Can I light a sig ?
Password input should be more dynamic and involve the backspace key and pause lengths. Instead of static, plain text inputs, the fields should be more like character recording devices.
Your initial input might be: pa$$word
Then a delete series: pa$$
Then a minimum of three second pause.
Then more typing: pa$$DonGEATER
The series of keystrokes, backspaces, and pauses is recorded and then compared with your password recording.
Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.
And raise you a xkcd 792
Sure, if you have some unknown password, and your brute strength computer can get a yes/no answer to each guess just as quickly as the guesses can be generated, then most passwords are shockingly insecure and can be cracked in fractions of a second. However, in many real-world situations, each guess has some minimum time or cost associated with it, which severely limits the real-world speed of a brute strength attack. For instance, if you are trying to guess the password to a WiFi network, each attempted connection takes several milliseconds at least, and multiple guesses can't happen simultaneously. What is more, there are also a large number of password-protected scenarios where too many failed attempts, or attempts that come in too-quick succession, result in being locked out.
So, yeah, a 6-character password may be crackable in 0.0000224 seconds - in an ideal, offline case backed by serious computing power. That might be the case of, say, the NSA trying to decrypt a copy of your hard-drive. In many real-world cases, these numbers are pretty meaningless except as relative measures of strength. But there have been good analytical tools for that since the days of Claude Shannon.
What a great way to generate a new wordlist...
Six character password time to crack with a keylogger:
0.00000000000000001 seconds
Alpha numeric passphrase with symbols time to crack with a keylogger:
0.00000000000000001 seconds
Why bother waiting 3 weeks for a brute force attack? Passwords just are not that secure.
I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.
clickity clickity clickity clickity...
I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"
Must have been the only time I've seen an MS CD-Key actually being wanted.
Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:
Online Attack Scenario:
(Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries
Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as you obfuscate it!
Worst-case scenario with almost unlimited computing power
And with a lever big enough I could move the world.
That aside, I can hardly think of a system I use (websites included) that don't either lock an account after so many attempts or at least put a time delay on further tries. Brute force attempts just don't cut it with some simple common-sense security steps taken.
Soon we will see an article about how many hard passwords in recently leaked databases were "cracked" using this little test because users were gullible enough to test their real passwords...
"I love my job, but I hate talking to people like you" (Freddie Mercury)
I checked my password, and found that it will take 25.76 million trillion centuries. Hooray - no one that's never read XKCD will ever guess my password.
Obligatory: http://xkcd.com/936/
Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
Use keepass with the default settings of 25 characters, digits and symbols. It should be safe for a while. I'm syncing it to my Android phone too.
Considering my bank's PIN is 4 digits, and it hasn't been cracked yet, something must be working...
Every idiot seems abuzz about the possibility of a new MacBook Pro, likely to be announced next week at Apple's Worldwide Developers Conference (WWDC).
Many fart that the world as we know it may end it if the new MacBooks don't have a Retina display. Cripers.
Fucking Time magazine ran the headline, "What If Apple's New MacBook Pros Don't Have Retina Displays?" -- implying that it would be a disaster and could be a gigantic letdown. Puh-leeze.
The lame-brain reason for the super-high resolution screen is so you can get some detail on a 3.5-inch cell phone screen or on a smaller display in a camera's viewfinder. Ever since the introduction of the so-called Retina display, all we hear about is Retina this and Retina that.
I put my AMOLED Android screen next to Apple's Retina display all the time and my display looks better. Nobody denies it. So what's the fuss and why does everyone now want this Retina display on a larger format?
I sure as hell don't. For one thing, it would be a disaster for performance. Those extra pixels have to be addressed, you know, and since you do not want text that appears to be one pica high, a lot of effort would go into the scaling of everything. In a side-by-side comparison at a three-foot distance, it is doubtful that the Retina display on a 15-inch screen would look much different than 1920x1080.
The late-great Panasonic once shouted from the rooftop that at any normal viewing distance from a flat panel TV, nobody could tell the difference between 720p and 1080p unless the display was bigger than 50-inches. I'm certain, though, that all the iPhone mavens would want a Retina display TV because I hear a loud buzz demanding 4K TVs. These are sets that would typically be anywhere from 4096x1714 to 3996x2160 to 4096x3112. Really? You want that? "Yeah, man!"
Yeah, I suppose if you are right on top of the set, you'd notice. Of course, no broadcaster is going to invest in such gear for decades; they all hated upgrading to HD. And who's got the bandwidth for mass distribution of this sort of signal? I suppose this is all beside the point.
Maybe a Nikon or Canon D-SLR will eventually be geared to shoot a 24-megapixel (say 8000x3000) movie at 60 frames per second and we can all "ooooh" and "ahhh" at the beautiful movie when someone shows it on a Retina display laptop at the office.
But you know, if you want genuine super-high resolution, you can go outside and look at nature, right? I wonder if anyone realizes that anymore. Does anyone go outdoors and see a tree and remark, "Wow, look at the resolution of that bark! How many pixels do you think this is?"
I think the invention of the Retina display has made the discussion ridiculous, just like Mac users are.
http://xkcd.com/7/
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
The one for my email - trillions of years. Dumb sites emailing me my own private data means it needs to be secure.
Slashdot, football forums, BBC - minutes. I honestly don't give a shit about these sites.
Random websites that force you to sign up in order to download a crappy wav file - I'll just tell you, just to save you the hassle. username = no@example.com, password is nonononono.
My banking password? Minutes. Why? Because passwords are shite and obsolete. I use extra forms of authentication on banking websites.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
Q:So, from the answer above, that means that our passwords should always contain at least one of each type of character?
A:Yes, that's exactly what it means. Take, for example, the very weak password “news.” If another lowercase character was added to it (for example to form “newsy”), the total password search space is increased by 26 times. But if, instead, an exclamation point was added, (making it “news!”), the total search space is increased by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.
Funny thing is, almost every example I've seen of how to increase the complexity of your password uses the example of putting an exclamation mark or a 1 on the end. Based on what I know about people, that's exactly what they'll do, which doesn't increase the search space by as much as the author thinks, and might even convince the user to use a shorter password with a ! on the end of it, which is worse.
Oops! *hurries to change password*
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Well I entered in "Go to my office and look at the post-it on my terminal" and it said that will take "4.97 hundred billion trillion trillion trillion trillion trillion trillion centuries"
This article is misleading. Most sites will lock you out after so many failed attempts.
Trillions of centuries online, 65.90 thousand centuries with the Massive Cracking Array Scenario, and yet somehow I don't want to use it.
I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.
The author gets lots of things confused:
- He seems unaware that a rainbow table is equally effective against a good password as a bad one.
- He seems to think a dictionary attack comprises wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this, and I'm far more inclined to believe Mr. Schneier.
- He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
- He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
- He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
- He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
- He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD some time ago.
Rainbow tables and brute force could not do it in a reasonable amount of time. But this was a couple of years ago on an old decommissioned server with only 8 Xeon processors. 1 week later and still nothing.
Do not look at laser with remaining good eye.
Obviously, it would be S T U P I D to enter your password there.
According to the site
test would take 7.92 minutes to crack,
password would take 6.91 years,
abcd123 would take 2.56 years and
correct horse battery staple would take 12.41 trillion trillion trillion centuries.
Quite interesting.
Very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen.
Actual security should be more systemic -- the cost of a wrong guess is more than a nanosecond of GPU. There are at least network delays, and in many cases lockouts. The latter make random guessing too costly/slow, especially progressive systems that allow 5 wrongs immediately, 10 in an hour, 20 in a day, and lock hard (manual intervention) above that.
My father had one of the early ATM cards but had me operate the machinery. It had an 8 digit assigned PIN, but dropped quickly to 4 when it was realized the 8 were hard to remember, and swallowing the card after 3 wrong guesses was more than adequate.
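The progressive policy described above (5 wrong guesses allowed immediately, 10 in an hour, 20 in a day, then a hard lock needing manual intervention), written out as an added Python sketch; it is not code from the post or from any product. The one-minute burst window, the reset of the counters on a successful login, and the choice not to count attempts that were rejected while throttled are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass
class ProgressiveLockout:
    """Failed-login throttle for one account: a small burst of wrong guesses
    costs nothing, further guesses are slowed by a rolling one-hour limit, and
    going past the daily limit locks the account until an operator resets it.
    Limits and windows are assumptions chosen to match the post's numbers."""
    burst_limit: int = 5          # wrong guesses allowed with no delay
    hour_limit: int = 10          # wrong guesses allowed in any rolling hour
    day_limit: int = 20           # wrong guesses allowed in any rolling day
    burst_window: float = 60.0    # assumption: "immediately" = a one-minute window
    failures: list = field(default_factory=list)   # timestamps (seconds) of failures
    hard_locked: bool = False

    def _recent(self, now: float, window: float) -> int:
        # Rolling-window count of recorded failures.
        return sum(1 for t in self.failures if now - t < window)

    def state(self, now: float) -> str:
        """'allow', 'throttled' or 'locked' for an attempt made at time now."""
        if self.hard_locked:
            return "locked"
        if (self._recent(now, self.burst_window) >= self.burst_limit
                or self._recent(now, 3600.0) >= self.hour_limit):
            return "throttled"
        return "allow"

    def attempt(self, now: float, password_ok: bool) -> str:
        """Outcome of one login attempt: 'success', 'denied', 'throttled', 'locked'.
        Attempts rejected by the throttle are not recorded as failures, so
        hammering an already-throttled account does not bring the hard lock
        closer; only guesses that were actually evaluated count."""
        verdict = self.state(now)
        if verdict != "allow":
            return verdict
        if password_ok:
            self.failures.clear()        # a genuine login resets the counters
            return "success"
        self.failures.append(now)
        if self._recent(now, 86400.0) > self.day_limit:
            self.hard_locked = True      # manual intervention from here on
            return "locked"
        return "denied"

    def operator_reset(self) -> None:
        self.failures.clear()
        self.hard_locked = False


def simulate(guesses_per_second: int, horizon: float) -> dict:
    """Constructed scenario: an attacker who never guesses right fires at a
    fixed rate from t=0.  Reports how many guesses the policy actually
    evaluated and when (if ever) the account went into the hard lock."""
    acct = ProgressiveLockout()
    evaluated = throttled = 0
    i = 0
    while (t := i / guesses_per_second) < horizon:
        outcome = acct.attempt(t, password_ok=False)
        if outcome in ("denied", "locked"):
            evaluated += 1
        elif outcome == "throttled":
            throttled += 1
        if outcome == "locked":
            break
        i += 1
    return {"evaluated": evaluated, "throttled": throttled,
            "locked_at": t if acct.hard_locked else None}


if __name__ == "__main__":
    # At 10 guesses/s the rolling limits let through 5, 5, 5, 5 and then the
    # 21st evaluated guess (about two hours in) triggers the hard lock.
    print(simulate(10, 86400.0))
```

The hard lock is the trade-off another post in this thread complains about: an attacker who keeps going for two hours makes the lockout the legitimate user's problem, so the day limit is the part of the policy to weigh most carefully.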
While this is true, Microsoft only uses the first 8 characters.
So long passwords are pointless on Microsoft products.
CAPTCHA = pictures
Obligatory xkcd
correcthorsebatterystapler
Search Space Depth (Alphabet): 26
Search Space Length (Characters): 26 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length) 6,402,364,363,415,443,603,228,541,259,936,211,926
Search Space Size (as a power of 10): 6.40 x 10^36
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 2.04 trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 20.36 thousand trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 20.36 trillion centuries
--
BMO
And only got the response: "That's the kinda thing an idiot would have on his luggage."
It actually is stronger. A dictionary attack on a single-word password is effective, but for 3+ words it is not, and if you add word separators like you have, it's even stronger.
Also, oblig. xkcd: http://xkcd.com/936/
The Zeitgeist Movement
So your super-duper trillion-century password should work great until someone runs an injection attack and downloads the website's plain-text password database
Doesn't just *allowing* the use of numbers and special characters automatically increase the search space size, regardless of whether the user takes advantage of them? It's the fact that cracking systems will focus on all letters first which makes them weaker, right?
Your favorite sig sucks
If your password is subject to more than one guess per second the system is already pwned. The most important thing is not to have super secure passwords but to protect the system so the crackers can't get access to the hash files in the first place. If the crackers have your hash files, what else do they have?
This password security checker is much more accurate.
I'm not a programmer so this may be a dumb question, but do cracking programs somehow go around the normal web interfaces we all usually have to use? Because many that I use only allow a certain number of tries or the refresh time after each unsuccessful attempt is not instant. Sure if you put the program in a standalone it could do the cracking fairly quickly but that's not always real world is it unless you have some direct access to the server?
I'm irked to no end by articles that suggest the use of impossibly long to remember passwords. Can we please be told to use pass phrases instead?
Much about everyone knows witty quotes, religious quotes, song lyrics, movie lines, etc. Surely they can successfully use these as pass phrases? Good luck brute forcing something like this:
Proverbs 21:19 -- It is better to live alone in the desert than with a crabby, complaining wife.
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 23.36 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries
Real hackers have multiple video cards running 24/7/365 cracking passwords.
I've seen documents/videos online showing that 12 character (any keyboard character) passwords are 100% cracked in 26 hours. They start by using dictionaries with dynamic character replacement - forget your L33t crap, it doesn't help.
Also, nobody is trying to brute force passwords over network connections except for the top 500 passwords for ssh/admin/web connections. Just use fail2ban to stop those jokers. They get access to the DB and bring it local for their cracking pleasure. Every DB that has ever been leaked has been used by these guys - basically any unsalted password under 20 characters is already known.
There is no substitute for random, long, passwords. None.
Get over it.
* Use a password manager.
* Use a unique, long, unknown password for every account that you can.
* Never type in those passwords. Let the program do it.
* Avoid centralized password solutions on the internet - FB, Tweeter, google, LastPass come to mind.
Mom always said to not keep all your eggs in 1 basket, right? Did you hear her? Today she would be saying don't keep all your eggs in 1 basket that someone else holds on the internet.
Mom is wise.
Soooooo....enter your password into this completely legitimate and not-at-all-a-harvesting-tool password checker and we'll tell you if it's secure?
Ima get right on that.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Man, Gibson has completely lost it--and it was always a bit dubious if he ever had it to begin with.
I'm sure the NSA has a very complex model of password structure based on every password they have ever captured or broken. They would certainly try longer passwords with high symbol repetition rates before shorter passwords with uniform distribution over large symbol sets.
The correct asymptotic answer involves Kolmogorov complexity theory: what's the shortest program (on a chosen universal computer) which prints out each of those strings? Hint: the program that prints out d0g................. is probably not a long one.
But wait ... you first seed the machine with every password known to the NSA that has ever been cracked or stolen. This does not count as part of the program length. Now test the passwords in roughly the same order as the associated minimal generating program. This isn't tractable, but even a ham-fisted approximation is less stupid than Gibson's assumptions.
More to the point, non-uniform scheduling is not the most trivial coding challenge in the massively parallel implementation.
But then if he had the wits to also print out the answers in joules and not just years he would realize that the economics quickly tips to favour investing in a distributed password cracking scheduling algorithm on the order of the complexity of a 3000+ computer chess engine or 6-man EGTB generator.
that's why i also use it on my luggage.
with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds
With "almost unlimited" computing power any password will almost take "almost no time" to decrypt.
sic transit gloria mundi
Seriously, any system that allows 1000's or millions of attempts to access the same account repeatedly with failing passwords is an inherently flawed system.
I don't like systems that give you 3 attempts and then lock you out, that is unnecessary, but a secure system should expect that a "human" entered password will take at least 10 + seconds between attempts and that no "human" would spend several hours/days trying to enter repeatedly failing passwords.
There is a current "myth" that I am required to change my passwords frequently and use stupid rules to construct a password. I think the systems need to change to understand the fundamental difference between human input and computer generated input and then deal with the attack accordingly.
I also read somewhere that using 4 REAL randomly associated words is far more secure than some password full of symbols, characters and digits.
I think password systems need to change, not the way people pick a password, I can't believe any system should exist that allows brute force hacking schemes.
I haven't thought of anything clever to put here, but then again most of you haven't either.
There's a fundamental error in how Steve's doing this. It assumes either the attacker knows the key space you're using or searches all smaller key spaces first. Instead, an attacker is more likely to use a word list with a set of permutations. That may mean that Password1! breaks even though it has a nice key space. On the other hand, passssword may not break because it's simply too computationally intensive to check adding the entire key space into the middle of the dictionary in every location. You'd have to search every number, letter (upper/lower), and character in between every other letter in the word and then do it again with combinations of two characters for every word in your dictionary. (BTW, I can't take credit for this insight. It was presented at defcon a few years ago. As a sidenote, at the presentation, I believe someone indicated some password crackers will try characters in between the syllables.) To generalize this, you can use a pattern to create your password with a very small keyspace and unless the pattern and keyspace is known to your attacker (either because you leaked it or you chose a common pattern) your password can be safe.
I do security
I mean how legit is it for someone to have such a thing? Do they even exist? Are they the size of a football field? Can it be done on an Iphone?
I have to wonder why anyone listens to Steve Gibson about anything, ever. He goes back a long way, making sweeping claims about things he kind of understands based on research done by actual security professionals. Has he gotten better at things in the last decade or so? He always had a tendency to hear something, run off on a tangent creating press releases and small tools, and then get shouted down by the security community at large. Examples including who did the heavy lifting: Raw Sockets (l0pht/@stake IIRC [and whoever the initial researcher was, they did NOT spin it as the apocalypse, as Gibson did), WMF (Ilfak Guilfanov), SYN Cookies (djb), DNS (Dan Kaminsky), and this article right here.
Slashdot always seems to be his willing dupe and publicizes whatever he is concerned with at the moment.
I like music
Apparently Steve and I share the same taste in food, if not passwords. The pic being taken at Rudy's Can't Fail Cafe in Oakland CA who make a mean Guinness milkshake, yum. Highly recommended to those in the area.
I'm not entirely sure why people require complex passwords. If you use the linked https://www.grc.com/haystack.htm you'll find that an easy-to-remember pass-phrase is much stronger than any kind of line noise!
Addendum:
Not only would the NSA have such a model, but it would be conditioned on any number of details they might know about you: your nationality, ethnic background, date of birth, education, profession, operating system, and keyboard skills. Factors of ten are worth having.
Worse, if they've siphoned many of your other passwords over the intertubes--perhaps passwords you don't actually care much about--they would still attempt to detect structural patterns to bias the password search order for more complex passwords you do care about. Ideally there's a sharp schema discontinuity.
I pretty much use apg on my OpenBSD box for any password I care about (an uncompromised entropy source and RNG also matters). As a compromise, I've set apg to generate what I would estimate as about 60 bits per password, then I filter and discard the ugliest ones, shaving a few bits to finger compatibility. With this practice, after conditioning my profile on quasi-elite best practice, cross entropy won't provide much additional boon.
Password inflation runs about ten bits per decade, while my brain deflates about three bits per decade. The center cannot hold. Already I can barely hold in mind my semi-mnemonic apg-generated 60-bit passwords long enough to use them twice.
Your password is only as good as the system recording it. You could have a 30 character complex password and if the site can be compromised by a simple SQL injection and stored in plain text then it really doesn't matter now does it? All this shenanigans lately around password hash files and security needs to be put back on the providers.
is: "What 1s Th3 p4ssw0rd Tod@y"
The spaces are in there. And no it is not on any important system or account. I use it if I set up a test system for a while (a week or two at most) that I have to share with other people. Everyone can remember that password. The funny thing was we had a company come in to test our security. They did not get that password after trying 24/7 for a week.
Assuming near omnipotence I can travel around the world in .000034 seconds, lift 12,232,235,656 pounds, and come up with the most pointless slashdot article all at once. Thoughts?
After just a few attempts on most accounts, you would be locked out for some period of time. In a static test environment, I am sure that it is theoretically possible, but not if you exist in reality.
With the Internet latency alone, with most accounts with passwords, it is not even close.
Stupiid
But, IMHO, not too much, statistically.
I expect most of the people putting the mandatory uppercase letter at the beginning of the pass and the mandatory number (usually a '1') at the end.
A password I just randomly chose (1mg0nn@fuckyourm0m) would take roughly 4 billion centuries to crack.
Sometimes childish 1337$p3@k is fucking awesome.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Just use LastPass
Generate random, max sized passwords with the site's char rules. Done and done.
The only downside is the iPhone/Android app is a little clumsy, and some Flash/CSS forms don't have HTML fields that the LastPass app can autofill, but for 98% of the sites, you really can't beat it.
and: $1 a month.
Hats off to the venerable Steve Gibson for an excellent teaching aid. If nothing else he presents an interactive tool that begins to highlight how stoopid your pet's name, spouse's birthday, or favorite song title is. For most folks, current company excepted, trying to explain how to measure number space for a given password length & character set is a useless exercise. That said, the Password Haystack motivated me to harden my passwords. 1.65 hundred centuries using a Massive Cracking Array Scenario works for me. Can you say "Bluffdale 84065"?
"5 random lower case characters + one upper case = 52^6"
no, it's 26^6 * 6. since you know there is only one upper case. if there are N upper case then it becomes more difficult.
If you knew the password was five A's and one B. then it is just 6. ...
AAAAAB
AAAABA
AAABAA
statistically you can work out the probability for each of N capital letters. Let us assume that because this article and several others like it, are only suggesting that people add a single capital letter. then the search space doesn't really get bigger. for a 10 character password it is only a single order of magnitude. For a 30 second search on an all lower-case it takes 5 minutes for one known to have one upper case. Helpful, but not really all that impressive.
likely the attack will just search most likely to least likely. so: dictionary words, random lower, 1 upper, 1 number, 1 symbol, lower + upper + numbers
as you add together the time it approaches the worse case search through the entire space.
the tool 'pwgen' produces pretty good passwords, numbers and upper. but it does pick them out in a certain way, so if you knew people were using pwgen for their passwords (that's unlikely to happen) you could dramatically reduce the search space. despite the program's "strong" passwords, they are selected according to some criteria to make them easier for a human to memorize. example passwords:
Quob5foh Theeji6c OhGhie2E xi0omiNg oGhai6bu uB9Caisi Thahvei0 Iecohl8z
weiGh3ie LahGoh3t uR3SaiJa ie0ja2Ah doS1looh Oa1maiph dei6OhQu AeNei8Ch
“Common sense is not so common.” — Voltaire
It would be 26^6 if and only if you knew exactly where the upper case letter was, which is an unreasonable assumption.
No, it's not. Most people capitalize the first letter of a word out of habit. If you're doing an attack based on dictionary words, it's obvious to check that before any of the rest. Then, the next most likely thing to check is that the person used only a single capital letter in the word in another position because typing multiple, unnaturally placed capitals is slow and tedious. Lastly, check for all-caps, exploiting the CAPS LOCK key.
Thus, 7 * 26^6 will net you the vast majority of variations on a word much faster than an exhaustive 52^6 needle in a haystack search. This is also true for common substitutions, like 4 for a, 1 for i, 3 for e, etc. and for numbers tacked on at the beginning or end of words
So, "[a]dding one extra capital, number, or symbol" in fact "does not significantly increase password that strength much" if you use the most common methods everyone else uses. GP is correct for the common case, because password crackers are written by people who actually think about the human element. You have to use such things intelligently for them to matter.
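The two comments above (6 * 26^6 for one capital at an unknown position, and 7 * 26^6 of case variants instead of a 52^6 brute force) both describe the same thing: a cracker that derives guesses from a word list with mangling rules and only falls back to exhaustive search when the rules run dry. The following is an added example, not code from the thread or from any real cracker; the word list, the substitution table and the affix list are constructed, and the rule order is my guess at typing habits, not a measured distribution.

```python
# Added example, not code from the thread: a small rule-based guess generator of the
# kind a password cracker runs over a word list, next to the brute-force keyspace the
# generated guesses let it skip. WORDS, LEET and AFFIXES are constructed for the demo.
from math import comb
from typing import Optional

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}   # common substitutions
AFFIXES = ("1", "123", "!")                                   # common tacked-on strings
WORDS = ["password", "monkey", "dragon", "letmein"]          # constructed toy word list


def keyspace_k_caps(n: int, k: int) -> int:
    """Brute-force space for an n-letter password known to hold exactly k capitals at
    unknown positions: 26^n letter choices times C(n, k) ways to place the capitals.
    k = 1, n = 6 gives 6 * 26^6, the figure quoted above; 52^n is what you search
    when you know nothing about case at all."""
    return comb(n, k) * 26 ** n


def case_variants(word: str) -> list:
    """Case forms of a word in roughly the order people actually type them:
    all lower, first letter capitalised, one capital elsewhere, all caps."""
    w = word.lower()
    out = [w, w.capitalize()]
    out += [w[:i] + w[i].upper() + w[i + 1:] for i in range(1, len(w))]
    out.append(w.upper())
    return out


def leet_variants(word: str) -> list:
    """Digit-for-letter substitutions: every substitutable letter at once (the common
    habit), then one letter at a time. Only lowercase letters are substituted."""
    out = []
    full = "".join(LEET.get(c, c) for c in word)
    if full != word:
        out.append(full)
    out += [word[:i] + LEET[c] + word[i + 1:] for i, c in enumerate(word) if c in LEET]
    return out


def candidates(word: str) -> list:
    """Ordered, de-duplicated guess list derived from one dictionary word:
    case forms first, then their leet forms, each with common prefixes/suffixes."""
    base = case_variants(word)
    base += [v for b in base for v in leet_variants(b)]
    seen, out = set(), []
    for b in base:
        for affix in ("",) + AFFIXES:
            for guess in (b + affix, affix + b):
                if guess not in seen:
                    seen.add(guess)
                    out.append(guess)
    return out


def guesses_until(target: str, words=WORDS) -> Optional[int]:
    """Number of guesses the rule-based pass needs before it hits target, or None if
    target is not derivable from the word list (it then falls through to brute force)."""
    n = 0
    for w in words:
        for guess in candidates(w):
            n += 1
            if guess == target:
                return n
    return None


if __name__ == "__main__":
    print("one capital somewhere, 6 letters:", keyspace_k_caps(6, 1))
    print("no knowledge of case, 6 letters:  ", 52 ** 6)
    for pw in ("Monkey", "MONKEY", "M0nkey1", "xq7Lz9"):
        print(f"{pw!r}: {guesses_until(pw)} guesses")
```

The point the block makes concrete: "Monkey", "MONKEY" and "M0nkey1" all fall within a few dozen guesses of the word they came from, while a password the rules cannot derive ("xq7Lz9") returns None and is the only one that forces the attacker back to the 52^6 space the calculator measures.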
Check out http://passfault.com/passwords.shtml as well, it does something similar but also includes dictionary attacks in the calculation.
Any LiveCD with chntpasswd(8) should do the trick. Choose one that only gives you a command line (Trinity, IIRC) and memory won't be a problem.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
The first 6 digits are the BIN Number (Bank Identification Number) or the Issuer Identification Number (in the US)
Go look for the ISO Standard... ISO/IEC 7812
Your assumptions about the starting digits are also wrong.
The first digit identifies the type of industry, as is shown if you go here
->>>> http://en.wikipedia.org/wiki/Bank_card_number
Or here
http://www.computersolving.com/computer-tips-tricks/what-your-credit-card-numbers-mean/
Dumb theory. In the real world the cracker has to wait for a response from the system. If the cracker tries too many times, too fast or such then the system just locks the cracker's IP out and if this keeps happening locks the account out for a timeout. This makes it take centuries instead of seconds.
It's a good thing you posted the old xkcd example. As the website itself says at the bottom (which no one reads, I guess), this is not actually a measure of how strong your password is. According to the figures you just showed, this example password has 123 bits of entropy when that search space is converted to base 2. (Wow! Right?)
But if you go back and read the xkcd comic, you'll notice that the author pegs it as only 44 bits of entropy. Why? Well, it's nothing but a list of common dictionary words. If you look at the 2000 most common words, that's only 11 bits of entropy a piece. With four words, that's 44 bits total as their entropy is multiplied together. That comes out to a millennium in the slow scenario, a few minutes in the fast scenario, and half a second in massive array scenario.
That's still more than good enough in the real world, but to go from trillions of centuries to half a second is quite the downgrade if someone is using an intelligent password cracker.
The real danger of posting this site without warnings is the complacency this gives users of much shorter, dictionary-based passwords. After all "password" theoretically has 38 bits of entropy in a brute-force 8-letter lower-case search. But it's not going to last that long, is it?
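The arithmetic in the post above, as an added example that is not part of the thread and not GRC's calculator: the same passphrase scored under the brute-force model (length times log2 of the character set) and under the model that matches how it was generated (four words from a 2048-word list, 11 bits each), then turned into worst-case crack times at the three guess rates the calculator assumes. The word-list size and the rates are the thread's numbers; the sample passwords are constructed.

```python
# Added example, not code from the thread or from GRC's calculator: entropy of a
# password under the model the attacker actually uses, and the time that entropy buys
# at the three guess rates the calculator assumes.
import math

RATES = {                        # guesses per second, the calculator's three scenarios
    "online":        1e3,        # one thousand per second
    "offline fast":  1e11,       # one hundred billion per second
    "massive array": 1e14,       # one hundred trillion per second
}
SECONDS_PER_YEAR = 365.25 * 86400


def bits_bruteforce(length: int, alphabet_size: int) -> float:
    """Bits an attacker must burn if all they know is length and character set."""
    return length * math.log2(alphabet_size)


def bits_wordlist(n_words: int, list_size: int) -> float:
    """Bits for n words drawn uniformly and independently from a list of list_size:
    the search spaces multiply, so the bits add (4 words from 2048 = 44 bits)."""
    return n_words * math.log2(list_size)


def bits_dictionary_rank(rank: int) -> float:
    """Bits for a bare dictionary word sitting at position `rank` in the attacker's
    list: the attacker needs `rank` guesses, i.e. log2(rank) bits (rank 1 = 0 bits)."""
    return math.log2(rank)


def worst_case_seconds(bits: float, rate: float) -> float:
    """Time to exhaust all 2^bits guesses at `rate`; the calculator quotes this worst
    case. On average the right guess turns up at half this."""
    return 2.0 ** bits / rate


def humanize(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.2g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.2g} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 100:
        return f"{years:.2g} years"
    return f"{years / 100:.3g} centuries"


def report(label: str, bits: float) -> dict:
    """Worst-case crack time under each scenario, keyed by scenario name."""
    times = {name: worst_case_seconds(bits, rate) for name, rate in RATES.items()}
    print(f"{label}: {bits:.1f} bits")
    for name, t in times.items():
        print(f"  {name:14s} {humanize(t)}")
    return times


if __name__ == "__main__":
    # "correcthorsebatterystaple" scored as 25 random lowercase letters ...
    report("4 random words, brute-force model (25 lowercase)", bits_bruteforce(25, 26))
    # ... versus scored the way it was actually generated
    report("4 random words, 2048-word list model", bits_wordlist(4, 2048))
    # "password": 8 lowercase letters to the calculator, the first guess to a cracker
    report("'password', brute-force model", bits_bruteforce(8, 26))
    report("'password', top of the attacker's list", bits_dictionary_rank(1))
```

Run it and the 44-bit line comes out at about five and a half centuries online, three minutes offline and under a second on the array, which is the post's "millennium, minutes, half a second" (the post quotes average time, this block quotes the worst case). The lesson is in the gap between the two models of the same string: the calculator can only see the first one.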
would take:
Online Attack Scenario:
(Assuming one thousand guesses per second) 14.14 million trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.41 hundred billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.41 hundred million centuries
Same number of characters, same number and organization of numbers and letters. Just different numbers and letters.
The Dunning-Kruger effect explains most posts on
http://img705.imageshack.us/img705/6066/passwordo.jpg
Against a remote site, doesn't any decent site usually lock an account after 3 - 5 attempts?
... can only be expressed through interpretive dance.
I don't bank online, I don't do anything particularly secure online, and I don't really care who accesses my accounts. My password has been the same for the better part of a decade, and with the exception of my email, everything I use has pretty much the same password.
My password is supposedly trivial to crack. It is an 8-digit dictionary word, all lowercase. No numbers, no symbols, simple.
According to this utility, your average Anonymous script kiddie would still take 6.97 years to crack it.
Well call me unworried.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Rgx[P492é0Ã9BLkÃÃ
I still haven't found a password strength checker as good as this one. It takes into account 1337 speak and concatenations of dictionary words in a really nice way.
It took us two tries to crack an iPhone.
1234
chicks birthday. (may have done DD/MM and MM/YY can't remember)
I guess what I am trying to say is that the amount of time it takes is directly proportional to the information I know about you. Which, given social media and the like, is a lot.
Thinking some evil empire is going to "brute force" your 2048 bit encrypted pass phrase is stupid. It is more likely going to be some jerk that either phishes it, spoofs it, keylogs it, social engineers, etc... whereby basically it takes zero seconds to crack your code, because you just gave it to someone willingly.
This isn't some Russian hacker with a nuclear powered pentium 5 linux RISC chip out to crack your codes. Much more likely, no codes will be broken, a security vulnerability will be taken advantage of giving access to yours and 2.2 million other passwords.
People need to get their perspective corrected.
abcdefghijklmnopqrstuvwxyz ?
I doubt it.
With Massive Cracking Array Scenario it would take 24.55 billion trillion trillion centuries to get my login password and 1.21 hundred trillion centuries to get the password for encrypted stuff.
And since my passphrases use stuff not found in dictionaries, anybody trying to crack them just might want to have some good book to read while waiting. Or two.
Or just crack them using the wrench method.
Want a password that is relatively easy to remember and hard to guess?
Since the western world is so medicalized, chances are that you are taking some pills regularly. It can't be that hard to remember what you take, unless you are old enough to have forgotten that Enigma code you were trying to crack back in your youth at the army base.
"Esomeprazol Sandoz 40 mg, one capsule per day!" = 30.36 million trillion trillion trillion trillion trillion centuries using MCAS.
Your random online attacker might get bored before his dumbass dictionary attack gets that one.
I decided to test this method against the GRC tester and it was flawless. Try it for yourself --choose 4 RANDOM words 5 characters in length. Works amazingly well. Avoiding popular phrases (common sense; no bible verse, songs, book or movie quotes, etc...) and meaningful groupings (seveneighttwelve) goes a helluva long way to making a very secure passphrase.
Except... And this is the problem...
Popular "security best practices" SPECIFICALLY prevent you from using, what would otherwise be, a secure password.
They always want mixed case alphanumeric at minimum. And, a significant number of websites have maximum length limits too.
Hrmmm, I wonder if "they" purposely choose the illusion of security because they know that "we" are stupid and lazy...*
"They" and "we" in no way represent any person or entity, living or dead...yadda yadda yadda, blah blah blah...
"Helping to keep you two steps ahead of the Thought Police!"
The big gain in entropy when using multiple words is from password length. Having symbols, case changes and unusual characters all increase entropy, but over a certain length there are just too many combinations of lower case letters for brute force to be effective. Why complicate it further and risk slower typing speed or mistyping?
How about this to increase password security: simply a 5 second pause between attempts, and a need to click a random set of buttons or letters to try again? GOOD LUCK THEN CRACKING IT FAST...
and Behold the Mystical Power of EXPONENTS!! Prepare to be amazed!! We will magically create numbers so big they are Unimaginable!!
Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
Hurry! everyone put their passwords down and I'll let you know how long they take to crack!
If you disable an account after failed attempts, you get three tries.
If you disable an account for an hour after failed attempts- and alert the owner, you may get 9 tries.
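The lockout policies discussed above (lock the account after a few failures, or lock it for a while and alert the owner, or as the earlier comment put it, make it take centuries instead of seconds) can be quantified rather than argued. The following is an added example, not code from the thread: a per-account lockout guard with an injectable clock, and a simulation that drives an attacker at unlimited speed against it to get the hard upper bound on guesses per account. Policy parameters and the "alice" account are constructed.

```python
# Added example, not code from the thread: a per-account lockout guard plus a
# simulation of the most guesses an attacker can make against it in a given time.
# LockoutPolicy values and the account name are constructed for the demo.
import math
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    failures_before_lock: int = 5
    lock_seconds: Optional[float] = 1800.0   # None means locked until a human unlocks

    def __post_init__(self):
        if self.failures_before_lock < 1:
            raise ValueError("need at least one allowed failure")
        if self.lock_seconds is not None and self.lock_seconds <= 0:
            raise ValueError("a non-positive lock is no lock at all")


@dataclass
class AccountGuard:
    """Tracks failed logins per account and refuses attempts while locked.
    Call may_attempt() before checking the password, record_failure() on a miss."""
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def may_attempt(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        return until is None or now >= until

    def record_failure(self, account: str, now: float) -> None:
        n = self.failures.get(account, 0) + 1
        if n >= self.policy.failures_before_lock:
            lock = self.policy.lock_seconds
            self.locked_until[account] = math.inf if lock is None else now + lock
            self.failures[account] = 0        # counter restarts once the lock expires
        else:
            self.failures[account] = n

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def max_guesses(policy: LockoutPolicy, horizon_seconds: float, account: str = "alice") -> int:
    """Upper bound on wrong guesses against one account within the horizon, assuming the
    attacker submits instantly whenever the account is not locked and every guess misses."""
    guard = AccountGuard(policy)
    now, guesses = 0.0, 0
    while now < horizon_seconds:
        if guard.may_attempt(account, now):
            guesses += 1
            guard.record_failure(account, now)
        else:
            now = guard.locked_until[account]    # wait out the lock (forever, if permanent)
    return guesses


def years_to_exhaust(bits: float, policy: LockoutPolicy) -> float:
    """How long 2^bits guesses take at the per-account rate the policy permits."""
    if policy.lock_seconds is None:
        return math.inf                           # one lock and the account is gone
    per_day = max_guesses(policy, 86400.0)
    return 2.0 ** bits / per_day / 365.25


if __name__ == "__main__":
    permanent = LockoutPolicy(failures_before_lock=3, lock_seconds=None)
    hourly = LockoutPolicy(failures_before_lock=3, lock_seconds=3600)
    half_hour = LockoutPolicy(failures_before_lock=5, lock_seconds=1800)
    print("permanent lock after 3: ", max_guesses(permanent, 86400), "guesses, ever")
    print("1 h lock after 3, over 3 h:", max_guesses(hourly, 3 * 3600), "guesses")
    print("30 min lock after 5, per day:", max_guesses(half_hour, 86400), "guesses")
    print("years to exhaust 44 bits at that rate:", f"{years_to_exhaust(44, half_hour):.3g}")
```

Two caveats the simulation makes visible. The permanent lock gives the attacker three guesses and the victim a locked account, which is the denial of service the earlier comment complained about. And the bound is per account: an attacker spraying one common password across thousands of accounts never trips it, so the guard needs a per-source or global rate limit alongside it, and the 44-bit figure only holds for an attacker who is stuck with one account.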
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
2.41 x 10^44 or 7.66 hundred billion trillion centuries for an offline attack.
All I do (for the last 12 years) is "Myeyesarebrown&slashdot" or "Myeyesarebrown&twitter" or "Myeyesarebrown&banking"
Even if the cracker was smart and knew the sitename at the end, the base entropy is still 884,000,000,000,000,000,000,000,000,000 bits or about 28.11 thousand trillion centuries to crack.
And, a significant number of websites have maximum length limits too.
Sites and services that artificially limit the character set and length of passwords annoy the hell out of me.
on a passphrase of 63 characters, through a triple cascade encryption?
Obviously, this is an offline setup.
Operation Guillotine is in effect.
too many variables not considered
or six minutes... wow that was helpful.
10 characters with a symbol: Possible combinations: 171.3 sextillion (171,269,557,687,901,638,419; 1.71 x 10^20)
Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
It says my WEP password is tough to crack, billions of centuries. I feel much safer now.
Shouldn't any reasonable calculation that attempts to illustrate password strength beyond a year take into account the increasing compute power of the past 30 years or so?
I've been using the same password for the last 30 years and it's NEVER been compromised:
At school I made up a word, decided how I'd write it and pronounce it and never told anyone (yes, I can keep a secret). In the last 30 years or so that I've needed a password, I use the first half of the word (19 characters - or as many characters as the requesting system will accept) for nearly every password (except dumbass services who think they are protecting my privacy by declaring their password structure rules and insisting I follow their nonsense) and have only used the full 44-character word on one login system.
The short form according to grc would take 2.53 thousand centuries to crack using the massive array scenario; the full form, would take six hundred trillion trillion trillion centuries.
Secure enough for my liking, thank you.
No matter the strength of the code, at the end of the day all passwords are breakable, so instead of arguing about the time it takes to break a code, why not find what makes it so easy to break and fix it?