lacion

Your 8 char random password now means nothing


2 hours ago, colonel_mortis said:

Yeah, I ran that on my low power laptop. The point is how much slower Blowfish is than NTLM. Even at 43551 H/s, it would take >25 days to brute force an 8 character entirely lower case password, and >3 million years 2.5 millennia to brute force an 8 character mixed upper/lower/numeric password.

Not really on the matter but I have always found it kind of funny how people talk about passwords or similar being brute forced in X time. Usually what they mean is that with their hardware it would take that X time to go through every single possibility there is while in practice it would take around half of that time for the password to crack, because mathematics and probability.

Just now, Thaldor said:

Not really jumping on the matter but I have always found it kind of funny how people talk about passwords or similar being brute forced in X time. Usually what they mean is that with their hardware it would take that X time to go through every single possibility there is while in practice it would take around half of that time for the password to crack, because mathematics and probability.

Yeah, it's an often overlooked subtlety, though I have already halved those numbers (26^8 / 43551 / 86400 = 55.5 days to test all passwords, so an average cracking time assuming a completely random password of 27.25 days).
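As an added example (not code from the post), the arithmetic colonel_mortis is doing above: keyspace divided by guess rate gives the worst case, and half of that is the average, since a uniformly random password is equally likely to be any candidate. It uses the post's own figures (26 lowercase letters, 8 characters, 43551 H/s); the function names are mine.

```python
# Added example (not code from the thread): turn a keyspace size and a guess
# rate into exhaustive and expected cracking time. The inputs used in the demo
# are the ones quoted in the post: 26 lowercase letters, 8 chars, 43551 H/s.

SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn
    (with repetition) from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def exhaustive_days(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Days to try every candidate at the given rate (the worst case)."""
    return keyspace(alphabet_size, length) / hashes_per_second / SECONDS_PER_DAY


def expected_days(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Days until a uniformly random password is found on average: half the
    keyspace, because each candidate is equally likely to be the right one."""
    return exhaustive_days(alphabet_size, length, hashes_per_second) / 2


def crack_table(alphabet_size: int, lengths, hashes_per_second: float):
    """Rows of (length, combinations, exhaustive_days, expected_days)."""
    return [
        (n,
         keyspace(alphabet_size, n),
         exhaustive_days(alphabet_size, n, hashes_per_second),
         expected_days(alphabet_size, n, hashes_per_second))
        for n in lengths
    ]


if __name__ == "__main__":
    # Each extra character multiplies every column by the alphabet size.
    for n, combos, worst, avg in crack_table(26, [8, 9, 10], 43551):
        print(f"{n} lowercase chars: {combos:>16,d} candidates, "
              f"{worst:>10,.1f} days worst case, {avg:>10,.1f} days on average")
```

The rate is the only input that changes between hash functions: plug in the per-second figure for a fast unsalted hash and the same 8-character space shrinks from weeks to hours, which is the Blowfish-versus-NTLM point made above.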



Worst thing is.... A governmental website here only allows passwords up to 8 characters. Insane.


6 hours ago, Firewrath9 said:

That's why they have a cooldown after you guess a password. 3 seconds after every mistake = 0.3 H/s

This is assuming you have a database dump of the hashed passwords



Which is why I use full ASCII passwords the length of 128+ characters for everything that matters. Good luck brute forcing that. What sucks the most is when retarded services limit your password creation options, like not allowing special characters other than _ or - or even lengths beyond 8 or 10 characters.

13 hours ago, Giganthrax said:

Dang it. 

 

I would hope that organizations like PayPal, amazon, etc. that have access to our credit card & PayPal info are protected against this, though?

2FA when possible and increase your password characters.



They can't brute force login forms like this because every well designed system blocks when X number of failed attempts are made to prevent just this. They need to get password storage data directly first.
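An added example, not from any post here, of the blocking just described: a per-account lockout after a fixed number of consecutive failures, with an injectable clock so it can be exercised without waiting, plus the arithmetic for the guess rate such a policy leaves someone hammering the login form. The thresholds, the fake clock and the test credential are constructed.

```python
import time
from collections import defaultdict

# Added example (not from the thread): a server-side lockout policy and the
# arithmetic showing what it does to an online guess rate. Thresholds, the
# fake clock and the credential check below are constructed for the demo.


class LoginThrottle:
    """Locks an account for `lockout_seconds` once it has accumulated
    `max_failures` consecutive failed logins. `clock` is injectable so the
    behaviour can be exercised without waiting for real time to pass."""

    def __init__(self, max_failures=3, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # The lockout has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password: str, verify) -> str:
        """Returns 'locked', 'ok' or 'failed'. `verify(account, password)` is
        the real credential check; a locked account is never even checked."""
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"


def max_online_guesses_per_day(max_failures: int, lockout_seconds: float) -> float:
    """Upper bound on guesses per account per day when each cycle yields
    `max_failures` guesses followed by `lockout_seconds` of waiting (the
    time spent submitting the guesses themselves is ignored)."""
    return max_failures * (86400 / lockout_seconds)


class FakeClock:
    """Manually advanced clock used in place of time.monotonic for demos."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=900, clock=clock)

    def check(account, pw):  # constructed stand-in for the real credential store
        return pw == "correct horse battery staple"

    for guess in ["password", "123456", "letmein", "correct horse battery staple"]:
        print(guess, "->", throttle.attempt("alice", guess, check))
    clock.now += 901
    print("after lockout ->", throttle.attempt("alice", "correct horse battery staple", check))
    # 3 guesses then 15 minutes: 288 guesses/day. 1 guess then 3 seconds:
    # 28800/day, the 0.3 H/s mentioned earlier, versus tens of thousands
    # per second against a stolen hash.
    print(max_online_guesses_per_day(3, 900), max_online_guesses_per_day(1, 3) / 86400)
```

The bound only applies to guesses sent to the login form; it says nothing about a stolen hash dump, which is the scenario the rest of the thread is about. A hard lock also lets anyone lock a victim out by submitting wrong guesses, so many sites pair it with per-IP limits, increasing delays or a CAPTCHA rather than a plain lockout.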

14 hours ago, corrado33 said:

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file. I had to find a program to even open the damn thing let alone read it. (Vim works great for large files btw). Eventually, by including more strict conditions, (like not allowing the player to buy a farm then immediately sell it.) I got the file down to something more manageable (like 7 GB or so), then I ran my analysis program on it to determine which combination of moves was the best. That took all night, but eventually I solved it, and it made me so happy. But the scale of the whole project just amazed me. These dictionaries for passwords can be freaking MASSIVE. Turns out the answer was exactly the strategy that most people in the game already used. But I got a lot of similar strategies so I was still happy.

sounds like a perfect use case of a neural network



I do not even remember my passwords. I just remember the algorithm I used to generate the password in my head. This way when I want to log in on some website I regenerate the password with that algorithm in my head and type it in.


14 hours ago, ADM-Ntek said:

and that is why things like sentences are much better passwords long as hell and easier to remember.

depends on how you do them, it's not uncommon to start with a dictionary attack to see what fits then move on to more time consuming methods later, and don't think that 1337 5p34k$ are going to protect you, they either get next priority or lumped in with dictionary attacks


On 2/14/2019 at 8:19 PM, TetraSky said:

Worst thing is.... A governmental website here only allows passwords up to 8 characters. Insane.

My bank, BMO, only offers six characters, letters and/or numbers. Not even capitals or underscore. Also there's only soft 2FA, you get security questions if it's a new IP address. Can't even make the questions yourself, it's something like "name of your first friend". 



So whats better now? 

"Chicken Television sunshine Christmas" 

Or

"M4-R4cE#2F4/me" 

 

37 Characters but with random words vs. 15 characters with random shit and special characters? 

 

Or a combination 

"Chicken#Television/sunshine@Christmas"

?


1 hour ago, FloRolf said:

So whats better now? 

"Chicken Television sunshine Christmas" 

Or

"M4-R4cE#2F4/me" 

 

37 Characters but with random words vs. 15 characters with random shit and special characters? 

 

Or a combination 

"Chicken#Television/sunshine@Christmas"

?

Don't use pure words from one language. A dictionary attack will resolve this quickly. Though it has to be noted that the attacker doesn't know how many words are in your specific password. The longer the sentence the more possibilities there are. Still, the first passphrase is not good, since it relies on only English words correctly written and separated with spaces. The third one is better than the first one but still not good. Out of the 3 examples the second one is by far the most secure one though hard to remember. Leet Speak won't help much with your words, common patterns are covered by good dictionaries.

 

You can use a proper password manager with random passwords of >12 characters in length, itself protected with a strong password and U2F 2FA. If you don't want to rely on password managers (you should though, because there's no way you'll remember strong passwords by the hundreds which is what you'd need to nowadays; some of them also support U2F sticks) use long phrases consisting of words from different languages mixed with special characters and odd misspellings.

 

Do not use 2FA via SMS - ever! While this requires an attacker to target you specifically, your security is still at risk.


I feel like this is entirely solved by 16 digit passwords, combined with limited password entries before lockout.

 

Good luck guessing a 16 digit password with only 3 tries before it locks.


On 2/16/2019 at 1:52 PM, Trik'Stari said:

Good luck guessing ... password with only 3 tries before it locks.

this was proven wrong like 3 times in the thread



We generate a seed based upon the epoch (date period) that the user signs up on. This seed is stored in a separate service (geographically different). So if you did get hold of the hashes of the passwords, there are thousands of different seeds, each of which is cryptographically secure.

 

So, good luck trying to brute force that.
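An added example, not the poster's code: the general form of what is described above, a per-user salt stored beside the hash plus a server-wide secret (usually called a pepper) that is kept out of the password database. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the slow hash; the iteration count and the demo pepper are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not the poster's system): per-user random salt stored with
# the hash, plus a server-wide pepper that lives outside the password
# database (the "seed kept in a separate service" above is the same idea).
# A dump of the database alone then gives nothing to verify guesses against.
# The iteration count and the demo pepper are constructed values.

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise it in production


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record to store: salt, iteration count and derived key.
    The pepper is mixed in via HMAC before key derivation and is NOT stored."""
    salt = salt if salt is not None else os.urandom(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    key = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt and the server-held pepper and compare
    in constant time. Without the right pepper, verification always fails."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    key = hashlib.pbkdf2_hmac("sha256", peppered, salt, record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pepper = os.urandom(32)  # in practice fetched from a separate secrets service
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print(verify_password("correct horse battery staple", record, pepper))          # True
    print(verify_password("correct horse battery staple", record, os.urandom(32)))  # False: wrong pepper
```

Whoever holds only the database dump cannot even check a guess, because the pepper is folded into the input before derivation; whoever obtains both is back to brute-forcing a salted, slow hash at the rates discussed earlier in the thread, which is why the work factor still matters.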


Glad I use 25-50 char passwords and randomly change it every 10-30 days. ftw.

Actually I don't change them that often,



So how long would it take for my 15 character random passwords to get brute forced?



 

On 2/14/2019 at 4:06 PM, lacion said:

 

so if you have a complex, safe password of 8 characters or less, it is now time to go and change it everywhere as it is no longer safe

 

On 2/14/2019 at 4:10 PM, corrado33 said:

For example: For an 8 character password only including upper and lower case letters (52 characters), that's 52 nPr 8 = 3E13 combinations. Add 10 symbols in there and that's 62 nPr 8 = 1.3E14 possible combinations.

That's assuming the password is restricted to be 8 characters without special symbols in the first case, and to be exactly 8 characters with or without special symbols in the second case. The number of combinations when your password can have different lengths is way, way higher.

 

Something people tend to forget is that brute-forcing a password does not depend on the password, but on the space of admissible passwords (that misconception is how we end up with misconceptions like forcing you to use numbers being a good thing). The particular password you choose is entirely irrelevant, and the time it takes to crack your password is a random variable whose expected value increases in the number of admissible combinations. The latter puts an upper bound on how long it can take, and on average it will take longer the more combinations there are, but you can still be unlucky and have your password guessed at the 2nd attempt. In that regard, "1234" or "password" are as safe as "correct horse staple battery" to brute force: as safe as the number of admissible passwords.

You may say this is wrong, because an algorithm will prioritize "1234" given what we know about people setting passwords. That is correct; however, if you establish such hierarchies then it no longer is brute force strictly speaking, but an algorithm based on a human behavior model.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

Now, make the password 9 characters long and you get 52 nPr 9 = 1.33E15 possible combinations and 62 nPr 9 = 7.36E15

So a 9 character password that has no special characters is better than an 8 character password with special characters.

Again, an exactly-9-character password is better than an exactly-8-character password, and a max-9-character system is better than a max-8-character system. But choosing an 8-character password or a 9-character password when, say, 32 characters are possible is equally good (that is, unless the system is flawed enough to directly reveal the password's length, at which point they may as well give away the password itself :P)

 

On 2/14/2019 at 4:10 PM, corrado33 said:

 

EDIT: It's also worth noting that using words and sentences, as mentioned in the XKCD may not be entirely safe either. Words can be treated as "units" so instead of saying that a 9 character word is 9 pieces of complexity, it can be treated as 1. A 4 word password can be cracked the same way a 4 character password could with a dictionary attack. (Although words are more secure because there are more of them...)

Eh... No. There are a little more words than characters, since words already are formed by many combinations of characters, so 4 words would never be as bad as 4 characters. And even abstracting from that, using words would not simplify the cracker's task at all unless he already knows the password is made of words, which takes us back to the admissible space issue: forcing people to use actual words decreases the resistance to brute force attacks as it adds constraints, reducing the size of the admissible space. On the other hand, using words in an unconstrained password of max length N is as safe from brute force as not using them.

 

If someone writes an algorithm that starts with all combinations that form words in some language before moving to meaningless combinations, then you would get cracked faster by using words; however, the opposite is true for alternative algorithms that don't look at words (for instance, 1234 is not a word :P). In either case, we would be deviating from brute force strictly speaking, and the conclusion would not be that some type of password is better than others, but simply that doing the opposite to what the cracker algorithm does is best - a cat-and-mouse situation.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

 

Best advice: Use a memorable combination of words that's long but also has random symbols sprinkled throughout. E.G. Ca#_1UMP;Ov@r[Mo0NN

Cat Jump Over MooNN, easy to remember, then you just need to remember "pound for t, 1 for J (or just remember it as "lump" and laugh every time), the ";" then "Ovar" with @ and a 0 for the 2nd 'o' and double Ns.

From a brute force point of view, that's as safe as "MyUserIsCorrado33", though.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

EDIT: I played around with this once. Remember the game "Balloons tower defense?" Well I wanted to calculate the order to buy buildings to make the most money in the end-game. So I brute forced every action the player could take in relation to a certain building (the farms). Basically the player could either buy another farm, upgrade existing farms, or sell farms. I let this play out for 40 moves. 

 

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file.

I'm not surprised, that's a very inefficient way of finding the solution to an optimization problem :) 
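As an added example, not from the thread, the space sizes behind the argument in this post: exact-length versus up-to-N-length spaces, and the same passphrase counted character by character versus word by word from a dictionary the attacker already has. Counts are with repetition (alphabet size to the power of the length), which differs from the nPr figures quoted above; the 100,000-word dictionary and the sample passphrase are constructed.

```python
import math

# Added example (not from the thread): sizes, in candidates and in bits, of
# the admissible spaces discussed above. Counting is with repetition
# (alphabet_size ** length), so a password may reuse a symbol. The dictionary
# size and the sample passphrase are constructed for the demonstration.


def fixed_length_space(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` symbols."""
    return alphabet_size ** length


def max_length_space(alphabet_size: int, max_length: int, min_length: int = 1) -> int:
    """Passwords of any length from `min_length` to `max_length`: the space a
    system that merely caps the length actually has."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def word_space(dictionary_size: int, words: int) -> int:
    """Passphrases of `words` words from a known dictionary, as an attacker
    who treats each word as a single unit would enumerate them."""
    return dictionary_size ** words


def bits(space: int) -> float:
    """Entropy of a uniform choice from `space` candidates, in bits."""
    return math.log2(space)


def passphrase_views(text: str, dictionary_size: int, alphabet_size: int) -> dict:
    """The same passphrase seen two ways: character by character over the
    given alphabet, versus word by word over a dictionary the attacker has."""
    n_words = len(text.split())
    return {
        "as_characters_bits": round(bits(fixed_length_space(alphabet_size, len(text))), 1),
        "as_words_bits": round(bits(word_space(dictionary_size, n_words)), 1),
    }


if __name__ == "__main__":
    print("exactly 8 of 52:", fixed_length_space(52, 8))
    print("exactly 9 of 52:", fixed_length_space(52, 9))
    print("1..9 of 52:     ", max_length_space(52, 9))
    print("4 printable chars:", round(bits(fixed_length_space(95, 4)), 1), "bits")
    print("4 words, 100k-word dictionary:", round(bits(word_space(100_000, 4)), 1), "bits")
    # 27 symbols: lowercase plus space; a 100k-word dictionary is assumed.
    print(passphrase_views("correct horse staple battery", 100_000, 27))
```

The last line is the cat-and-mouse point in numbers: a cracker that does not know the passphrase is made of dictionary words faces the character-level space, one that does faces the much smaller word-level space, and neither number says anything about the particular passphrase chosen.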

 
