
Your 8 char random password now means nothing

lacion

Worst thing is.... A governmental website here only allows passwords up to 8 characters. Insane.


6 hours ago, Firewrath9 said:

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

This is assuming you have a database dump of the hashed passwords.


You know what's going to be the worst?
Bank PIN numbers


Which is why I use full ASCII passwords the length of 128+ characters for everything that matters. Good luck brute forcing that. What sucks the most is when retarded services limit your password creation options, like not allowing special characters other than _ or - or even lengths beyond 8 or 10 characters.


13 hours ago, Giganthrax said:

Dang it. 

 

I would hope that organizations like PayPal, amazon, etc. that have access to our credit card & PayPal info are protected against this, though?

2FA when possible and increase your password characters.


They can't brute force login forms like this because every well designed system blocks when X number of failed attempts are made to prevent just this. They need to get password storage data directly first.


14 hours ago, corrado33 said:

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file. I had to find a program to even open the damn thing let alone read it. (Vim works great for large files btw). Eventually, by including more strict conditions, (like not allowing the player to buy a farm then immediately sell it.) I got the file down to something more manageable (like 7 GB or so), then I ran my analysis program on it to determine which combination of moves was the best. That took all night, but eventually I solved it, and it made me so happy. But the scale of the whole project just amazed me. These dictionaries for passwords can be freaking MASSIVE. Turns out the answer was exactly the strategy that most people in the game already used. But I got  a lot of similar strategies so I was still happy.

Sounds like a perfect use case for a neural network.


And that is why things like sentences are much better passwords: long as hell and easier to remember.


I do not even remember my passwords. I just remember the algorithm I used to generate the password in my head. This way, when I want to log in on some website, I regenerate the password with that algorithm in my head and type it in.


14 hours ago, ADM-Ntek said:

And that is why things like sentences are much better passwords: long as hell and easier to remember.

Depends on how you do them. It's not uncommon to start with a dictionary attack to see what fits, then move on to more time-consuming methods later, and don't think that 1337 5p34k$ is going to protect you; it either gets next priority or gets lumped in with dictionary attacks.


On 2/14/2019 at 8:19 PM, TetraSky said:

Worst thing is.... A governmental website here only allows passwords up to 8 characters. Insane.

My bank, BMO, only offers six characters, letters and/or numbers. Not even capitals or underscores. Also there's only soft 2FA: you get security questions if it's a new IP address. You can't even make the questions yourself; it's something like "name of your first friend".


So what's better now?

"Chicken Television sunshine Christmas" 

Or

"M4-R4cE#2F4/me" 

 

37 characters but with random words vs. 15 characters with random shit and special characters?

 

Or a combination 

"Chicken#Television/sunshine@Christmas"

?


1 hour ago, FloRolf said:

So what's better now?

"Chicken Television sunshine Christmas" 

Or

"M4-R4cE#2F4/me" 

 

37 characters but with random words vs. 15 characters with random shit and special characters?

 

Or a combination 

"Chicken#Television/sunshine@Christmas"

?

Don't use pure words from one language. A dictionary attack will resolve this quickly. Though it has to be noted that the attacker doesn't know how many words are in your specific password. The longer the sentence, the more possibilities there are. Still, the first passphrase is not good, since it relies on only English words, correctly written and separated with spaces. The third one is better than the first one but still not good. Out of the 3 examples the second one is by far the most secure one, though hard to remember. Leet speak won't help much with your words; common patterns are covered by good dictionaries.

You can use a proper password manager with random passwords of >12 characters in length, itself protected with a strong password and U2F 2FA. If you don't want to rely on password managers (you should though, because there's no way you'll remember strong passwords by the hundreds, which is what you'd need to nowadays; some of them also support U2F sticks), use long phrases consisting of words from different languages mixed with special characters and odd misspellings.

Do not use 2FA via SMS - ever! While this requires an attacker to target you specifically, your security is still at risk.


I feel like this is entirely solved by 16 digit passwords, combined with limited password entries before lockout.

 

Good luck guessing a 16 digit password with only 3 tries before it locks.


On 2/16/2019 at 1:52 PM, Trik'Stari said:

Good luck guessing ... password with only 3 tries before it locks.

This was proven wrong like 3 times in the thread.


So you're saying my 9 character passwords are still secure? Aww sweet. 


We generate a seed based upon the epoch (date period) that the user signs up in. This seed is stored in a separate service (geographically different). So if you did get hold of the hashes of the passwords, there are thousands of different seeds, each of which is cryptographically secure.

 

So, good luck trying to brute force that.


Glad I use 25-50 char passwords and randomly change it every 10-30 days. ftw.

 

 

 

Actually, I don't change them that often.


So how long would it take for my 15 character random passwords to get brute forced?


 

On 2/14/2019 at 4:06 PM, lacion said:

 

So if you have a complex safe password of 8 characters or less, it is now time to go and change it everywhere, as it is no longer safe.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

For example: For an 8 character password only including upper and lower case letters (52 characters), that's 52 nPr 8 = 3E13 combinations. Add 10 symbols in there and that's 62 nPr 8 = 1.3E14 possible combinations.

That's assuming the password is restricted to be 8 characters without special symbols in the first case, and to be exactly 8 characters with or without special symbols in the second case. The number of combinations when your password can have different lengths is way, way higher.

 

Something people tend to forget is that brute-forcing a password does not depend on the password, but on the space of admissible passwords (that misconception is how we end up with misconceptions like forcing you to use numbers being a good thing). The particular password you choose is entirely irrelevant, and the time it takes to crack your password is a random variable whose expected value increases in the number of admissible combinations. The latter puts an upper bound on how long it can take, and on average it will take longer the more combinations there are, but you can still be unlucky and have your password guessed at the 2nd attempt. In that regard, "1234" or "password" are as safe as "correct horse staple battery" to brute force: as safe as the number of admissible passwords.

You may say this is wrong, because an algorithm will prioritize "1234" given what we know about people setting passwords. That is correct; however, if you establish such hierarchies then it no longer is brute force strictly speaking, but an algorithm based on a human behavior model.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

Now, make the password 9 characters long and you get 52 nPr 9 = 1.33E15 possible combinations and 62 nPr 9 = 7.36E15.

So a 9 character password that has no special characters is better than an 8 character password with special characters.

Again, an exactly-9-character password is better than an exactly-8-character password, and a max-9-character system is better than a max-8-character system. But choosing an 8-character password or a 9-character password when, say, 32 characters are possible, is equally good (that is, unless the system is flawed enough to directly reveal the password's length, at which point they may as well give away the password itself :P)

 

On 2/14/2019 at 4:10 PM, corrado33 said:

 

EDIT: It's also worth noting that using words and sentences, as mentioned in the XKCD may not be entirely safe either. Words can be treated as "units" so instead of saying that a 9 character word is 9 pieces of complexity, it can be treated as 1. A 4 word password can be cracked the same way a 4 character password could with a dictionary attack. (Although words are more secure because there are more of them...)

Eh... No. There are a few more words than characters, since words are already formed by many combinations of characters, so 4 words would never be as bad as 4 characters. And even abstracting from that, using words would not simplify the cracker's task at all unless he already knows the password is made of words, which takes us back to the admissible space issue: forcing people to use actual words decreases the resistance to brute force attacks as it adds constraints, reducing the size of the admissible space. On the other hand, using words in an unconstrained password of max length N is as safe from brute force as not using them.

 

If someone writes an algorithm that starts with all combinations that form words in some language before moving to meaningless combinations, then you would get cracked faster by using words; however, the opposite is true for alternative algorithms that don't look at words (for instance, 1234 is not a word :P). In either case, we would be deviating from brute force strictly speaking, and the conclusion would not be that some types of passwords are better than others, but simply that doing the opposite of what the cracker algorithm does is best - a cat-and-mouse situation.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

 

Best advice: Use a memorable combination of words that's long but also has random symbols sprinkled throughout. E.G. Ca#_1UMP;Ov@r[Mo0NN

Cat Jump Over MooNN, easy to remember, then you just need to remember "pound for t, 1 for J (or just remember it as "lump" and laugh every time), the ";" then "Ovar" with @ and a 0 for the 2nd 'o' and double Ns.

From a brute force point of view, that's as safe as "MyUserIsCorrado33", though.

 

On 2/14/2019 at 4:10 PM, corrado33 said:

EDIT: I played around with this once. Remember the game "Balloons tower defense?" Well I wanted to calculate the order to buy buildings to make the most money in the end-game. So I brute forced every action the player could take in relation to a certain building (the farms). Basically the player could either buy another farm, upgrade existing farms, or sell farms. I let this play out for 40 moves. 

 

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file.

I'm not surprised, that's a very inefficient way of finding the solution to an optimization problem :) 

 


All my passwords are 16 characters, are muh gigabytes still safe?


23 minutes ago, SpaceGhostC2C said:

From a brute force point of view, that's as safe as "MyUserIsCorrado33", though.

Yep, people are confusing brute force attacks with dictionary attacks.


16 minutes ago, SpaceGhostC2C said:

Again, an exactly-9-character password is better than an exactly-8-character password, and a max-9-character system is better than a max-8-character system. But choosing an 8-character password or a 9-character password when, say, 32 characters are possible, is equally good (that is, unless the system is flawed enough to directly reveal the password's length, at which point they may as well give away the password itself :P)

If the brute force algorithm just randomly chooses passwords from the space of permitted passwords, that's true, but that's not a useful assumption.

If the password length is limited to 32 characters, the length of real passwords is not uniformly distributed across the space of permitted passwords. To a first degree approximation, shorter passwords are more common, and when combined with the fact that the search space goes up exponentially a random search doesn't make sense. Trying passwords from shortest to longest is still a brute force attack, but it is more likely to find a password earlier in the search. Under this search scheme, which I would argue is much more likely to be used by someone who really did want to brute force your password without a dictionary, a 9 character password is much more secure than an 8 character password (specifically, 26x if the password is known to be all lowercase letters, with the difference increasing as the alphabet does).

20 minutes ago, SpaceGhostC2C said:

That's assuming the password is restricted to be 8 characters without special symbols in the first case, and to be exactly 8 characters with or without special symbols in the second case. The number of combinations when your password can have different lengths is way, way higher.

Assuming an alphanumeric password, there are 62^8 = 218340105584896 different 8 character passwords, and 62 + 62^2 + 62^3 + 62^4 + 62^5 + 62^6 + 62^7 + 62^8 = 221919451578090 different passwords of up to 8 characters, which is 1.6% more. The difference of including shorter passwords is negligible (but it makes the maths less nice, so it's often omitted from back of the envelope calculations).

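The key-space arithmetic this thread keeps returning to (corrado33's combination counts, SpaceGhostC2C's point that brute force depends on the admissible space rather than the chosen password, the shortest-first argument, and the last reply's exact-length versus up-to-length comparison), as an added example that is not code from the thread. Alphabet sizes and the 3-second login cooldown are taken from the posts; the offline guess rate used in main() is an assumed round figure.

```python
"""Key-space arithmetic behind the brute-force argument in this thread.

Added example, not code posted in the thread. The alphabet sizes and the
3-second cooldown come from the posts; the offline guess rate in main() is
an assumption, since the real rate depends on the hash algorithm used.
"""
from fractions import Fraction

LOWER = 26        # a-z only
LETTERS = 52      # a-z, A-Z (corrado33's first case)
ALNUM = 62        # a-z, A-Z, 0-9 (the last reply's case)

# One guess every 3 seconds: the online cooldown mentioned early in the thread.
ONLINE_RATE = Fraction(1, 3)


def exact_length(alphabet: int, length: int) -> int:
    """Passwords of exactly `length` characters. Characters may repeat,
    so this is alphabet**length rather than a permutation count."""
    return alphabet ** length


def up_to_length(alphabet: int, length: int) -> int:
    """All passwords of 1..length characters: the admissible space when
    the only policy is a maximum length."""
    return sum(alphabet ** k for k in range(1, length + 1))


def extra_from_shorter(alphabet: int, length: int) -> float:
    """Fraction by which admitting shorter passwords enlarges the space
    (about 0.016, i.e. 1.6%, for 62 characters and length 8)."""
    return up_to_length(alphabet, length) / exact_length(alphabet, length) - 1


def shortest_first_ratio(alphabet: int, length: int) -> float:
    """Guesses a shortest-first search needs to exhaust length+1, divided
    by the guesses it needs to exhaust length (about 26 for lowercase)."""
    return up_to_length(alphabet, length + 1) / up_to_length(alphabet, length)


def worst_case_seconds(space: int, rate) -> float:
    """Seconds to try every candidate at `rate` guesses per second. For a
    password drawn uniformly from the space the expected time is half this."""
    return float(space / rate)


def main() -> None:
    offline_rate = 10 ** 10  # assumed offline rate against a hash dump
    year = 365.25 * 24 * 3600
    for alphabet, length in ((LETTERS, 8), (ALNUM, 8), (ALNUM, 9), (ALNUM, 16)):
        space = up_to_length(alphabet, length)
        print(f"alphabet {alphabet}, up to {length} chars: {space:.3e} candidates, "
              f"offline {worst_case_seconds(space, offline_rate) / 3600:.2e} h, "
              f"online {worst_case_seconds(space, ONLINE_RATE) / year:.2e} yr")


if __name__ == "__main__":
    main()
```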
