
Your 8 char random password now means nothing

lacion
On 2/14/2019 at 7:06 PM, lacion said:

The new benchmark for hashcat means that now the entire keyspace, or every possible combination of upper, lower, numbers and symbols of an 8 character password, can be guessed in 2.5 hours using 8x 2080 Ti's. They now can do more than 100 GH/s with a single compute unit; for comparison, a 1080 Ti can't even do half of that.


This now means that it is within the realm of possibilities that any attacker who gets his hands on any of the big site password leaks can churn your hashed password and get it within days (or less depending on hardware) if you're using a perfectly random password; if you use a name or a word within your password, that means they pretty much can get it instantly.

So if you have a complex safe password of 8 characters or less, it is now time to go and change it everywhere, as it is no longer safe, especially given the latest password leaks (https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/)

source

The source code for this is now available on GitHub.

Joke's on them. I have 7000 alt accounts, and am in the middle of the customer list... change passwords every 2.49 hours... and shares in 2080 Tis that offer great hash performance! ;)


7 hours ago, CookieSmasherGus said:

Well fudge. All websites now should update their minimum password requirements to be at least 10 random characters long, randomized, unique... Some don't even accept special characters. It's really frustrating.

Or longer/bigger hashes? Or does this not work? IIRC even quantum computing style hacks can be hardened against. You just have to know what your opponents processing power/scope is, and plan for that.


On 2/15/2019 at 2:37 AM, williamcll said:

You know what's going to be the worst?
Bank PIN numbers

Some banks accept 6 or more as a PIN. IIRC only way to test, is to... try and test/see when changing a PIN.


Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...


11 hours ago, TopHatProductions115 said:

Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

There is no solution that's 100% secure. That's not possible as of today.

The most secure systems mostly rely on key rotation: the more frequent key rotation is, the more secure the data is. Sometimes key rotation happens partitioned, meaning data is fragmented and encrypted with different keys, minimizing exposure in case of a breach. But a breach will always be a scenario in any secure system.


3 hours ago, TopHatProductions115 said:

@lacion That solution seems viable. Is there a way to do this (in an automated fashion) for most common online services?

As far as I know, there is no easy way to do this with websites. If by services you mean SaaS like cloud providers or API providers, there are ways to do this programmatically.

A known tool to do this is HashiCorp's Vault.


17 hours ago, TopHatProductions115 said:

Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

Increasing password length isn't the only solution; you can also increase the compute time of the encryption algorithm. While it may seem like delaying the inevitable, complexity can be increased exponentially. For this to be a problem there also needs to be a leak, which means you'll probably be alerted and change your password in time.


I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them.

So if it's not good enough that others don't know my passwords, I don't even know what my passwords are.

It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.

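Added example, not code from this thread or from hashcat: a Python script that does what the two posts above talk about, drawing a password from whichever character classes a site accepts using a CSPRNG, and estimating how long the full keyspace takes to exhaust at a given guess rate so the effect of extra length and of a slow hash can be compared side by side. The 8 x 100 GH/s figure mirrors the benchmark in the opening post; the 1e5 guesses/s slow-hash rate and the class names are assumptions.

```python
import math
import secrets
import string

# Character classes a site policy may allow (assumed names, not from the thread).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,  # 32 ASCII symbols; space left out on purpose
}
ALL_CLASSES = tuple(CLASSES)

def alphabet_for(classes=ALL_CLASSES):
    """Concatenate the allowed classes into one alphabet of distinct characters."""
    return "".join(CLASSES[c] for c in classes)

def generate_password(length, classes=ALL_CLASSES):
    """Draw a password with the CSPRNG-backed secrets module, retrying until every
    allowed class appears at least once so typical site rules are satisfied.
    Rejection sampling keeps the result uniform over all accepted strings."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = alphabet_for(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def hours_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case hours to enumerate the whole keyspace at the given guess rate."""
    return alphabet_size ** length / guesses_per_second / 3600

if __name__ == "__main__":
    fast = 8 * 100e9  # assumed: eight cards at ~100 GH/s each on a fast unsalted hash
    slow = 1e5        # assumed: a deliberately slow password hash (bcrypt/scrypt/Argon2 class)
    # 95 = printable ASCII including space, the size of hashcat's ?a charset
    for length in (8, 12, 24):
        print(f"len {length}: {entropy_bits(length, 95):.1f} bits, "
              f"{hours_to_exhaust(length, 95, fast):.3g} h fast, "
              f"{hours_to_exhaust(length, 95, slow):.3g} h slow")
    print("sample:", generate_password(24))
```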

On 2/21/2019 at 5:04 PM, Windows7ge said:

I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them.

So if it's not good enough that others don't know my passwords, I don't even know what my passwords are.

It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.

AKA a password manager.


I wrote a bit of script to make my passwords, I just say how many characters I want and it spits them out. Simples


On 2/21/2019 at 10:54 AM, Sauron said:

you'll probably be alerted and change your password in time.

That's a bit of a bold statement to make given that breaches aren't always disclosed immediately (legally, many US companies have, what, 30 days to disclose a breach?), if at all.

Overlap that with the fact that it's pretty easy to miss notice of a breach if you happen to not check the news for a couple of days.


Luckily for me, all my passwords are a 20 character string. Still though, damn. Dat performance.


1 hour ago, lacion said:

AKA a password manager.

Yeah...a password manager...let's go with that...
