Posted February 20, 2019

On 2/14/2019 at 7:06 PM, lacion said: The new benchmark for hashcat means that now the entire keyspace, or every possible combination of upper, lower, numbers and symbols of an 8-character password, can be guessed in 2.5 hours using 8x 2080 Ti's. They now can do more than 100 GH/s with a single compute unit; for comparison, a 1080 Ti can't even do half of that. This now means that it is within the realm of possibilities that any attacker that gets his hands on any of the big site password leaks can churn your hashed password and get it within days (or less depending on hardware) if you're using a perfectly random password; if you use a name or a word within your password, they pretty much can get it instantly. So if you have a complex, safe password of 8 characters or less, it is now time to go and change it everywhere as it is no longer safe, especially given the latest password leaks (https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/). Source: the source code for this is now available on GitHub.

Joke's on them. I have 7000 alt accounts, am in the middle of the customer list... change passwords every 2.49 hours... and have shares in 2080 Tis that offer great hash performance!
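The 2.5-hour figure in the quoted post follows from keyspace size divided by guess rate. The following Python estimator is an added example, not code from the thread or from hashcat; it assumes 95 printable ASCII characters (upper, lower, digits, symbols) and takes the post's stated rate of 100 GH/s per card for eight cards as its constructed input. It also goes beyond the post by tabulating how the worst-case exhaustive-search time grows with password length, which is the defender's reason for preferring longer random passwords.

```python
import math

# Constructed assumptions, not measured values: 95 printable ASCII characters
# (excluding space); 100 GH/s per card is the figure quoted in the post, and
# 8 cards is the rig size it describes.
PRINTABLE_ASCII = 95
CARD_RATE_HPS = 100e9
CARDS = 8


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def hours_to_exhaust(length: int, alphabet: int, rate_hps: float) -> float:
    """Worst-case time to try every candidate at `rate_hps` guesses/second.

    This is the exhaustive-search bound for a fast, unsalted hash. On average
    the right guess is found after half the keyspace, and a slow KDF divides
    the rate by its work factor.
    """
    return keyspace(length, alphabet) / rate_hps / 3600.0


def length_table(rate_hps: float = CARD_RATE_HPS * CARDS):
    """Rows of (length, entropy bits, hours to exhaust) for a few lengths."""
    rows = []
    for length in (8, 10, 12, 16):
        rows.append((
            length,
            round(entropy_bits(length, PRINTABLE_ASCII), 1),
            hours_to_exhaust(length, PRINTABLE_ASCII, rate_hps),
        ))
    return rows


if __name__ == "__main__":
    for length, bits, hours in length_table():
        years = hours / 24 / 365
        print(f"{length:>2} chars  {bits:6.1f} bits  {hours:12.4g} h  ({years:.3g} years)")
```

The 8-character row lands at about 2.3 hours at the quoted rate, which matches the post; every two extra characters multiply the time by roughly 9000, so the same rig needs about two years for 10 characters and many millennia for 12.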
Posted February 20, 2019

7 hours ago, CookieSmasherGus said: Well fudge. All websites now should update their minimum password requirements to be at least 10 random characters long, randomized, unique... Some don't even accept special characters. It's really frustrating.

Or longer/bigger hashes? Or does this not work? IIRC even quantum computing style hacks can be hardened against. You just have to know what your opponent's processing power/scope is, and plan for that.
Posted February 20, 2019

On 2/15/2019 at 2:37 AM, williamcll said: You know what's going to be the worst? Bank PIN numbers.

Some banks accept 6 or more as a PIN. IIRC the only way to test is to... try and test/see when changing a PIN.
Posted February 20, 2019

Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...
Posted February 21, 2019 (Author)

11 hours ago, TopHatProductions115 said: Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

There is no solution that's 100% secure; that's not possible as of today. The most secure systems mostly rely on key rotation: the more frequent key rotation is, the more secure the data is. Sometimes key rotation happens partitioned, meaning data is fragmented and encrypted with different keys, minimizing exposure in case of a breach. But a breach will always be a scenario in any secure system.
Posted February 21, 2019

@lacion That solution seems viable. Is there a way to do this (in an automated fashion) for most common online services?
Posted February 21, 2019 (Author)

3 hours ago, TopHatProductions115 said: @lacion That solution seems viable. Is there a way to do this (in an automated fashion) for most common online services?

As far as I know, there is no easy way to do this with websites. If by services you mean SaaS like cloud providers or API providers, there are ways to do this programmatically. A known tool to do this is HashiCorp's Vault.
Posted February 21, 2019

17 hours ago, TopHatProductions115 said: Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

Increasing password length isn't the only solution; you can also increase the compute time of the encryption algorithm. While it may seem like delaying the inevitable, complexity can be increased exponentially. For this to be a problem there also needs to be a leak, which means you'll probably be alerted and change your password in time.
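The point in the post above about raising the compute time of the hashing step is what a password KDF's work factor does: every extra iteration the server spends verifying a login is an extra iteration the attacker spends per guess. The block below is an added example, not code from the thread; it uses Python's standard-library PBKDF2-HMAC-SHA256 with a random per-user salt, stores the iteration count in the record so it can be raised later, and times a single hash at two iteration counts to show the per-guess cost scaling.

```python
import hashlib
import hmac
import os
import time

ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int, salt: bytes = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex.

    A fresh 16-byte random salt per user means equal passwords hash to
    different records, so a leaked table cannot be attacked with precomputed
    hashes or one pass over all users at once.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the record's own salt and iteration count."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_per_hash(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation at this iteration count.

    The fixed salt here is only for benchmarking; stored records always get a
    random salt from hash_password().
    """
    salt = b"\x00" * 16
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    record = hash_password("correct horse battery", iterations=200_000)
    print(record)
    print("login ok:", verify_password("correct horse battery", record))
    print("wrong pw:", verify_password("correct horse", record))
    low, high = 2_000, 200_000
    t_low, t_high = seconds_per_hash(low), seconds_per_hash(high)
    print(f"{low} iters: {t_low*1e3:.2f} ms   {high} iters: {t_high*1e3:.2f} ms   "
          f"(x{t_high/t_low:.0f} per guess)")
```

Because the iteration count travels with the record, a site can raise it on each successful login without forcing a reset, which is how the work factor keeps pace with the hardware growth the thread is worried about; a fast unsalted hash has no such knob.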
Posted February 21, 2019

I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them. So if it's not good enough that others don't know my passwords, I don't even know what my passwords are. It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.
Posted February 22, 2019 (Author)

On 2/21/2019 at 5:04 PM, Windows7ge said: I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them. So if it's not good enough that others don't know my passwords, I don't even know what my passwords are. It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.

AKA a password manager.
Posted February 22, 2019

I wrote a bit of script to make my passwords, I just say how many characters I want and it spits them out. Simples.
Posted February 22, 2019

On 2/21/2019 at 10:54 AM, Sauron said: you'll probably be alerted and change your password in time.

That's a bit of a bold statement to make given that breaches aren't always disclosed immediately (legally many US companies have, what, 30 days to disclose a breach?) if at all. Overlap that with the fact that it's pretty easy to miss notice of a breach if you happen to not check the news for a couple of days.
Posted February 22, 2019

Luckily for me, all my passwords are a 20-character string. Still though, damn. Dat performance.
Posted February 22, 2019

1 hour ago, lacion said: AKA a password manager.

Yeah... a password manager... let's go with that...