
What password length is considered the most optimal and secure as of right now?

Actual_Criminal

Criminal 1: "the efficiency of our dictionary attacks is going down, what do we do?"

Criminal 2: "I gotcha fam"

 

<2 weeks later>

 

On 2/3/2021 at 8:09 PM, Slayerking92 said:

https://howsecureismypassword.net/
Is 0 Yoctoseconds good or bad?

 

Criminal 2: "give me a few months to build you a better dictionary"

Criminal 1: "You genius"


long is more important than complex

long and complex is better than only long

complex is useless if you forget it (or, like in most offices, have it on a post-it on the monitor).

 

Also have different passwords for different places, don't reuse the same password (see sentence below for why).

 

Nothing is unhackable, but you probably will be hacked due to social engineering or a leaked database from some place that stores passwords in plain text (apparently that is a thing if we look at leaks the last couple of years) rather than brute force.

 

"hackthishackthis" is more secure than "H4ckth!5" even if the latter is more complex.

 

 

EDIT:// I know I didn't answer how long it should be, but the point is better to focus on long than complex. 

 

 


If you learn how to crack and hack then you will know what's easily crackable and what's not. Assuming that you don't want to learn not-so-ethical hacking, I recommend using something like LastPass with a strong password (e.g. the binary code for anime t*ddies) and write it down and keep it in a safe space, whether that be in a filing cabinet, the fridge, or a safe.


On 1/19/2021 at 7:22 AM, mariushm said:

The length is not relevant, the COMPLEXITY is.

 

You have no idea how the websites store the passwords ... usually they create a hash out of the entered password, which is just 20-32 bytes.

So someone could find a 100 character password that would produce the same 20-32 byte hash as your 10-20 character password, it's just quite difficult, takes a lot of time.

 

Websites that force you to enter at least n characters, maximum n characters, at least one uppercase, at least one digit ... are basically stupid, because they're just limiting the number of unique possible passwords one could use, and furthermore they're pushing people into giving up exactly when the password matches the requirements (so for example, if a website says at least 8 characters, then the user will enter an 8-character password... or at most 8-12 characters).

A hacker can now calculate all possible hashes because he knows the password is at least 8, at most 10... and then the maximum number of combinations is further reduced by the need to have at least one uppercase letter, at least a digit ... otherwise the hacker would have to calculate hashes for anything between, let's say, 4 letters and 20 letters.

 

Reminds me of the xkcd comic; I remembered "battery horse staple" from months ago when I probably heard it mentioned again:

 

password_strength.png

Thanks for bringing up this comic. I use this strategy for my passwords, tossing in a random special char in between the real words.
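Added example (not from any poster in this thread): a Python model of two claims made above, the "hackthishackthis" vs "H4ckth!5" comparison and mariushm's point that minimum/maximum length plus character-class rules shrink the space an attacker has to search. It assumes a 94-character printable ASCII alphabet, a hypothetical 10^10 guesses per second offline rate against a leaked hash database, and a hypothetical 100,000-word list for the dictionary case.

```python
"""Rough brute-force cost model for the password examples in this thread."""
import math
from itertools import combinations
from string import punctuation

# Character-class sizes for printable ASCII (string.punctuation has 32 marks).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, len(punctuation)
FULL = LOWER + UPPER + DIGIT + SYMBOL  # 94

# Hypothetical offline cracking rate (fast hash, leaked database); not from the thread.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 31_557_600

def charset_size(password: str) -> int:
    """Alphabet an attacker must assume if they only know which classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(c in punctuation for c in password):
        size += SYMBOL
    return size

def search_space(password: str) -> int:
    """Candidates for an exhaustive search over that alphabet at that exact length."""
    return charset_size(password) ** len(password)

def bits(space: int) -> float:
    return math.log2(space)

def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    return space / rate / SECONDS_PER_YEAR

def constrained_space(min_len: int, max_len: int, alphabet: int = FULL,
                      required: tuple = (UPPER, DIGIT)) -> int:
    """Count strings of length min_len..max_len that contain at least one character
    from every class in `required` (class sizes), by inclusion-exclusion."""
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for excluded in combinations(required, k):
                total += (-1) ** k * (alphabet - sum(excluded)) ** n
    return total

def dictionary_guesses(wordlist_size: int, words_in_password: int) -> int:
    """Guesses for a word-combination attack: the real cost of 'hackthishackthis'
    once the attacker tries dictionary words instead of random letters."""
    return wordlist_size ** words_in_password

if __name__ == "__main__":
    for pw in ("hackthishackthis", "H4ckth!5"):
        s = search_space(pw)
        print(f"{pw:18} {bits(s):5.1f} bits  {years_to_exhaust(s):.2e} years")
    policy = constrained_space(8, 10)
    free = constrained_space(4, 20, alphabet=LOWER, required=())
    print(f"8-10 chars, upper+digit required: {bits(policy):.1f} bits")
    print(f"4-20 lowercase, no rules:         {bits(free):.1f} bits")
    print(f"two words from a 100k list:       {bits(dictionary_guesses(100_000, 2)):.1f} bits")
```

The dictionary figure is the catch: the 75-bit estimate for "hackthishackthis" only holds against an attacker who does not try word combinations, which is exactly what the "better dictionary" joke in the first reply is about.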


15 characters, mix of capital, lower case, numbers, and special symbols.


Start changing numbers and letters into QR codes... try and hack that!

I have dyslexia plz be kind to me. dont like my post dont read it or respond thx

also i edit post alot because you no why...

Thrasher_565 hub links build logs

Corsair Lian Li Bykski Barrow thermaltake nzxt aquacomputer 5v argb pin out guide + argb info

5v device to 12v mb header

Odds and Sods Argb Rgb Links

 


On 2/4/2021 at 1:11 PM, 2K6Ejmt6IV72L8fwHZ5sPhtP6L said:

 I tried to use 256 character passwords with capital, lowercase, numbers, and symbols. Unfortunately, most sites don't like that, so I had to drop it down to a disgusting 32 characters with capital, lowercase, and numbers only.

just like your name🤔


On 1/19/2021 at 7:13 AM, wkdpaul said:

As a sys admin I see this often where people take a simple word with a few numbers slapped at the end, then they do +1 when they need to change the password. That right there is a big issue. People can't remember passwords because they've been trained to have complex passwords, so they put in something simple (to them) with +1 at the end ... I've personally switched to contextual sentences and it's much easier to remember. If you know more than one language, adding words in a different language also helps for complexity, as long as it doesn't make it harder to remember.

Awkward moment when I do that with my (admin) AD account. 🤫 When you're forced to change it every 90 days, there comes a point where you run out of ideas. 


On 1/19/2021 at 7:13 AM, wkdpaul said:

As a sys admin I see this often where people take a simple word with a few numbers slapped at the end, then they do +1 when they need to change the password. That right there is a big issue. People can't remember passwords because they've been trained to have complex passwords, so they put in something simple (to them) with +1 at the end ...

SH!t i have to change my pass...

 

I just have a dumb pass that is easy that I use for don't-care sites and a good pass for sites I do care about.


A lot of hacking is very low, meaning say you make a WoW forums username and they hack that and use that to guess your game account password, without any brute force programs.


I know, I'll have a QR code pass and I'll make you guess which one it is, and if you guess wrong it will give you a virus... muahaha


9 hours ago, BlueChinchillaEatingDorito said:

Awkward moment when I do that with my (admin) AD account. 🤫 When you're forced to change it every 90 days, there comes a point where you run out of ideas. 

Yeah, that's why I don't agree with this. 90 days is too short, and when you take into account the fact that this is often a rule on multiple systems that aren't related, meaning you sometimes have multiple passwords, all of this is the reason people turn to easy-to-remember passwords, and it's often how accounts get compromised.

 

That and clueless users that fall for phishing emails ...


1 minute ago, wkdpaul said:

That and clueless users that fall for phishing emails ...

My AP Human Geography teacher 2 weeks ago told us that one of the Nigerian Prince emails got through the district feature.

By the time it got reported, though, one of the teachers had already fallen for it.

How old is that scam now?


On 1/19/2021 at 5:19 PM, Actual_Criminal said:

What i'm trying to figure out is, what is the shortest password I can have using non-random (so words/phrases) alphanumeric characters (plus one symbol) that is virtually impossible to crack and decipher?

69 characters


11 hours ago, thrasher_565 said:

A lot of hacking is very low, meaning say you make a WoW forums username and they hack that and use that to guess your game account password, without any brute force programs.

Nah, most MMO users that get hacked were doing something against the game ToS in the first place, which is why they claim they were hacked, and not that they gave their password to the gold farmer to transfer things. I've never heard of an MMO user who was hacked who didn't do something stupid to get hacked. It's never an exploitable bug in the game; it's always something like the user went "how do I get free gold" and entered their game account login into some phishing site. Kids are stupid sometimes. So are adults.

 

2FA your accounts, there is no excuse. Preferably not with a cell phone text message, as that leaves your cell phone number as a weak link, and mobile phone companies can be socially engineered to execute SIM swaps.


2 hours ago, wkdpaul said:

Yeah, that's why I don't agree with this. 90 days is too short, and when you take into account the fact that this is often a rule on multiple systems that aren't related, meaning you sometimes have multiple passwords, all of this is the reason people turn to easy-to-remember passwords, and it's often how accounts get compromised.

 

That and clueless users that fall for phishing emails ...

 

Unfortunately, when you work for larger and larger companies, you end up with a dozen different systems with different password complexity and expiry rules, and it's just too much time wasted to have different passwords, so some script in some mass data entry system somewhere resets all your passwords to the same password, regardless of the system's rules.

 

When I worked for the telco, they came up with a system for resetting all the passwords, but it wouldn't work with two systems if your password was longer than 8 characters, and wouldn't work on one if symbols were in it (presumably because the script stripped them for sanity reasons).


Honestly, I look up a random word generator, then generate 3-5 random words, and combine them into one phrase with numbers and capitals, like this (not my actual password):

 

Cup88bUcketNight$


9 hours ago, Kisai said:

Nah, most MMO users that get hacked were doing something against the game ToS in the first place, which is why they claim they were hacked, and not that they gave their password to the gold farmer to transfer things. I've never heard of an MMO user who was hacked who didn't do something stupid to get hacked. It's never an exploitable bug in the game; it's always something like the user went "how do I get free gold" and entered their game account login into some phishing site. Kids are stupid sometimes. So are adults.

 

2FA your accounts, there is no excuse. Preferably not with a cell phone text message, as that leaves your cell phone number as a weak link, and mobile phone companies can be socially engineered to execute SIM swaps.

 

 

I disagree but that's ok.


17 minutes ago, thrasher_565 said:

I disagree but that's ok.

I do know of two specific games that had hacking problems, but that wasn't in the context of account takeovers; it was literally because they were English localizations of Japanese and Korean MMO games and somehow the Western players were willing to hack the packets to give themselves access to things that would break or corrupt the game. I can think of two game "mods" to one game that switched game IDs for cash shop items and players massively abused it. It's like, please, game developers, you're only hastening the death of your own game by putting cash shop items in the game that aren't checked to be valid to use.


1 minute ago, Kisai said:

I do know of two specific games that had hacking problems, but that wasn't in the context of account takeovers; it was literally because they were English localizations of Japanese and Korean MMO games and somehow the Western players were willing to hack the packets to give themselves access to things that would break or corrupt the game. I can think of two game "mods" to one game that switched game IDs for cash shop items and players massively abused it. It's like, please, game developers, you're only hastening the death of your own game by putting cash shop items in the game that aren't checked to be valid to use.

Kinda like hacked items in Diablo 2... I know for a fact that people will gather people's passwords and accounts from forums and try them on the game account, like WoW.


On 1/19/2021 at 11:49 AM, Actual_Criminal said:

I understand a randomly generated pattern of characters is the MOST safe option, but I have over 8 emails and many accounts etc and don't trust the password generators/managers just in case my computer dies. I also know 2FA is a thing and I use it, but my question still stands.

 

For online accounts, any password not 123456 is just as valid as any other.

 

You cannot brute force online sign-ins; they have password attempt limits and other factors that eliminate this (IP address, locations, device IDs etc etc). Breach this and your account is either locked, timed out, or a second authorisation is required to continue.

 

No supercomputer in the world can crack these sign-ins. Only downloaded files/physical item encryption can be brute forced.

 

The biggest threat to your online safety is following a dodgy link and signing into a phishing website. Then it doesn't matter if your password is 134634623462 characters long. They have it.

 

2FA and a password that satisfies some level of uniqueness is 100% secure these days. That is ... until you or the website give it away.


Passwords are merely a programming construct and are not security.

I love all these "password dumps"

I'll tell you what, if they've been hacked to where the database of users and passwords are dumped, they've already got full access to everything.

Passwords only keep the script kiddies out.


If what you try to use your password for is not of special interest to a stranger (e.g. a hefty bank account), then don't bother; just use something not easy to guess and/or bruteforce by a 13 year old who googles "how to become a haquer", so like more than 6 digits, having at least one symbol, at least one number and both upper and lower case characters. If you can use characters from your mother language (if it is not a Latin-based one, e.g. Greek), then even better.

 

 

If a hacker doesn't know you and has no reason to look for you (like you are a company owner or prominent public person of some sort), chances are the only way for you to become a victim is if he/she randomly picks on your account (e.g. Facebook). There are 2.8 billion Facebook accounts out there, for example, and I doubt the number of hackers out there is more than a small number of millions, so just looking at it statistically, you probably won't get noticed by a hacker (especially a skilled one); the chances for you to get noticed under the above mentioned circumstances are similar to being hit by lightning.

 

 

The other (even more unlikely) way to become a potential victim is by something called sniffing: hackers sniff out ranges of IP addresses (and ports) to find vulnerabilities.

 

Again, a) the thing you are using that password on must have a known vulnerability for this to work; b) as above, there are 4,294,967,296 IPv4 addresses out there (well, give or take, since most of them are allocated dynamically) and each vulnerability (when sniffing) is scanning a particular set of ports (which adds even more time), so even if a botnet of supercomputers with an industry-grade fat internet connection (which again in terms of speed is dependent on the end location ping, which adds even more delay no matter the bandwidth at hand) could scan every port of those IPs at a rate of 1 IP per second (which is nonsense, nothing out there could do that this fast, but just for argument's sake)

 

It would need about 136 years to scan all the IPs, and that's at the ridiculous, impossible rate of sniffing all ports on 1 IP per second.

 

On top of that, all skilled hackers that could actually do you harm (besides being a small number compared to accounts in a particular social media or IPs etc.) know at least in a ballpark sense what to strike or where to look, so they pick particular ports and ranges of IPs that interest them (and again, unless you are a prominent public person or a rich shareholder or something like that, this won't happen), but even the scenario of you happening to be unlucky enough to be in a range they scan (mainly to hack something else but finding you as well) is ridiculously small; maybe the odds are close to or fall behind the ones of you winning the lottery.

 

 

But this happens, you would say; hackers e.g. target big social media and expose nudes or hack into companies and get credit card information or whatever; they won't hunt me in particular but I could be a similar victim... well yes... but the way hackers manage to do that stuff exploits vulnerabilities at a higher level of the network in question; they don't hack individual passwords, so in that case no matter how long and complicated your password will be you will still be victimized. Having said that, these things are not so frequent either.
