
Hashed Passwords

Hey everyone,

 

I've been watching the Linus videos for a year or so now and love them, keep up the great work guys.  Have also been lurking in the forums for months and have finally got around to creating an account after the password discussion on the WAN Show.

 

I thought I'd write a quick post as they were suggesting on the WAN that passphrases are the best thing to use as passwords.

 

The problem I've had with passwords for a long time, no matter what format (standard passwords, strong random passwords, passphrases), is remembering what password I have used for what website/service.  I am most definitely an advocate of using a completely different password for every single different website.  On the low chance that one gets hacked, everything else is still secure.  The problem with this, even with the more secure passphrases, is remembering which passphrase you used on which site.  Using the same passphrase on multiple sites is just as bad as using a simple password.

 

I have just started using a clever technique to generate unique, strong, completely random 20+ character passwords that are unique for every site but memorable. 

 

But how can WL0Y'QREj7fJzQ8AgJID be memorable?

 

This is where hashing comes in.  Hashing can take one or more bits of information and repeatedly hash them into the same string of characters.  So the basis of the system I use is to take the domain name of the particular website and a secret master key and hash them into a repeatable password.  (The above is a hash of "test.com" as the domain and "test" as the master key.)  The hash will always be the same for the same domain and master key.  This means you don't even have to use any "Remember My Password" services built into browsers these days; instead just use the same master key while the domain changes for each website you need a password for.

 

Supposedly these hashes are irreversible, so even if one of the generated passwords is found by someone they won't be able to reverse engineer it to get your master key.

 

I wrote a quick hashing app that does it for me but there are lots of browser addons that can do this built into your browser, for example the Firefox Password Hasher.

 

For me this is the most secure solution I've found.  What do people think of using hashed passwords?  How secure are they?  Are they actually irreversible?
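Worked example of the derivation described above, added here for illustration; it is not the poster's app and not the Firefox Password Hasher. The choice of PBKDF2-HMAC-SHA256, the iteration count, the domain normalisation and the optional version number are my own assumptions. The point a defender should take from it: every site password is only as strong as the master key, and because the site name is public, anyone who obtains one derived password and knows the scheme can test master-key guesses offline, so the function that turns (master key, domain) into a password needs to be slow and the master key needs to be long.

```python
import base64
import hashlib

# Constructed example of the post's scheme: secret master key + public domain
# -> fixed-length, repeatable per-site password. All parameters are assumptions.

PASSWORD_LENGTH = 20
# A slow, salted KDF rather than a bare hash: each guess at the master key
# costs an attacker this many iterations if one derived password leaks.
ITERATIONS = 200_000


def normalise_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the same site
    always yields the same password however the address was typed."""
    domain = domain.strip().lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    return domain


def derive_site_password(master_key: str, domain: str,
                         version: int = 1,
                         length: int = PASSWORD_LENGTH) -> str:
    """Derive a repeatable per-site password from (master_key, domain).

    'version' is an assumed extension the post does not mention: bumping it
    lets you rotate one site's password without changing the master key.
    """
    site = normalise_domain(domain)
    # The domain (plus version) is the salt, so different sites produce
    # unrelated passwords from the same master key.
    salt = f"{site}:{version}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_key.encode("utf-8"),
                              salt, ITERATIONS, dklen=32)
    # Base64 yields upper/lower/digits plus '+' and '/', similar in look to
    # the post's example password; 32 bytes give 43 characters before cutting.
    return base64.b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    master = "test"  # the constructed master key used in the post
    for site in ("test.com", "WWW.Test.com", "linustechtips.com"):
        print(f"{site:20} -> {derive_site_password(master, site)}")
```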


http://project-rainbowcrack.com/table.htm

Hashes can be cracked... With this stuff



It's easy to make uncrackable passwords. Here's what your password should have:

9 total characters
1 upper case
1 number
1 obscure character, like ☺ (alt+1)

Then you add 2-3 letters from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. So linustechtips.com becomes "lum". So now you have a 12 character password unique to each website. Even if they somehow get your password, if you had used ltt (for linustechtips) then it would be easy to replicate it for other websites, but something like lum will not be distinguishable from the rest of the password.

This means they need to use the full 256 bits for 12 characters to crack your password. This will take years even for a quantum computer. No cracker in the entire world can crack this password, and none will ever try. Crackers don't bruteforce the entire 256 bits, they can just narrow it down to alphanumeric characters and will get the majority of the passwords. Going from 128 bits to 256 bits doubles the possibilities for each character, so even just a 9 character 256-bit password is 512 times harder to crack than a 9 character 128-bit one. Since at least 80% of the passwords are 128-bit it'll be a huge waste of time to redo the whole process at least another 512 times just for a small number of passwords, even completely disregarding the fact that a 12 character password would require thousands of years to crack if all you have is a high end PC.



I have actually heard this mentioned before and it is good if people do not know that this is the method that you use.  As if people know your method and your master key gets compromised they have access to all of your accounts.  I believe I saw a variation of this to add a little bit more obscurity and use a piece of information from the whois record that will not change for the domain, such as the registered date.

 

http://project-rainbowcrack.com/table.htm

Hashes can be cracked... With this stuff

People are moving away from using rainbow tables to crack hashes as they are no longer as efficient as other means.  Rainbow tables also rely on the hash actually being in the table, which should not be the case if you use a unique string and salt.


I just smash out random letters, numbers and symbols and remember it.



Hashes are really easy to crack. Check out hashcat that is used to crack hashes.



Or you could use something like LastPass / KeePass.

Also all hashed passwords are crackable, it's just a matter of how long it will take to do so.



grab a book, select a random page, use the page number and first word, lather, rinse, repeat.


grab a book, select a random page, use the page number and first word, lather, rinse, repeat.

that's incredibly easy to crack.


Pick a word, e.g. Chicken. Then add 3 memorable digits, e.g. Chicken246. Seems safe enough for me.


8BFC5PoPLKK4Q is my wifi password, how do you think some people remember that lol... After a while you just learn it.


I read an article about this a while ago. They can literally brute force a password that is only 6 characters long in like 10 min with a good GPU. If someone wants your password they will get it if they try hard enough. And then there are companies that don't even protect you and leave passwords in plain text, and all it takes is a hacker. I think there needs to be a universal password standard. Too many times I make a password for something and it tells me that it doesn't fit their format. Like Linus said, I think the best solution would be a really long string or a few words put together. It should be an internet wide standard so you don't have to remember 10 passwords for each site you use.


 

But how can WL0Y'QREj7fJzQ8AgJID be memorable?

Random character passwords can easily be memorable if you force yourself to type it in every time.


I think there needs to be a universal password standard. Too many times I make a password for something and it tells me that it doesn't fit their format.

Would be just as nice for the crackers as they can program these standards into their algorithm making it significantly easier to crack.


Random character passwords can easily be memorable if you force yourself to type it in every time.

true, but in that case it would be a one key fits all kind of password.


I once made an uncrackable password... I mean no one could guess it, and if someone began to use brute force on it the aliens would die off before it would be cracked. Heck, even I could no longer log on to Windows. All you have to do while setting up your password is go and drink some water, then have your cat come into your room and walk all over/purrrrr on your keyboard, then leave, and when you return type out your password without looking at the screen, press enter and continue. (Honestly don't know how I got past the thing to type the password again.)


One problem is that you could have the single most secure password and use it for everything but it would only take one site to be not following best practices or that has been hijacked to compromise all of your passwords.


I have actually heard this mentioned before and it is good if people do not know that this is the method that you use.  As if people know your method and your master key gets compromised they have access to all of your accounts.  I believe I saw a variation of this to add a little bit more obscurity and use a piece of information from the whois record that will not change for the domain, such as the registered date.

True, maybe even add a couple of random letters into the master key as in Canoa's method, so even the master key is obscured.

Or you could use something like LastPass / KeePass.

Also all hashed passwords are crackable, it's just a matter of how long it will take to do so.

I'm quite wary of using password storage solutions, as the encryption by definition is reversible and the very fact that the password is stored somewhere.  With on demand hashing the generated passwords are never stored.

Random character passwords can easily be memorable if you force yourself to type it in every time.

True, but could you remember 30+ different random character passwords and which site they are for?

One problem is that you could have the single most secure password and use it for everything but it would only take one site to be not following best practices or that has been hijacked to compromise all of your passwords.

Exactly why I have gone with hashing, so every password is different and still secure.


true, but in that case it would be a one key fits all kind of password.

True, but could you remember 30+ different random character passwords and which site they are for?

You just think of a random character password for every website and then add 2-3 letters from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random character password for each website that is very easy to remember.


You just think of a random character password for every website and then add 2-3 letters from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random character password for each website that is very easy to remember.

Yes, as long as they only crack one or two passwords you should be fine, and it's easy to remember.

But I still prefer my method simply because the passwords are never in any way related to each other.


Take a word, cut it in half and add letters in the middle and at the end; that's usually what I do lol.


that's incredibly easy to crack.

False.

I have passwords that, from that method, "will take a sentillion years to crack" according to https://howsecureismypassword.net/

I forgot to mention to capitalize letters and add a space, but without that "it would take 127 quadrillion years" to crack.


False.

I have passwords that, from that method, "will take a sentillion years to crack" according to https://howsecureismypassword.net/

I forgot to mention to capitalize letters and add a space, but without that "it would take 127 quadrillion years" to crack.

That website is incredibly unreliable. It says "Password123" will take 412 years to crack! 412 years? It must be a really secure password then, I'm going to use it now. Seriously, it'll take less than a second. I'm not even joking, that password will literally take less than a second to be cracked. It's one of the first passwords any cracker will try.

The first method any cracker uses, before bruteforcing, is the dictionary method where they combine every single word in the dictionary plus common "made up" words or strings and numbers. MonkeyDragon1337 will get cracked in less than an hour with an average PC, and in a few minutes by a professional cracker. Cracking those passwords is a complete joke, never use them. Again, never use words in your password.

 

Yes, as long as they only crack one or two passwords you should be fine, and it's easy to remember.

But I still prefer my method simply because the passwords are never in any way related to each other.

Yeah, but they'll never crack any password whatsoever. A decent 10 character password plus those 3 characters for the website at the end is uncrackable. As long as you use an uncommon character like ☺ then they'll need to be using the extended ASCII code to even manage to get it, and even if they are using it then they'll still spend at least a few hundred years with the most potent computers available to the public. A 13 character with the extended ASCII code means 256^13 = 2*10^31. Why would they even waste time and attempt to crack such a password when over 80% of the passwords don't use the extended ASCII code and are under 10 characters? They don't. No one does.

For those interested, here's a good article explaining how crackers actually crack passwords and the methods they use. These guys invited 3 professional crackers and gave each a list of 16449 MD5 encrypted passwords. In about an hour they could crack 80% of those passwords with a decent gaming computer. It's a very interesting read.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/


That website is incredibly unreliable. It says "Password123" will take 412 years to crack! 412 years? It must be a really secure password then, I'm going to use it now. Seriously, it'll take less than a second. I'm not even joking, that password will literally take less than a second to be cracked. It's one of the first passwords any cracker will try.

The first method any cracker uses, before bruteforcing, is the dictionary method where they combine every single word in the dictionary plus common "made up" words or strings and numbers. MonkeyDragon1337 will get cracked in less than an hour with an average PC, and in a few minutes by a professional cracker. Cracking those passwords is a complete joke, never use them. Again, never use words in your password.

You're telling me that "50PrePAring 72PlAnk's" is not a secure password? (of course this is not one I used but I just made it up using my method)
