- For you, after multiple twitch accounts and profiles of renowned players have been hacked

There are different ways to crack peoples passwords. One popular way is called "brute-forcing". The method is rather simple and straightforward:
Just try every single possible password there is (and hope that one will fit).
Of course not manually, no. Computers are way faster at carrying out that job for you, plus they don't get tired and don't want to get paid.


But how does this work?
Maybe you guessed it already: How apt a password is in resisting this hacking-method, depends on mainly 2 things.

1. password length
2. number of possible characters. (special characters like +/#/* are good, also CAPITALS and numb3rs.)

Examples


So then, you say: I should be safe if I used something like.. lets say 8 letters, right? Thats already 26^8 possible passwords, which is like a fuckton of them (26*26*26*26*26*26*26*26) = 200 Billion, approximately.

well yes it is a fuckload of passwords, but we underestimate how good computers are at this game. To sum it up, even the lowest of potatoes nowadays can crunch at least 100,000 passwords a second. Is your PC any good? Then it can probably do 10,000,000 a second. With that, an 8 letters password is successfully guessed after approximately 6 hours - basically over night.

Got an 8 letters or lower password somewhere? Change it. Now. Seriously.




Moving on to scary things that technology can do:
Thought 10,000,000 sounded like a lot? Think again. This one checks in at a mind-blowing 350,000,000,000 passwords a second.

If you caught yourself counting zeros, then no.. I didn't make a mistake. 350 billion it is.


350 billion? I don't understand what that means in practice

Here is a nice chart for everyone who wants to know how long it takes to break a particular password.
Alternatively you can calculate (password length^number of possible characters)/(number of guesses per second*60*60*24) for the number of days it takes someone to crack your password. Consider everything above 5 to be reasonable safe. If you have a dedicated stalker, lets say 15. If you are a celebrity, better go with 150.

Lastly, if your password has words in it, be warned. Most computers don't just brute-force randomly, but instead come equipped with dictionaries. So if your password has a word in it, or two words combined with no alterations like random numbers or CAPS characters at random places, your password will be done for in a matter of seconds.

As I hinted at before, trying completely random combinations is actually lots of wasted effort. The machine I linked before, hacked 90 percent of the 6.5 million registered LinkedIn-profiles. Surprise: Most people don't know how to pick their password. Now imagine what happens if someone lets a thing like that run wild on PayPal accounts. Good brute-forcers don't just try randomly. They consider the most advanced stuff, like popular word-combinations, at what positions you are most likely to capitalize letters, what numbers you are most likely to add to your password and where (hint: don't use 1's at the beginning or end of your password. Especially not at the end.)


Examples for safe passwords



Examples for shit passwords


Will choosing one of the safe passwords prevent you from getting hacked? No, there is other methods to get passwords, but the one I described is the most common one. You can't avoid getting hacked by doing this, but you can avoid getting brute-force-hacked. This is about as good as you can do if you stay away from suspicious porn-sites and don't get keyloggers and all sorts of viruses on your PC. (*cough* shoutout to Linux *cough*)

Don't make avoidable mistakes. Getting brute-forced can be avoided. Be the 10% on LinkedIn.
Also don't be an idiot and give your password to others. A secret between 3 men is only safe when 2 men are dead. Benjamin Franklin knew that, and now you do too.

I appreciate passwords being changed to things that somehow honor my name.


Edit:

ColdTooth wrote:

Does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?

The short answer is yes.

It might also be worth noting, that if I get a hold of your email and password here, I will check the same email-password combination for Facebook, PayPal, Youtube, Amazon, Netflix, Skype, Origin, various email-providers, Steam and all other sites that I could for some reason be interested in. I might get lucky! Never ever use the same password twice, especially if it is a weak one. That would be a deadly mistake.



A longer and more informational video on the topic

Generally, if you have something to add to this topic, I will try to edit it in later. Thanks for the heads-up, loe4boe, pointing out that l33t is not a good way to protect yourself. I edited that in too, and made a couple minor changes on the side.


I guess thats it then. Spread the word and correct me if I got things terribly wrong somewhere! Have a good one.

Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?

ColdTooth wrote:

Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?

This is a reasonable question and sadly the answer is yes. You should assume that it works with all. The full truth is a little more complicated than that, since there are a couple more things to know about bruteforcing, but overall: Assume that it works consistently on every single online-service that at some point requires you to type in a password.

It might also be worth noting, that if I get hold of your email and your password here, I will check the same email-password combination for Facebook, PayPal, Youtube, Amazon, Netflix, Skype, Origin, various email-providers, Steam and various other sites that I could for some reason be interested in. I might get lucky!

ColdTooth wrote:

Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?

A large part of the password security in the first place also lies within the company that you have your password registered with.
Some corporations invests in cyber security to protect their users from brute-force attacks and other types of hacking styles.

But there is always a possibility to be hacked,
which is why most companies now-a-days force users to make passwords alphanumeric and 8 characters minimum; it just ensures to make things extra difficult for hackers to obtain passwords when they manage to get past cyber security systems.

As mentioned, using $ymbols, numb3rs and CAPS mixed in with your lower-case letters literally amplifies your password strength, even if you don't increase the length. So as a good rule of thumb, try to include them.

Useful information. While I already knew this, it could be of great use to users here, so thanks!

Changing my password to R41L3yŘ0čK$

In all seriousness good post.

As long as your password is longer than 8 characters and cannot be found from any dictionary it is pretty safe. Combining dictionary words with each other, adding random numbers, case switching or turning it to leet speak doesn't really help.

I'll leave this here if someone is intrested.

Is >30 digits password safe?
Just numbers, letters and few capitalization.

After seeing this, I tried but...

30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability.

Very nice explanation, if you don't mind I'll piggy back some more and add a bit of information.

Ok I'm going to explain this as someone who in works (somewhat) in infosec I will try to explain this.
(I've done plenty of password recovery/cracking. I also personally have a 50GB dictionary wordlist, and 3 TB of Rainbow Tables)

Most passwords are not stored in Plain Text. When they are stored they are put through what is called a "hashing algorithm". You put a password in and you get a random string out the other side. But it doesn't work the other way around. You can't put that string back in and get the original password. This is a security feature put in place so that you can't just find the passwd file and see a list of plain text passwords.

Passwords are then usually "salted" with some other form of data to make the hashed string unique to that particular password. "salting" is a measure put in place to make the use of "rainbow tables" less effective.

So when you have a "hash" and you know what type of algorithm and salt is used, you are basically going to try to recreate the hashing event as many times as you can with as many different inputs/passwords as possible (either brute force/mask or a dictionary attack). If/When you manage to recreate the hash with your input you will have your password.

Tl;dr password cracking is getting a hash value(MD5,sha1,sha256,sha512,AES,etc...) then taking a word/wordlist/rainbow table and converting that to a hash value and comparing the two-hashes. If they match that means you found your password.


But the strongest password in the world won't save you if the site has case-insensitive authentication, or Lower-upper-bounds password limits, or even "required special characters" Because most humans work in patterns. ex: your password requires a special character or numbers most people do "hunter2!" or "hunter1234".

Also the programs used to decrypt hashes normally allow you to set specific rules ex: Replace all 'e'=3 or 'o'=0 a='@' and lets say you need to have a capital letter you can set parameters that capitalize the first letter of every string etc. If someone is dedicated enough with plenty of time they can set algorithm that checks for every possible combination of a word in every case against all parameters. eg "HunteR2" ->"hunter2" ->"Hunter2" -> "hUnerter2" -> "huNter2" you get the point.

I'm not saying you need to have 30 character password with alternating cases and characters because who the hell wants to type that.

One of the most practical password security methods is just don't reuse the same password for EVERYTHING, so if 1 thing gets compromised everything else doesn't either.

I might have said some things that are questionable but I'm like half asleep and I was drinking last night.

Railey2 wrote:

I appreciate passwords being changed to things that somehow honor my name.

ehh.. Why?

Let's make new password. Our password is: "HonorRailey2". Instead of pressing the correct keys when writing the password let's press the ones above them (if there's no keys above let's press keys from bottom row). Now our password is: "Y9nh94¤q8o36z"

My passwords for sites like

http://www.superduperfunnycutepicturelikethislink.com would probably be breakable in 1 to 2 seconds on a Commodore 64

But my password for financial sites and things of that nature, I would consider pretty safe, although I could perhaps up them a notch, there was once upon a time where they were considered very solid, but I think as things change, they probably lost some strenght.

I'll look into renewing those shortly.

All my passwords are from 12+25 chars...
It have both lowercase and capitals, numbers and special characters.
Pretty safe I guess

I just got prompted to change my osu password. Is osu storing our password in plain text? There shouldn't be a way to check a passwords strength retroactively after its been salted and hashed...

Railey2 wrote:

30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is every going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion its not worth the effort. You can be safe with 9 letters already, if you go right about it.

Well, it's the password that I can easily remember and holy, that's alot of possible combination needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instanteous?

you guys should post your passwords in this thread and I'll evaluate if they're strong or not

My client got blocked cause the password was too weak >>____>>
6 letters, have changed it now xD

I hope so...

Rilene wrote:

Railey2 wrote:

30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is every going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion its not worth the effort. You can be safe with 9 letters already, if you go right about it.

Well, it's the password that I can easily remember and holy, that's alot of possible combination needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instanteous?

Immediately lmao.

12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though

The combinations for that long password are too damn high but its still not safe due to its structure, can be brute forced.

Oh yeah, numbers only have only 10 combination, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billion and trillions is that? Or just in normal numbers.

Good that we got pen and paper to notice your passwords. Lesson is pretty boring atm so it's a good chance to make some changes.

Rilene wrote:

Oh yeah, numbers only have only 10 combination, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billion and trillions is that? Or just in normal numbers.

38152042400000000000000000000000000000000000000000000000000000000000000000000000000000000000

..not much!

I should probably improve my passwords soon.

LoliFlan wrote:

38,152,042,400,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

oh my gosh

Rilene wrote:

12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though

Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with kali

A Medic wrote:

Rilene wrote:

12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though

Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with kali

SPOILER

wow, then plain numeric password is a bad password

Does anyone bother to brute force passwords? I doubt it, you are very unlikely to be targetted like this, the attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targetted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account.

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/

sottovoce wrote:

Does anyone bother to brute force passwords? I doubt it, you are very unlikely to be targetted like this, the attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targetted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account.

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/

Being targetted on osu! is unlikely but if you are a celebrity on social networks or you have a extremely sensitive and important data.
They will likely to hack you and brute-forcing hacking works better on offline, by that it means... Computer directly to computer, not computer to computer over the internet.