
Is your password safe?

Topic Starter
Railey2
- For you, after multiple Twitch accounts and profiles of renowned players have been hacked

There are different ways to crack people's passwords. One popular way is called "brute-forcing". The method is rather simple and straightforward:
Just try every single possible password there is (and hope that one will fit).
Of course not manually, no. Computers are way faster at carrying out that job for you, plus they don't get tired and don't want to get paid.


But how does this work?

Maybe you guessed it already: how apt a password is at resisting this hacking method depends mainly on 2 things.

  1. password length
  2. number of possible characters. (special characters like +/#/* are good, also CAPITALS and numb3rs.)


Examples
For example, let's say you only use lower case letters as your password and the hacker assumes that you only use lower case letters. With that, point 2 will be 26.
If your password length is 1, your possible passwords to pick from will be 26: the number of letters. Your password will look like this, for instance: z
If your password length is 2, your possible passwords to pick from will be 26*26 = 676
for length 3, you already have 17,576 possible passwords, and so on. It increases exponentially.



So then, you say: I should be safe if I used something like.. let's say 8 letters, right? That's already 26^8 possible passwords, which is like a fuckton of them (26*26*26*26*26*26*26*26) = 200 billion, approximately.

Well, yes, it is a fuckload of passwords, but we underestimate how good computers are at this game. To sum it up, even the lowest of potatoes nowadays can crunch at least 100,000 passwords a second. Is your PC any good? Then it can probably do 10,000,000 a second. With that, an 8-letter password is successfully guessed after approximately 6 hours - basically overnight.

Got an 8-letter or shorter password somewhere? Change it. Now. Seriously.





Moving on to scary things that technology can do:
Thought 10,000,000 sounded like a lot? Think again. This one checks in at a mind-blowing 350,000,000,000 passwords a second.

If you caught yourself counting zeros, then no.. I didn't make a mistake. 350 billion it is.


350 billion? I don't understand what that means in practice
With that, it would take a stunning 9.94 seconds to get your precious 8-letter password.
9 letters isn't safe either: Takes 9 minutes.
10 letters isn't safe, got that one done in just about 2 hours
11 letters is finally safe: 121 days to get that one. Although if your name is Obama and you try to protect your Twitter account, I really wouldn't bet on that one either. Word is out there that some scary machines in foreign countries can do much better than 350 billion a second.
And that is if someone tries using no other rule than "try randomly", which in all honesty is a pretty low-level rule to go by.


Here is a nice chart for everyone who wants to know how long it takes to break a particular password.
Alternatively you can calculate (password length^number of possible characters)/(number of guesses per second*60*60*24) for the number of days it takes someone to crack your password. Consider everything above 5 to be reasonably safe. If you have a dedicated stalker, let's say 15. If you are a celebrity, better go with 150.

Lastly, if your password has words in it, be warned. Most computers don't just brute-force randomly, but instead come equipped with dictionaries. So if your password has a word in it, or two words combined with no alterations like random numbers or CAPS characters at random places, your password will be done for in a matter of seconds.

As I hinted at before, trying completely random combinations is actually lots of wasted effort. The machine I linked before hacked 90 percent of the 6.5 million registered LinkedIn profiles. Surprise: Most people don't know how to pick their password. Now imagine what happens if someone lets a thing like that run wild on PayPal accounts. Good brute-forcers don't just try randomly. They consider the most advanced stuff, like popular word combinations, at what positions you are most likely to capitalize letters, what numbers you are most likely to add to your password and where (hint: don't use 1's at the beginning or end of your password. Especially not at the end.)


Examples for safe passwords
- pjAj3Oj4oaf

- tOTa!#llysafe8

- CraCkIng471




Examples for shit passwords
- CoffeecupRevolution (as said before, there are brute-forcing programs that use dictionaries. They also count on you to capitalize the first letter of a word. So this will count as (number of words in the dictionary)^(number of words used in the password) possible combinations (roughly). Weak. Doesn't last a minute.)

- kjfpaoqi (simply too short)

- 9199159312 (seems long enough, but given that there are only 10 different numbers, there's not enough possible combinations for this one to make it safe. (11111111110 to be exact - even my laptop could get through this one within a reasonable time.))

- cl3v3rp4ssword (think this one would do the job? Sadly, l33tspeak is well known and well considered by all sorts of algorithms. A brute-force program that runs a dictionary and makes slight modifications to words will get this one too. Might not even take an hour, given that it's only 2 words and the 3 most obvious modifications. Changing A -> 4 and E -> 3 can not be considered a safe modification. It is better than nothing, but still a weak protection.)



Will choosing one of the safe passwords prevent you from getting hacked? No, there are other methods to get passwords, but the one I described is the most common one. You can't avoid getting hacked by doing this, but you can avoid getting brute-force-hacked. This is about as good as you can do if you stay away from suspicious porn sites and don't get keyloggers and all sorts of viruses on your PC. (*cough* shoutout to Linux *cough*)

Don't make avoidable mistakes. Getting brute-forced can be avoided. Be the 10% on LinkedIn.
Also don't be an idiot and give your password to others. A secret between 3 men is only safe when 2 men are dead. Benjamin Franklin knew that, and now you do too.

I appreciate passwords being changed to things that somehow honor my name.


Edit:

ColdTooth wrote:

Does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?
The short answer is yes.

It might also be worth noting that if I get a hold of your email and password here, I will check the same email-password combination for Facebook, PayPal, Youtube, Amazon, Netflix, Skype, Origin, various email providers, Steam and all other sites that I could for some reason be interested in. I might get lucky! Never ever use the same password twice, especially if it is a weak one. That would be a deadly mistake.



A longer and more informational video on the topic

loe4boe wrote:

I'll leave this here if someone is interested.


Generally, if you have something to add to this topic, I will try to edit it in later. Thanks for the heads-up, loe4boe, pointing out that l33t is not a good way to protect yourself. I edited that in too, and made a couple minor changes on the side.


I guess that's it then. Spread the word and correct me if I got things terribly wrong somewhere! Have a good one.
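The keyspace reasoning in the post (26 letters, length 8, divided by a guess rate), applied to any password as a small Python estimator. This is an added example, not code from the original post; the character-class sizes and the three guess rates are assumptions taken from the figures quoted above, and the result is only an upper bound that a dictionary word inside the password, as the post warns, makes meaningless.

```python
"""Brute-force time estimate following the post's 26^8 example (added example,
not code from the original post; class sizes and guess rates are assumptions
taken from the figures quoted in the post)."""
import string

# Once an attacker sees one character of a class, the whole class must be
# searched (assumption: "symbol" = the 32 printable ASCII punctuation characters).
CLASS_SIZES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Guess rates quoted in the post, in guesses per second.
RATE_POTATO = 100_000
RATE_GOOD_PC = 10_000_000
RATE_CLUSTER = 350_000_000_000

def alphabet_size(password: str) -> int:
    """Size of the alphabet covering every character class the password uses."""
    size = sum(len(chars) for chars in CLASS_SIZES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size

def keyspace(alphabet: int, length: int) -> int:
    """Candidates of exactly this length: alphabet ** length (26 ** 8 in the post)."""
    return alphabet ** length

def seconds_to_exhaust(alphabet: int, length: int, rate: int) -> float:
    """Worst case for a pure brute force: every candidate of this length is tried once."""
    return keyspace(alphabet, length) / rate

def describe(seconds: float) -> str:
    """Render a duration in the largest unit the post uses."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"

def estimate(password: str, rate: int = RATE_GOOD_PC) -> dict:
    """Upper bound only: a dictionary word or predictable pattern inside the
    password cuts the real effort far below this, as the post warns."""
    alphabet = alphabet_size(password)
    secs = seconds_to_exhaust(alphabet, len(password), rate)
    return {"alphabet": alphabet, "length": len(password),
            "keyspace": keyspace(alphabet, len(password)),
            "seconds": secs, "human": describe(secs)}

if __name__ == "__main__":
    for pw in ("kjfpaoqi", "9199159312", "pjAj3Oj4oaf", "tOTa!#llysafe8"):
        for rate in (RATE_GOOD_PC, RATE_CLUSTER):
            e = estimate(pw, rate)
            print(f"{pw:16} alphabet={e['alphabet']:3} {rate:>15,} g/s -> {e['human']}")
```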
ColdTooth
Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?
Topic Starter
Railey2

ColdTooth wrote:

Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?
This is a reasonable question and sadly the answer is yes. You should assume that it works with all. The full truth is a little more complicated than that, since there are a couple more things to know about bruteforcing, but overall: Assume that it works consistently on every single online service that at some point requires you to type in a password.

It might also be worth noting that if I get hold of your email and your password here, I will check the same email-password combination for Facebook, PayPal, Youtube, Amazon, Netflix, Skype, Origin, various email providers, Steam and various other sites that I could for some reason be interested in. I might get lucky!
ZenoDiac

ColdTooth wrote:

Might sound like a dumb question from me, but does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?
A large part of the password security in the first place also lies within the company that you have your password registered with.
Some corporations invest in cyber security to protect their users from brute-force attacks and other types of hacking styles.

But there is always a possibility to be hacked,
which is why most companies nowadays force users to make passwords alphanumeric and 8 characters minimum; it just makes things extra difficult for hackers to obtain passwords when they manage to get past cyber security systems.

As mentioned, using $ymbols, numb3rs and CAPS mixed in with your lower-case letters literally amplifies your password strength, even if you don't increase the length. So as a good rule of thumb, try to include them.
Dazdy_old
Useful information. While I already knew this, it could be of great use to users here, so thanks!
leepdesu
Changing my password to R41L3yŘ0čK$

In all seriousness good post.
Dusalty
As long as your password is longer than 8 characters and cannot be found from any dictionary it is pretty safe. Combining dictionary words with each other, adding random numbers, case switching or turning it to leet speak doesn't really help.

I'll leave this here if someone is interested.
Rilene
Is a >30-digit password safe?
Just numbers, letters and a few capitals.

After seeing this, I tried but...
Topic Starter
Railey2
A 30-character password with only numbers is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it, just for reasons of practicability.
A Medic
Very nice explanation, if you don't mind I'll piggy back some more and add a bit of information.

Ok, I'm going to explain this as someone who works (somewhat) in infosec.
(I've done plenty of password recovery/cracking. I also personally have a 50GB dictionary wordlist, and 3 TB of Rainbow Tables)

Most passwords are not stored in plain text. When they are stored they are put through what is called a "hashing algorithm". You put a password in and you get a random string out the other side. But it doesn't work the other way around. You can't put that string back in and get the original password. This is a security feature put in place so that you can't just find the passwd file and see a list of plain text passwords.

Passwords are then usually "salted" with some other form of data to make the hashed string unique to that particular password. "salting" is a measure put in place to make the use of "rainbow tables" less effective.

So when you have a "hash" and you know what type of algorithm and salt is used, you are basically going to try to recreate the hashing event as many times as you can with as many different inputs/passwords as possible (either brute force/mask or a dictionary attack). If/When you manage to recreate the hash with your input you will have your password.

Tl;dr password cracking is getting a hash value (MD5, SHA1, SHA256, SHA512, AES, etc...), then taking a word/wordlist/rainbow table and converting that to a hash value and comparing the two hashes. If they match, that means you found your password.


But the strongest password in the world won't save you if the site has case-insensitive authentication, or lower/upper-bound password length limits, or even "required special characters", because most humans work in patterns. Ex: your password requires a special character or numbers, so most people do "hunter2!" or "hunter1234".

Also the programs used to decrypt hashes normally allow you to set specific rules, ex: replace all 'e'=3 or 'o'=0, a='@', and let's say you need to have a capital letter, you can set parameters that capitalize the first letter of every string etc. If someone is dedicated enough with plenty of time they can set an algorithm that checks for every possible combination of a word in every case against all parameters. E.g. "HunteR2" -> "hunter2" -> "Hunter2" -> "hUnter2" -> "huNter2", you get the point.

I'm not saying you need to have a 30-character password with alternating cases and characters, because who the hell wants to type that.

One of the most practical password security methods is just don't reuse the same password for EVERYTHING, so if 1 thing gets compromised everything else doesn't either.

I might have said some things that are questionable but I'm like half asleep and I was drinking last night.
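The hashing, salting and "recreate the hashing event" steps described above, as an added Python illustration (example code, not A Medic's or the site's own): an unsalted MD5 digest next to a salted PBKDF2-HMAC-SHA256 one, with verification done by recomputing and comparing. The 600,000-iteration work factor and the `algo$iterations$salt$digest` storage format are assumptions, not figures from the thread.

```python
"""Salted, slow password hashing next to the unsalted fast hash it replaces.

Added example, not code from the original post. The PBKDF2 work factor
(600,000 iterations of HMAC-SHA256) and the storage format are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a current recommended work factor. Every guess against the stored
# value costs this many HMAC calls, which cuts an offline guess rate accordingly.
PBKDF2_ITERATIONS = 600_000

def unsalted_md5(password: str) -> str:
    """One fixed digest per password: every user who picks the same password
    gets the same digest, so a precomputed table of common words maps the
    digest straight back to the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, work factor, salt and digest together so the exact hashing
    event can be recreated later: 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def same_password_same_digest(password: str, hasher) -> bool:
    """True when two users choosing the same password get identical stored values."""
    return hasher(password) == hasher(password)

if __name__ == "__main__":
    pw = "hunter2"  # the example password used in the post
    print("md5 repeats across users:   ", same_password_same_digest(pw, unsalted_md5))
    print("pbkdf2 repeats across users:", same_password_same_digest(pw, hash_password))
    stored = hash_password(pw)
    print("stored:", stored)
    print("correct password verifies:", verify_password(pw, stored))
    print("wrong password verifies:  ", verify_password("hunter1234", stored))
```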
Manysi

Railey2 wrote:

I appreciate passwords being changed to things that somehow honor my name.
ehh.. Why?
Dusalty
Let's make a new password. Our password is: "HonorRailey2". Instead of pressing the correct keys when writing the password, let's press the ones above them (if there are no keys above, let's press keys from the bottom row). Now our password is: "Y9nh94¤q8o36z"

Flanster
Emayecue
My passwords for sites like

http://www.superduperfunnycutepicturelikethislink.com would probably be breakable in 1 to 2 seconds on a Commodore 64

But my password for financial sites and things of that nature I would consider pretty safe, although I could perhaps up them a notch. There was once upon a time where they were considered very solid, but I think as things change, they probably lost some strength.

I'll look into renewing those shortly.

Wuxo
All my passwords are from 12+25 chars...
They have both lowercase and capitals, numbers and special characters.
Pretty safe I guess
shilawen
I just got prompted to change my osu! password. Is osu! storing our password in plain text? There shouldn't be a way to check a password's strength retroactively after it's been salted and hashed...
Rilene

Railey2 wrote:

A 30-character password with only numbers is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it, just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is ever going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion it's not worth the effort. You can be safe with 9 letters already, if you go right about it.
Well, it's the password that I can easily remember and holy, that's a lot of possible combinations needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instantaneous?
Shohei Ohtani
you guys should post your passwords in this thread and I'll evaluate if they're strong or not
Bara-
My client got blocked cause the password was too weak >>____>>
6 letters, have changed it now xD
Lagel
I hope so...
Flanster

Rilene wrote:

Railey2 wrote:

A 30-character password with only numbers is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it, just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is ever going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion it's not worth the effort. You can be safe with 9 letters already, if you go right about it.
Well, it's the password that I can easily remember and holy, that's a lot of possible combinations needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instantaneous?
Immediately lmao.
Rilene
12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though
Flanster
The combinations for that long password are too damn high, but it's still not safe due to its structure; it can be brute forced.
Rilene
Oh yeah, numbers only have 10 combinations, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If a password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billions and trillions is that? Or just in normal numbers.
Stefan
Good that we got pen and paper to notice your passwords. Lesson is pretty boring atm so it's a good chance to make some changes.
Flanster

Rilene wrote:

Oh yeah, numbers only have 10 combinations, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If a password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billions and trillions is that? Or just in normal numbers.
38152042400000000000000000000000000000000000000000000000000000000000000000000000000000000000

..not much!
Gumpy

I should probably improve my passwords soon.
Rilene

LoliFlan wrote:

38,152,042,400,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
oh my gosh
A Medic

Rilene wrote:

12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though
Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with Kali.

Rilene

A Medic wrote:

Rilene wrote:

12345678 is the worst password then in terms of security but best password in terms of memorization

still curious about 111222333444555666777888999 password though
Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with kali

Wow, then a plain numeric password is a bad password.
sottovoce
Does anyone bother to brute force passwords? I doubt it, you are very unlikely to be targeted like this: the attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targeted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account. ;)

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/
Rilene

sottovoce wrote:

Does anyone bother to brute force passwords? I doubt it, you are very unlikely to be targeted like this: the attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targeted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account. ;)

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/
Being targeted on osu! is unlikely, but if you are a celebrity on social networks or you have extremely sensitive and important data,
they will likely hack you, and brute-force hacking works better offline; by that it means... computer directly to computer, not computer to computer over the internet.