
Is your password safe?

Railey2
30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability.
A Medic
Very nice explanation, if you don't mind I'll piggy back some more and add a bit of information.

Ok, I'm going to explain this as someone who works (somewhat) in infosec; I will try to explain this.
(I've done plenty of password recovery/cracking. I also personally have a 50GB dictionary wordlist, and 3 TB of Rainbow Tables)

Most passwords are not stored in Plain Text. When they are stored they are put through what is called a "hashing algorithm". You put a password in and you get a random string out the other side. But it doesn't work the other way around. You can't put that string back in and get the original password. This is a security feature put in place so that you can't just find the passwd file and see a list of plain text passwords.

Passwords are then usually "salted" with some other form of data to make the hashed string unique to that particular password. "Salting" is a measure put in place to make the use of "rainbow tables" less effective.

So when you have a "hash" and you know what type of algorithm and salt is used, you are basically going to try to recreate the hashing event as many times as you can with as many different inputs/passwords as possible (either brute force/mask or a dictionary attack). If/When you manage to recreate the hash with your input you will have your password.

Tl;dr password cracking is getting a hash value (MD5, SHA1, SHA256, SHA512, AES, etc...), then taking a word/wordlist/rainbow table and converting that to a hash value and comparing the two hashes. If they match, that means you found your password.


But the strongest password in the world won't save you if the site has case-insensitive authentication, or lower/upper-bound password length limits, or even "required special characters", because most humans work in patterns. E.g.: your password requires a special character or numbers, so most people do "hunter2!" or "hunter1234".

Also, the programs used to decrypt hashes normally allow you to set specific rules, e.g. replace all 'e'=3 or 'o'=0, 'a'='@', and let's say you need to have a capital letter: you can set parameters that capitalize the first letter of every string, etc. If someone is dedicated enough with plenty of time, they can set an algorithm that checks for every possible combination of a word in every case against all parameters. E.g. "HunteR2" -> "hunter2" -> "Hunter2" -> "hUnter2" -> "huNter2", you get the point.

I'm not saying you need to have a 30-character password with alternating cases and characters, because who the hell wants to type that.

One of the most practical password security methods is just don't reuse the same password for EVERYTHING, so if 1 thing gets compromised everything else doesn't either.

I might have said some things that are questionable but I'm like half asleep and I was drinking last night.
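As an added illustration of what A Medic describes above (a salted one-way hash, "recreating the hashing event" to verify a login, and the e=3/o=0/a=@ and trailing-digit mangling rules that turn "hunter2" into "Hunt3r1234"), plus the combination count Railey2 gives for 30-digit numeric passwords, here is example code written for this thread, not code from osu! or any project; the denylist is a tiny constructed stand-in for a real breached-password list, and all function names are my own:

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password list; a real deployment would load
# millions of entries (e.g. the Have I Been Pwned data sottovoce links below).
BAD_LIST = {"password", "qwerty", "hunter", "hunter2", "12345678",
            "111222333444555666777888999"}

# The substitutions A Medic describes (e=3, o=0, a=@), reversed so we can undo them.
UNLEET = str.maketrans({"3": "e", "0": "o", "@": "a", "4": "a", "$": "s"})
TRAILING = "0123456789!@#$%^&*.?_-"

def hash_password(password: str, salt: bytes = b"", rounds: int = 100_000) -> tuple:
    """One-way, salted hash (PBKDF2-HMAC-SHA256). Returns (salt, digest) to store."""
    salt = salt or os.urandom(16)           # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-run the hashing event with the stored salt and compare."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def normalize(password: str) -> str:
    """Strip the decorations users add to satisfy policy ("hunter1234", "Hunt3r!")."""
    base = password.lower().rstrip(TRAILING)  # drop appended digits/symbols
    return base.translate(UNLEET)             # undo leet-speak substitutions

def is_weak(password: str) -> bool:
    """Signup-time policy: reject what a rule-based run would find first."""
    if len(password) < 9:                     # Railey2's "safe with 9 letters" floor
        return True
    if password.isdigit():                    # all-numeric: 10-symbol alphabet, regular structure
        return True
    return password.lower() in BAD_LIST or normalize(password) in BAD_LIST

def keyspace(alphabet_size: int, max_len: int) -> int:
    """Distinct passwords of length 1..max_len over an alphabet (Railey2's 30-digit figure)."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))
```

keyspace(10, 30) reproduces Railey2's 1,111,...,110 exactly, while is_weak flags "111222333444555666777888999" before it is ever hashed, which is the point A Medic and Flanster make about structure mattering more than raw combination counts.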
Manysi

Railey2 wrote:

I appreciate passwords being changed to things that somehow honor my name.
ehh.. Why?
Dusalty
Let's make new password. Our password is: "HonorRailey2". Instead of pressing the correct keys when writing the password let's press the ones above them (if there's no keys above let's press keys from bottom row). Now our password is: "Y9nh94¤q8o36z"

Flanster
Emayecue
My passwords for sites like

http://www.superduperfunnycutepicturelikethislink.com would probably be breakable in 1 to 2 seconds on a Commodore 64

But my passwords for financial sites and things of that nature I would consider pretty safe, although I could perhaps up them a notch. There was once upon a time where they were considered very solid, but I think as things change, they probably lost some strength.

I'll look into renewing those shortly.

Wuxo
All my passwords are from 12+25 chars...
They have both lowercase and capitals, numbers and special characters.
Pretty safe, I guess.
shilawen
I just got prompted to change my osu password. Is osu storing our password in plain text? There shouldn't be a way to check a password's strength retroactively after it's been salted and hashed...
Rilene

Railey2 wrote:

30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is ever going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion it's not worth the effort. You can be safe with 9 letters already, if you go right about it.
Well, it's the password that I can easily remember and holy, that's a lot of possible combinations needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instantaneous?
Shohei Ohtani
you guys should post your passwords in this thread and I'll evaluate if they're strong or not
Bara-
My client got blocked cause the password was too weak >>____>>
6 letters, have changed it now xD
Lagel
I hope so...
Flanster

Rilene wrote:

Railey2 wrote:

30 pw-length - only numbers, is unnecessarily long, but it surely does its job. Still, it is overkill and I wouldn't take it just for reasons of practicability. It has 1,111,111,111,111,111,111,111,111,111,110 possible combinations if I am not mistaken, so you can be sure that nobody is ever going to guess that one. You can also be reasonably sure that you will forget it or scramble up the numbers. Or that you have to spend a decent amount of time to learn it. In my opinion it's not worth the effort. You can be safe with 9 letters already, if you go right about it.
Well, it's the password that I can easily remember and holy, that's a lot of possible combinations needed.

How fast is it to crack a password like "12345678"?
Less than 5 seconds or almost instantaneous?
Immediately lmao.
Rilene
12345678 is the worst password, then, in terms of security, but the best password in terms of memorization.

still curious about 111222333444555666777888999 password though
Flanster
The combinations for that long password are too damn high, but it's still not safe due to its structure; it can be brute forced.
Rilene
Oh yeah, numbers only have only 10 combinations, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If a password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billions and trillions is that? Or just in normal numbers.
Stefan
Good that we've got pen and paper to note down your passwords. The lesson is pretty boring atm, so it's a good chance to make some changes.
Flanster

Rilene wrote:

Oh yeah, numbers only have only 10 combinations, 27^10 but.. Yeah, brute forcing.

Then my computer teacher told me wrong about leet speak and using words from dictionary in password.

If a password has letters, capital letters and numbers and at least 30 digits... 30^62... 3.81520424E+91, well.. How many billions and trillions is that? Or just in normal numbers.
38152042400000000000000000000000000000000000000000000000000000000000000000000000000000000000

..not much!
Gumpy

I should probably improve my passwords soon.
Rilene

LoliFlan wrote:

38,152,042,400,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
oh my gosh
A Medic

Rilene wrote:

12345678 is the worst password, then, in terms of security, but the best password in terms of memorization.

still curious about 111222333444555666777888999 password though
Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with kali

Rilene

A Medic wrote:

Rilene wrote:

12345678 is the worst password, then, in terms of security, but the best password in terms of memorization.

still curious about 111222333444555666777888999 password though
Would be cracked almost instantly

Not long because I found this in one of my bad lists.

Also I believe this was in one of the default wordlists you can get with kali

wow, then a plain numeric password is a bad password
sottovoce
Does anyone bother to brute force passwords? I doubt it; you are very unlikely to be targeted like this. The attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targeted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account. ;)

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/
Rilene

sottovoce wrote:

Does anyone bother to brute force passwords? I doubt it; you are very unlikely to be targeted like this. The attacker has to specifically pick you, know your account name, and circumvent whatever measures are put in place to stop it. For example, you'll often be locked out of an account after failing the password several times in a row. On top of this, it takes a massive amount of computing power to do efficiently.
Unless you have reason to suspect you might be targeted, I wouldn't spend even 1 second worrying about being bruteforced. Someone better REALLY want to play on your osu! account. ;)

You're far more likely to fall victim to a database leak or a keylogger.
You can check if your information has been leaked here: https://haveibeenpwned.com/
Being targeted on osu! is unlikely, but if you are a celebrity on social networks or you have extremely sensitive and important data,
they will likely hack you, and brute-force hacking works better offline; by that I mean... computer directly to computer, not computer to computer over the internet.