How many seconds would it take to break your password?
-
The good news is, even shaving 6-9 orders of magnitude off the solving time for my most secure password means I'll probably still be dead by the time it would get cracked (even without the 50 year delay). And then I don't care what they do with whatever the password protects. I think that's a good rule of thumb: a password is secure if you'll be dead before it can be cracked.
Yeah, most of my passwords for relatively unimportant stuff are 10-20 characters. I think the longest password I know by heart is around 50 characters long. :-D
-
Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Or check the list below and see who big a difference between a few billion possible combinations a few sextillion possibilities really is. [ITworld]
-
I wonder if this takes into account Moore's Law (if we are able to sustain that as time goes on) and quantum computing. After 50 years, computers will be something like a million to a billion times faster, and so will be able to crack passwords much faster.
By then I would think 'passwords' as we know them will be obsolete. We can already have systems process your face agaisnt 250 mil in under a second, we can even combine that with IR imaging. Honestly who knows what some crazy genologist/crytpologist/biologist.../ist will come up with. My theory is someday the system will just know you are you. The only way to fake it would be to knock you out and have you sit in front of it strung up like pinochio. And heck even then the system may dedect you are under durress and call the goon squad for ya. Keep in mind there is always other technology that is advancing due to Moore's law right along side of computation. They are not advancing directly because of it which creates a crazy exponential growth of tech because of the indirect connects between the fields.
Computers have been intelligent for a long time now. It just so happens that the program writers are about as effective as a room full of monkeys trying to crank out a copy of Hamlet.
-
That assumes that the policy is enforced and that the attacker knows the policy. If the policy is a minimum of eight characters, at least one uppercase, at least one lowercase, at least one digit, and at least one symbol and the attacker knows this (a reasonable assumption) then he won't try anything outside those parameters and will therefore reduce his efforts. On the other hand, if it's not enforced then he'll never guess that my password is "badger". :cool: In my opinion, allowing and recommending a wide variety of characters is a good idea, but requiring a wide variety of characters is not. Make the attacker search the largest haystack you can; don't limit it.
-
PIEBALDconsult wrote:
On the other hand, if it's not enforced then he'll never guess that my password is "badger".
A dictionary attack would be able to get that pretty easily still, and that's likely to be one of their first attempts.
No, if the attacker expects the password to have digits and symbols then he won't try anything without them.
-
Yeah, most of my passwords for relatively unimportant stuff are 10-20 characters. I think the longest password I know by heart is around 50 characters long. :-D
AspDotNetDev wrote:
50 characters long
I'd just copy and paste from Notepad -- from my Passwords.txt file. :rolleyes:
-
...or disable the account after n consecutive login failures. Pretty standard stuff. IMHO the article is more hype than not. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
AspDotNetDev wrote:
50 characters long
I'd just copy and paste from Notepad -- from my Passwords.txt file. :rolleyes:
I used to do something like that. Now I use KeePass. It's too much trouble to remember hundreds of passwords.
-
Ravi Bhavnani wrote:
disable the account after n consecutive login failures
X| That causes too much trouble.
Right. But some systems also offer a security policy to auto-reenable disabled accounts after m units of time have elapsed since the last perceived dictionary attack. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
No, if the attacker expects the password to have digits and symbols then he won't try anything without them.
But if its not enforced most people will choose not to use them, so I still think he'd try that first, especially because it would be relatively fast (I think I read somewhere English has around 600,000 words or something like that, so even at only 1000 per second that's like 10 minutes, and it works for many people's passwords). Which is of course why my secure password is utter gibberish with no meaning to anyone existing outside my head. (And the people inside my head can't get to computers so no worries there.)
-
...or disable the account after n consecutive login failures. Pretty standard stuff. IMHO the article is more hype than not. /ravi
My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com
-
That works for stuff like websites, but what about something like an encrypted file? There's not much you can do to prevent a brute force attack on those.
-
Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Or check the list below and see who big a difference between a few billion possible combinations a few sextillion possibilities really is. [ITworld]
the link says, that using a bigger alphabet is more secure, but this is just plain wrong it is better to increase the number of characters, even, if they are simple (lowercase letters) simple math: say 'k' is the size of your alphabet and 'n' shall be the size of your password. then there are k^n possibilities. increasing n is much more valueble than increasing k. just try it out: f = @(n,k) k^n; f(6,40) = 4.0960e+09 f(6,41) = 4.7501e+09 f(7,40) = 1.6384e+11 f(10,60) = 6.0466e+17 f(10,61) = 7.1334e+17 f(11,60) = 3.6280e+19 f(20,60) = 3.6562e+35 f(20,61) = 5.0886e+35 f(21,60) = 2.1937e+37 as you see, increasing the first parameter (length) makes like 100 times more possibilites, while adding one more symbol is like not even doubling. so, a good password is a passphrase, take 3-5 random (and easy to remember) words and stick them together. the idea to use passphrases came from http://xkcd.com/936/[^]
-
the link says, that using a bigger alphabet is more secure, but this is just plain wrong it is better to increase the number of characters, even, if they are simple (lowercase letters) simple math: say 'k' is the size of your alphabet and 'n' shall be the size of your password. then there are k^n possibilities. increasing n is much more valueble than increasing k. just try it out: f = @(n,k) k^n; f(6,40) = 4.0960e+09 f(6,41) = 4.7501e+09 f(7,40) = 1.6384e+11 f(10,60) = 6.0466e+17 f(10,61) = 7.1334e+17 f(11,60) = 3.6280e+19 f(20,60) = 3.6562e+35 f(20,61) = 5.0886e+35 f(21,60) = 2.1937e+37 as you see, increasing the first parameter (length) makes like 100 times more possibilites, while adding one more symbol is like not even doubling. so, a good password is a passphrase, take 3-5 random (and easy to remember) words and stick them together. the idea to use passphrases came from http://xkcd.com/936/[^]
Kevin Drzycimski wrote:
it is better to increase the number of characters
Yes, that's true too. :thumbsup:
-
That works for stuff like websites, but what about something like an encrypted file? There's not much you can do to prevent a brute force attack on those.
lewax00 wrote:
an encrypted file
And encrypt at least twice. :cool:
-
I used to do something like that. Now I use KeePass. It's too much trouble to remember hundreds of passwords.
I use LastPass's random password generation for most websites. I can't think of a more secure password - nobody knows it, not even me! :laugh: And of course I use my longest most secure password (that I can remember) is on my LastPass account so I don't have an obvious weak point there.
-
By then I would think 'passwords' as we know them will be obsolete. We can already have systems process your face agaisnt 250 mil in under a second, we can even combine that with IR imaging. Honestly who knows what some crazy genologist/crytpologist/biologist.../ist will come up with. My theory is someday the system will just know you are you. The only way to fake it would be to knock you out and have you sit in front of it strung up like pinochio. And heck even then the system may dedect you are under durress and call the goon squad for ya. Keep in mind there is always other technology that is advancing due to Moore's law right along side of computation. They are not advancing directly because of it which creates a crazy exponential growth of tech because of the indirect connects between the fields.
Computers have been intelligent for a long time now. It just so happens that the program writers are about as effective as a room full of monkeys trying to crank out a copy of Hamlet.
Collin Jasnoch wrote:
Honestly who knows what some crazy genologist/crytpologist/biologist.../ist will come up with.
I think I'm going to go invent cryptobiology now. Nevermind, a Google search gave me about 60,000 results for that word...I need to think of something even more obscure...
-
Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Or check the list below and see who big a difference between a few billion possible combinations a few sextillion possibilities really is. [ITworld]
It occurred to me that an organization could have a system constantly trying to break everyone's passwords -- anyone whose password is broken gets some sort of punishment (along with having to change the password).
-
Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Or check the list below and see who big a difference between a few billion possible combinations a few sextillion possibilities really is. [ITworld]
Now, that is a good question. My cat has a Codeproject account, and as is my norm these days, his password is a Guid. (Because I can paste it from my encrypted password store on the PC) How long to break it?
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 5.10 million trillion trillion trillion centuriesMy password is not a Guid (because I have to enter it from the keyboard on my phone occasionally) How long to break it?
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 0.000202 secondsMaybe I should find a way to remember Guids? :laugh:
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
