Re: Your dog is more popular than your daughter
Yes, but it seems that boys are more popular than dogs and girls less popular than dogs. Odd choice.
Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence …
@ ZSn "Not sure", agree.
How can they crack GoodLuckGuessingThisPassword by brute force? Considering letters only: one has to guess max 52^23=2.8E42 times, which takes centuries (or crack a PW of 140 bits entropy).
Perhaps a Markov chain attack works with these words. Might gain a factor 3(?) up front, but with the same performance for an exhaustive search.
Even if a combine-words-in-dictionary attack on a passphrase was undertaken with a 7776 word Diceware dictionary: it would take max 7776^5=2.8E19 guesses. Or at ~20 billion/sec (if possible for phrases) some 40 years on average.
I have not seen math for non-random phrases, that could be attacked by grammar based approaches. Perhaps they know how to do that?
I know far too many users who use Password<number>.
They don't seem to get that it's a stupid password, just as they don't understand why I am very annoyed by the cracked screen on their laptop, which magically appeared but also seems to be the same size as the paperwork they have in their other hand.
Since I never access important/secure sites away from home I use a locally based password generator/manager. I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.
Much as I dislike it, I think 2 factor authentication has to be the way to go for sites requiring genuine security and everyone else should accept at least 32 printable characters.
Once or twice I have actually sent emails to webmasters at particularly bad sites (max 8 chars etc) saying that I have refrained from registering because the password policy was inherently insecure. I've never had a reply, though.
I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.
Yup, but that's still better than the bastards that 'accept' it, silently truncate it down to their max length and leave you wondering why you can't log in.
The passwords that really annoy me are on recruitment websites that insist on mindlessly secure password JUST TO APPLY FOR A F****G JOB!!!! The first time I go to the website I use my usual throw-away password, which is rejected, and then have to go through a sequence of trying to get it to accept a password. Some weeks later I follow up another vacancy to the same website and then have to try and remember: was this with a capital letter? a terminal number? a capital letter and two terminal numbers? some crazy punctuation as well? f*** it, if you're going to these lengths to stop people applying for your jobs, you've succeeded.
So you have a password based on a phrase, using simple number substitution, e.g. s becomes 5.
On a computer keyboard use Shift+5 for upper case S. Then you get a nice new phone and have to enter the password. What is the character you type for Shift+5?
Answer: It's % but how many people know the ten characters used on the numeric keys, and some are different depending on language and machine, " and @ are transposed on Macs compared to PCs in the UK
... password replacement policies were based on the time needed to brute-force an existing password? Say you are a new employee about to set your network password for the first time (because the one you received on welcome comes with a "must change" setting). You try "Password1" and, since this is "cracked" by the validator in real time, it is not even accepted, since the check for minimum password complexity can be run synchronously, as soon as you press Enter. So you try something a bit more complex and it is accepted, but within a few hours or a few days you receive an email explaining that you need to change your password again because it has been deemed too weak by automated password complexity assessment (i.e. cracked by the security team). This comes with the obligatory picture borrowed (legally, of course) from xkcd and a longer explanation about how password complexity works. Sounds like a pain?
But here is a good part: if you read the instructions carefully, you will figure out how to set a password that you won't ever have to change (bar emergencies). You simply make it complex enough!
Now, if only one password was needed at work ...
One, they can send numerous zombies to simultaneously try the same account, creating a race condition. Two, many brute-force efforts come AFTER they purloin the shadow files (analogue: they take the still-closed safe with them) at which point they can crack at it at their leisure.
Most password hacking relies on having a system that allows continuous retries until a password works. ALL password systems should work on the basis of an incorrect entry equalling a wait time for each retry, with the wait time increasing exponentially for each incorrect entry. First incorrect entry: 30 seconds. Second: 5 minutes. Third: 30 minutes, and so on.
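The escalating-delay scheme proposed in the comment above, written out as an added Python example (it is not code from the commenter or from the article). The 30 s / 5 min / 30 min steps are the comment's; the assumption that later steps multiply the previous delay by 6 is mine, standing in for "and so on". The sample account and password are constructed. The throttle is checked before the password is verified, and its state is keyed per account; in a real deployment that state lives in a store with atomic updates, otherwise the simultaneous attempts described further down the thread can all pass the check before the failure counter moves. It slows online guessing only; it does nothing against offline cracking of a stolen hash file.

```python
import hashlib
import hmac
import os
import time


class ManualClock:
    """Test clock so the back-off can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FailedLoginThrottle:
    SCHEDULE = (30, 300, 1800)   # delays from the comment: 30 s, 5 min, 30 min
    GROWTH = 6                   # assumed continuation of "and so on"

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}         # account -> (failure_count, not_before_timestamp)

    def delay_for(self, failures):
        """Wait imposed after the N-th consecutive failure."""
        if failures <= 0:
            return 0
        if failures <= len(self.SCHEDULE):
            return self.SCHEDULE[failures - 1]
        return self.SCHEDULE[-1] * self.GROWTH ** (failures - len(self.SCHEDULE))

    def seconds_until_allowed(self, account):
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = self.delay_for(failures)
        self._state[account] = (failures, self._clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


def make_record(password, iterations=100_000):
    """Salted PBKDF2-SHA256 record; the salt makes each hash unique per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


# Constructed sample account for the example; not real credentials.
USERS = {"alice": make_record("correct horse battery staple")}
# Verified for unknown accounts so a missing user takes as long as a wrong password.
_DUMMY = make_record("unused-dummy-password")


def verify(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def attempt_login(throttle, users, account, password):
    """Returns (status, seconds): 'throttled' with the remaining wait,
    'bad_credentials' with the newly imposed wait, or 'ok' with 0."""
    wait = throttle.seconds_until_allowed(account)
    if wait > 0:
        return ("throttled", wait)          # refused before the hash is even computed
    record = users.get(account, _DUMMY)
    ok = verify(record, password) and account in users
    if ok:
        throttle.record_success(account)     # a good login resets the back-off
        return ("ok", 0)
    return ("bad_credentials", throttle.record_failure(account))


if __name__ == "__main__":
    clock = ManualClock()
    throttle = FailedLoginThrottle(clock=clock)
    print(attempt_login(throttle, USERS, "alice", "guess1"))    # ('bad_credentials', 30)
    print(attempt_login(throttle, USERS, "alice", "correct horse battery staple"))  # throttled
    clock.advance(30)
    print(attempt_login(throttle, USERS, "alice", "correct horse battery staple"))  # ('ok', 0)
```

The wait is returned rather than slept on so the caller (a web handler, a PAM module) can decide how to respond; a 30-minute delay on a single account also makes a clear log line for detection.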
Who can humanly keep track of all the passwords needed in today's world? It's not realistic to use password security because of ALL the MOUNTAINS of passwords that are needed. Not even the human brain can keep track of it all. I know I use as few passwords as necessary... it's just not realistic to think people are going to create new 8 character obscure passwords for every little task in their lives.
I used the names of the towns on Oahu, Hawaii, plus the obligatory number of special characters, tacked on the end, to log on to my computer. Plenty of names longer than 10 characters with the padding.
Of course, I had a printed cheat sheet with all my many passwords in the drawer with the security files I used.
No way, with all the various differing password rules for the different log-ins I needed, could I remember them all.
It's all well and good to not change passwords as frequently, but in order for it to work you have to enforce a long password length - long enough that it would take a hacker with full access to your hashes longer to crack them with a GPU setup similar to what you've outlined in the article. Always ASSUME that your hashes are in the hands of the bad guys, because chances are, they are.
I guess what I'm saying is, there is no substitute for doing the math. And re-doing the math every few months as the number of hashes that can be checked in a short time increases.
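The keyspace arithmetic in the earlier comment (52^23, 7776^5 Diceware guesses at ~20 billion/sec) and the "do the math, then re-do it" advice just above, carried through in an added Python example that is not code from either commenter or from the article. It uses the thread's own figures (7776-word dictionary, five words, 20e9 guesses per second) and adds one helper the "do the math" point calls for: the shortest length, for a given alphabet, whose full keyspace cannot be exhausted within a rotation period at a given guess rate. The 90-day rotation period and the 26- and 95-symbol alphabets are assumptions for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
THREAD_GUESS_RATE = 20e9          # ~20 billion guesses/sec, as quoted in the thread
DICEWARE_WORDS = 7776             # Diceware dictionary size from the thread


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random choice from that keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time for an exhaustive search; the average hit is half this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def min_length_to_survive(alphabet_size, guesses_per_second, period_seconds):
    """Smallest length whose full keyspace takes longer than `period_seconds`
    to exhaust at `guesses_per_second`, i.e. an attacker holding the hashes
    cannot finish a brute-force search before the password is rotated."""
    budget = guesses_per_second * period_seconds
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length


def diceware_report(words=5, guesses_per_second=THREAD_GUESS_RATE):
    """Summary for an N-word Diceware passphrase attacked by phrase enumeration."""
    space = keyspace(DICEWARE_WORDS, words)
    return {
        "keyspace": space,
        "entropy_bits": entropy_bits(DICEWARE_WORDS, words),
        "worst_case_years": years_to_exhaust(space, guesses_per_second),
        "average_years": years_to_exhaust(space, guesses_per_second) / 2,
    }


if __name__ == "__main__":
    ninety_days = 90 * 24 * 3600  # assumed rotation period
    for k, v in diceware_report().items():
        print(f"{k:>17}: {v:,.2f}" if isinstance(v, float) else f"{k:>17}: {v:,}")
    for name, size in (("lower-case only", 26), ("all printable ASCII", 95)):
        n = min_length_to_survive(size, THREAD_GUESS_RATE, ninety_days)
        print(f"{name}: {n} chars to outlast 90 days at {THREAD_GUESS_RATE:.0e}/s")
```

Re-running `min_length_to_survive` with a higher guess rate is the "re-do the math every few months" step: the required length only ever goes up.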
One of the things that really annoys me about this - of course these stupid rules "upper+lower case, digit, special symbol" do not yield a good password. Not at all. And there are lots of good passwords that are lower case only, e.g. wcbhfeae (easy to remember, isn't it?) is not that bad.
Ranking passwords by these categories is completely senseless.
/Zane