how secure is my password

 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33713
316
Eclipse IDE Java VI Editor
HowSecureIsMyPassword.net is interesting. My "insecure" password that I use for mailing lists and the like lists as 10 days to hack. What I previously thought of as my secure passwords for email and online banking came in at 3 days. I have two factor authentication on for gmail so this isn't really a problem. I changed both passwords anyway. The new secure password for banking comes in at a billion years.

And no, I didn't use my actual passwords. I used security equivalent ones.
 
Steve Luke
Bartender
Pie
Posts: 4181
21
IntelliJ IDE Java Python
That is a cool site. My 'insecure' password would take 19 seconds to crack, and the slightly more secure version would take 20 minutes. My secure password takes 92 years. I have been replacing all those options with passwords from a random generator, samples of which took 100s of thousands of years.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64205
83
IntelliJ IDE Java jQuery Mac Mac OS X
My bank account password equivalent will take 364 quintillion years to crack.

My laptop password will take 19 seconds.

Guess which one I'll be changing?
 
Steve Luke
Bartender
Pie
Posts: 4181
21
IntelliJ IDE Java Python
Bear Bibeault wrote: Guess which one I'll be changing?

The first one, anything over a billion shows a lack of free spirit and willingness to take risk that the ladies just find off-putting ;)
 
fred rosenberger
lowercase baba
Bartender
Pie
Posts: 12022
25
Chrome Java Linux
My work NT account password would take 345 thousand years.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33713
316
Eclipse IDE Java VI Editor
Fred: Good idea. A variant of my most secure work password: 157 billion years. As you might imagine, there are a lot of rules about what needs to be in that password. Oh, and we get to change it every month. I actually tested with a variant of a previous one because I'm paranoid.
 
Martin Vajsar
Sheriff
Pie
Posts: 3747
62
Chrome Netbeans IDE Oracle
How do we know the site doesn't build some neat password database?
 
Saurabh Pillai
Ranch Hand
Posts: 524
I think critical online services should block your account after a number of failed attempts, and for that reason crackers are not going to go for individual accounts but the whole database.
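The lockout policy described in this post is the difference between online guessing (throttled by the service) and offline guessing (limited only by hardware). The following is an added example, not code from this thread or from any site mentioned in it: a small per-account throttle with a fake-clock hook for testing. The policy numbers (5 failures, 15-minute lockout) are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict

# Assumed policy values (not figures from the thread): lock an account after
# 5 consecutive failures, and keep it locked for 15 minutes.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class LoginThrottle:
    """Tracks failed logins per account and enforces a temporary lockout.

    `clock` is injectable so the behaviour can be exercised without waiting
    real minutes; production code would leave it as time.time.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> unix time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it and start the failure count afresh.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Call after a wrong password. Returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        """Call after a correct password on an unlocked account."""
        self._failures[account] = 0
        self._locked_until.pop(account, None)


def max_online_guesses_per_day():
    """Upper bound on guesses an attacker gets against ONE account per day under
    this policy: MAX_FAILURES guesses, then a LOCKOUT_SECONDS pause, repeated.
    (It says nothing about spraying guesses across many accounts, which is why
    the post's point about going for the whole database still stands.)"""
    cycles_per_day = 86400 / LOCKOUT_SECONDS
    return int(MAX_FAILURES * cycles_per_day)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        locked = throttle.record_failure("alice")
    print("locked after", MAX_FAILURES, "failures:", locked)
    print("online guesses per account per day:", max_online_guesses_per_day())
```

With these numbers an online attacker is held to a few hundred guesses per account per day, which is why the "years to crack" figures in this thread only mean anything once an attacker has the hash database and can guess offline.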
 
Steve Luke
Bartender
Pie
Posts: 4181
21
IntelliJ IDE Java Python
Martin Vajsar wrote: How do we know the site doesn't build some neat password database?
You don't, so don't enter your real password, enter a password with comparable complexity.
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
Eclipse IDE Java Windows XP
I didn't type my password there. Otherwise 100000 years would become one millionth of a second to crack.... We need to find out the symbols dynamically, i.e., there should not be a keyboard.
 
Martin Vajsar
Sheriff
Pie
Posts: 3747
62
Chrome Netbeans IDE Oracle
Steve Luke wrote:
Martin Vajsar wrote: How do we know the site doesn't build some neat password database?
You don't, so don't enter your real password, enter a password with comparable complexity.

The key question is whether all users do it this way. I'd say the ranch users don't behave the same as a typical user in this regard...
 
Steve Luke
Bartender
Pie
Posts: 4181
21
IntelliJ IDE Java Python
True, there is still a missing piece to the puzzle though: where the passwords are applicable and what username they are applicable to. You could guess the passwords would apply to common sites (FB, eBay, etc...) but you still have to link them to usernames for them to be useful.
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
Eclipse IDE Java Windows XP
Steve Luke wrote: but you still have to link them to usernames for them to be useful.

SSO is like a credit card. Yes, I forgot to add IMO in front of this typing...
 
fred rosenberger
lowercase baba
Bartender
Pie
Posts: 12022
25
Chrome Java Linux
Our work passwords can be one of two flavors... either:

minimum of 8 characters, with one or more symbols, and a mixture of upper and lower case, change every 3 months

or

minimum of 15 characters, change once a year

I choose the latter. I pick a phrase from a song, or a line from a book, or something like that. It's easy to remember, and after a day, easy to type in. And there are quite a few selections to choose from.

 
Pat Farrell
Rancher
Posts: 4660
5
Linux Mac OS X VI Editor
fred rosenberger wrote:
minimum of 8 characters, with one or more symbols, and a mixture of upper and lower case, change every 3 months
or
minimum of 15 characters, change once a year


Lots of companies have policies that require frequent changes of passwords; most of the time, it's self-defeating. @fred's seems reasonable. But I don't see any rational way to enforce it, as once the passphrase has been passed through the one-way hash, no one knows how long it was.

The problem with changing passwords is that you need a human to remember them. Humans only remember things that they use. So a hard to break password is also hard to remember. If you make the user change the password frequently, they won't have used it enough to burn it into the brain. Then they do the obvious things, like put the password in a sticky note on the monitor.

We really need to invent something besides passwords. They simply don't work.
 
Arun Giridhar
Ranch Hand
Posts: 181
It would take a desktop PC about 2 seconds to crack your password
 
Martin Vajsar
Sheriff
Pie
Posts: 3747
62
Chrome Netbeans IDE Oracle
Arun Giridhar wrote: It would take a desktop PC about 2 seconds to crack your password

I'm a bit skeptical about the "time it would take to crack the password". It is actually the time to produce all passwords of the same length and similar complexity, and it sometimes also assumes the attacker knows the complexity class of your password beforehand (eg. "numbers only" or "characters only"). However, time to determine whether the generated passwords match the real one is not considered. I really don't know how that is usually done, but I'm pretty sure it doesn't take zero time.
 
Pat Farrell
Rancher
Posts: 4660
5
Linux Mac OS X VI Editor
Martin Vajsar wrote:
Arun Giridhar wrote: It would take a desktop PC about 2 seconds to crack your password

I'm a bit skeptical about the "time it would take to crack the password".


Your skepticism is warranted over the exact times presented, but they have the order of magnitude correct, so whether it's "2 seconds" or 9 seconds makes no difference.
No one uses a desktop PC CPU to do this, you use GPU cards.

Martin Vajsar wrote: However, time to determine whether the generated passwords match the real one is not considered. I really don't know how that is usually done, but I'm pretty sure it doesn't take zero time.


You look up the results in a 'rainbow table', there are many online. The lookup can be O(1) but the constants are large, as you typically hash into the table. Since the table can be pre-sorted, you can access it in O(ln N), which is pretty fast, but sure is not zero.

The major problem (other than that passwords/passphrases are a bad idea) is that humans pick common words. So all 8-letter passwords do not have even 26^8 possibilities; rather they have maybe 10,000 words with a bit of LEET-speak mangling.
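Martin's doubt about what the "time to crack" figure actually measures, and Pat's two corrections (GPUs, not desktop CPUs, set the guess rate; humans pick from a few thousand words rather than the full alphabet), are easy to make concrete. The following estimator is an added example written for this thread, not the website's code or anyone's published method. The guess rates are illustrative constants I chose; the 10,000-word figure is Pat's, the 1,000 mangling variants per word is my assumption, and the sample password is constructed.

```python
# Illustrative guess rates (guesses per second), chosen for this example and
# not taken from the thread or from the website being discussed.
GUESS_RATES = {
    "desktop CPU, fast hash": 1e8,
    "GPU rig, fast hash": 1e10,
    "GPU rig, slow hash (bcrypt)": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(password):
    """Alphabet a site-style estimate assumes: the union of the character
    classes present in the password (33 printable symbols is an assumption)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def brute_force_space(password):
    """Candidates to enumerate when only length and alphabet are known."""
    return alphabet_size(password) ** len(password)


def dictionary_space(words=10_000, mangling_variants=1_000):
    """Pat's human model: a common word plus a bit of LEET/case/suffix mangling.
    10,000 words is from the post; 1,000 variants per word is an assumption."""
    return words * mangling_variants


def worst_case_seconds(space, rate):
    """Time to exhaust the whole space at `rate` guesses per second. This is the
    "generate every candidate" figure Martin describes; the per-guess comparison
    cost is folded into the rate rather than modelled separately."""
    return space / rate


def describe(seconds):
    """Human-readable duration for the report."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report(password):
    """Return {attacker model: {rate name: seconds}} for the given password."""
    spaces = {
        "brute force": brute_force_space(password),
        "dictionary+mangling": dictionary_space(),
    }
    return {
        model: {name: worst_case_seconds(space, rate)
                for name, rate in GUESS_RATES.items()}
        for model, space in spaces.items()
    }


if __name__ == "__main__":
    sample = "Passw0rd!"   # constructed sample, not anyone's real password
    for model, times in report(sample).items():
        for name, secs in times.items():
            print(f"{sample!r:14} {model:20} {name:28} {describe(secs)}")
```

Run it and the same nine-character sample lands anywhere from years (brute force, GPU, fast hash) to under a second (dictionary model, GPU): the number a checker prints is a property of the attacker model it assumes, not of the password alone.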
 
Jelle Klap
Bartender
Posts: 1951
7
Eclipse IDE Java
It's all a bit 'meh' as far as I'm concerned. Sure a strong password is extremely important, but the strength indication this website offers is a bit ridiculous if you ask me. It only applies if a hacker can get a hold of the database that holds the password, and then maybe if the passwords are stored as unsalted MD5 hashes a desktop could perform a lookup fairly quickly using a rainbow table. If a website has a half decent security setup it will generate salted hashes using an iterated hashing approach with something like SHA-256, or using a key derivation function like PBKDF2 or bcrypt / scrypt. However I do agree paranoia pays off when it comes to passwords, so never ever trust the security of any website. I use a mobile apps version of KeePass on a USB stick to generate and keep track of the more sensitive stuff. Oh and also this: http://xkcd.com/936/
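The contrast Jelle draws (and the rainbow-table lookup Pat mentions earlier) comes down to two storage schemes. The code below is an added example, not from this thread, KeePass, or any library's documentation: a precomputed hash-to-password table defeats unsalted MD5 with a dictionary lookup, while a salted, iterated PBKDF2-HMAC-SHA256 hash forces every guess to be recomputed per user. The candidate list is constructed, and the iteration count is an assumption for the example rather than a recommended production value.

```python
import hashlib
import hmac
import os

# Constructed list of popular passwords, standing in for a precomputed
# (rainbow/lookup) table of hashes an attacker would carry around.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

# Work factor for PBKDF2-HMAC-SHA256. Assumed for this example; in practice
# you pick it by measuring the cost on your own servers.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password):
    """The weak scheme: one fast hash, no salt, identical output for identical input."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; every unsalted MD5 leak is then a dict lookup."""
    return {md5_unsalted(p): p for p in candidates}


def crack_unsalted(table, leaked_digest):
    """Return the password if its unsalted MD5 is in the table, else None."""
    return table.get(leaked_digest)


def pbkdf2_store(password, iterations=PBKDF2_ITERATIONS):
    """Hash with a fresh random 16-byte salt and an iteration count; the stored
    string carries everything needed to verify later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_hashes_differ(password):
    """Two users with the same password get different stored values, so one
    precomputed table cannot serve both: each guess must be rerun per salt."""
    return pbkdf2_store(password) != pbkdf2_store(password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted MD5 of 'letmein' ->", crack_unsalted(table, md5_unsalted("letmein")))
    stored = pbkdf2_store("letmein")
    print("stored:", stored)
    print("verify correct:", pbkdf2_verify(stored, "letmein"))
    print("verify wrong:  ", pbkdf2_verify(stored, "letmeout"))
    print("same password, different records:", salted_hashes_differ("letmein"))
```

The salt is what makes the lookup table useless; the iteration count is what makes each remaining guess expensive. A "years to crack" figure assumes the second part was done badly.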
 
Greg Charles
Sheriff
Posts: 2984
12
Firefox Browser IntelliJ IDE Java Mac Ruby
That XKCD strip was the first thing I thought about. The website agrees that Tr0ub4dor&3 is much less secure than correcthorsebatterystaple, but the estimates of total time are way different. Randall (XKCD) gives 3 days vs. 550 years, but howsecureismypassword.net gives 4000 years vs. a quintillion years. That's a salient difference since I might be motivated to change a password that could be cracked in three days, but the difference between 4000 years and a quintillion years in this context is essentially nil.

My IT department forces us to change passwords every 90 days, which I really dislike. My feeling is that it leads to more frequent requests for passwords to be reset, and prompts people to write their passwords down until they're sure they won't forget it. That makes the system less secure, not more. Also, it's a pain.
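The gap Greg notices between the strip's numbers and the website's comes from two different entropy models: XKCD credits only the choices the user actually made (the strip's bit counts for each component), while a length-and-alphabet estimator credits every character as if it were random. The block below is an added example, not from the thread, the comic, or the website. The component bit values and the 1000 guesses/s rate are the strip's; the 1e9 guesses/s offline rate used for the structure-blind estimate is my assumption.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400

# XKCD 936's accounting for "Tr0ub4dor&3": bits the strip assigns to each
# choice the user made (the strip's figures, not mine).
TROUBADOR_COMPONENTS = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common substitutions": 3,
    "punctuation": 4,
    "numeral": 3,
    "order of suffixes": 1,
}

# Four words drawn from a ~2048-word list, 11 bits each, per the strip.
PASSPHRASE_WORDS = 4
BITS_PER_WORD = 11


def structure_aware_bits(components):
    """Entropy when the attacker knows the pattern and only guesses the choices."""
    return sum(components.values())


def passphrase_bits(words=PASSPHRASE_WORDS, bits_per_word=BITS_PER_WORD):
    """Entropy of a random passphrase: the attacker may know the word list."""
    return words * bits_per_word


def structure_blind_bits(password, alphabet_size):
    """Entropy a length-and-alphabet-only estimator credits: log2(alphabet^length)."""
    return len(password) * math.log2(alphabet_size)


def seconds_to_search(bits, guesses_per_second):
    """Time to enumerate 2^bits candidates at the given rate."""
    return 2 ** bits / guesses_per_second


def xkcd_estimates(guesses_per_second=1000):
    """Reproduce the strip at its 1000 guesses/s (a throttled web login)."""
    return {
        "Tr0ub4dor&3": seconds_to_search(
            structure_aware_bits(TROUBADOR_COMPONENTS), guesses_per_second),
        "correcthorsebatterystaple": seconds_to_search(
            passphrase_bits(), guesses_per_second),
    }


def blind_estimates(guesses_per_second=1e9):
    """What a site-style estimator credits the same two passwords with, at an
    assumed 1e9 guesses/s offline rate (my assumption, not the site's rate).
    Tr0ub4dor&3 uses all four character classes (95 symbols); the passphrase
    is lowercase only (26)."""
    return {
        "Tr0ub4dor&3": seconds_to_search(
            structure_blind_bits("Tr0ub4dor&3", 95), guesses_per_second),
        "correcthorsebatterystaple": seconds_to_search(
            structure_blind_bits("correcthorsebatterystaple", 26), guesses_per_second),
    }


if __name__ == "__main__":
    for label, est in (("XKCD model", xkcd_estimates()), ("blind model", blind_estimates())):
        for pw, secs in est.items():
            print(f"{label:12} {pw:28} {secs / SECONDS_PER_YEAR:.3g} years")
```

The structure-aware model gives roughly 3 days and 550 years, matching the strip; the structure-blind model credits the 25-letter passphrase with well over 10^18 years, which is the "quintillion" order of magnitude Greg saw. Both rank the passwords the same way; they disagree on whether the attacker is assumed to know how the password was built.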
 
Samuel Bird
Ranch Hand
Posts: 96
Eclipse IDE Java Linux
2 septendecillion years

yay, I think...
 
Rohit Kumar Singh
Ranch Hand
Posts: 105
Eclipse IDE Java jQuery
My Lap Pass will take 0.0000000065 seconds to crack ...


and my account pass will take about 157 billion years to crack...


and my FB and most social networking pass will take about 81 billion years
 
Daniel Hirning
Ranch Hand
Posts: 50
1
Android Eclipse IDE Java
Passwords come in all flavors.

If you are using a pw generator, and you store it with a program like LastPass or Password Safe and trust the security measures and the math behind the encryption then theoretically the sky is the limit.

Any large combination of special characters, numbers, random letters, upper and lower case auto generated, is going to take more time to crack than your secret is worth.

The problem is, most people either don't have these, or hide these behind something easily dictionary attacked for the convenience of memorization.

I use a version of the pass phrase method as mentioned in this article by Bruce Schneier

According to the link in the OP - A version of my java ranch password (Auto Generated) would take 2 Billion years to crack.

And a version of my master password (Pass Phrase) where I store my auto generated ones would take 39 Quadrillion years; it's memorable, personal and Dictionary safe.

Do I trust the results of this site? Not unless I check the math myself and then pass it to someone who didn't sit through math with a set of head phones on.
 