JavaRanch » Java Forums » Other » Meaningless Drivel
how secure is my password

Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30774

HowSecureIsMyPassword.net is interesting. My "insecure" password that I use for mailing lists and the like lists as 10 days to hack. What I previously thought of as my secure passwords for email and online banking came in at 3 days. I have two-factor authentication on for Gmail, so this isn't really a problem. I changed both passwords anyway. The new secure password for banking comes in at a billion years.

And no, I didn't use my actual passwords. I used security equivalent ones.


Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

That is a cool site. My 'insecure' password would take 19 seconds to crack, and the slightly more secure version would take 20 minutes. My secure password takes 92 years. I have been replacing all those options with passwords from a random generator, samples of which took hundreds of thousands of years.


Steve
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61437

My bank account password equivalent will take 364 quintillion years to crack.

My laptop password will take 19 seconds.

Guess which one I'll be changing?


Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

Bear Bibeault wrote: Guess which one I'll be changing?

The first one, anything over a billion shows a lack of free spirit and willingness to take risk that the ladies just find off-putting ;)
fred rosenberger
lowercase baba
Bartender

Joined: Oct 02, 2003
Posts: 11422

My work NT account password would take 345 thousand years.


There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30774

Fred: Good idea. A variant of my most secure work password: 157 billion years. As you might imagine, there are a lot of rules about what needs to be in that password. Oh, and we get to change it every month. I actually tested with a variant of a previous one because I'm paranoid.
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3610

How do we know the site doesn't build some neat password database?
Saurabh Pillai
Ranch Hand

Joined: Sep 12, 2008
Posts: 509
I think critical online services should block your account after a number of failed attempts, and for that reason crackers are not going to go for individual accounts but for the whole database.
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

Martin Vajsar wrote: How do we know the site doesn't build some neat password database?

You don't, so don't enter your real password; enter a password with comparable complexity.
Seetharaman Venkatasamy
Ranch Hand

Joined: Jan 28, 2008
Posts: 5575

I didn't type my password there. Otherwise 100000 years would become one millionth of a second to crack.... We need to find out symbols dynamically, i.e., there should not be a keyboard.
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3610

Steve Luke wrote:
Martin Vajsar wrote: How do we know the site doesn't build some neat password database?
You don't, so don't enter your real password; enter a password with comparable complexity.

The key question is whether all users do it this way. I'd say the ranch users don't behave the same as a typical user in this regard...
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181

True, there is still a missing piece to the puzzle though: where the passwords are applicable and what username they are applicable to. You could guess the passwords would apply to common sites (FB, eBay, etc...), but you still have to link them to usernames for them to be useful.
Seetharaman Venkatasamy
Ranch Hand

Joined: Jan 28, 2008
Posts: 5575

Steve Luke wrote: but you still have to link them to usernames for them to be useful.

SSO is like a credit card. Yes, I forgot to add IMO in front of this typing...
fred rosenberger
lowercase baba
Bartender

Joined: Oct 02, 2003
Posts: 11422

our work passwords can be one of two flavors...either:

minimum of 8 characters, with one or more symbols, and a mixture of upper and lower case, change every 3 months

or

minimum of 15 characters, change once a year

I choose the latter. I pick a phrase from a song, or a line from a book, or something like that. It's easy to remember, and after a day, easy to type in. And there are quite a few selections to choose from.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

fred rosenberger wrote:
minimum of 8 characters, with one or more symbols, and a mixture of upper and lower case, change every 3 months
or
minimum of 15 characters, change once a year

Lots of companies have policies that require frequent changes of passwords; most of the time, it's self-defeating. @fred's seems reasonable. But I don't see any rational way to enforce it, as once the passphrase has been passed through the one-way hash, no one knows how long it was.

The problem with changing passwords is that you need a human to remember them. Humans only remember things that they use. So a hard to break password is also hard to remember. If you make the user change the password frequently, they won't have used it enough to burn it into the brain. Then they do the obvious things, like put the password in a sticky note on the monitor.

We really need to invent something besides passwords. They simply don't work.
Arun Giridhar
Ranch Hand

Joined: Mar 10, 2012
Posts: 147

It would take a desktop PC about 2 seconds to crack your password


hate Professionalism. Join the http://2014.hack.lu/index.php/Main_Page
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3610

Arun Giridhar wrote: It would take a desktop PC about 2 seconds to crack your password

I'm a bit skeptical about the "time it would take to crack the password". It is actually the time to produce all passwords of the same length and similar complexity, and it sometimes also assumes the attacker knows the complexity class of your password beforehand (e.g. "numbers only" or "characters only"). However, the time to determine whether the generated passwords match the real one is not considered. I really don't know how that is usually done, but I'm pretty sure it doesn't take zero time.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

Martin Vajsar wrote:
Arun Giridhar wrote: It would take a desktop PC about 2 seconds to crack your password

I'm a bit skeptical about the "time it would take to crack the password".

Your skepticism is warranted over the exact times presented, but they have the order of magnitude correct, so whether it's "2 seconds" or 9 seconds makes no difference.
No one uses a desktop PC CPU to do this, you use GPU cards.

Martin Vajsar wrote: However, time to determine whether the generated passwords match the real one is not considered. I really don't know how that is usually done, but I'm pretty sure it doesn't take zero time.


You look up the results in a 'rainbow table', there are many online. The lookup can be O(1) but the constants are large, as you typically hash into the table. Since the table can be pre-sorted, you can access it in O(ln N), which is pretty fast, but sure is not zero.

The major problem (other than that passwords/passphrases are a bad idea) is that humans pick common words. So all 8-letter passwords do not have even 26^8 possibilities; rather, they have maybe 10,000 words with a bit of LEET-speak mangling.
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1779

It's all a bit 'meh' as far as I'm concerned. Sure, a strong password is extremely important, but the strength indication this website offers is a bit ridiculous if you ask me. It only applies if a hacker can get hold of the database that holds the password, and then maybe if the passwords are stored as unsalted MD5 hashes a desktop could perform a lookup fairly quickly using a rainbow table. If a website has a half-decent security setup it will generate salted hashes using an iterated hashing approach with something like SHA-256, or using a key derivation function like PBKDF2 or bcrypt / scrypt. However, I do agree paranoia pays off when it comes to passwords, so never ever trust the security of any website. I use a mobile app version of KeePass on a USB stick to generate and keep track of the more sensitive stuff. Oh and also this: http://xkcd.com/936/


Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Greg Charles
Sheriff

Joined: Oct 01, 2001
Posts: 2854

That XKCD strip was the first thing I thought about. The website agrees that Tr0ub4dor&3 is much less secure than correcthorsebatterystaple, but the estimates of total time are way different. Randall (XKCD) gives 3 days vs. 550 years, but howsecureismypassword.net gives 4000 years vs. a quintillion years. That's a salient difference since I might be motivated to change a password that could be cracked in three days, but the difference between 4000 years and a quintillion years in this context is essentially nil.

My IT department forces us to change passwords every 90 days, which I really dislike. My feeling is that it leads to more frequent requests for passwords to be reset, and prompts people to write their passwords down until they're sure they won't forget it. That makes the system less secure, not more. Also, it's a pain.
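The disagreement Greg describes between xkcd's 3 days / 550 years and the site's 4000 years / a quintillion years comes from two different search-space models, and Jelle's point about unsalted MD5 versus PBKDF2 is about per-guess cost. This added example (not code from the site, xkcd, or anyone in the thread) puts both into arithmetic; the 28-bit and 44-bit figures are xkcd 936's stated entropies, while the guess rates and the 95-character alphabet are constructed assumptions.

```python
import hashlib
import math

# Constructed guess rates: xkcd 936 assumes 1000 guesses/s against a remote
# login; the offline figure is a round placeholder for unsalted MD5 on GPUs.
GUESSES_PER_SEC = {"xkcd_online": 1e3, "offline_fast_hash": 1e10}
# Entropy as stated in xkcd 936 (word-list/pattern model, not character classes).
XKCD_BITS = {"Tr0ub4dor&3": 28, "correcthorsebatterystaple": 44}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Alphabet a character-class estimator assumes: union of the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size

def charclass_bits(password: str) -> float:
    """Bits of a full brute-force search over the character classes present."""
    return len(password) * math.log2(alphabet_size(password))

def years_to_exhaust(bits: float, rate: float, hash_ops_per_guess: int = 1) -> float:
    """Worst case (every candidate tried). A KDF with N iterations costs N hash
    operations per guess, so it divides the attacker's effective rate by N."""
    return 2 ** bits * hash_ops_per_guess / rate / SECONDS_PER_YEAR

def compare(password: str) -> dict:
    """Same password, two search-space models: why the site and xkcd disagree."""
    bits, fast = XKCD_BITS[password], GUESSES_PER_SEC["offline_fast_hash"]
    return {
        "charclass_bits": round(charclass_bits(password), 1),
        "xkcd_bits": bits,
        "years_online_xkcd_model": years_to_exhaust(bits, GUESSES_PER_SEC["xkcd_online"]),
        "years_offline_md5": years_to_exhaust(bits, fast),
        "years_offline_pbkdf2_100k": years_to_exhaust(bits, fast, 100_000),
    }

def unsalted_md5(password: str) -> str:
    """What a rainbow table targets: the same digest for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt defeats precomputed tables; iterations raise the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
```

`compare("correcthorsebatterystaple")` reproduces xkcd's roughly 550 years at 1000 guesses/s while the character-class model credits the same string with about 117 bits, which is where the site's quintillion-year figure comes from.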
Samuel Bird
Ranch Hand

Joined: Jul 19, 2013
Posts: 96

2 septendecillion years

yay, i think...
Rohit Kumar Singh
Ranch Hand

Joined: Sep 29, 2013
Posts: 105

My Lap Pass will take 0.0000000065 seconds to crack ...


and my account pass will take about 157 billion years to crack...


and my FB and most social networking pass will take about 81 billion years


Accept me as I am, or Watch me as I go.
Daniel Hirning
Ranch Hand

Joined: Sep 16, 2013
Posts: 50

Passwords come in all flavors.

If you are using a pw generator, and you store it with a program like LastPass or Password Safe and trust the security measures and the math behind the encryption then theoretically the sky is the limit.

Any large combination of special characters, numbers, random letters, upper and lower case auto generated, is going to take more time to crack than your secret is worth.

The problem is, most people either don't have these, or hide these behind something easily dictionary attacked for the convenience of memorization.

I use a version of the pass phrase method as mentioned in this article by Bruce Schneier

According to the link in the OP - A version of my java ranch password (Auto Generated) would take 2 Billion years to crack.

And a version of my master password (pass phrase) where I store my auto-generated ones would take 39 quadrillion years; it's memorable, personal and dictionary safe.

Do i trust the results of this site? Not unless I check the math myself and then pass it to someone who didn't sit through math with a set of head phones on.