• Posts: 137
• Loc: Knappa, Oregon

3+ Months Ago

It's kinda like this:

Take a few seven character passwords:

These have the same amount of time to crack because they have the same number of possible characters: 26^7 or 8031810176 possible character combinations
alpha lowercase only
alpha uppercase only

52^7 or 1,028,071,703,000 possible character combinations
one is alpha upper and lowercase mixed

These are 36^7 or 78364164096 possibilities
one is alphanumeric lower
one is alphanumeric upper

Alphanumeric upper and lower is 62^7 combinations

Even better: alphanumeric upper, lower, along with non-alpha characters. You can pick a seven character password with 92^7 character combinations. That's a lot of character combinations.

Now consider this math with a longer password.

Say you can have up to 22 characters in your password and use the entire array of printable ASCII characters. This will be a pretty strong password. This is 92^27 (1.052619323×10⁵³). This password is going to take a lot more time and/or resources to break than a simple lowercase alpha password.

I've been haunting this forum today and I was noticing a lot of people talking about passwords being hacked.
Since I have some kind of idea about how exhaustive key search (brute force) attacks work.

The attacker can only run so many tries per second against a given machine. One reason for this may be that the attacker has limited resources, i.e. only has one system with a quad core CPU and a single GPU. They are only going to be able to run about 500-1000 tries per second against your machine. The other reason is that the system they are trying to get into might also have limited resources. So if the attacker is using one of those 64 core jobs or a cluster to run the attack, it can still only run so many tries in a given amount of time because the target system also has limited resources. So a huge volume of traffic will cause the target machine to slow or even crash due to the amount of requests thrown at it.

Dictionary attacks will use a precomputed word list to run the attack. Guess what? If your password isn't in the dictionary file or isn't a reasonably small permutation of one of the dictionary words, the attack will fail.

Moral of the story: don't use words that are in the dictionary. Well, or in dictionary files. This won't prevent your password from being cracked, but it will take the attacker much longer.

Use something like WseR@1#7q9*&gD3Qdvz7% if you possibly can. The time it takes to crack this password is a lot greater than something in a dictionary.

There's things like hashing, salting, and shadowing that I don't really know much about. Anybody know how all that stuff works?
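The keyspace arithmetic from the post above, worked as an added example (not code from the original post): it sizes the alphabet a password actually uses, raises it to the length, and converts that to worst-case search time at the ~1000 tries/s online rate given here and at the 500 gigahash/s offline rig a later reply mentions. The character-class sizes, rates and the "abcdefg" sample are assumptions.

```python
import string

# Character classes matching the sizes used in the post: 26 lowercase,
# 26 uppercase, 10 digits, plus string.punctuation's 32 symbols (94 total;
# the post rounds the printable-ASCII alphabet to 92, same arithmetic).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
ONLINE_RATE = 1_000     # ~500-1000 tries/s against a live machine (post figure)
OFFLINE_RATE = 500e9    # 500 gigahash/s cracking rig (figure from a later reply)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Alphabet the attacker must search: union of classes the password uses."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no recognised printable ASCII characters")
    return size

def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet ** length

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def report(password: str) -> dict:
    n = alphabet_size(password)
    space = keyspace(n, len(password))
    return {"alphabet": n, "length": len(password), "keyspace": space,
            "online_years": years_to_exhaust(space, ONLINE_RATE),
            "offline_years": years_to_exhaust(space, OFFLINE_RATE)}

if __name__ == "__main__":
    # "abcdefg" is a constructed lowercase-only sample; the other is the post's.
    for pw in ("abcdefg", "WseR@1#7q9*&gD3Qdvz7%"):
        r = report(pw)
        print(f"{pw!r}: {r['alphabet']}^{r['length']} = {r['keyspace']:.3e}, "
              f"{r['online_years']:.3g} yr online / {r['offline_years']:.3g} yr offline")
```

On average a search succeeds after half the keyspace, so halve these figures for the expected time; the ratio between the online and offline rates is the point the thread is making.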
• Guru
• Posts: 1289
• Loc: Sydney

3+ Months Ago

Why don't you use a CD key? I have made about 6 variations of my first Windows XP CD key from years ago and it is unique and random.
• Brewmaster
• Posts: 6274
• Loc: Seattle, WA

3+ Months Ago

Relevant: http://xkcd.com/936/
• Posts: 137
• Loc: Knappa, Oregon

3+ Months Ago

For sure, those are both pretty good suggestions: concatenating two random words or just using some random product. Or just using a keygen.
• Guru
• Posts: 1089
• Loc: Same place you left me.

3+ Months Ago

This is from a tutorial I wrote here on Ozzu:

Many users fail to keep their passwords secure. This can be a result of several things.
- Any password that contains a single word that is found in the dictionary is extremely vulnerable.
- Any password using all letters or all numbers is extremely vulnerable.
- Any password using less than 8 digits is extremely vulnerable.
- Any password using less than 12 digits is weak.
- Any password containing personal information is weak. (Ex: Smith4501 - last name + house number)
- Any password used at more than one location or more than one site is slightly vulnerable. (You're basing the security of your site on the security practices of someone else.)
- Any password saved on your computer or written on a paper found near your computer is slightly vulnerable.

Best password practices are as follows:
- A password containing lower case letters and upper case letters.
- A password unique to this site or application.

A secure password should be similar to the following: X91gt\$1d.#4s9J1k(0sx
The password is 20 digits long, contains caps and lower case, contains numbers, contains special characters and is unique to this site.

I wrote a tiny program that automatically generates that type of password. It ensures it's random every time, and follows all the guidelines every time. The biggest threat with passwords right now is man in the middle attacks and packet capturing. As soon as you have someone's password hash, it's fairly easy to solve. There are massive databases of cracked hashes for different encryption types, as well as the ability for users to crack password hashes on their own. For \$10,000 you can build a machine designed exclusively around cracking password hashes that can run around 500 gigahashes per second.

A strong password is step one (letters and numbers only is a pretty weak password regardless of length), step two is to make sure you're using SSL sites only, and step three is making sure you're on a secure connection (not public free WiFi).
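An added example (not from the thread or any poster) that answers the first post's question about hashing and salting and illustrates the "databases of cracked hashes" point above: an unsalted fast hash is reversed by a table lookup, while a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here) makes every stored digest unique and each guess expensive. The word list, the two users and the iteration count are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a "database of cracked hashes": md5(word) -> word.
# Real tables hold billions of rows; the mechanism is the same: reversing an
# unsalted fast hash is a lookup, not a computation.
COMMON_WORDS = ["password", "letmein", "qwerty", "Smith4501"]
CRACKED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}
ITERATIONS = 200_000  # hypothetical work factor; tune so one check costs ~100 ms

def unsalted_md5(password: str) -> str:
    """Bare MD5 of the password: identical for every user who picks it."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_cracked(md5_hex: str) -> Optional[str]:
    """One dictionary lookup recovers an unsalted password that is in the table."""
    return CRACKED_MD5.get(md5_hex)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated storage: random 16-byte salt + PBKDF2-HMAC-SHA256.
    The salt makes each stored digest unique (precomputed tables useless) and
    the iteration count makes each guess cost ITERATIONS hashes, not one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Two constructed users who chose the same weak password.
    for user in ("alice", "bob"):
        h = unsalted_md5("letmein")
        print(f"{user}: md5={h} -> cracked as {lookup_cracked(h)!r}")
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    print("salted digests identical:", d1 == d2)
    print("verify with stored salt:", verify_password("letmein", s1, d1))
```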
• Newbie
• Posts: 14

3+ Months Ago

I have focused my PHP studies on security and one great practice is to use an MD5 hash as your password and save it somewhere. The password would look like this:

97b9d805c7aac197a3aeacdcaca16406

Kindest Regards,
• Brewmaster
• Posts: 6274
• Loc: Seattle, WA

3+ Months Ago

Fosco999 wrote:
I have focused my PHP studies on security and one great practice is to use an MD5 hash as your password and save it somewhere. The password would look like this:

97b9d805c7aac197a3aeacdcaca16406

Kindest Regards,

I fail to see how that's even remotely a good idea.

1. Passwords should be easy to remember but hard to forget. "Saving" your password somewhere, either in digital form or on a piece of paper, makes it inherently less secure.

2. There's little difference between an MD5 checksum, and a randomly generated set of characters (within range).

Read the XKCD comic I linked earlier in this thread. Although I don't usually make a habit of using web comics to make a point, I think it does a good job in explaining, in layman's terms, why password security-by-obscurity simply isn't as good as a longer, easier to remember password.
• Newbie
• Posts: 14

3+ Months Ago

It only has to do with length when brute-forcing.
• Brewmaster
• Posts: 6274
• Loc: Seattle, WA

3+ Months Ago

Right, and brute-forcing is still a popular technique for cracking passwords. But using a random hash string as a password still doesn't provide any real benefit over a legit password/passphrase of similar length, especially if you need to store it somewhere just to use it.

## Post Information

• Total Posts in this topic: 8 posts