
Geek Culture / How I'd hack your weak passwords (Article)

JoelJ
21
Years of Service
User Offline
Joined: 8th Sep 2003
Location: UTAH
Posted: 1st Apr 2010 10:02
I was just reading this article about password security. It's actually really interesting. I especially thought the table was helpful:



The difference between a 6 character and an 8 character password is outstanding. And the difference between an 8 character password and a 14 character password is just unbelievable.

Reading this article was very informative to me.

Your mother has been erased by a mod because it's larger than 600x120
jeffhuys
19
Years of Service
User Offline
Joined: 24th May 2006
Location: No cheesy line here.
Posted: 1st Apr 2010 10:44
Haha, glad I'm using 20+ characters...

You're the 'th to view this signature!
lazerus
17
Years of Service
User Offline
Joined: 30th Apr 2008
Location:
Posted: 1st Apr 2010 14:01 Edited at: 1st Apr 2010 14:01
32 characters in my passwords

It only takes me 2-3 secs to type it in as well

I guess I'm overkill? / paranoid?

TheComet
17
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 1st Apr 2010 15:04 Edited at: 1st Apr 2010 15:05
Nah, I also have a 32 character password. (A teacher's name with tons of swear words in front and a few numbers )

TheComet

AndrewT
18
Years of Service
User Offline
Joined: 11th Feb 2007
Location: MI, USA
Posted: 2nd Apr 2010 03:15
My most frequently used password is 15 random letters, numbers, and symbols. When I was younger I decided to create a new password by closing my eyes and hitting my keyboard while randomly pressing the shift key. I memorized it, and it's pretty much all I use now.

i like orange
Quik
16
Years of Service
User Offline
Joined: 3rd Jul 2008
Location: Equestria!
Posted: 2nd Apr 2010 04:20
i... i... only use... 8.... chars and numbers... but...


[Q]uik, Quiker than most
Dark Dragon
17
Years of Service
User Offline
Joined: 22nd Jun 2007
Location: In the ring, Kickin\' *donkeybutt*.
Posted: 2nd Apr 2010 04:27
s***. I use simple passwords.......the minimum they will let me use........... Thanks, i know some stuff now about my password...............................Oh, my usual one is 4 characters, in case anyone wants to know. And all caps. I could get screwed, and bad.............

(\__/) HHAHAHAHAHAH!
(O.o ) / WORLD DOMINATION!!!!!!!!!!
(> < )
General Jackson
User Banned
Posted: 2nd Apr 2010 04:36
I have 10.
So if someone wants to hack my PW...they're free to try

Phaelax
DBPro Master
22
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 2nd Apr 2010 06:43
So the author thinks he can hack a 4 character password in under 2 seconds? Umm no sorry. Maybe if he used some kind of software, but in that case the times for the bigger passwords are way too long.


"Any sufficiently advanced technology is indistinguishable from magic" ~ Arthur C. Clarke
Dragon Knight
18
Years of Service
User Offline
Joined: 10th Jan 2007
Location: Newcastle
Posted: 2nd Apr 2010 07:28 Edited at: 2nd Apr 2010 07:28
If someone really wanted to hack your account they wouldn't use a Brute force method.

For example Hotmail, all you need is to know them personally enough to get past their relatively easy questions and bang you're in their account with a new password.

A key logger could also be used to record every key press, and what website it was on and so on.

Time taken for your machine to be hacked: 1 second - Never depending on how smart you really are .

I personally think it's pretty pathetic to go through all that trouble to get into someone's emails..

Gil Galvanti
20
Years of Service
User Offline
Joined: 22nd Dec 2004
Location: Texas, United States
Posted: 2nd Apr 2010 07:57
Quote: "I personally think it's pretty pathetic to go through all that trouble to get into someone's emails.."

It's not about getting into someone's emails just to read them though. It's about getting into their emails which you could have credit card or other important info sent to that you could then have access to. Most hackers don't just hack email out of curiosity to see what you sent your friend .


JoelJ
21
Years of Service
User Offline
Joined: 8th Sep 2003
Location: UTAH
Posted: 2nd Apr 2010 08:16 Edited at: 2nd Apr 2010 08:18
Quote: "So the author thinks he can hack a 4 character password in under 2 seconds? Umm no sorry. Maybe if he used some kind of software, but in that case the times for the bigger passwords are way too long."

He's talking about brute force with a typical computer and good software. And no, they're not too high. They're calculated averages. Have you ever done a permutation problem with your computer? It's fast enough for the first ... 50 iterations. After that, you're going to be there for a very very long time. That's what makes the Traveling Salesman problem impossible to compute in your lifetime with modern technology.

Quote: "If someone really wanted to hack your account they wouldn't use a Brute force method."

Did you read the article? It was written by a hacker explaining what he would do to get the average Joe's password. And that would be to use a brute force method using common dictionary words. From what he says, it's actually pretty effective. The point of the article is, if you have a good strong password, you're pretty much immune to that method of attack.

Quote: "It's about getting into their emails which you could have credit card or other important info sent to that you could then have access to. "

Not even so much that. But if he can guess the password to an account that has weaker security (say, a forum or email), chances are your bank account uses the same, or similar, password. Then from there it's just mouse clicking to get what he wants.

Your mother has been erased by a mod because it's larger than 600x120
lazerus
17
Years of Service
User Offline
Joined: 30th Apr 2008
Location:
Posted: 2nd Apr 2010 12:52
Quote: "For example Hotmail, all you need is to know them personally enough to get past their relatively easy questions and bang you're in their account with a new password. "


You just reminded me of the hack on my dad's account through Live. That was done overnight in about 8 hours with a 10 character password. It was only lower case, so maybe he's not a great haxor?

TheComet
17
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 2nd Apr 2010 16:02
Quote: "I have 10.
So if someone wants to hack my PW...they're free to try"


Professional password hackers usually try every simple word in the dictionary, then move on to more complex words. If that doesn't work, they combine it with numbers and symbols, and if that doesn't work, they try it with brute force.

So if you have a word in your password that exists in the dictionary, it's going to take shorter than what it says in the table.


@all

Luckily LINUX has a much safer system than windows. It always waits 5 seconds after typing in the password before it returns a "whoops, wrong password, please try again" message. With windows on the other hand you can test hundreds of passwords per second.

TheComet

kaedroho
17
Years of Service
User Offline
Joined: 21st Aug 2007
Location: Oxford,UK
Posted: 2nd Apr 2010 16:11 Edited at: 2nd Apr 2010 16:19
That is probably a very old table. I've done a little bit of password cracking and here's a more up to date table using every type of character (uppercase, lowercase, numbers and symbols).

A 5 character password takes about 2 minutes.
6 characters is about 3 hours.
7 characters is about 5 days.
8 characters is about 1 year.

Those are about the max amount of time it will take. How long it takes depends on which characters you use. If you use AAAAA then it will be very quick even if it was 20 As, but if you use high letters then the cracking program will have to check every possibility up to those letters. Just make sure that your password never ends with a, b, c, d, e, or f, and you should be fine.

Insert Name Here
18
Years of Service
User Offline
Joined: 20th Mar 2007
Location: Worcester, England
Posted: 2nd Apr 2010 16:19
According to the above info, my password is probably the safest in the world

[center]You can get further with a smile and a gun than you can with just a smile.
David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 2nd Apr 2010 16:32 Edited at: 2nd Apr 2010 16:37
Quote: "Luckily LINUX has a much safer system than windows. It always waits 5 seconds after typing in the password before it returns a "whoops, wrong password, please try again" message. With windows on the other hand you can test hundreds of passwords per second."


NT does the same thing every ~4 passwords but with about a 20 second delay instead

Quote: "So the author thinks he can hack a 4 character password in under 2 seconds? Umm no sorry. Maybe if he used some kind of software, but in that case the times for the bigger passwords are way too long."


Permutations are based on factorials (if you calculate them). So they increase exponentially.

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
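
The delays TheComet and David R describe (5 seconds per wrong guess on Linux, ~20 seconds every few guesses on NT) are a throttle on the login path. The following is an added example, not code from this thread or from either operating system, showing how a per-account exponential backoff bounds the number of guesses an online attacker can actually get evaluated. The 5-second base delay, the hour cap, and the replayed attempt timeline are all my assumptions, constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account exponential backoff: each failure doubles the wait before the
    next attempt on that account is even evaluated. Parameters are assumptions."""
    base_delay: float = 5.0      # seconds after the first failure (the delay TheComet reports)
    max_delay: float = 3600.0    # cap so a long attack cannot lock the real owner out forever
    state: dict = field(default_factory=dict)  # account -> (failure_count, not_before)

    def allowed(self, account: str, now: float) -> bool:
        _, not_before = self.state.get(account, (0, 0.0))
        return now >= not_before

    def record(self, account: str, now: float, success: bool) -> None:
        if success:
            self.state.pop(account, None)       # a good login clears the backoff
            return
        count, _ = self.state.get(account, (0, 0.0))
        count += 1
        wait = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.state[account] = (count, now + wait)


def replay(events, throttle):
    """Run (time, account, password_ok) events through the throttle.

    Returns {account: {"evaluated": n, "throttled": m}}. Only evaluated attempts
    reach the password check, so that number is what bounds the guess rate.
    """
    summary = {}
    for t, account, ok in sorted(events):
        s = summary.setdefault(account, {"evaluated": 0, "throttled": 0})
        if not throttle.allowed(account, t):
            s["throttled"] += 1
            continue
        s["evaluated"] += 1
        throttle.record(account, t, ok)
    return summary


def demo():
    # Constructed sample timeline: one wrong guess per second against "bob" for
    # a minute, plus a legitimate user "alice" who mistypes once and then gets in.
    events = [(float(t), "bob", False) for t in range(60)]
    events += [(3.0, "alice", False), (9.0, "alice", True)]
    return replay(events, LoginThrottle())


if __name__ == "__main__":
    for account, counts in demo().items():
        print(account, counts)
```

With the 5-second base and doubling, only the guesses at t=0, 5, 15 and 35 seconds get evaluated; the other 56 are rejected before the password is ever checked, while alice's second attempt at t=9 is accepted. Throttling per account like this slows online guessing but does not stop an attacker who spreads guesses across many accounts or who has an offline copy of the hashes, which is why BatVink's 1-second-per-check figure only applies to the online case.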
BatVink
Moderator
22
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 2nd Apr 2010 22:53 Edited at: 2nd Apr 2010 22:57
It states:

Quote: "here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters."


So it takes 8.5 days to generate all the password combinations (their calculation is based on about 0.00001 seconds per password). For any web based system. The article is talking about hacking websites, so let's be fantastically generous and say it takes 1 second per check to get the response. That will take over 250 years to perform the check on a 6 letter password, not 8.5 days. Of course, they also need to match this to a user name or email address, so it's specific to an individual account, not just any account on the server.

However on the flipside of this argument, there are so many rules to make passwords less susceptible that they actually become easier. For example, if they insist you have at least one digit, it reduces the factor of one of the characters to 10 rather than 60+. Insisting on a capital letter reduces the factor of one of the positions to 26, and so on. Most rules simplify the hacking process!

David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 3rd Apr 2010 00:38
Quote: "For example, if they insist you have at least one digit, it reduces the factor of one of the characters to 10 rather than 60+. Insisting on a capital letter reduces the factor of one of the positions to 26, and so on. Most rules simplify the hacking process!"


Not really - because you don't know which of the characters will have this property. You'd have to check numbers, symbols and both cases for every character.

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
JoelJ
21
Years of Service
User Offline
Joined: 8th Sep 2003
Location: UTAH
Posted: 3rd Apr 2010 01:19
Quote: "For example, if they insist you have at least one digit, it reduces the factor of one of the characters to 10 "

Except, it adds 10 possibilities to every other character. Thus, 10 more tries for each character position.

What drives me nuts is when sites REQUIRE you to have a recovery question... No one is going to guess my password, however, ANYONE could look up my mother's maiden name. Or what high school I went to. etc.

Your mother has been erased by a mod because it's larger than 600x120
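
The keyspace arithmetic behind this exchange (JoelJ's 6 vs 8 vs 14 character comparison, BatVink's 0.00001 s offline versus 1 s online guess rates, and the disagreement about whether a "must contain a digit" rule shrinks the search) can be worked through directly. This is an added example, not code from the thread or the article it discusses; the character-class sizes (26/26/10/33 for printable ASCII) are my assumptions, and the two guess rates are the ones BatVink quotes.

```python
# Character-class sizes for printable, non-space ASCII: assumed values, not from the thread.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 95

# Guess rates from BatVink's post: offline at 0.00001 s per guess,
# online at a (generous) 1 s per round trip to the web server.
OFFLINE_SECONDS_PER_GUESS = 0.00001
ONLINE_SECONDS_PER_GUESS = 1.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def keyspace_at_least_one_digit(length: int) -> int:
    """Passwords over the full 95-character set that contain at least one digit.

    Count every password, then subtract those with no digit at all (inclusion-
    exclusion). This is what an attacker must still cover when a site requires a
    digit: the rule removes the digit-free passwords but does not pin the digit
    to any one position, so the space is far larger than 10 * 95**(length-1).
    """
    return FULL ** length - (FULL - DIGITS) ** length


def seconds_to_exhaust(space: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return space * seconds_per_guess


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.1f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:,.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.1f} seconds"


def table(lengths=(4, 6, 8, 14)):
    """Rows of (length, alphabet name, keyspace, offline time, online time)."""
    rows = []
    for n in lengths:
        for name, size in (("lowercase", LOWER), ("alnum", LOWER + UPPER + DIGITS), ("full", FULL)):
            space = keyspace(size, n)
            rows.append((n, name, space,
                         human(seconds_to_exhaust(space, OFFLINE_SECONDS_PER_GUESS)),
                         human(seconds_to_exhaust(space, ONLINE_SECONDS_PER_GUESS))))
    return rows


if __name__ == "__main__":
    for n, name, space, offline, online in table():
        print(f"{n:2d} chars {name:9s} {space:>28,d}  offline {offline:>14s}  online {online:>16s}")
    for n in (6, 8):
        with_digit = keyspace_at_least_one_digit(n)
        print(f"{n} chars, >=1 digit: {with_digit:,d} of {keyspace(FULL, n):,d} "
              f"({with_digit / keyspace(FULL, n):.0%} of the unconstrained space)")
```

Two things the output makes concrete: the jump from 8 to 14 characters is a factor of 95**6 (about 7e11) at the full alphabet, which is the "unbelievable" gap JoelJ mentions, and a mandatory digit leaves roughly 59% of the 8-character space intact rather than collapsing one position to 10, which is David R's and JoelJ's point. The composition rule does cut the space, just not nearly as much as BatVink's per-position reading suggests.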
bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 3rd Apr 2010 01:27
Quote: "What drives me nuts is when sites REQUIRE you to have a recovery question... No one is going to guess my password, however, ANYONE could lookup my mother's maiden name. Or what highschool I went to. etc."


Enter a different password there, keeping in mind that your recovery question is likely not encrypted.
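
Since the worry here is that a site keeps the recovery answer in the clear, this is an added example (mine, not from the thread or any real site) of how a service should store and check such an answer: normalize it so harmless variations in case and punctuation still match, then hash it with a salted, memory-hard KDF and compare in constant time. The scrypt parameters are assumptions to tune for real hardware.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer: str) -> str:
    """Canonicalize a recovery answer so 'Smith', ' smith ' and 'SMITH.' compare equal.
    Case, whitespace and punctuation carry no secret, so folding them costs no entropy."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def store_answer(answer: str) -> dict:
    """Hash the normalized answer with a random per-record salt using scrypt.
    n/r/p are assumed values (16 MiB of memory per check at these settings)."""
    salt = os.urandom(16)
    params = {"n": 2 ** 14, "r": 8, "p": 1}
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, dklen=32, **params)
    return {"salt": salt.hex(), "hash": digest.hex(), **params}


def verify_answer(candidate: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(normalize(candidate).encode(), salt=salt, dklen=32,
                            n=record["n"], r=record["r"], p=record["p"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = store_answer("Smith")          # constructed sample answer
    print(verify_answer(" smith ", rec))  # True
    print(verify_answer("Jones", rec))    # False
```

Hashing raises the per-guess cost but does not add entropy: a maiden name or school is still a short list of candidates, so the slow hash only helps when combined with the login throttling discussed earlier. That is why bitJericho's advice stands: the answer you type into the recovery field should itself be an unguessable string, treated as a second password.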

JoelJ
21
Years of Service
User Offline
Joined: 8th Sep 2003
Location: UTAH
Posted: 3rd Apr 2010 02:24
Quote: "Enter a different password there, keeping in mind that your recovery question is likely not encrypted."

Heh, that's what I do

Your mother has been erased by a mod because it's larger than 600x120
ionstream
20
Years of Service
User Offline
Joined: 4th Jul 2004
Location: Overweb
Posted: 3rd Apr 2010 04:05
I really hate recovery questions. Barring some brain injury, I will never forget my passwords. I like when they let me pick my own question, because then I just enter a really cryptic clue that only I will understand.

Jeku
Moderator
21
Years of Service
User Offline
Joined: 4th Jul 2003
Location: Vancouver, British Columbia, Canada
Posted: 5th Apr 2010 23:04
I have a pretty good way of generating a password in my head, different for every site (almost). The pattern is based on movement of my hand, and I originate it from the first letter of the site. It uses numbers and letters, and is pretty strong. I guess if someone knew my movement pattern they could guess it, but it foils all those brute force methods because they don't go by key distance.


Senior Web Developer - Nokia
Cetobasilius
15
Years of Service
User Offline
Joined: 29th Dec 2009
Location: Mexico
Posted: 6th Apr 2010 01:29 Edited at: 6th Apr 2010 01:29
it says clearly... using brute force. there are a lot of ways of getting a password faster, like phishing or a keylogger... or a trojan... you name it

hi
Uncle Sam
19
Years of Service
User Offline
Joined: 23rd Jul 2005
Location: West Coast, USA
Posted: 6th Apr 2010 01:50 Edited at: 6th Apr 2010 01:51
I have 18 characters for my Windows login.

EDIT: one way to learn something, like memorize a long quote or paragraph, would be to make it your password. If you don't know it, you don't get in.

Darth Vader
20
Years of Service
User Offline
Joined: 10th May 2005
Location: Adelaide SA, I am the only DB user here!
Posted: 6th Apr 2010 03:46
I have different passwords for different logins but usually they're only 8 characters long... Maybe it's now time for me to get a really strong couple of passwords and use them.

SunnyKatt
18
Years of Service
User Offline
Joined: 16th Sep 2006
Location: USA
Posted: 7th Apr 2010 12:57
Good Article. I'm also password-paranoid - I use a different one for every site, and I randomly generate them out of 10-20 character strings, including underscores and odd characters.

Join Nation Of Design - A large volunteer graphic making team!

Shaun Of The Dead
16
Years of Service
User Offline
Joined: 28th Jan 2009
Location: Wouldnt you like to know :P
Posted: 7th Apr 2010 14:16 Edited at: 7th Apr 2010 14:21
I use the same password, but with 3 variants with extras on the end for more important sites. I use it for school, forums, emails, PayPal, Steam etc...

My pc's password is 19 characters long, and my base password without a variant is 10 characters long

I'm not sure why someone would choose to wait 4 years to hack a password though. Either very determined, or just a freak

Your signature has been erased by a mod - Neither clever nor funny.
