How good is your password?

[Leif]

Password.jpeg

    
(From https://www.hivesystems.io/blog/are-you ... -the-green)

To give you an idea how much hackers have improved their techniques, in 2022 the most complex 8-character password took 39 minutes - this year it is rated as 5 minutes...

[StuartR]

GkM#L@DcNFd$p!UWrs6$iToX

[ChrisGreaves]

Password.jpeg

Assuredly, if the hackers have unlimited access to my login screens.
But isn't this why the bank et al. Allow only three attempts and then lock you out for ten minutes?
(I optimistically beleive that after three lockouts in thirty minutes, some technician's pager beeps ... )

Too, I suppose that Brute Force means computing resources, so whether determining my password is parsed out amongst all computers on the UniHackers system ("Instant") or not, the hackers still have a limited (but phenomenal) computing resource at their disposal.

To that end, I would gain more Information from a table that told me how long would be taken to hack the passwords of, say, all customers who make use of online banking of the Canada-wide Bank of MOntreal, than me alone. The number of online customers of Newfoundland Power must be significantly less than the number from BMO, so my perceived risk (NL Power) is greater than my perceived risk (BMO), but there again, NL Power does not have any of my money in their cash-boxes, since I pay my bills to the cent at the start of each month.

Which means, since I examine my NL Power account but once a month, but my BMO account several nail-biting times a month peaking as pension-day arrives, I am more likely to spot errant behaviour in the BMO account than in NL Power.

@Stuart: I bet not a single hacker knows the name of the teacher who accompanied us on the public double-decker to and from Sunnybank school in Burnley 1952-56.

Cheers, Chris

[StuartR]

MANY security breaches end up with the hackers gaining access to encrypted password details of thousands of users. These brute force techniques are used to extract the unencrypted passwords so they can be used. So can you guarantee that your encrypted password will never be breached on the bank's (or any other) web site?

[Leif]

A quick question in the hope that someone has a quick answer -

If someone has (e.g.) an 8-character password and simply repeats it so that it becomes a 16-character password, would that infer that it would take 5bn years to crack instead of 5 minutes?

[StuartR]

No, the newer password cracking algorithms know about all these tricks

[StuartR]

I suspect that the figures in that chart are for passwords made up of random strings, not dictionary words, and not common repeating patterns. If your password is ABC12345678910 it will take seconds to crack

[Leif]

Thanks Stuart!

[StuartR]

I have also noticed that passwords made of one or two words are cracked very fast. Even if you replace a with @, e with 3, o with 0, and other common substitutions. And even if you add a couple of extra digits and a ! to the end

[ChrisGreaves]

I have also noticed that passwords made of one or two words are cracked very fast. Even if you replace a with @, e with 3, o with 0, and other common substitutions. And even if you add a couple of extra digits and a ! to the end

I imagine this to be because personal names (self, family etc.) make up a disproportionate percentage of all passwords, whereas random strings of characters make up a much larger percentage of all possible strings.

From the hacker's point of view, cracking facsimiles of combinations of names is a much smaller population than the population of all possible strings of the same length.

Cheers, 2b63(^4wohl of the planet 2r;/qvpnl35ssa15quvjvp

[BobH]

I use a pw generator that makes 12 character values that include numbers, symbols and upper and lower case letters. It can generate even longer ones, but I found that 12 characters was about as many as I wanted to have to type. It's reassuring to know that it would take 226 years to hack them; however, if computers get faster won't that time shrink?

[Leif]

...if computers get faster won't that time shrink?

As per my first post, a factor of 8 between this tear and last...

[ChrisGreaves]

What on earth did we do before we had online passwords?
Before computers were involved, even before unit-record equipment (yes IBM-407, we're talking about you) to deposit or withdraw money i went to my local bank, filled out a form, stood in line, and when my turn came the bank teller asked me how my sister was faring after her emergency appendix operation.

My father opened my chequing account in Perth when I started at university.

Years later when my wife and I moved from Newcastle NSW to Adelaide SA, we had with us a letter from the bank manager in Newcastle that said we were good people to have on board.
We were known personally to every local member of staff OR we carried a letter signed by a bank manager on bank letterhead. This is before laser printer days, of course.

We have passwords today because we have yielded personal contact for the convenience of world-wide cash withdrawals, and with the same piece of plastic, car and room rentals wherever we choose to go.

Does anyone still use Travelers Cheques?

Cheers, Chris

[Ted Myers]

A very interesting thread, but no one has posted where they test their passwords. I use https://www.security.org/how-secure-is-my-password/

[silverback]

If we're to believe what we read, the advent of quantum computers is going to be the end of security - as long as the hackers have a quantum computer.
Silverback

[HansV]

Use MFA (multi-factor authentication) whenever possible.

[RonH]

Does anyone still use Travelers Cheques?
Cheers, Chris

Have they introduced yet more 'cheques on travellers' ... I was hoping the days of mountains of paperwork were over

[stuck]

Use MFA (multi-factor authentication) whenever possible.

Yeh but... bad guys with a quantum computer will be able to find some way to exploit quantum entanglement and thus spoof the second factor

Ken

[StuartR]

A very interesting thread, but no one has posted where they test their passwords. I use https://www.security.org/how-secure-is-my-password/

You should never put a real password on one of these sites

[PJ_in_FL]

Use MFA (multi-factor authentication) whenever possible.

Yeh but... bad guys with a quantum computer will be able to find some way to exploit quantum entanglement and thus spoof the second factor

Ken

And when past time viewing a.k.a "The Light of Other Days" by A. C. Clarke, becomes a reality, the bad guys will just watch as you type.