Overclock.net › Forums › Industry News › Technology and Science News › [Ars] Why passwords have never been weaker—and crackers have never been stronger

[Ars] Why passwords have never been weaker—and crackers have never been stronger - Page 5

post #41 of 49
Quote:
Originally Posted by ./Cy4n1d3\.

You know last pass is free, right? Unless you run it on your mobile devices.
But I use it for Chrome on my desktop computer, USB Portable Apps version, and on my laptop. Once I get me a smartphone I will be purchasing a subscription too. I also use xmarks to keep my bookmarks synchronized. Honestly, I don't know the password to anything but my lastpass account. I am helpless without it.
I know it's free, but premium gives better security.
post #42 of 49
Quote:
Originally Posted by ./Cy4n1d3\.

You know last pass is free, right? Unless you run it on your mobile devices.
But I use it for Chrome on my desktop computer, USB Portable Apps version, and on my laptop. Once I get me a smartphone I will be purchasing a subscription too. I also use xmarks to keep my bookmarks synchronized. Honestly, I don't know the password to anything but my lastpass account. I am helpless without it.

I did the random password generating. I then made a .txt file of my passwords...in a truecrypt container. I just wanted a "just in case".
post #43 of 49
Yubikeys are pretty neat, otherwise fairly complex passwords work too. Would have to look at last pass though.
post #44 of 49
I don't have anything important to protect on the internet
post #45 of 49
If someone really wants your info, it's gone, depending on how much it's worth. You can have 1024 character bit encrypted password, and it can be defeated by an efficient silent key logger. Sensitive data is kept off the net, simple as that. Intranet or nothing.

Case in point: Stuxnet. I am sure Iran's facilities had much more sophisticated than a normal user would ever use.
post #46 of 49
Quote:
Originally Posted by Shrimpykins

Quote:
Originally Posted by RiverOfIce

Using word phrase passwords is not really all that secure. Here is why. If I assume that you are using only English words and you spelled them correctly, I can crack that password in a few minutes.
Take the maximum number of characters allowed by the account. Take the minimum number of characters allowed by the account. For example, it can not be longer than 16 characters, or shorter than 6. Now you can take the common English dictionary and combine each word that is shorter than 16 characters. You now have limited the possible words to less than 80,000 possible choices. Take all the words shorter than 6 characters and combine them with words under 16 characters; you have less than 100,000,000 combos. I am rounding it here; it can not be less than 171,000 words nor more than 120 million combos.
If you take the fact that you have limited the number of possible words and word orders to less than 100,000,000 combos, your password is broken in less than 10000 seconds. Which means that you have a password that is crackable in less than 27 days. Remove all uncommon words, remove all words whose combo does not equal more than 16 and less than 6, and you can crack it in less than 12 seconds.
Sorry, it is just not very secure.
The best way to make up passwords is to use a poem.
A Cliff Dwelling- Robert Frost
There sandy seems the golden sky
And golden seems the sandy plain.
No habitation meets the eye
Unless in the horizon rim,
Some halfway up the limestone wall,
That spot of black is not a stain
Or shadow, but a cavern hole,
Where someone used to climb and crawl
To rest from his besetting fears.
I see the callus on his soul
The disappearing last of him
And of his race starvation slim,
Oh years ago - ten thousand years.
TsstgsAgstspNhmte- would take 9 thousand centuries
Anyone can remember a song, poem, or favorite quote. Remember it is very simple and very easy to remember.
Using common words is insanely easy to break with brute force and is trip over easy to crack for rainbow tables. If you use the poem above, unsalted hashed passwords would take decades to crack. Unsalted whole word phrases will go down in minutes.

Add in capitals, numbers, and symbols and it's not that easy.

My password above, "blueman21isarabbit@thebox" would take 30.20 billion trillion centuries to crack at one-hundred trillion guesses per second. 9k centuries is nothing next to that. Using just lowercase and uppercase letters is probably the worst thing you can do. Just because you are using pre-made words doesn't make the pass any easier to crack. The person doing the cracking would have to know this and on top of that would have to know the character count.

1. Actually, the single most important part of a password is its length because it increases your security exponentially.
A password containing ONLY 12 digits is 3x as hard to crack as a 6 length "sophisticated" password.

12 digits = 1,000,000,000,000 guesses.
6 UPPER CASE, lower case, digit or symbols = 304,006,671,424 guesses

2. The second most important aspect is randomness.
Even if your password is reasonably long, if it uses keyboard patterns, dictionary words, or is a common password... it can be cracked almost instantly.

3. The third most important part is securing the key.
If you store your key in a text file, on a post-it note, or anywhere unprotected for that matter... cracked instantly.

4. I would say the 4th most important thing is symbol count as it only increases security additionally.

G = S ^ L
G = number of guesses
S = symbol count
L = length
Quote:
Originally Posted by Phil~

If someone really wants your info, it's gone, depending on how much it's worth. You can have 1024 character bit encrypted password, and it can be defeated by an efficient silent key logger. Sensitive data is kept off the net, simple as that. Intranet or nothing.

Case in point: Stuxnet. I am sure Iran's facilities had much more sophisticated than a normal user would ever use.

Agreed but top secret security is a MUCH different world than low level user security.
Edited by kennyparker1337 - 8/23/12 at 7:33pm
post #47 of 49
Quote:
Search Space Depth (Alphabet): 26+10+33 = 69
Search Space Length (Characters): 14 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 56,263,591,126,494,879,335,720,610
Search Space Size (as a power of 10): 5.63 x 10^25

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:
(Assuming one thousand guesses per second) 17.89 trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.79 hundred thousand centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.79 hundred centuries

is this good?
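The arithmetic behind post #46's "G = S ^ L" and the GRC search-space figures quoted in post #47, as an added example (not code from the thread or from GRC's calculator). It assumes 365.25-day years for a century and an 82-symbol alphabet for post #46's six-character case, which reproduces that post's 304,006,671,424; only the last digits of the century estimates differ from the quoted GRC output.

```python
"""Password search-space arithmetic from the thread (G = S ** L).
Added example; century length and the 82-symbol alphabet are assumptions."""

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60  # assumption: Julian years

# Guess rates quoted in the thread (guesses per second).
RATES = {
    "online (1,000/s)": 10**3,
    "offline fast (100 billion/s)": 10**11,
    "massive array (100 trillion/s)": 10**14,
    "NTLM rate from post #48 (143.8 billion/s)": 143_800_000_000,
}


def guesses(symbols: int, length: int) -> int:
    """G = S ** L: passwords of exactly `length` characters over `symbols`."""
    return symbols ** length


def search_space(symbols: int, max_length: int) -> int:
    """All passwords from length 1 up to max_length, which is what the
    quoted GRC 'Exact Search Space Size' counts."""
    return sum(symbols ** n for n in range(1, max_length + 1))


def centuries_to_exhaust(space: int, rate: int) -> float:
    """Worst case: every candidate in `space` is tried at `rate` guesses/s."""
    return space / rate / SECONDS_PER_CENTURY


def compare_length_vs_alphabet() -> tuple:
    """Post #46's comparison: 12 digits (S=10) versus 6 mixed characters.
    S=82 is our assumption; it reproduces the post's 304,006,671,424."""
    digits_only = guesses(10, 12)
    six_mixed = guesses(82, 6)
    return digits_only, six_mixed, digits_only / six_mixed


if __name__ == "__main__":
    # 26 lowercase + 10 digits + 33 symbols, up to 14 characters (post #47).
    space = search_space(69, 14)
    print(f"search space: {space:,}")
    for name, rate in RATES.items():
        print(f"{name:>42}: {centuries_to_exhaust(space, rate):.3g} centuries")
    d, m, ratio = compare_length_vs_alphabet()
    print(f"12 digits: {d:,}  vs  6 of 82 symbols: {m:,}  ({ratio:.2f}x)")
```

Note that the "centuries" figures assume the stored hash is as fast to test as the thread's NTLM/MD5 rates; a slow, salted hash lowers the rate and lengthens every estimate proportionally.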
post #48 of 49
Quote:
Originally Posted by Bobotheklown


I really need to get better passwords

Remember there is more than one algo to store a pass as well; that HUGE number is NTLM ... and there are much better ways to get these anyway .. yay for FUD ...


        v2.0        v2.5
MD5     45B/sec     74.2B/sec
NTLM    70B/sec     143.8B/sec
MD4     75.2B/sec   149.8B/sec
SHA1    15.4B/sec   25.9B/sec


Most websites store in SHA-1 to SHA-256, so it's not as fast as people think.
post #49 of 49
Quote:
Originally Posted by Phil~

If someone really wants your info, it's gone, depending on how much it's worth. You can have 1024 character bit encrypted password, and it can be defeated by an efficient silent key logger. Sensitive data is kept off the net, simple as that. Intranet or nothing.
Case in point: Stuxnet. I am sure Iran's facilities had much more sophisticated than a normal user would ever use.

That's the beauty in LastPass + Yubikey. With the right configuration you're never typing anything in and you're more secure than you'd ever need. Someone close to you would have to target you, and LastPass would still keep you safe. I would urge anyone reading this thread to take a serious look if they're interested in implementing personal digital security.