How long should a password be?

post #1 of 14
Thread Starter 
After stumbling upon an app that's called BarsWF I have become paranoid. After seeing that my modest machine (CPU @ 4.9 GHz, GPU @ 850 MHz) could check 2.2 billion hashes a second, I knew that password cracking is very trivial now. It brute forced the MD5 of the password I use on OCN in less than the amount of time it took me to write this post. Now I am a little paranoid; I have changed all my passwords to be at least 20 characters long. I'm still trying to figure out some way to make it longer and still remember it. I remember people saying it would take years to brute force. I guess nothing is safe now. I wonder how fast a dual GTX 590 system could do this. How about a cluster of these? For less than $10,000 I can have a setup pumping out over 18 billion checks per second. I guess nothing is truly safe with MD5. Hopefully SHA-256 is harder, and is more used today.
post #2 of 14
It's not about the length of a password, it's about using non-conventional characters and combinations so as to avoid brute force or dictionary hacks.

A 20 letter word is much, much, much easier to guess for a brute forcer than a 20 character length combination of special chars.
post #3 of 14
Thread Starter 
Quote:
Originally Posted by GoTMaXPoWeR
It's not about the length of a password, it's about using non-conventional characters and combinations so as to avoid brute force or dictionary hacks.
I think length is more important than using special characters. When you look at the math, an extra character increases the time that is needed to brute force more than adding special characters.

Think about it: there are 47 * 2 + 1 characters on a keyboard that are easy to enter. That's 95 commonly used characters.

For a 1 character password there are 95 characters. With each extra character it's another level of complexity. The complexity is 95^x where x is the number of characters. An character password has 6,634,204,312,890,625 possibilities and would take my system about 35 days. Add another character and you go up to 630,249,409,724,609,375 and that would take my system over 9 years. But my system is a toy compared to what can be made with proper amounts of funding. The cluster I described would do it in one year. So a 20 character password using only what can be easily entered on a standard keyboard has 3.5848592240854223435741044044495e+39 possibilities. Length > complexity any day.
Edited by donkru - 3/28/11 at 5:29pm
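The arithmetic in post #3, as an added example that is not part of the original thread: it reproduces the 95^x figures and the timings at the 2.2 billion and 18 billion hashes-per-second rates quoted in post #1, then compares extra length against a larger character set. The function names and the 26- and 62-character alphabets are assumptions of this example, and the results only apply to passwords chosen uniformly at random.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
DESKTOP = 2.2e9  # hashes/s, the single-machine rate quoted in post #1
CLUSTER = 18e9   # hashes/s, the cluster rate quoted in post #1


def keyspace(charset_size, length):
    """Exact number of passwords of exactly `length` characters."""
    return charset_size ** length


def exhaust_seconds(charset_size, length, rate):
    """Worst-case seconds to try every password of that length at `rate`/s."""
    return keyspace(charset_size, length) / rate


def min_length(charset_size, rate, years):
    """Shortest length whose full keyspace outlasts `years` at `rate`/s."""
    target = rate * years * SECONDS_PER_YEAR
    length = 1
    while keyspace(charset_size, length) < target:
        length += 1
    return length


def equivalent_length(small_charset, big_charset, big_length):
    """Length a smaller alphabet needs to match big_charset ** big_length."""
    goal = keyspace(big_charset, big_length)
    length = 1
    while keyspace(small_charset, length) < goal:
        length += 1
    return length


if __name__ == "__main__":
    for n in (8, 9, 10, 12, 20):
        days = exhaust_seconds(95, n, DESKTOP) / SECONDS_PER_DAY
        years = exhaust_seconds(95, n, CLUSTER) / SECONDS_PER_YEAR
        print(f"95^{n:<2} = {keyspace(95, n):.4e}  "
              f"{days:12.4g} days at 2.2e9/s  {years:12.4g} years at 18e9/s")
    # Length vs. character set: what a smaller alphabet needs to equal 95^8.
    print("lowercase only (26):", equivalent_length(26, 95, 8), "chars")
    print("letters+digits (62):", equivalent_length(62, 95, 8), "chars")
    print("95 chars, 1000 years vs cluster:", min_length(95, CLUSTER, 1000))
```

The two figures in the post correspond to lengths 8 and 9, and a single extra letter or digit on a 62-character alphabet already covers more ground than switching an 8-character password to all 95 characters.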
post #4 of 14
Perfect Passwords

I use this when I need a secure password; depending on the length and characters the service you're creating the password for will accept, I just copy a random string from there.
post #5 of 14
I don't use passwords.
post #6 of 14
The most important thing is to not use words/names/etc. in your password. That's because most attacks do something like:

Dictionary
Dictionary with rules
Brute force

Dictionary will use every word imaginable as the password. Dictionary with rules will use every word imaginable with rules, like replacing certain letters with numbers or symbols or appending additional characters. If after doing all of that it can't find it, then it will brute force it. Once it begins brute force it starts checking every possible combination of characters, and this can take a while. The longer the password, the longer it will take on average to find.

Use a random sequence of letters (lowercase and caps), numbers and symbols. If you are paranoid, use 15+ characters. I don't use quite that many, but I'm not that paranoid.
post #7 of 14
How did it brute force your OCN password, given that it would have to check whether or not it is correct, and it cannot do so at such a rate?
post #8 of 14
Thread Starter 
Quote:
Originally Posted by Xazen
The most important thing is to not use words/names/etc. in your password. That's because most attacks do something like:

Dictionary
Dictionary with rules
Brute force

Dictionary will use every word imaginable as the password. Dictionary with rules will use every word imaginable with rules, like replacing certain letters with numbers or symbols or appending additional characters. If after doing all of that it can't find it, then it will brute force it. Once it begins brute force it starts checking every possible combination of characters, and this can take a while. The longer the password, the longer it will take on average to find.

Use a random sequence of letters (lowercase and caps), numbers and symbols. If you are paranoid, use 15+ characters. I don't use quite that many, but I'm not that paranoid.
With my most recent change of password I have resorted to using a pattern instead of words. I find that it is easier to remember a pattern that starts on, say, capital H than to remember a long set of random characters. It sucks when I have to input a pattern on a non-standard keyboard; it takes me ages.
post #9 of 14
Thread Starter 
Quote:
Originally Posted by cdolphin
How did it brute force your OCN password, given that it would have to check whether or not it is correct, and it cannot do so at such a rate?
I meant that I hashed my password and brute forced that: the password I used to use on OCN. I didn't actually attack OCN. I'm sure OCN uses salt to make the password more complex, but if you are like many people who use the same password everywhere and they find one unsalted password, then you are screwed. Also, I just noticed that EVGA passes passwords in plain text and also seems to store them in plain text, so be careful there.
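The salt point from post #9, as an added example that is not from the thread or from any site it names: unsalted MD5 gives every account with the same password the same hash, while a per-user salt with a deliberately slow key-derivation function does not. PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to hardware


def md5_unsalted(password):
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash; returns a self-describing record string."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "password"  # constructed sample reused on two sites
    # Unsalted: both sites store the same value, so one cracked hash
    # (or one lookup table) covers every account using this password.
    print("site A md5:", md5_unsalted(pw))
    print("site B md5:", md5_unsalted(pw))
    # Salted and slow: records differ, and every guess costs ITERATIONS
    # HMAC computations per account instead of a single MD5.
    print("site A kdf:", hash_password(pw))
    print("site B kdf:", hash_password(pw))
```

A salt does not make a weak password strong; it removes the shared-hash shortcut, and the iteration count lowers the guess rate that the thread's timing estimates depend on.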
post #10 of 14
I know people that make a usual password, but every letter is off by one key on the keyboard. For example:

password123

becomes:
[sddeptf234

It's easy to remember, and it's more secure.
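A password-policy check for the scheme in post #10, as an added example that is not part of the original thread: it undoes a constant keyboard shift and looks the result up in a deny-list, which is the kind of "dictionary with rules" transformation post #6 describes. The US QWERTY layout, the function names and the small deny-list are constructed for this example.

```python
# Unshifted US QWERTY rows, left to right (assumed layout).
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# Constructed sample deny-list; a real policy would load a large one.
COMMON = {"password123", "letmein", "qwerty", "dragon"}


def shift_map(offset):
    """Map each key to the key `offset` positions along its row."""
    table = {}
    for row in ROWS:
        for i, ch in enumerate(row):
            j = i + offset
            if 0 <= j < len(row):
                table[ch] = row[j]
    return table


def unshift(candidate, offset):
    """Undo a shift of `offset` keys; None if any key falls off its row."""
    table = shift_map(-offset)
    out = []
    for ch in candidate.lower():
        if ch not in table:
            return None
        out.append(table[ch])
    return "".join(out)


def weak_by_keyboard_shift(candidate, max_offset=2):
    """Return (base_word, offset) if candidate is a deny-listed word typed
    a constant number of keys to the left or right, else None."""
    for offset in range(-max_offset, max_offset + 1):
        base = candidate.lower() if offset == 0 else unshift(candidate, offset)
        if base in COMMON:
            return base, offset
    return None


if __name__ == "__main__":
    for pw in ("[sddeptf234", ";ry,rom", "password123", "T7#kq!Zp2w"):
        print(f"{pw!r:16} -> {weak_by_keyboard_shift(pw)}")
```

The shifted string from the post maps straight back to its base word with one table lookup per character, so a policy check with a deny-list catches it as easily as the original.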