Bob Loblaw, posted January 4, 2013:

I bring this up (obviously) based on the recent hackings. When looking at the passwords that were cracked, it appeared that the only ones that were cracked strictly used lower case letters and numbers (up to a length of, I believe, 11). That being said, just because your password wasn't cracked does NOT mean you shouldn't change it. If he has the password hash now and you don't change it, he can spend as long as he wants decrypting it, and will eventually get it. As for whether or not the hacker got passwords the second time around, it doesn't matter. He could have, and that's all that does. For that reason I recommend you change your passwords to be safe (again, if he has the hash, eventually, if he wanted to, he could decrypt it and gain access to your account if you didn't change it).

This isn't aimed to be a lecture, and you might absolutely not give a fuck at all, but I recommend you at least read/understand it. It's mostly intuitive, but it is informative and interesting (imo). Let me preface this by saying that this is aimed at cracking a password. S3pt1991 might be alright in an exhaustive password search, but if he knows my birthday is in September of 1991, it just got significantly worse. Keeping your password safe is still up to you; it doesn't much matter how strong your password is if you have a keylogger that just jots it down character for character.

Password Haystacks: How Well Hidden is Your Needle?

I'll sum up the key points:

Use 1 lower case letter, 1 upper case letter, 1 number, and 1 symbol. Take a 4 letter password (too short, but for example). If it is all lower case, there are 26 x 26 x 26 x 26 guesses to be GUARANTEED to have guessed the correct password, i.e. 456,976 guesses total. For a human this may seem satisfactory, but for a computer (or many computers) trying to crack your password, it is definitely not. If you add in upper case, numbers, and symbols to the possible characters of your password, that means it's 95 x 95 x 95 x 95 possible answers for your password, i.e. 81,450,625 possible passwords. But again, a 4-character-long password is not long enough.

At the end of the day, the hacker does not know what your password LOOKS LIKE. He does not know if he was close, he only knows if he was CORRECT.

Ex.
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

Which of these two passwords is more secure? In reality, D0g is a much stronger password. But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero? Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.

Password Padding. Take an easy to memorize password, and add some form of padding to it to make it much stronger. "password" might be the very first guess that is tried, but if your password is "-+P4ssw0rd[....]" then it goes from being the first guess to uncrackable (not really, but in comparison to "password" it might as well be). Once an exhaustive password search begins, the most important factor is password length!

And on a final note, a sentence is incredibly easy to remember, and incredibly hard to crack. "Th3n they ran through the store" There you have an uppercase, lowercase, number, and symbol (whitespaces are symbols). You likely wouldn't want a password this long, but just take it as an example. It's easy to memorize, and would take a VERY long time for a computer to crack your password. This refers back to "Once an exhaustive password search begins, the most important factor is password length!".

15
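The keyspace arithmetic in the post above (26^4 = 456,976 and 95^4 = 81,450,625), carried through as an added example that is not part of the original thread. It also goes a step further than the post: an attacker who does not know the length has to exhaust every shorter length too, and the two example passwords are compared on that basis. The guess rate of one billion per second is an assumed, constructed figure, not one from the thread.

```python
import math

# Alphabet sizes used in the thread: 26 lower-case letters, and the 95
# printable ASCII characters (lower + upper + digits + 33 symbols incl. space).
LOWER = 26
ALL_PRINTABLE = 95

# Assumed, constructed guess rate for the time estimate below (not from the thread).
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over an alphabet of
    `alphabet_size` symbols: the guesses needed to be GUARANTEED a hit."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Guesses needed to exhaust every length from 1 up to max_length.
    An attacker who does not know the length must try the short ones too."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed as bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def alphabet_for(password: str) -> int:
    """Alphabet size an exhaustive search must cover, judged only by which
    character classes the password actually uses (the thread's 'haystack')."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):  # symbols, including whitespace
        size += 33
    return size


def years_to_exhaust(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password up to this one's length and
    character classes at the given guess rate. Dictionary hits are ignored:
    this is the 'exhaustive search' case the post describes."""
    total = keyspace_up_to(alphabet_for(password), len(password))
    return total / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("26^4 =", keyspace(LOWER, 4))          # 456976
    print("95^4 =", keyspace(ALL_PRINTABLE, 4))  # 81450625
    for pw in ["D0g.....................", "PrXyc.N(n4k77#L!eVdAfp9",
               "Th3n they ran through the store"]:
        print(f"{pw!r}: alphabet {alphabet_for(pw)}, length {len(pw)}, "
              f"{entropy_bits(alphabet_for(pw), len(pw)):.0f} bits, "
              f"{years_to_exhaust(pw):.3g} years at 1e9 guesses/s")
```

The padded "D0g" string scores higher than the random-looking one purely because it is one character longer over the same 95-symbol alphabet, which is exactly the post's point: once guessing is exhaustive, length dominates.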
Neptune, posted January 4, 2013:

I changed all my passwords (mc, steam, forum, and email) as soon as this happened.

1
omarfire00, posted January 4, 2013:

This is a very important thread, especially after what happened recently.
Nasu, posted January 4, 2013:

How much easier is it to crack passwords with a password hash than without? Something like "Th3n they ran through the store" is, as far as I know, impossible for a hacker to brute force hack without it taking longer than his own life. So if a hacker really wants to decrypt the whole hash that was taken, would it really make any actual difference in time taken whether you had a hard and long password or a normal one?

Also, basic hacking here: http://hackertyper.com/
Bob Loblaw, posted January 4, 2013:

Quoting Nasu: How much easier is it to crack passwords with a password hash than without? Something like "Th3n they ran through the store" is, as far as I know, impossible for a hacker to brute force hack without it taking longer than his own life. So if a hacker really wants to decrypt the whole hash that was taken, would it really make any actual difference in time taken whether you had a hard and long password or a normal one? Also, basic hacking here: Hacker Typer

I mean, you're not wrong. A "normal password" (as long as it is reasonably strong, primarily using lower case, upper case, number and symbol) that isn't something like Password1234! (might hold up, but wouldn't risk it) should hold up. But it's also saying your password doesn't have to be impossible to memorize like I*#n0sM3jKd3f. Words and phrases are much easier to remember, but are also susceptible to dictionary attacks, so these are just ways to have a secure password that is easy to remember (padding/sentences (or abbreviations: take a sentence and take the first letter of each word, interspersing numbers, symbols, upper/lower case letters)). And while that is virtually uncrackable, it wouldn't necessarily take longer than one's lifetime to do so, as a hacker could have many infected computers all attempting to crack a password at once (instead of 1 computer cracking 1 password, think a botnet of 1000 computers cracking 1 password, for instance).

1
WoLF, posted January 4, 2013:

Thanks for the advice.
Aznsoul, posted January 4, 2013:

This is a great thread (thanks Bob). I recommend others change their passwords if they haven't already. I already changed my Steam, Email, and SB.
Ozzy, posted January 4, 2013:

Thanks Bob, this really helped.
Nasu, posted January 4, 2013:

Quoting Bob Loblaw: I mean, you're not wrong. A "normal password" (as long as it is reasonably strong, primarily using lower case, upper case, number and symbol) that isn't something like Password1234! (might hold up, but wouldn't risk it) should hold up. But it's also saying your password doesn't have to be impossible to memorize like I*#n0sM3jKd3f. Words and phrases are much easier to remember, but are also susceptible to dictionary attacks, so these are just ways to have a secure password that is easy to remember (padding/sentences (or abbreviations: take a sentence and take the first letter of each word, interspersing numbers, symbols, upper/lower case letters)). And while that is virtually uncrackable, it wouldn't necessarily take longer than one's lifetime to do so, as a hacker could have many infected computers all attempting to crack a password at once (instead of 1 computer cracking 1 password, think a botnet of 1000 computers cracking 1 password, for instance).

How much faster is decrypting a password hash than brute force hacking? Also, do the same principles that work to prevent brute force hacking (symbols, etc.) apply when the hacker is decrypting a hash? Just asking out of curiosity, and thanks for answering.
Bob Loblaw, posted January 4, 2013:

Quoting Nasu: How much faster is decrypting a password hash than brute force hacking? Also, do the same principles that work to prevent brute force hacking (symbols, etc.) apply when the hacker is decrypting a hash? Just asking out of curiosity, and thanks for answering.

Brute force (and dictionary) are both ways to crack a password hash. They try a password, hash it (with salt if necessary), and see if the hashes come out to be the same thing. If it does, they've found the password; if it doesn't, then they try the next password. For this reason, they have no idea what the password looks like, they only know if they got it correct.
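The check Bob describes, try a candidate, hash it with the stored salt, compare, is the same check a server runs at login, and the example below shows it from the storage side, as an added example that is not part of the original thread. It uses a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count is an assumed value, not a recommendation from the thread. Two things it makes concrete: a guess that is one character off fails exactly like a completely wrong one (no "close"), and a deliberately slow hash charges the same cost per guess to an attacker holding the hashes as it does to the login server, which is what turns "eventually" into a much longer eventually.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example; deployments tune this to their hardware.
ITERATIONS = 200_000
HASH_NAME = "sha256"


def make_record(password: str) -> tuple:
    """What the site stores: a fresh random salt and the slow salted hash.
    The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Exact-match check only: recompute with the stored salt and compare in
    constant time. The result carries no information about how close a
    candidate was, which is the 'horseshoes and hand grenades' point."""
    guess = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)


def cost_ratio(salt: bytes, digest: bytes, samples: int = 3) -> float:
    """How many plain SHA-256 computations fit in the time of one salted
    PBKDF2 check. Anyone who obtains the hashes pays this per guess too."""
    t0 = time.perf_counter()
    for i in range(samples):
        verify(f"constructed-guess-{i}", salt, digest)
    slow_per_guess = (time.perf_counter() - t0) / samples

    n = 20_000
    t0 = time.perf_counter()
    for i in range(n):
        hashlib.sha256(f"constructed-guess-{i}".encode("utf-8")).digest()
    fast_per_guess = (time.perf_counter() - t0) / n
    return slow_per_guess / fast_per_guess


def salts_differ(password: str) -> bool:
    """Same password, two accounts, two different stored hashes: a salt stops
    one cracked hash from unlocking every account that reused the password."""
    _, d1 = make_record(password)
    _, d2 = make_record(password)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = make_record("Th3n they ran through the store")
    print(verify("Th3n they ran through the store", salt, digest))  # True
    print(verify("Th3n they ran through the stor", salt, digest))   # False, one char off
    print(verify("password", salt, digest))                          # False, equally
    print(f"one slow check costs ~{cost_ratio(salt, digest):,.0f} plain SHA-256 calls")
```

The constant-time comparison matters on the server side for the same reason: a byte-by-byte early exit would leak, through timing, the "closeness" that the hash itself withholds.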