PSA: check your password strength
Posted by: decay
Date: March 26, 2013 09:51AM
[www.passwordmeter.com]



---
Re: PSA: check your password strength
Posted by: August West
Date: March 26, 2013 09:57AM
I don't know if I'm overly paranoid, but I don't usually type a password into a randomly linked page from an internet forum. I do genuinely appreciate your concern, though.

ETA: I used an analogue, and picked up some pointers. I realized two of the three deductions, but have been too stuck in my habits to change them. The third I could change, but it's gonna be a PITA.



Edited 1 time(s). Last edit at 03/26/2013 10:01AM by August West.
Re: PSA: check your password strength
Posted by: TLB
Date: March 26, 2013 10:21AM
I've seen some experts argue length is much more important than complexity, but this shows a 64 character lower case password as very weak and a "complex" 8 character password as very strong. The complex will aid against guessing, but length should win in a brute force attack, no?
Re: PSA: check your password strength
Posted by: MEG
Date: March 26, 2013 10:26AM



[xkcd.com]
Re: PSA: check your password strength
Posted by: mikebw
Date: March 26, 2013 10:29AM
Quote
TLB
I've seen some of experts argue length is much more important than complexity, but this shows a 64 character lower case password as very weak and a "complex" 8 character password as very strong. The complex will aid against guessing, but length should win in a brute force attack, no?

Any serious attack would start with commonly used password guesses and then brute force. Assuming your password is not at all common or easily derived from an existing dictionary word, then length would indeed be the challenging factor. Every character you add to a password increases the possible combinations exponentially, but if all you are doing is making it a 26 character lowercase password from a-z, then that would be easy to guess, and you would probably be better off going with something shorter and much more obscure.

EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.



Edited 1 time(s). Last edit at 03/26/2013 10:31AM by mikebw.
Re: PSA: check your password strength
Posted by: Markintosh
Date: March 26, 2013 10:36AM
Somewhere a spammer/hacker is laughing as people willingly add to their password dictionary....



Re: PSA: check your password strength
Posted by: M A V I C
Date: March 26, 2013 11:08AM
You know you can check your password "strength" in OS X too? No need to use a third-party website provided by who knows.




Re: PSA: check your password strength
Posted by: MEG
Date: March 26, 2013 11:10AM
Quote
mikebw
EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.

True but according to Webster there are roughly 1 million English words - realistically you can assume 50,000 for the average English speaker. Each word "blob" would have 50,000 possibilities (vs 10 for digits only, 95 for all ASCII printable characters, etc.). Just 4 "characters" of 50,000 possibilities each is no easy task.
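Added worked example (editor's addition, not a post from the thread): the entropy arithmetic behind the 8-character-vs-64-character and 4-words-of-50,000 comparisons above, in Python. The formula only applies when every character or word is chosen uniformly at random, so it says nothing about a phrase someone picks from memory, and the two guess rates are illustrative assumptions, not measurements of any real cracking rig.

```python
import math

# Assumed guess rates for illustration only (not measurements):
OFFLINE_GUESSES_PER_SEC = 1e11  # stolen hash database, fast unsalted hash, GPU rig
ONLINE_GUESSES_PER_SEC = 1e2    # live login form with rate limiting

PRINTABLE_ASCII = 95  # printable ASCII characters
LOWERCASE = 26
DIGITS = 10
XKCD_WORDLIST = 2048  # wordlist size used in the xkcd comic
VOCABULARY = 50_000   # MEG's estimate for an average English speaker


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each drawn uniformly from `symbols`
    choices: log2(symbols ** length). Only valid for random choices."""
    return length * math.log2(symbols)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected exhaustive-search time: on average half of the 2**bits
    candidates are tried before the right one turns up."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def compare_schemes() -> dict:
    """The password shapes argued about in the thread, in bits of entropy."""
    return {
        "8 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 8),
        "64 random lowercase chars": entropy_bits(LOWERCASE, 64),
        "6 random digits": entropy_bits(DIGITS, 6),
        "4 random words from 2048 (xkcd)": entropy_bits(XKCD_WORDLIST, 4),
        "4 random words from 50,000": entropy_bits(VOCABULARY, 4),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        offline = years(expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC))
        online = years(expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC))
        print(f"{name:34s} {bits:6.1f} bits  offline {offline:9.3g} y  online {online:9.3g} y")
```

Running it shows 64 random lowercase characters at roughly 301 bits against about 53 bits for 8 random printable characters, and 4 random words from 50,000 at about 62 bits, which is what the length-over-complexity argument rests on. The 4-word xkcd case (44 bits) survives for about a minute and a half at the assumed offline rate and for thousands of years at the assumed online rate, so the threat model (stolen hash database versus live login form) matters as much as the password itself.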
Re: PSA: check your password strength
Posted by: rz
Date: March 26, 2013 12:34PM
I tried "InnaGaddaDaVidaBaby!" without the quotes, and it got a score of 100% But as Markintosh points out, that password has probably now been added to a list somewhere, which renders it easily crackable.
Re: PSA: check your password strength
Posted by: rz
Date: March 26, 2013 12:38PM
Quote
MEG
Quote
mikebw
EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.

True but according to Webster there are roughly 1 million English words - realistically you can assume 50,000 for the average English speaker. Each word "blob" would have 50,000 possibilities (vs 10 for digits only, 95 for all ASCII printable characters, etc.). Just 4 "characters" of 50,000 possibilities each is no easy task.

I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.
Re: PSA: check your password strength
Posted by: freeradical
Date: March 26, 2013 01:22PM
Re: PSA: check your password strength
Posted by: cbelt3
Date: March 26, 2013 01:54PM
1-2-3-4
Re: PSA: check your password strength
Posted by: deckeda
Date: March 26, 2013 02:13PM
Quote
freeradical
How I became a password cracker

Read that yesterday - a good read.

I liked the comment where someone said they Googled one of their passwords and the first search result was a hash table of passwords. "Oops."
Re: PSA: check your password strength
Posted by: guitarist
Date: March 26, 2013 02:14PM
My passwords do weightlifting. Strength training and fitness! And take supplements, and vitamins. I assume that's what you meant by "strength", yes?
Re: PSA: check your password strength
Posted by: space-time
Date: March 26, 2013 02:22PM
I tried this: I loaded the page, and then pulled the network cable (WiFi is off). The page still shows me if a password is strong or not. So it may not send anything back to the website ("hacker"). Maybe someone with LittleSnitch installed can verify if the web page sends any data back once you type in your password.

Anyway, the score is meaningless. I mean 1-2-3-4-5-6 gets 100% score.
Re: PSA: check your password strength
Posted by: space-time
Date: March 26, 2013 02:26PM
On the other hand you can't really tell who is behind this web site; looks like someone is trying to hide the real person behind this...


Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: PASSWORDMETER.COM
Created on: 27-Aug-07
Expires on: 27-Aug-13
Last Updated on: 28-Aug-12

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States

Administrative Contact:
Private, Registration PASSWORDMETER.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Technical Contact:
Private, Registration PASSWORDMETER.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Domain servers in listed order:
NS1.DREAMHOST.COM
NS2.DREAMHOST.COM
NS3.DREAMHOST.COM


The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars
Re: PSA: check your password strength
Posted by: mikebw
Date: March 26, 2013 03:28PM
Haha, ASSWORDMETER.COM... tongue smiley

I think plenty of people use some kind of proxy or ID protection when they register domains.
Re: PSA: check your password strength
Posted by: space-time
Date: March 26, 2013 05:03PM
Quote
mikebw
Haha, ASSWORDMETER.COM... tongue smiley

I think plenty of people use some kind of proxy or ID protection when they register domains.

for some reason the P got cut off when I posted, not sure why, but yeah, funny
Re: PSA: check your password strength
Posted by: MEG
Date: March 26, 2013 06:17PM
Quote
rz
I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.

Not 4 characters - 4 random words. I think a 25ish-character string password comprised of 4 random words is no trivial task even using combinations of dictionary words because the number of possible words is several orders of magnitude greater than the number of characters.

What am I missing? Seriously. Rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Is 25 characters not long enough?

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.
Re: PSA: check your password strength
Posted by: wowzer
Date: March 26, 2013 07:49PM
Quote
MEG
Quote
rz
I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.

Not 4 characters - 4 random words. I think a 25ish-character string password comprised of 4 random words of is no trivial task even using combinations of dictionary words because of the number of possible words is several magnitudes of order greater than number of characters.

What am I missing? Seriously. Rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Is 25 characters not long enough?

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.


Meg,

I wish I could get this point to the head of my IT.



Re: PSA: check your password strength
Posted by: deckeda
Date: March 26, 2013 07:55PM
Quote
MEG
My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

Yes!

The ars link earlier had a good example in the comments of how tough a decent 16-character password would be to crack, even for clustered CPUs and GPUs not even invented yet.

For places that allow it, I'd focus on length, with some reasonable obfuscation tossed in such as every nth character being wrong --- something the XKCD example lacks in its 4-word example but doing so adds an exponential amount of entropy because common or logical lookup patterns won't exist for it and brute force will be slowed way, way waaaaaay down ... think thousands (or a lot more, actually) years to crack, not "a few hundred" or less.
Re: PSA: check your password strength
Posted by: mikebw
Date: March 26, 2013 08:30PM
Quote
MEG
My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

I absolutely agree. It does seem possible however to compose an algorithm that could check for long passwords using multiple strings of real words. Ignore all the common and short passwords, forget about silly leet substitutions, and just go for the big guns. Assuming we have a 4-word phrase, we are essentially making a 4 character password but with a much larger set of potential characters, and we still don't know the length so that becomes the real computational challenge I think.

Quote
deckeda
For places that allow it, I'd focus on length, with some reasonable obfuscation tossed in such as every nth character being wrong --- something the XKCD example lacks in its 4-word example but doing so adds an exponential amount of entropy because common or logical lookup patterns won't exist for it and brute force will be slowed way, way waaaaaay down ... think thousands (or a lot more, actually) years to crack, not "a few hundred" or less.

Yes this sounds like the best approach I have seen.



Edited 1 time(s). Last edit at 03/26/2013 08:31PM by mikebw.
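Added worked example (editor's addition, not mikebw's or deckeda's code): the word-combination attack mikebw describes, with the word count unknown, run against a hashed target, plus the arithmetic for deckeda's "one character wrong" idea. The wordlist, the target phrases and the 95-character alphabet are constructed for the example; the toy list of 8 words keeps the search instant, and a real attacker's list would be tens of thousands of words long.

```python
import hashlib
import itertools

# Constructed toy wordlist so the search finishes instantly; a real attack would
# use tens of thousands of words, which changes the arithmetic, not the loop.
WORDLIST = ["correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone"]
MAX_WORDS = 4
PRINTABLE_ASCII = 95


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def word_combo_attack(target_hex: str, wordlist, max_words: int):
    """Offline guess of an unsalted hash: concatenate every 1..max_words words,
    shortest phrases first, because the word count is unknown.
    Returns (guesses_made, recovered_phrase_or_None)."""
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return guesses, candidate
    return guesses, None


def search_space(words: int, max_words: int) -> int:
    """Candidates the loop above enumerates: W + W^2 + ... + W^max_words."""
    return sum(words ** n for n in range(1, max_words + 1))


def mutated_search_space(words: int, max_words: int, phrase_len: int) -> int:
    """Cost of also trying one substituted character at any position (deckeda's
    'one character wrong'): every phrase candidate times (positions * alphabet).
    If the attacker knows the rule (e.g. always the 5th character) the position
    factor disappears and only the alphabet factor is left."""
    return search_space(words, max_words) * phrase_len * PRINTABLE_ASCII


if __name__ == "__main__":
    plain = "correcthorsebatterystaple"
    tweaked = "correcthorsebattXrystaple"  # one character substituted
    print(word_combo_attack(sha256_hex(plain), WORDLIST, MAX_WORDS))
    print(word_combo_attack(sha256_hex(tweaked), WORDLIST, MAX_WORDS))
    print(search_space(len(WORDLIST), MAX_WORDS),
          mutated_search_space(len(WORDLIST), MAX_WORDS, len(tweaked)))
    print(search_space(50_000, 4))  # size of the plain word attack at MEG's vocabulary
```

With the toy list the plain phrase falls on guess 668; the tweaked one exhausts all 4,680 word-only candidates and is never found, and a mutation-aware attacker pays an extra factor of 25 positions times 95 characters for it. Scaled to 50,000 words the word-only search is already about 6.25 x 10^18 candidates, which is why the tweak is a bonus rather than the main defence: the word count and the size of the word pool do most of the work.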
Re: PSA: check your password strength
Posted by: Sam3
Date: March 26, 2013 10:44PM
What galls me is that sites like Microsoft's updated Outlook mail (Hotmail replacement), and a lot of banking sites, limit a user to a maximum of 16 characters (some even less - 8 characters max). In this day and age, setting a 200 character limit (or so) shouldn't create buffer overflow issues for DDOS attacks (it's the reason usually given for limiting password length.)

Oh, incidentally, try Googling your password. I did with a couple of mine, one came up with a md5 hashtag (ouch!) and the other was displayed in a listing of "bad passwords". (ouch again!)

So, even though I thought my passwords were relatively OK, it turns out that both have been cracked!
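Added worked example (editor's addition, not code from anyone in the thread): why a web search for a password can turn up its MD5, as Sam3 found, and what the rainbow-table link rz posted boils down to. Unsalted hashes of common passwords get precomputed once and indexed, so reversing one is a lookup, not a computation; a per-user random salt makes the same password hash differently everywhere, so no shared table applies. The wordlist is constructed for the example, and the SHA-256 in the salted function stands in for what should be a slow password hash (bcrypt, scrypt or Argon2) in a real system.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a leaked-password dump.
COMMON_PASSWORDS = ["123456", "password", "1234", "qwerty", "letmein", "iloveyou"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once. Every unsalted MD5 seen afterwards is a
    dictionary lookup; a rainbow table is a space-optimised form of this idea."""
    return {md5_hex(pw): pw for pw in wordlist}


def reverse_unsalted(table: dict, digest_hex: str):
    """Returns the password for a known hash, or None if it was never precomputed."""
    return table.get(digest_hex.lower())


def salted_sha256(password: str, salt: bytes) -> str:
    """Per-user random salt prepended before hashing: the same password yields a
    different digest for every user, so a precomputed table is useless.
    (Real systems use a deliberately slow KDF here, not one SHA-256 round.)"""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # The digest an attacker might find in a dump or as a search result:
    leaked_digest = md5_hex("1234")
    recovered = reverse_unsalted(table, leaked_digest)

    salt_a, salt_b = os.urandom(16), os.urandom(16)
    same_password_differs = salted_sha256("1234", salt_a) != salted_sha256("1234", salt_b)
    return recovered, same_password_differs


if __name__ == "__main__":
    print(demo())  # ('1234', True)
```

Two practical notes. Searching for your own password (or its hash) hands it to the search engine and to whoever is watching that query log, so it is the same class of disclosure the thread warns about with the meter site: a local lookup like the one above, or a breached-password check that only sends a hash prefix, avoids that. And salting does not rescue a weak password from an attacker who targets that one user, since they can still run the dictionary against that single salted hash; it only removes the shared precomputation.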
Re: PSA: check your password strength
Posted by: Dennis S
Date: March 26, 2013 11:01PM
Wouldn't some places be better off having 2 passwords? My bank does, but I don't know if it truly has to have #1 guessed before someone would have to start work on #2. Then sometimes it also asks for your high school mascot sort of thing.
Re: PSA: check your password strength
Posted by: mikebw
Date: March 27, 2013 07:30AM
Quote
Dennis S
Wouldn't some place be better off having 2 passwords? My bank does, but I don't know if it truly has to have #1 guessed before someone would have to start work on #2. Then sometimes it also asks for you high school mascot sort of thing.

I think 1 strong password would be better than 1,000 weak passwords, and 2 strong passwords would be even better than that. Given the tendency for schools to promote themselves and their image it might not be all that difficult to figure out what the mascot would be.
Re: PSA: check your password strength
Posted by: deckeda
Date: March 27, 2013 07:31AM
My bank is similar. The philosophy there seems similar to two-factor authentication optionally available at Google, Apple and so on.