[www.passwordmeter.com]

---

---

I don't know if I'm overly paranoid, but I don't usually type a password into a randomly linked page from an internet forum. I do genuinely appreciate your concern, though.

ETA: I used an analogue, and picked up some pointers. I realized two of the three deductions, but have been too stuck in my habits to change them. The third I could change, but it's gonna be a PITA.

---

“There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in."



Edited 1 time(s). Last edit at 03/26/2013 10:01AM by August West.

I've seen some of experts argue length is much more important than complexity, but this shows a 64 character lower case password as very weak and a "complex" 8 character password as very strong. The complex will aid against guessing, but length should win in a brute force attack, no?

[xkcd.com]

Quote
TLB
I've seen some of experts argue length is much more important than complexity, but this shows a 64 character lower case password as very weak and a "complex" 8 character password as very strong. The complex will aid against guessing, but length should win in a brute force attack, no?

Any serious attack would start with commonly used password guesses and then brute force. Assuming your password is not at all common or easily derived from an existing dictionary word, then length would indeed be the challenging factor. Every character you add to a password increases the possible combinations exponentially, but if all you are doing is making it a 26 character lowercase password from a-z, then that would be easy to guess, and you would probably be better off going with something shorter and much more obscure.

EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.



Edited 1 time(s). Last edit at 03/26/2013 10:31AM by mikebw.

Somewhere a spammer/hacker is laughing as people willingly add to their password dictionary....

---

“Live your life, love your life, don’t regret…live, learn and move forward positively.” – CR Johnson
Loving life in Lake Tahoe, CA

You know you can check your password "strength" in OS X too? No need to use a third-party website provided by who knows.

---

Help MacInTouch: Buy from Amazon? use this link [amazon.com]
Mac News & Info: [macintouch.com] [macnn.com] [tuaw.com]
Mac Benchmarks: [barefeats.com]
Used Mac Stuff [FS/T]: LowEndMac Swap List
Mac Software Updates: [macupdate.com]
Fonts: [dafont.com] [fontspace.com]
Online Computer Store With Mac Support: [macsales.com]

Quote
mikebw
EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.

True but according to Webster there are roughly 1 million english words - realistically you can assume 50,000 for the average English speaker. Each word "blob" would have 50,000 possibilities (vs 10 for digits only, 95 for all ASCII printable characters, etc.). Just 4 "characters" of 50,000 possibilities each is no easy task.

I tried "InnaGaddaDaVidaBaby!" without the quotes, and it got a score of 100% But as Markintosh points out, that password has probably now been added to a list somewhere, which renders it easily crackable.

Quote
MEG

Quote
mikebw
EDIT: The problem with that XKCD example is that it assumes the attack is only brute force, and will not try combinations of dictionary words. A computer would not think to do that, but a person behind the attack might.

True but according to Webster there are roughly 1 million english words - realistically you can assume 50,000 for the average English speaker. Each word "blob" would have 50,000 possibilities (vs 10 for digits only, 95 for all ASCII printable characters, etc.). Just 4 "characters" of 50,000 possibilities each is no easy task.

I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.

How I became a password cracker

1-2-3-4

Quote
freeradical
How I became a password cracker

Read that yesterday - a good read.

I liked the comment where someone said they Googled one of their passwords and the first search result was a hash table of passwords. "Oops."

My passwords do weightlifting. Strength training and fitness! And take supplements, and vitamins. I assume that's what you meant by "strength", yes?

I tried this: I loaded the page, and then pulled the network cable (WiFi is off). The page still shows me if a password is strong or not. So it may not send anything back to the website ("hacker"). Maybe someone with LittleSnitch installed can verify if the web page sends any data back once you type in your password.

Anyway, the score is meaningless. I mean 1-2-3-4-5-6 gets 100% score.

On the other hand you can't really tell who is behind this web site; looks like someone is trying to hide the real person behind this...


Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: PASSWORDMETER.COM
Created on: 27-Aug-07
Expires on: 27-Aug-13
Last Updated on: 28-Aug-12

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States

Administrative Contact:
Private, Registration PASSWORDMETER.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Technical Contact:
Private, Registration PASSWORDMETER.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Domain servers in listed order:
NS1.DREAMHOST.COM
NS2.DREAMHOST.COM
NS3.DREAMHOST.COM


The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars

Haha, ASSWORDMETER.COM...

I think plenty of people use some kind of proxy or ID protection when they register domains.

Quote
mikebw
Haha, ASSWORDMETER.COM...

I think plenty of people use some kind of proxy or ID protection when they register domains.

for some reason the P got cut off when I posted, not sure why, but yeah, funny

Quote
rz
I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.

Not 4 characters - 4 random words. I think a 25ish-character string password comprised of 4 random words of is no trivial task even using combinations of dictionary words because of the number of possible words is several magnitudes of order greater than number of characters.

What am I missing? Seriously. Rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Is 25 characters not long enough?

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

Quote
MEG

Quote
rz
I'd suggest you visit this page to read up on what a "rainbow table" is. [en.wikipedia.org]

Then google about password cracking. Four character passwords are trivial to crack.

Not 4 characters - 4 random words. I think a 25ish-character string password comprised of 4 random words of is no trivial task even using combinations of dictionary words because of the number of possible words is several magnitudes of order greater than number of characters.

What am I missing? Seriously. Rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Is 25 characters not long enough?

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

Meg,

I wish I can get this point to the head of my IT.

---

All I ever really needed to know, I learned from watching Star Trek.

Quote

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

Meg,

I wish I can get this point to the head of my IT.

---

All I ever really needed to know, I learned from watching Star Trek.

My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

Yes!

The ars link earlier had a good example in the comments of how tough a decent 16-character would be to crack, even for clustered CPUs and GPUs not even invented yet.

For places that allow it, I'd focus on length, with some reasonable obfuscation tossed in such as every nth character being wrong --- something the XKCD example lacks in its 4-word example but doing so adds an exponential amount of entropy because common or logical lookup patterns won't exist for it and brute force will be slowed way, way waaaaaay down ... think thousands (or a lot more, actually) years to crack, not "a few hundred" or less.

Quote
MEG
My point was that a long, easy to remember for a human password is more secure than the 8-character using upper, lower, number & symbol passwords.

I absolutely agree. It does seem possible however to compose an algorithm that could check for long passwords using multiple strings of real words. Ignore all the common and short passwords, forget about silly leet substitutions, and just go for the big guns. Assuming we have a 4-word phrase, we are essentially making a 4 character password but with a much larger set of potential characters, and we still don't know the length so that becomes the real computational challenge I think.

Quote
deckeda
For places that allow it, I'd focus on length, with some reasonable obfuscation tossed in such as every nth character being wrong --- something the XKCD example lacks in its 4-word example but doing so adds an exponential amount of entropy because common or logical lookup patterns won't exist for it and brute force will be slowed way, way waaaaaay down ... think thousands (or a lot more, actually) years to crack, not "a few hundred" or less.

Yes this sounds like the best approach I have seen.



Edited 1 time(s). Last edit at 03/26/2013 08:31PM by mikebw.

What galls me is that sites like Microsoft's updated Outlook mail (Hotmail replacement), and a lot of banking sites, limits a user to a maximum of 16 characters (some even less - 8 characters max). In this day and age, setting a 200 character limit (or so) shouldn't create buffer overflow issues for DDOS attacks (it's the reason usually given for limiting password length.)

Oh, incidently, try Googling your password. I did with a couple of mine, one came up with a md5 hashtag (ouch!) and the other was displayed in a listing of "bad passwords". (ouch again!)

So, even though I thought my passwords were relatively OK, it turns out that both have been cracked!

Wouldn't some place be better off having 2 passwords? My bank does, but I don't know if it truly has to have #1 guessed before someone would have to start work on #2. Then sometimes it also asks for you high school mascot sort of thing.

Quote
Dennis S
Wouldn't some place be better off having 2 passwords? My bank does, but I don't know if it truly has to have #1 guessed before someone would have to start work on #2. Then sometimes it also asks for you high school mascot sort of thing.

I think 1 strong password would be better than 1,000 weak passwords, and 2 strong passwords would be even better than that. Given the tendency for schools to promote themselves and their image it might not be all that difficult to figure out what the mascot would be.

My bank is similar. The philosophy there seems similar to two-factor authentication optionally available at Google, Apple and so on.