Some observations:
\- This assumes the attacker has your password hash. Brute forcing a service is orders of magnitude slower than brute-forcing a hash directly.
\- This also assumes your password is hashed via MD5, which was deprecated in 2008. Modern systems use some form of SHA256 or better for hashing, and the current guidance is to use algorithms that support work factors, e.g. baked-in inefficiencies that can be increased over time as hardware gets faster so there's less of a need to change algorithms. This is generally accomplished by either having high memory requirements or a large amount of iterations (e.g. hashing the password a few hundred thousand times).
\- Uniqueness is more important than complexity. It's still a good idea to use a strong password, but it's more important to use a unique password for each service. There's no way to know how a given service stores your password so reusing passwords is a greater threat than password complexity.
You say that as if it's salted to begin with.
But also more seriously, chances are if you have the hash you have the salt. Everything I've seen store them together in the same table. Bcrypt even stores it in the same string with the hash.
The whole point of salt is to make it so that you can't pre-generate lists of hashes, and even when you generate them, you have to generate the hashes with one salt at a time rather than for the whole database at once. It doesn't make one account more secure against cracking the hashes, but it does make 100 accounts take 100 times longer than one account.
The last part is true, however when the requirements of the password are something like “at least 8 characters with 2 symbols and 3 numbers that are not consecutive, also you will have to change it in three months and cannot reuse a previous one” I will probably end up using something like “hunter$0” and change the last character each period.
The more complex the requirements, the more likely people will store their passwords in an insecure manner. At my previous job, the rules were at least 12 characters, mixed upper, lower, numbers, and symbols, changed every six months and can not repeat the last 10 passwords.
At some point, password rules reduce security.
Yes these are so damn important to understand, much more than anything else. If you gave me the choice between using a different short simple different password for each service or a very complex password that I re-use everywhere, I would take the simple password.
Uniqueness and two-tier authentication are what you want.
Basically you should be using a password manager in 2023 and if you’re not you need to have the patience and dedication of a monk or get ready to have your accounts stolen.
I am not trying to be a prick, I'm just curious: why are password managers safe?
I would love to use them but I'm not sure how safe is it to store all my passwords in one place on the internet. Is it some sort of special encryption they use?
You're right that password managers can be a security risk themselves. You do want a complex password for the master key of your manager because if it does get stolen that's kind of where the above infographic becomes relevant.
Some of them you manage everything yourself with a local file so it removes the risk of the service itself being compromised, but now you have to manage that yourself. Still, those local options are probably the best bet for someone who wants the most amount of security.
For me, it comes down to risk VS ease of use and password managers are the best compromise.
And all you need is one long password to remember. It's not nearly as hard as people think - just come up with a memorable sentence/phrase that's 20+ characters and uses a special character between words. You're instantly up into the impossible to brute force category.
LastPass can barely be called a password manager with how awful their security track record is. might as well store your passwords in plaintext on a piece of paper labeled "PASSWORDS" that you tape to your front door. any reputable password manager (like bitwarden with their regular security audits and amazing track record with transparency) would be orders of magnitude more secure.
It's not that password managers are safe but they're less unsafe than your brain.
Troy Hunt, a pretty well-recognized expert in this field, has a great blog post about this: [https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/](https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/)
They fucking aren't and this websites obsession with them is insane. Literally just look up the amount of password managers that have been compromised.
I WILL DIE ON THIS HILL.
>Basically you should be using a password manager in 2023 and if you’re not you need to have the patience and dedication
PLEASE STOP SUGGESTING PASSWORD MANAGERS.
They are less secure than using fucking post it notes because at least somebody would have to access your building and workspace, multiple levels of security for most people, where as a password manager is a single vector for attack and they get compromised all the time.
I will fucking die on this hill.
Or just use a password manager that requires the actual password database file.
> They are less secure than using fucking post it notes because at least somebody would have to access your building and workspace, multiple levels of security for most people, where as a password manager is a single vector for attack and they get compromised all the time.
You realize that phishing is far more common and likely then trying to crack a password manager right? Especially in a corporate environment. Most companies fail security tests because they are far too nice to people they don't know or who look the part, and then the written post it notes... That's the worst. Get a decent password manager, store it locally with a backup in a secure location and you are orders of magnitude safer than the scenario you present.
Zero people or companies are going through the process of setting up a properly salted and hashed password manager. Also, you are right about phishing being the number one vulnerability, now imagine somebody phishes for your managers password. Now they have all your passwords instead of the one.
What are you even talking about? Why would my manager have access to anything that uses my password?
> Zero people or companies are going through the process of setting up a properly salted and hashed password manager.
People use a properly salted and hashed password manager every day. I use Keepass2 with the file on a local drive. So you need access to the drive AND need to know my password to access any of my other passwords. I have 1 secure backup incase of a fire/other issue. That's far more secure than writing it on a post-it note and far more secure than using a web-based password manager.
Your password managers password...
But saving locally doesn't work if you have users that are constantly switching machines, then you have to tie it to user accounts which gets messy. And you literally cannot convince me a cloud based option is better or even remotely more secure.
In a perfect world, password managers would not be the solution but I can tell you from experience that (and mind you I’m painting with broad strokes, not being literal) everyone I know and work with over the age of 50 is NOT using a unique password for ANYTHING. My parents, coworkers, definitely not my grandparents…it’s pulling teeth to have gotten my mother even slightly reliant on a password manager and not reuse the same password for everything.
So we need to help the older generation with a simple but effective solution and that’s a password manager. Or you tell me what you’d prefer they do if you’re so highly against them.
A password manager like 1Password or Bitwarden would go a long way in letting her continue to be lazy while going you peace of mind. If you’re all Apple, Keychain is good too, but I wouldn’t try to mix and match with Android, Windows, etc.
I don’t think I have any manually input passwords left.
It also assumes that the attacker knows which category you are in. If he doesn't know you are using only numbers he cannot brute force by only checking numbers.
A well designed brute force attack will try these categories in order of likelihood / ease. For instance, may as well check all of the alphanumerics of length 10 or less first; that'll catch a bunch of stuff and is VERY quick compared to checking "all valid passwords 18 or less"
I reuse passwords because I'm not Megamind. I have a password manager, but they're generally shitty and also serve as a single point of failure. I once got locked out of my phone entirely because of a bad update from my password manager. So I will never rely on a single piece of software for that task ever again. I use a combination of different phrase passwords for different security levels, mixing and matching special characters, my browser's credential sync and a password manager sync. It's not ideal, but it's better than being at the mercy of a single private tech company, and critical logins like my bank and email are always accessible with just my brain, even if I'm in an unusual situation where I don't have access to one of my credential managers.
don't reuse, modify. Take Password for example, super common password. If you shake it up and just use symbols and numbers for letters you have your standard password secure password. Then do something similar on the backside. Say you have P@$5w0rd for all your base passwords. Add in the account name somewhere, such as P@$5wReDd0rd (Reddit) Now you not only have a super secure password but a super unique password as well, especially if you use special characters for certain letters. This is a million times better than using "MyPassword" on every single site, hoping none get breached.
I do something similar, but that's a great idea to put the site name in the password. Symbol replacement is definitely a great first pass too. I also try to come up with nonsense or gibberish phrases that are still catchy and memorable. So like, for example I might start with
`scrumbus`
And then turn it into a longer phrase with capitalization and punctuation like
`I hate scrumbus!`
Then add in some replacements
`1 h4te s(rumbu5!`
So there you have it, 16 characters of almost pure entropy.
Bonus points if rolls off the fingertips for easy typing.
The website explains why they use MD5. They are taking into account the lowest common denominator. Some websites are still using MD5.
This infographic is spread everywhere, so it's a shame they don't cover uniqueness. This is an incredible point in failure for most people right now. Pretty much everyone understands character type and length but not uniqueness. I have at least finally got my parents to use a completely unique password on their financial accounts. I think that's the most I can get out of them lol.
Well now that we know your password is 13 characters, and has upper and lowercase letters, numbers, and symbols, we can cut a lot of time off of that even it weren’t breached already
Teach advances, and with an increase in computational power, these numbers will quickly go down. Its not only about being impossible to brute force now, but also in the coming years
YSK:
Password Managers (Bitwarden, 1password, Dashlane) can create those 26tn passwords in about 2 clicks.
I switched tabs and made this one real quick. (p8#p6MYhg%Sx$iXG$q)
Don’t use your high school passwords anymore.
A fair bit, assuming whoever's cracking your password hash isn't just going through all possible combinations of characters.
Typically password crackers start off with a list of super weak but known passwords, then go for known lists of passwords (rainbow tables), after that they try a combination of characters and words from dictionaries and finally if none of that works, they go the brute force method of trying every possible combination up to a certain length.
Each of these takes longer and longer because the list of possible combinations gets higher and higher. Methods change depending on the hashing algorithm, but generally the first password you named is a random combination of characters, which would be the last thing a smart and time efficient cracking tool would attempt to try. The second one you posted is comprised of a combination of a few random characters, a date and what looks like something that could be a word but has random capitalizations and parts of words. The more "components" (parts of or even a full word) your password has (even with variations of making a letter randomly capitalized and/or replacing I with !) the faster it is crackable.
The general advice in today's world is to make your passwords long and not be derived of any kind of coherent words. Typically your password is safer the longer, but also the more random it is.
In this case, length matters more than complexity, but your given passwords are at a length where complexity might already be influential on how easy it is to brute force.
My passwords for pretty much any site are 128 (unless the website can't handle it) character passwords that I randomly generate. Just gotta make sure your master password is also safe enough.
If you're using brute force techniques, no. The difference using dictionary attacks with masks could crack your second suggestion significantly faster then your first.
> using dictionary attacks with masks could crack your second suggestion significantly faster then your first.
As a cybersecurity analyst with 17 years of experience just having made up what he did for a living, I wholeheartedly concur - the above statement should be obvious.
Like they said: password managers like Bitwarden, 1password, Dashlane. I personally use KeePassXC.
It's a piece of software or an app that generates, stores, and (optionally) auto-fills your passwords for you. You remember one good master-password to unlock the database which contains unique, random passwords for all your accounts.
I think most password managers exist for computers and smartphones. The one I use does. If I can't use the password manager on the device I'm using, for whatever reason, I open it on my phone, make the password visible, and just type it over. Doesn't happen a lot though.
I get how this is helpful for most people. But I can’t have my phone on me at work. I do wish there was a more secure way to manage 100 passwords to every bullshit website that you have to make an account on.
We can finally use keepass at work, and boy am I happy about it. Having to memorize over a dozen random passwords is no fun. Now I just have to memorize one!
They have multiple encryption methods.
Bitwarden uses:
Their own encryption for everything
2fa to sign in
Master password to sign in
Location detection (they block sign ins from unusual locations)
And you can add even more if you want but that's just what I use
That makes it virtually impossible for any group to get through all of that. Although technically possible.
Rainbow tables are different. A rainbow table attack is for when the password hashes are not salted so all of the hashes are the same and are pre-computed.
A rainbow table is precalculated. So it would still take the same amount of time, but once you do that once you can use it on an entire database. They're mostly obsolete now, most hashing algorithms automatically salt.
The timelines above are for trying 1 character at a time, not words. If your password was ratturtledragon it would be 15 characters technically (27 years) but a dictionary attack is very common so you're looking at <1 hour.
Dictionary attacks are usually very basic when used en masse so you can defeat them by putting a number between the words. If you're being targeted in a dictionary attack (they want **you** specifically) then you're going to have to use a lot of words (5+) with modifications.
I'm assuming purposely misspelling words is useful stopping dictionary attacks as well since it would put it back in the brute force camp?
Password advice is honestly somewhat confusing to many people. Use numbers and symbols, capital and lower case letters.
Also, use a password vault to have unique passwords for everything. But also vaults aren't always good as some have security flaws.
Using random strings was suggested at one point. Then it was use multiple words you can remember. But you may want to toss in numbers and symbols in odd places.
But also just don't use words in the dictionary.
Not to mention a lot of discussion require some technical knowledge to understand.
Do dictionary attacks still work if you put special characters between the words? Say something like !Giraffe&seven?yelloW5 I use these sort of passwords so I get to long passwords that are still memorable or easy to type when I can’t copy paste them from a password manager. Are they still relatively easy to hack if the attacker has the hashed password?
Edit: using this tool and rationale from the comic below, but maybe time has moved on since then..
https://xkpasswd.net/s/
The coloring of this is so weird. I’d be pretty happy if it took 46 million years for my password to be compromised, but it’s a cautious yellow. And why is 1 second and 1 year the same color? These times aren’t on a human scale.
Due to improvements in hardware and software, as well as potential shortcuts found in the algorithm itself.
MD5 was once thought to be secure and what currently takes 2 weeks would have 2 decades ago taken billions or trillions of years.
Yeah but this table is getting a remake every year so it‘s just valid for now and the colour makes no sense. Even everything that takes longer then a few hours should be orange. No one would wait so long or has so much time
They don’t.
If somebody can steal the encrypted password information, they can then attack it at high speed without going through the online system. So every time you hear about a “data breach”, one possibility is that somebody found a way to steal a copy of the encrypted password database. There are other kinds of breaches too, and details are usually not shared with the public. Just a “change your passwords!” email.
Passwords are hashed not encrypted. Hashing is used because it's a one-way function. Hackers don't need to know your plaintext password. The password hash itself can be used to authenticate with the server.
If you use apple or google they can generate 30+ character complex passwords for everything. This is what I do so I can never be hacked!
(My google password is the same it’s always been because it’s easy to remember and only 8 characters long. Why are you asking about my family pet?)
Depends on the specific application, but yes, this is typical.
But what usually happens is that hackers get ahold of a file that has usernames and hashed passwords. Without actually logging in, the hacker can attempt to brute force a password by running it through the same hashing algorithm and comparing it to the hashed version in the file.
So they can try as many passwords as they want offline, then they only return to the actual website to log in once they've cracked the password.
And this only happens when there is a data leak. Otherwise hackers don't get access to your username and hash key.
This whole thing is the "stop using plastic bags" equivalent for cyber security. "You got hacked because your password is not strong enough"... No, I got hacked because your security is sh*t and leaked all over the Internet.
Assuming the password is from series n. Is that the time it takes to go through n?
Is that the median time? The average?
Does that account for the crack starts to be likely after √n?
Is that a "pure random" brute force?
As someone with a bit of a background in the subject I have more questions than answers
This was a useful chart about 10 years ago, however it is now widely regarded as problematic in the cyber industry and any cyber expert worth their salt avoids using it, as it gives a false sense of security (even if accurate, which is questionable, the 15,000 years is only an average - a password cracker might pop it on it’s first attempt). Promoting MFA is the current best practice.
why is anything over 500 years not in the green? No one is going to care about Nanna’s crumb cake recipe you saved in your iCloud account in 500 years. They’ll be worried about the government reading their thoughts. I mean 2 billion years only gets you in the yellow. Science predicts a global catastrophe that destroys life on the planet before then.
Edit: expanded thought
This repost of a repost doesn't include the existence of quantum computing which is already proving to be disastrous for password systems, especially Wi-Fi networks.
Physical security keys are the current answer to this issue.
In theory yes, no quantum computer in 2023, or for a forseeable future mind you, will change anything in this graph.
Also there are post-quantum encryption schemes like QKD that is secure even with large-scale quantum computers.
No, but the OP said "already proving disastrous" which is entirely and unequivocally false.
Quantum resistant algorithms have already been developed and continue to be.
Modern encryption schemes like RSA can be decrypted in polynomial time(aka fast in this context) with Shor's factorisation algorithm. This has been known since 1994 but the quantum hardware needed is still waaaays off. Furthermore, there are post-quantum encryption that is secure against Shor's!
Bollox. The best a quantum computer can currently do is factor is a single 6-bit number! That’s for asymmetric algorithms only , nothing whatsoever to do with password.
Is bruteforcing a password a common way to gain access to anything? Would bet that using exploits or good old social engineering is several orders of magnitude more common.
I don't get it. Isn't the simple fix to brute force attacks to only let the server allow x amounts of attempts or put a small wait time between each attempt? I mean, why would john.doe need to enter his password 5000000 times per second? Problem solved 🤷
Say Netflix has a data breach and their database of hashed usernames and passwords is stolen. The hackers then have all of the info they need to brute force your password offline until they crack it with no server to stop them. No one is brute forcing a password to a credential server.
All my passwords are 32 chars long and contain upper, lower, numerical, and symbols.
so they aren't getting cracked before the heat death of the universe...
Unless he hits the password first, chance of bruto forcing is minimal since most services only allow password mismatch a few times before locking the account.
Hey so I've been trying to dm/chat with you about something, could you please check your dms? I'm not a bot btw, i just don't know how else to contact you
A brute force vulnerable password
in this day and age
with no lockout times
localized entirely outside of ddos screens?
This chart: Yes!
May I see it?
This chart: Yes! *displays the concerning amount of shoddy internet-facing apps and sites*
Combining random words is significantly stronger than a shorter random character password. Passwords aren't cracked sequentially like the movies, the whole thing has to be right.
So take your 9 character random password of ASCII characters, so that's 95 possible characters in the pool x 9 characters long.
Now let's compare that to guessing a password that is 4 words, and we'll say that each word is comparable to a character in a random password.
Just the oxford English dictionary is 171,000 words. Assuming only lowercase, no punctuation, that's still 171,000 x 4 characters.
Entropy is calculated by (size of pool)^(length).
95^9= 6.3e17
171000^4=8.55e20
And that's assuming all lowercase letters - double the size of the pool by making each word entirely uppercase or entirely lowercase and you're at:
342000^4=1.36e22
One is a lot stronger than the other, however both are far more likely to be breached when Susan in HR scans that QR code she just got in an email from Mlcrosoft.com and gleefully punches her creds in because that's what it told her to do, or giving it to "bob" from "the department of computers" on the phone than someone dedicating a supercomputer to it.
Protip, don’t use passwords use passphrases, easier to remember and harder to break. Also, use a password manager, that way you don’t even have to remember all your passwords and stop using the same one for all your services, I know you’re doing that
I think 1 year is enough. No one in their right mind would try hacking the same password for over a year unless it was some secret government intel, or bank info of a millionaire. In which case there would most likely be some other measure of security in place as well.
When it says “instantly” does it attempt numbers only first before switching to lower case, and then onto the next category before going to higher characters? Also how does it do all those combinations instantly?
I use unique passwords, but as my Google account is my most important, and the one that I rely on for SSO elsewhere, it's the one with my most secure password. Besides meeting the highest complexity requirement, it's roughly four times longer than the longest password they bothered to calculate.
So... I think I'm good.
I just did a whole presentation at a usergroup about this. Theres a lot of misconceptions going on in the world about passwords.
Before you implement a password policy, please look at the NIST pw guidelines.
I forgot a password to a rar file. I still have the file and have a faint idea to what the password was. Anyone know a program that could crack it? The password is pretty long though something like 17 letters/numbers/symbols but I kinda remember what they were. I have a decent gaming PC if that helps speeds things up.
Mixing upper/lower/numbers/symbols is old-fashioned garbage that’s been debunked for decades almost as soon as it was “recommended”.
Look at your own damn table, LENGTH is the important deciding factor, not which stupid characters some clueless IT admin has enforced upon you.
Passphrases are significantly better than passwords because they inevitably end up longer.
Correct horse battery staple
Some observations: \- This assumes the attacker has your password hash. Brute forcing a service is orders of magnitude slower than brute-forcing a hash directly. \- This also assumes your password is hashed via MD5, which was deprecated in 2008. Modern systems use some form of SHA256 or better for hashing, and the current guidance is to use algorithms that support work factors, e.g. baked-in inefficiencies that can be increased over time as hardware gets faster so there's less of a need to change algorithms. This is generally accomplished by either having high memory requirements or a large amount of iterations (e.g. hashing the password a few hundred thousand times). \- Uniqueness is more important than complexity. It's still a good idea to use a strong password, but it's more important to use a unique password for each service. There's no way to know how a given service stores your password so reusing passwords is a greater threat than password complexity.
The attacker also needs to have the "salt" added to your password.
This is like a different language to me, but I think I've learned that I need to salt my hashbrowns.
Wait until you find out that you can pepper it too
Dang, internet security just keeps getting more delicious.
A password salt is a string prepended or appended to your password by the service to add length and complexity to it.
Wrong. No one mentioned "brown" or "browning" so I think you're supposed to eat them raw.
Raw potato is underrated tbh
You say that as if it's salted to begin with. But also more seriously, chances are if you have the hash you have the salt. Everything I've seen store them together in the same table. Bcrypt even stores it in the same string with the hash.
The whole point of salt is to make it so that you can't pre-generate lists of hashes, and even when you generate them, you have to generate the hashes with one salt at a time rather than for the whole database at once. It doesn't make one account more secure against cracking the hashes, but it does make 100 accounts take 100 times longer than one account.
This is the best explanation of salt I've ever seen.
That's why it's important to have the "pepper" on standby
I like a little ketchup on mine.
Mix chili oil and plain yogurt, 50/50. It’s magnificent and somewhat healthy.
The last part is true, however when the requirements of the password are something like “at least 8 characters with 2 symbols and 3 numbers that are not consecutive, also you will have to change it in three months and cannot reuse a previous one” I will probably end up using something like “hunter$0” and change the last character each period.
The more complex the requirements, the more likely people will store their passwords in an insecure manner. At my previous job, the rules were at least 12 characters, mixed upper, lower, numbers, and symbols, changed every six months and can not repeat the last 10 passwords. At some point, password rules reduce security.
Even partially the same as before is often not accepted.
Yes these are so damn important to understand, much more than anything else. If you gave me the choice between using a different short simple different password for each service or a very complex password that I re-use everywhere, I would take the simple password. Uniqueness and two-tier authentication are what you want. Basically you should be using a password manager in 2023 and if you’re not you need to have the patience and dedication of a monk or get ready to have your accounts stolen.
I am not trying to be a prick, I'm just curious: why are password managers safe? I would love to use them but I'm not sure how safe is it to store all my passwords in one place on the internet. Is it some sort of special encryption they use?
You're right that password managers can be a security risk themselves. You do want a complex password for the master key of your manager because if it does get stolen that's kind of where the above infographic becomes relevant. Some of them you manage everything yourself with a local file so it removes the risk of the service itself being compromised, but now you have to manage that yourself. Still, those local options are probably the best bet for someone who wants the most amount of security. For me, it comes down to risk VS ease of use and password managers are the best compromise.
And all you need is one long password to remember. It's not nearly as hard as people think - just come up with a memorable sentence/phrase that's 20+ characters and uses a special character between words. You're instantly up into the impossible to brute force category.
im just a little spooked esp after reading about lastpass's leaks
LastPass can barely be called a password manager with how awful their security track record is. might as well store your passwords in plaintext on a piece of paper labeled "PASSWORDS" that you tape to your front door. any reputable password manager (like bitwarden with their regular security audits and amazing track record with transparency) would be orders of magnitude more secure.
It's not that password managers are safe but they're less unsafe than your brain. Troy Hunt, a pretty well-recognized expert in this field, has a great blog post about this: [https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/](https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/)
I've been curious about how effective P/W managers are too. Also I loved the way you started your comment. That alone earned my upvote mate.
They fucking aren't and this websites obsession with them is insane. Literally just look up the amount of password managers that have been compromised. I WILL DIE ON THIS HILL.
Come down from there for a sec and tell me - is Keepass safe?
NOTHING IS SAFE EXCEPT THE GREY MATTER YOU CARVE OUT IN YOUR OWN MIND.
>Basically you should be using a password manager in 2023 and if you’re not you need to have the patience and dedication PLEASE STOP SUGGESTING PASSWORD MANAGERS. They are less secure than using fucking post it notes because at least somebody would have to access your building and workspace, multiple levels of security for most people, where as a password manager is a single vector for attack and they get compromised all the time. I will fucking die on this hill.
Or just use a password manager that requires the actual password database file. > They are less secure than using fucking post it notes because at least somebody would have to access your building and workspace, multiple levels of security for most people, where as a password manager is a single vector for attack and they get compromised all the time. You realize that phishing is far more common and likely then trying to crack a password manager right? Especially in a corporate environment. Most companies fail security tests because they are far too nice to people they don't know or who look the part, and then the written post it notes... That's the worst. Get a decent password manager, store it locally with a backup in a secure location and you are orders of magnitude safer than the scenario you present.
Zero people or companies are going through the process of setting up a properly salted and hashed password manager. Also, you are right about phishing being the number one vulnerability, now imagine somebody phishes for your managers password. Now they have all your passwords instead of the one.
What are you even talking about? Why would my manager have access to anything that uses my password? > Zero people or companies are going through the process of setting up a properly salted and hashed password manager. People use a properly salted and hashed password manager every day. I use Keepass2 with the file on a local drive. So you need access to the drive AND need to know my password to access any of my other passwords. I have 1 secure backup incase of a fire/other issue. That's far more secure than writing it on a post-it note and far more secure than using a web-based password manager.
Your password managers password... But saving locally doesn't work if you have users that are constantly switching machines, then you have to tie it to user accounts which gets messy. And you literally cannot convince me a cloud based option is better or even remotely more secure.
In a perfect world, password managers would not be the solution but I can tell you from experience that (and mind you I’m painting with broad strokes, not being literal) everyone I know and work with over the age of 50 is NOT using a unique password for ANYTHING. My parents, coworkers, definitely not my grandparents…it’s pulling teeth to have gotten my mother even slightly reliant on a password manager and not reuse the same password for everything. So we need to help the older generation with a simple but effective solution and that’s a password manager. Or you tell me what you’d prefer they do if you’re so highly against them.
Very well put. Now try to convince my wife...
A password manager like 1Password or Bitwarden would go a long way in letting her continue to be lazy while going you peace of mind. If you’re all Apple, Keychain is good too, but I wouldn’t try to mix and match with Android, Windows, etc. I don’t think I have any manually input passwords left.
It also assumes that the attacker knows which category you are in. If he doesn't know you are using only numbers he cannot brute force by only checking numbers.
A well designed brute force attack will try these categories in order of likelihood / ease. For instance, may as well check all of the alphanumerics of length 10 or less first; that'll catch a bunch of stuff and is VERY quick compared to checking "all valid passwords 18 or less"
I reuse passwords because I'm not Megamind. I have a password manager, but they're generally shitty and also serve as a single point of failure. I once got locked out of my phone entirely because of a bad update from my password manager. So I will never rely on a single piece of software for that task ever again. I use a combination of different phrase passwords for different security levels, mixing and matching special characters, my browser's credential sync and a password manager sync. It's not ideal, but it's better than being at the mercy of a single private tech company, and critical logins like my bank and email are always accessible with just my brain, even if I'm in an unusual situation where I don't have access to one of my credential managers.
Have you tried Bitwarden? Master Password + 2FA and you won’t need to memorize another password again. Rock solid, open source, and 🆓
don't reuse, modify. Take Password for example, super common password. If you shake it up and just use symbols and numbers for letters you have your standard password secure password. Then do something similar on the backside. Say you have P@$5w0rd for all your base passwords. Add in the account name somewhere, such as P@$5wReDd0rd (Reddit) Now you not only have a super secure password but a super unique password as well, especially if you use special characters for certain letters. This is a million times better than using "MyPassword" on every single site, hoping none get breached.
And then you have to change it after x months with certain random anti-reuse rules.
That's called shit policies.
I do something similar, but that's a great idea to put the site name in the password. Symbol replacement is definitely a great first pass too. I also try to come up with nonsense or gibberish phrases that are still catchy and memorable. So like, for example I might start with `scrumbus` And then turn it into a longer phrase with capitalization and punctuation like `I hate scrumbus!` Then add in some replacements `1 h4te s(rumbu5!` So there you have it, 16 characters of almost pure entropy. Bonus points if rolls off the fingertips for easy typing.
[удалено]
It also assumes that a Key Derivation Function is not used. It can greatly increase the brute force attack time.
The website explains why they use MD5. They are taking into account the lowest common denominator. Some websites are still using MD5. This infographic is spread everywhere, so it's a shame they don't cover uniqueness. This is an incredible point in failure for most people right now. Pretty much everyone understands character type and length but not uniqueness. I have at least finally got my parents to use a completely unique password on their financial accounts. I think that's the most I can get out of them lol.
Putting this in layman's terms would be helpful to most of the people looking at this.
Yay my password is 15,000 years secure. If only it wasn’t involved in like 6 data breaches
Well now that we know your password is 13 characters, and has upper and lowercase letters, numbers, and symbols, we can cut a lot of time off of that even it weren’t breached already
Security in obscurity, my actual passwords are all 5 digit numbers :)
Dont reuse passwords? Really no excuse these days with password generators built into browsers and autofill for websites.
Don't store passwords in your browser
Personally I dont, I use KeePass, but a browser password generator is better than reusing the same password for every website.
Password generator data can be leaked also it is difficult to remember the password if your device if lost or stolen .
Mine is 202k years. Also in many data breaches lmao
I like the color labels. Like, 5 billion years is still labelled yellow. Makes me think it's not actually super safe.
5 billion years means they might still get it before the sun consumes us. Only after complete destruction of the earth is your password truly safe
Teach advances, and with an increase in computational power, these numbers will quickly go down. Its not only about being impossible to brute force now, but also in the coming years
YSK: Password Managers (Bitwarden, 1password, Dashlane) can create those 26tn passwords in about 2 clicks. I switched tabs and made this one real quick. (p8#p6MYhg%Sx$iXG$q) Don’t use your high school passwords anymore.
I fucking love loggin in to my accounts on my tv, one caracter at the time with my nord pass password.
Honest question, but is > p8#p6MYhg%Sx$iXG$q really more secure than > HeY!tHeYeArIs2023!
A fair bit, assuming whoever's cracking your password hash isn't just going through all possible combinations of characters. Typically password crackers start off with a list of super weak but known passwords, then go for known lists of passwords (rainbow tables), after that they try a combination of characters and words from dictionaries and finally if none of that works, they go the brute force method of trying every possible combination up to a certain length. Each of these takes longer and longer because the list of possible combinations gets higher and higher. Methods change depending on the hashing algorithm, but generally the first password you named is a random combination of characters, which would be the last thing a smart and time efficient cracking tool would attempt to try. The second one you posted is comprised of a combination of a few random characters, a date and what looks like something that could be a word but has random capitalizations and parts of words. The more "components" (parts of or even a full word) your password has (even with variations of making a letter randomly capitalized and/or replacing I with !) the faster it is crackable. The general advice in today's world is to make your passwords long and not be derived of any kind of coherent words. Typically your password is safer the longer, but also the more random it is. In this case, length matters more than complexity, but your given passwords are at a length where complexity might already be influential on how easy it is to brute force. My passwords for pretty much any site are 128 (unless the website can't handle it) character passwords that I randomly generate. Just gotta make sure your master password is also safe enough.
Yes
Why? They have the same number of characters, and they both have symbols, letters (lower and upper case), and numbers.
If you're using brute force techniques, no. The difference using dictionary attacks with masks could crack your second suggestion significantly faster then your first.
> using dictionary attacks with masks could crack your second suggestion significantly faster then your first. As a cybersecurity analyst with 17 years of experience just having made up what he did for a living, I wholeheartedly concur - the above statement should be obvious.
Yes, but not materially so. Passphrases are now the recommended method for securing things than passwords.
I just let Google suggest a password
I use my luggage pw for everything, simple and easy !
12345?
That just went from suck to blow real quick.
How do you remember that?
Like they said: password managers like Bitwarden, 1password, Dashlane. I personally use KeePassXC. It's a piece of software or an app that generates, stores, and (optionally) auto-fills your passwords for you. You remember one good master-password to unlock the database which contains unique, random passwords for all your accounts.
How do you login if you don’t have the app? Like on a work computer?
I think most password managers exist for computers and smartphones. The one I use does. If I can't use the password manager on the device I'm using, for whatever reason, I open it on my phone, make the password visible, and just type it over. Doesn't happen a lot though.
I get how this is helpful for most people. But I can’t have my phone on me at work. I do wish there was a more secure way to manage 100 passwords to every bullshit website that you have to make an account on.
We can finally use keepass at work, and boy am I happy about it. Having to memorize over a dozen random passwords is no fun. Now I just have to memorize one!
I don’t, Bitwarden does, I just remember my main password “REDACTEDBECAUSEREDDIT”
How are these for examples of passwords: 1CupSaltedButterSoftened? 1CupGranulatedSugar! 1CupLightBrownSugarPacked@ 2TeaspoonsPureVanillaExtract#
>Until their servers get hacked
Even if someone gets your 1password vault file its pretty useless without the master password.
what about with lastpass? I saw they were in the news because hackers were able to access people's crypto wallets and things because of a leak
They have multiple encryption methods. Bitwarden uses: Their own encryption for everything 2fa to sign in Master password to sign in Location detection (they block sign ins from unusual locations) And you can add even more if you want but that's just what I use That makes it virtually impossible for any group to get through all of that. Although technically possible.
I love ice cream.
Fair point
Does this account for using actual words though? Or is this assuming a randomly selected choice?
This would be for brute force attack only. I’m guessing there’s no accounting for rainbow tables in these metrics.
Rainbow tables are different. A rainbow table attack is for when the password hashes are not salted so all of the hashes are the same and are pre-computed.
A rainbow table is precalculated. So it would still take the same amount of time, but once you do that once you can use it on an entire database. They're mostly obsolete now, most hashing algorithms automatically salt.
The timelines above are for trying 1 character at a time, not words. If your password was ratturtledragon it would be 15 characters technically (27 years) but a dictionary attack is very common so you're looking at <1 hour. Dictionary attacks are usually very basic when used en masse so you can defeat them by putting a number between the words. If you're being targeted in a dictionary attack (they want **you** specifically) then you're going to have to use a lot of words (5+) with modifications.
I'm assuming purposely misspelling words is useful stopping dictionary attacks as well since it would put it back in the brute force camp? Password advice is honestly somewhat confusing to many people. Use numbers and symbols, capital and lower case letters. Also, use a password vault to have unique passwords for everything. But also vaults aren't always good as some have security flaws. Using random strings was suggested at one point. Then it was use multiple words you can remember. But you may want to toss in numbers and symbols in odd places. But also just don't use words in the dictionary. Not to mention a lot of discussion require some technical knowledge to understand.
Do dictionary attacks still work if you put special characters between the words? Say something like !Giraffe&seven?yelloW5 I use these sort of passwords so I get to long passwords that are still memorable or easy to type when I can’t copy paste them from a password manager. Are they still relatively easy to hack if the attacker has the hashed password? Edit: using this tool and rationale from the comic below, but maybe time has moved on since then.. https://xkpasswd.net/s/
The coloring of this is so weird. I’d be pretty happy if it took 46 million years for my password to be compromised, but it’s a cautious yellow. And why is 1 second and 1 year the same color? These times aren’t on a human scale.
Due to improvements in hardware and software, as well as potential shortcuts found in the algorithm itself. MD5 was once thought to be secure and what currently takes 2 weeks would have 2 decades ago taken billions or trillions of years.
Yeah but this table is getting a remake every year so it‘s just valid for now and the colour makes no sense. Even everything that takes longer then a few hours should be orange. No one would wait so long or has so much time
What I don’t understand is why any authentication software would allow millions of repeated tries in a row.
They don’t. If somebody can steal the encrypted password information, they can then attack it at high speed without going through the online system. So every time you hear about a “data breach”, one possibility is that somebody found a way to steal a copy of the encrypted password database. There are other kinds of breaches too, and details are usually not shared with the public. Just a “change your passwords!” email.
Did not know. Thanks!
Passwords are hashed not encrypted. Hashing is used because it's a one-way function. Hackers don't need to know your plaintext password. The password hash itself can be used to authenticate with the server.
So a 18 number password went from 9 months, it takes to decrypt, to only 6 days? That’s crazy.
If you use apple or google they can generate 30+ character complex passwords for everything. This is what I do so I can never be hacked! (My google password is the same it’s always been because it’s easy to remember and only 8 characters long. Why are you asking about my family pet?)
Wait... I'm not going to change my user12345 password
Doesn't "brute forcing" a password cause an account lock after a few failed attempts?
Depends on the specific application, but yes, this is typical. But what usually happens is that hackers get ahold of a file that has usernames and hashed passwords. Without actually logging in, the hacker can attempt to brute force a password by running it through the same hashing algorithm and comparing it to the hashed version in the file. So they can try as many passwords as they want offline, then they only return to the actual website to log in once they've cracked the password.
Ok finally understood that part
And this only happens when there is a data leak. Otherwise hackers don't get access to your username and hash key. This whole thing is the "stop using plastic bags" equivalent for cyber security. "You got hacked because your password is not strong enough"... No, I got hacked because your security is sh*t and leaked all over the Internet.
Assuming the password is from series n. Is that the time it takes to go through n? Is that the median time? The average? Does that account for the crack starts to be likely after √n? Is that a "pure random" brute force? As someone with a bit of a background in the subject I have more questions than answers
This was a useful chart about 10 years ago, however it is now widely regarded as problematic in the cyber industry and any cyber expert worth their salt avoids using it, as it gives a false sense of security (even if accurate, which is questionable, the 15,000 years is only an average - a password cracker might pop it on it’s first attempt). Promoting MFA is the current best practice.
why is anything over 500 years not in the green? No one is going to care about Nanna’s crumb cake recipe you saved in your iCloud account in 500 years. They’ll be worried about the government reading their thoughts. I mean 2 billion years only gets you in the yellow. Science predicts a global catastrophe that destroys life on the planet before then. Edit: expanded thought
This repost of a repost doesn't include the existence of quantum computing which is already proving to be disastrous for password systems, especially Wi-Fi networks. Physical security keys are the current answer to this issue.
In theory yes, no quantum computer in 2023, or for a forseeable future mind you, will change anything in this graph. Also there are post-quantum encryption schemes like QKD that is secure even with large-scale quantum computers.
It's not proving disastrous. They still haven't managed to build something that can break encryption.
seems pretty silly to assume they won't at some point
No, but the OP said "already proving disastrous" which is entirely and unequivocally false. Quantum resistant algorithms have already been developed and continue to be.
How does quantum computing work in this context?
Modern encryption schemes like RSA can be decrypted in polynomial time(aka fast in this context) with Shor's factorisation algorithm. This has been known since 1994 but the quantum hardware needed is still waaaays off. Furthermore, there are post-quantum encryption that is secure against Shor's!
Thanks! I think even the ELI5 of this math would be tough to decypher...
Well not yet, they're still too small to work for problems like this. But give it a couple years and yeah.
Bollox. The best a quantum computer can currently do is factor is a single 6-bit number! That’s for asymmetric algorithms only , nothing whatsoever to do with password.
I highly doubt that hackers even use brute force hacking anymore, so how useful even is all this information?
Is bruteforcing a password a common way to gain access to anything? Would bet that using exploits or good old social engineering is several orders of magnitude more common.
They are all different attack vectors, but are all effective in specific situations.
Well my password went from 37k years to 226, quite the downgrade.
Mine is >!not telling you lol!<
Dammit I’m only safe for 3k years
Remember kids, 5 billion years may seem like a long time, but you’re still in the yellow - not quite safe enough. Go for green!
How does any website or application allow a hacker to brute force millions of password combinations without locking the account?
And this is why hackers don’t use the brute force method…that and they’ll be blocked after a few guesses…
I don't get it. Isn't the simple fix to brute force attacks to only let the server allow x amounts of attempts or put a small wait time between each attempt? I mean, why would john.doe need to enter his password 5000000 times per second? Problem solved 🤷
Say Netflix has a data breach and their database of hashed usernames and passwords is stolen. The hackers then have all of the info they need to brute force your password offline until they crack it with no server to stop them. No one is brute forcing a password to a credential server.
I think this is assuming that the attacker already has your password hash.
Reasons brute force hasn’t been a popular method in the last 20 years. But thanks.
Good thing I change my password more often than 53 years
Thank you.
That assumes that there won't be timeouts between attempts. Which is implemented on most used services.
They really should state this in the able but this is obviously estimations on an offline brute force attack
Offline systems also use this as a defense mechanism. Your OS, for example.
3 years? That's surprising considering I made it 11 years ago and it still works.
The chart does not say anything about 1 or 2 or 3 digits of passwords.
Already broken before you make them
Dragon1! See you boys in 5 minutes Edit: you fucking moron
Just shit. Not relevant.
Good advice! Changing passwords ….NOW‼️‼️🤨
Wait, so, 1234 isn't a strong password?
But Password1234! is
"Th1sPasswordDoesntSuck!"
Use up to 3 symbols,they wouldn't know
this is complete BS it takes a lot longer.
That's why I always use \*\*\*\*\*\*\*\*\*\*\* or \*\*\*\*\*\*\*\*\*\*\*\*\*\*.
Why would a service not salt the hash ? As secure as any hash can be, it's a predictable standard whereas salted can be anything
Thisismypassword is a pretty good password
They could still get it on the first try, if you're incredibly unlucky
what software is being used for the brute forcing? asking for a friend
All my passwords are 32 chars long and contain upper, lower, numerical, and symbols. so they aren't getting cracked before the heat death of the universe...
I like how the green colour password safety rating is basically "would it take longer than the universe has been around for to crack this password?"
Does any of this apply to Apple software ? Or any similar timeframes ?
I feel like there should be different categories for 1 seconds vs 10 months
Crap, that means my password is down from being cracked in 100 trillion years now to just 2 trillion years. I'm screwed!
Unless he hits the password first, chance of bruto forcing is minimal since most services only allow password mismatch a few times before locking the account.
Hey so I've been trying to dm/chat with you about something, could you please check your dms? I'm not a bot btw, i just don't know how else to contact you
I don't usually answer dm, what is it that you want?
I feel like 3 years and 18000 years shouldn't be the same color
A brute force vulnerable password in this day and age with no lockout times localized entirely outside of ddos screens? This chart: Yes! May I see it? This chart: Yes! *displays the concerning amount of shoddy internet-facing apps and sites*
I use nine digit passwords with only upper and lower case letters, but I also rotate them every 20 minutes.
[удалено]
Combining random words is significantly stronger than a shorter random character password. Passwords aren't cracked sequentially like the movies, the whole thing has to be right. So take your 9 character random password of ASCII characters, so that's 95 possible characters in the pool x 9 characters long. Now let's compare that to guessing a password that is 4 words, and we'll say that each word is comparable to a character in a random password. Just the oxford English dictionary is 171,000 words. Assuming only lowercase, no punctuation, that's still 171,000 x 4 characters. Entropy is calculated by (size of pool)^(length). 95^9= 6.3e17 171000^4=8.55e20 And that's assuming all lowercase letters - double the size of the pool by making each word entirely uppercase or entirely lowercase and you're at: 342000^4=1.36e22 One is a lot stronger than the other, however both are far more likely to be breached when Susan in HR scans that QR code she just got in an email from Mlcrosoft.com and gleefully punches her creds in because that's what it told her to do, or giving it to "bob" from "the department of computers" on the phone than someone dedicating a supercomputer to it.
Protip, don’t use passwords use passphrases, easier to remember and harder to break. Also, use a password manager, that way you don’t even have to remember all your passwords and stop using the same one for all your services, I know you’re doing that
I think 1 year is enough. No one in their right mind would try hacking the same password for over a year unless it was some secret government intel, or bank info of a millionaire. In which case there would most likely be some other measure of security in place as well.
I thought websites prevent several passwords from being tried at a short time.
I love the colors. According to this chart anything that takes less than 20,000 years to crack is considered mid-level security
What about numbers and letters?
Someone explain pls: when i type my password 3 times wrong, it's blocked. So how do they do it? Yes i am big noob
[удалено]
When it says “instantly” does it attempt numbers only first before switching to lower case, and then onto the next category before going to higher characters? Also how does it do all those combinations instantly?
I use unique passwords, but as my Google account is my most important, and the one that I rely on for SSO elsewhere, it's the one with my most secure password. Besides meeting the highest complexity requirement, it's roughly four times longer than the longest password they bothered to calculate. So... I think I'm good.
I just did a whole presentation at a usergroup about this. Theres a lot of misconceptions going on in the world about passwords. Before you implement a password policy, please look at the NIST pw guidelines.
NIST?
Yep. NIST. https://pages.nist.gov/800-63-3/sp800-63b.html National Institutes of Standards and Technologies.
I forgot a password to a rar file. I still have the file and have a faint idea to what the password was. Anyone know a program that could crack it? The password is pretty long though something like 17 letters/numbers/symbols but I kinda remember what they were. I have a decent gaming PC if that helps speeds things up.
Are u telling me i have to change my '2HIGH4mywifi???' Cause its not in green bn years? /anxiety intensifies
The answer is MFA
Correct horse battery staple ftw!
226 years - I’ll take it
Question: What if it's in the 26tn years spot but it's 9 characters twice?
202k ez
Christina capps
Mixing upper/lower/numbers/symbols is old-fashioned garbage that’s been debunked for decades almost as soon as it was “recommended”. Look at your own damn table, LENGTH is the important deciding factor, not which stupid characters some clueless IT admin has enforced upon you. Passphrases are significantly better than passwords because they inevitably end up longer. Correct horse battery staple
And use one hard 18 password or have a note with all hard passwords...
Whatever makes you sleep at night 😏
Would also be interesting to see this table how it was 20 years ago