...

frozenchief · 03-09-2021, 07:53 PM

Stumbled across this today. Something to consider when creating passwords.

I am not seeking to advertise the company, in part because I know nothing about the company but I figured I'd pass on the information. I expect that as computing power increases, those figures will decline. When I'm 87, my password will have to be something like

pleasegetmemoredependsbecausethesearefullofcrap1234*

vailpass · 03-09-2021, 10:48 PM

You think this is bad? Just wait til they get quantum hacking going. Anything without quantum crypto will be instant toast.

Fish · 03-09-2021, 10:56 PM

Or infinitely better.... enable multifactor authentication.

Why Not? · 03-09-2021, 11:44 PM

I got no dog in the fight because according to this, it will take hackers 2 trillion years to get to me but, I wonder how they would "show their work" so to speak? I don't know shit about technology outside of how to get on CP and check my email so I'm not saying this is wrong, just seems like one of those things you could just throw out there and assume you would never get fact checked on.

tmax63 · 03-10-2021, 09:45 AM

I'd assume that hacking programs start with "a" or "1" and progress sequentially through the possibilities. Does that mean if you started your passwords with "z" or "9" it would take longer for them to hack?

htismaqe · 03-10-2021, 10:34 AM

Quote:

Originally Posted by tmax63

I'd assume that hacking programs start with "a" or "1" and progress sequentially through the possibilities. Does that mean if you started your passwords with "z" or "9" it would take longer for them to hack?

Technically no.

htismaqe · 03-10-2021, 10:35 AM

Quote:

Originally Posted by Why Not?

I got no dog in the fight because according to this, it will take hackers 2 trillion years to get to me but, I wonder how they would "show their work" so to speak? I don't know shit about technology outside of how to get on CP and check my email so I'm not saying this is wrong, just seems like one of those things you could just throw out there and assume you would never get fact checked on.

CPU cycles are just mathematical increments.

htismaqe · 03-10-2021, 10:37 AM

Quote:

Originally Posted by vailpass

You think this is bad? Just wait til they get quantum hacking going. Anything without quantum crypto will be instant toast.

The already use botnet "clouds" to do it. The biggest thing is that you're not as likely a target as say, Target.

vailpass · 03-10-2021, 11:41 AM

Quote:

Originally Posted by htismaqe

The already use botnet "clouds" to do it. The biggest thing is that you're not as likely a target as say, Target.

I was more thinking of DOD and critical infrastructure
crypto but yeah.

Just salting the hashes isn't going to cut it soon.

**morphius** · 03-10-2021, 11:51 AM

What this is telling me that I'd probably be pretty safe to do a 15 lower case letter password and they could hack it when I'm dead. Not sure about their numbers here, with bot nets, phishing and other viruses they have other ways to gain access as well.

**HayWire** · 03-10-2021, 12:07 PM

Next time I say something stupid on CP I'm going to pull a celebrity move and say I was hacked. That's right, **** you Bearcat.

oops, that wasn't me.

htismaqe · 03-10-2021, 01:56 PM

Quote:

Originally Posted by vailpass

I was more thinking of DOD and critical infrastructure
crypto but yeah.

Just salting the hashes isn't going to cut it soon.

Exactly. The DoD already gets hacked on a frequent basis. Security is an endless nightmare if you're responsible for it and a gravy train if you get paid to do it.

htismaqe · 03-10-2021, 01:58 PM

Quote:

Originally Posted by morphius

What this is telling me that I'd probably be pretty safe to do a 15 lower case letter password and they could hack it when I'm dead. Not sure about their numbers here, with bot nets, phishing and other viruses they have other ways to gain access as well.

I use randomly-generated passwords - 20 characters with upper, lower, numerals, and a select few specials (ones that are universally acceptable).

I also store all of my passwords in an encrypted database.

unlurking · 03-10-2021, 02:06 PM

Obligatory XKCD...

Cool password generator based off the comic, but beware using it. The dictionary used is available and small. My current rig can crack all variations of the WEB16 and NTLM (default length options) in seconds. Currently testing masks for the DEFAULT, estimating 21-28 days.
https://xkpasswd.net/s/

unlurking · 03-10-2021, 02:22 PM

Also, while this chart is a good opening comment about security. it is SUPER subjective and not nearly detailed enough for a true discussion of what makes a secure password. Those numbers are based on "brute-force" attacks which attempt every possible variation in a character data set. It completely ignores non brute-force attacks, speed of guesses, and ease of guessing the type of hash.

You wouldn't believe how many passwords I see like Spring-2002! or GoBroncos!2002 (obvious assholes) or Ch13f$Rule!!! All of which crack in seconds using basic rule and mask attacks but people still think nobody will figure it out.

03-09-2021, 07:53 PM
frozenchief Cynical Misanthrope frozenchief's Avatar Join Date: Apr 2013 Location: Alaska	Security Stumbled across this today. Something to consider when creating passwords. I am not seeking to advertise the company, in part because I know nothing about the company but I figured I'd pass on the information. I expect that as computing power increases, those figures will decline. When I'm 87, my password will have to be something like pleasegetmemoredependsbecausethesearefullofcrap1234*
Posts: 3,919

03-09-2021, 10:48 PM	#2
vailpass Psycho Bag Of Squanch vailpass's Avatar Join Date: Sep 2001	You think this is bad? Just wait til they get quantum hacking going. Anything without quantum crypto will be instant toast.
Posts: 69,591

03-09-2021, 10:56 PM	#3
Fish Ain't no relax! Fish's Avatar Join Date: Sep 2005	Or infinitely better.... enable multifactor authentication.
Posts: 47,591	4 0

03-09-2021, 11:44 PM	#4
Why Not? In Search of a Life Why Not?'s Avatar Join Date: Apr 2013 Location: Kansas	I got no dog in the fight because according to this, it will take hackers 2 trillion years to get to me but, I wonder how they would "show their work" so to speak? I don't know shit about technology outside of how to get on CP and check my email so I'm not saying this is wrong, just seems like one of those things you could just throw out there and assume you would never get fact checked on.
Posts: 21,760

03-10-2021, 09:45 AM	#5
tmax63 Veteran Join Date: Apr 2007 Location: Colorado	I'd assume that hacking programs start with "a" or "1" and progress sequentially through the possibilities. Does that mean if you started your passwords with "z" or "9" it would take longer for them to hack?
Posts: 3,811

03-10-2021, 11:51 AM	#10
morphius World's finest morphius morphius's Avatar Join Date: Aug 2000	What this is telling me that I'd probably be pretty safe to do a 15 lower case letter password and they could hack it when I'm dead. Not sure about their numbers here, with bot nets, phishing and other viruses they have other ways to gain access as well.
Posts: 25,973

03-10-2021, 12:07 PM	#11
HayWire Retired Bearcat HayWire's Avatar Join Date: Dec 2011 Location: SWMO	Next time I say something stupid on CP I'm going to pull a celebrity move and say I was hacked. That's right, **** you Bearcat. oops, that wasn't me.
Posts: 7,434

03-10-2021, 02:06 PM	#14
unlurking MVP unlurking's Avatar Join Date: Aug 2003	Obligatory XKCD... Cool password generator based off the comic, but beware using it. The dictionary used is available and small. My current rig can crack all variations of the WEB16 and NTLM (default length options) in seconds. Currently testing masks for the DEFAULT, estimating 21-28 days. https://xkpasswd.net/s/
Posts: 10,620

03-10-2021, 02:22 PM	#15
unlurking MVP unlurking's Avatar Join Date: Aug 2003	Also, while this chart is a good opening comment about security. it is SUPER subjective and not nearly detailed enough for a true discussion of what makes a secure password. Those numbers are based on "brute-force" attacks which attempt every possible variation in a character data set. It completely ignores non brute-force attacks, speed of guesses, and ease of guessing the type of hash. You wouldn't believe how many passwords I see like Spring-2002! or GoBroncos!2002 (obvious assholes) or Ch13f$Rule!!! All of which crack in seconds using basic rule and mask attacks but people still think nobody will figure it out.
Posts: 10,620