145 Comments
- inactive, on 10/12/2007, -1/+53
class A: 692 Years
class F: 60.5 hours
Finding years' worth of personal information by dumpster diving in 10 minutes: Priceless

- ubergmr, on 10/12/2007, -2/+38
looks like "asdf" isn't as secure as I thought

- p9s50W5k4GUD2c6, on 10/12/2007, -3/+35
But "love" is only four letters. That will be cracked in 46 seconds!
Yup - that's about right. Love cracks in 46 seconds.
Joking aside: good article, great analysis.

- carguy84, on 10/12/2007, -2/+23
Remind me to change the combination on my luggage...

- TeacherOfHeroes, on 10/12/2007, -0/+20
The way to figure it out is simple:
1.) Take the desired character set - say the 52 character one (UPPERS and lowers) and put it to the power of the number of characters in your password - in my case with a 19 character password it's 52^19
2.) Pick your class of attack - class F (the fastest listed) can do 1,000,000,000 (1 trillion) attacks per second. Now divide the previous answer by this number - for me it's (52^19) / 1 000 000 000
This is the number of seconds it would take to crack your password.
3.) Divide your answer repeatedly by increments of time until you get it down to a nice manageable number:
/ 60 - minutes
/ 60 - hours
/ 24 - days
/ 365 - years
/ 1000 - repeat for thousand, million, billion of years, etc...
Mine's 12.4 Quadrillion years :)

- chicken101, on 10/12/2007, -2/+20
That must be a bitch to remember/type in.
- breakneckridge, on 10/12/2007, -2/+14
The secret code is 1, 2, 3, 4
That's amazing! That's the same code I have on my luggage!

- bradbeattie, on 10/12/2007, -0/+10
Article summary: use passwords of more than 8 mixed characters (upper and lower case, numbers, punctuation) and change your password every month or so.

- xswag, on 10/12/2007, -0/+9
Password selection rules
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
Google
Password Jokes
I'm Feeling Lucky.

- bradbeattie, on 10/12/2007, -3/+10
It's ubergmr@gmail.com, right? :P

- Mac2492, on 10/12/2007, -1/+7
With a hammer, about a second - why?

- paroxsitic, on 10/12/2007, -0/+5
It's my understanding that these are times if you knew the exact length of the password.
96^8 = 7.2 Quadrillion
It should be 7.2 Quadrillion plus the combos for 2, 3, 4, 5, 6, 7. If you were actually trying to brute-force a password you have no idea of its length, it would first go through the 2 character, then 3, then 4, then 5..
But, for an example the password cracker would start with 000000000 and go to 999999999 (based on 10 chars) whereas if someone's password was 6 characters long, the cracker wouldn't even attempt it. It should attempt 00-99 first, then 000-999, then 0000-9999, etc.

- cranium, on 10/12/2007, -1/+6
Phishing is still much easier than cracking.
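TeacherOfHeroes's three-step recipe (alphabet size to the power of the length, divided by the attack rate, then divided down through minutes, hours, days and years) and paroxsitic's point that a cracker who does not know the length also has to cover every shorter length can both be turned into a small calculator. The following Python is an added example, not code from the thread or from the article it discusses. The class F rate of 1,000,000,000 guesses per second is the figure quoted in the thread; the rates assumed for classes A to E (each a tenfold step below the next) are an assumption chosen to match the day and minute figures other commenters pasted, not something the thread states outright.

```python
# Guesses per second for the attack classes. Class F (1e9/s) is the figure
# quoted in the thread; A to E are ASSUMED here as successive tenfold steps
# below it, which matches the 242-day / 3.5-minute figures pasted by others.
ATTACK_CLASSES = {"A": 10**4, "B": 10**5, "C": 10**6, "D": 10**7, "E": 10**8, "F": 10**9}

# Alphabet sizes that come up in the thread: 26 lowercase letters, 52 upper
# and lower, 62 with digits, 96 printable ASCII (letters, digits, symbols).
ALPHABETS = {"lower": 26, "mixed": 52, "mixed+digits": 62, "printable": 96}


def keyspace(alphabet_size, length, unknown_length=False):
    """Candidate passwords the cracker must be prepared to try.

    unknown_length=True counts every length from 1 up to `length`, i.e. the
    extra work paroxsitic describes when the length is not known up front.
    """
    if unknown_length:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, attack_class, unknown_length=False):
    """Worst case: the whole keyspace is tried at the class's rate. A password
    is found on average about halfway through, so the expected time is half."""
    return keyspace(alphabet_size, length, unknown_length) / ATTACK_CLASSES[attack_class]


def humanize(seconds):
    """Divide down through minutes, hours, days, years and then thousand,
    million, ... years, exactly as TeacherOfHeroes lays out step 3.
    Returns (value, unit)."""
    value, unit = float(seconds), "seconds"
    for next_unit, factor in (("minutes", 60), ("hours", 60), ("days", 24), ("years", 365)):
        if value < factor:
            return value, unit
        value, unit = value / factor, next_unit
    for prefix in ("thousand", "million", "billion", "trillion", "quadrillion"):
        if value < 1000:
            return value, unit
        value, unit = value / 1000, f"{prefix} years"
    return value, unit


def report(alphabet, length, attack_class="F"):
    """One-line summary for a given alphabet/length, with and without the
    attacker knowing the length."""
    size = ALPHABETS[alphabet]
    known = humanize(seconds_to_exhaust(size, length, attack_class))
    unknown = humanize(seconds_to_exhaust(size, length, attack_class, unknown_length=True))
    return (f"{length} chars from a {size}-char alphabet, class {attack_class}: "
            f"{known[0]:.3g} {known[1]} (length known), "
            f"{unknown[0]:.3g} {unknown[1]} (length unknown)")


if __name__ == "__main__":
    for alphabet, length, cls in (("lower", 8, "A"), ("printable", 8, "F"),
                                  ("mixed", 19, "F"), ("printable", 10, "F")):
        print(report(alphabet, length, cls))
```

Running it reproduces the thread's own figures (8 lowercase characters at class A come out at about 242 days; 96^10 at class F at about 2108 years). It also shows that the "unknown length" correction paroxsitic asks for is small: the shorter lengths together add only about 1/(alphabet size - 1) to the total, around 1% for a 96-character alphabet, so the worst-case times in the table are not materially understated on that account. The caveat the thread's other commenters raise still applies: these are exhaustive-search times, and dictionary, rule-based and precomputation attacks finish far sooner on non-random passwords.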
- tke248, on 10/12/2007, -1/+6
Just one more reason I use Alt-chars
http://digg.com/security/uncrackable_passwords

- ericsnels, on 10/12/2007, -0/+5
To change my password every month or so would mean I would have post-it notes all over my monitor reminding me what my password is. That's just crazy. (I did like the "Quadrillion Combinations" though)

- squeevey, on 10/12/2007, -0/+5
You only wish that they used brute force to crack it.
two words: RAINBOW CRACK

- chicken101, on 10/12/2007, -2/+6
8 | 200 Billion | 242 Days | 24 Days | 2½ Days | 348 Mins | 35 Mins | 3½ Mins
I think I might change my password....

- trump, on 10/12/2007, -2/+6
class A would take 692 Years
class F would take 60.5 hours
I now love my password

- ggko, on 10/12/2007, -0/+4
> Remind me to change the combination on my luggage...
Don't use 1-2-3-5, that's the next combination they'll try.

- inactive, on 10/12/2007, -0/+4
I don't see a need for all the various classes... They could've just used the values for "class D" and assumed this is what a password would typically be cracked with.
So for passwords that take years to crack, I guess you can save the cracking progress so you can upgrade your computer then continue cracking the password.

- Jibberish, on 10/12/2007, -0/+4
You don't. You take the file that contains the "encrypted" password off of the target computer and run the PW cracking program on another computer against the "encrypted file". More or less.
You have to know which file on the target computer is the PW file though.

- pcgeek101, on 10/12/2007, -0/+4
http://keepass.sourceforge.net/

- Zeusandhera, on 10/12/2007, -0/+4
Does a brute force password attack start in any particular area? Like with 0's or a's and work to the end of the alphabet? If so, I want to change my password to zzzzzzzzzzzz

- breakneckridge, on 10/12/2007, -0/+4
This doesn't take into account how quickly computers are getting faster. These are the lengths of time at present, but in ten years it will take much less time for the same password. What will we do for security then?

- 9mmCensor, on 10/12/2007, -1/+4
Unless they get lucky and find it real quick.

- evilpig, on 10/12/2007, -4/+7
Ah, no capital letter in the title. AHHHH NOO!

- spiffyman, on 10/12/2007, -0/+3
I have a series of passwords from very weak to very strong. I only use the strong ones on stuff I care about.
Strong passwords are a pain.
Also, why would I want to possibly expose a strong password by using it on my Yahoo email or message board?

- macaholic, on 10/12/2007, -0/+3
Class a = 302,603 years
Class f = 3 years
I'm not changing my password.
(Why is class f the best if in schools an f is failing?) Sorry, that didn't make much sense to me...

- thegreypilgrim, on 10/12/2007, -0/+3
True dat.
But some stuff can be brute force attacked "off-line" so the attempts per second/minute/hour are irrelevant. Take any wireless network for example - sniff a few packets, take 'em away for analysis/key-attack. A weak key can be cracked easily - return to the network and you're in - with a single valid response to a password/key challenge. However, use a long random ASCII key, and your WPA encrypted network is as good as completely locked tight.

- Shizlak, on 10/12/2007, -1/+4
So someone would have to break into my house, and this does not apply to anything online. Gotcha.
Password cracking seems kind of trivial when people just ran off with your computer, TV, jewelry and all your other valuable possessions...

- H2Oloo, on 10/12/2007, -0/+3
That's why the safest place to save your passwords is via pen and paper ... and I guess that is even insecure if you lose it.

- sc0ticus, on 10/12/2007, -0/+3
This is theoretically correct, but it is a naive approach that is too linear; it wouldn't go from 0 to zzzzzzzzz. Password cracking (or deciphering in general) is not so cut and dried as this. There's a lot more art to it. I'm sure there are frequency statistics available for the most common length of a password, second one, etc... So start with six letter combinations, then five letter combinations, then seven, then whatever is fourth.
The second approach of going from 0-Z, etc... is also a bad approach; dictionary attacks use the common English words, variations such as 7 for T, 1 for L, etc...
Finally, as much information about the target would be gathered to try other guesses.
For more about cryptography in general, try the great book "The Code Book" by Simon Singh. It's a great introduction to the history of cryptography and the techniques from Caesar, the Enigma, to current day RSA/PGP.

- Bhima, on 10/12/2007, -0/+3
Or they could recover all the passwords from users of a given website... like Digg for example... I'm sure our Digg passwords are not stored in a very secure manner. Or look at the other choices... eBay, PayPal, on-line banking... etc. All a professional has to do is get the file with the password hashes.
Incidentally, if you read the article carefully you will see that it's fairly old, and that the data it uses is probably a little older. Moore's law has provided us with at least an order of magnitude speed increase. Coupled with the more advanced Time-Memory Trade-Off attacks, I think the whole table would fall to "Nearly Instant"... so given the password hashes of Slashdot and Digg you could have all of the passwords before lunch.

- foolfromhell, on 10/12/2007, -0/+3
Where is the program? I would like a shot at this...
What about, knowing the personality of the person, some idiot who has a website about UFOs might have a password like "Alien".

- JulianTosh, on 10/12/2007, -0/+2
None of this matters, especially to a government agency intent on invading your privacy. Why brute-force crack your 64 character password when they can legally force your OS manufacturer to install a backdoor to reveal your keystrokes or monitor the RF coming off your keyboard from the black helicopter hovering over your house?
:|

- rayblasdel, on 10/12/2007, -0/+2
Ack, that just looks scary. I draw pictures on the keyboard.

- jestershinra, on 10/12/2007, -0/+2
The problem here is that these are maximum lengths--your password, at each level, would be cracked (by simple brute force process of elimination) within the allotted time frame. Obviously, how exactly yours is determined depends on the precise order of the attacking software, but you could have a password that's listed here to take a trillion years be cracked in, say, one year--it just depends on how it's cracked.

- bryan314, on 10/12/2007, -0/+2
build a long, random, easy to remember password
http://world.std.com/~reinhold/diceware.html

- Kazanoe, on 10/12/2007, -1/+3
I wish they gave some higher numbers; my password personally has 10 characters, and has a 'common symbol' in it, which they don't have written down.
Given the information that 6 characters takes 13 mins, and 8 characters takes 2004 hours, I'm going to assume mine would take several years to crack using a Class F
(assuming they didn't get my password within the first few million combinations)

- bman212121, on 10/12/2007, -0/+2
Unfortunately, this article is way off! It may hold true for a standard brute force, but it's nowhere near reality when using other types of attacks. Here is a good example. An article done by MS about the differences between Passwords and Passphrases goes into detail about how quickly a password can actually be cracked using other methods. http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
Quote
For instance, assume the passwords are non-dictionary words using 8 characters with at least three of the four character types, and they expire in 70 days. For an attacker with no prior knowledge of any of those passwords to guess one of them before it expires would require the computer to have a network bandwidth of 53,000 T-3 (44.736 Mbps each). This is required just to send the authentication traffic required to try half of all the possible passwords (assuming each is equally likely).
A cracking attack against all possible 8-character passwords using the 76-character set will, based on that test rate, take 6 years. Of course, many of the passwords will be found in much less time, and any given password will statistically be found in half that time. If the passwords are only 7 characters cracking the full set will take only about 28 days.
/END Quote
This coming from 2004 as well. If you read on parts 2 http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
and 3 http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx
it will give you a better idea of the actual randomness involved in passwords. A lot of passwords are not even close to random, like the b33r&MUG password, which could be represented as 3 parts, and only be as strong as a truly random 3 character password.

- 0x0000ff, on 10/12/2007, -0/+2
edit: I need to type faster
@Kazanoe:
Your password would provide 66483263599150104576 combinations (96^10) -- which is 2108 years to calculate as a "class F"
(which doesn't really mean anything)

- cranium, on 10/12/2007, -1/+3
I use a different password for every site. Basically, I've got a mental hash that combines the domain name with my basic password, but not in an obvious way.
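bryan314's Diceware link above is the thread's one concrete answer to "long, random, easy to remember": roll five dice per word, look the roll up in a fixed word list, and string several words together. The Python below is an added example showing those mechanics and the entropy arithmetic behind them; it is not code from the thread or from Reinhold's Diceware project. The real list has 6^5 = 7776 entries; the six-word list embedded here is a constructed stand-in keyed by a single die so the example runs offline, and the entropy figures are computed for the real list size as well.

```python
import math
import secrets

# The real Diceware list has 6**5 = 7776 words, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# CONSTRUCTED stand-in list for this example: six made-up words keyed by a
# single die, so every possible roll has an entry and the code runs offline.
SAMPLE_LIST = {"1": "amber", "2": "bolt", "3": "cactus",
               "4": "delta", "5": "ember", "6": "fjord"}


def roll(dice):
    """Roll `dice` fair dice and join the faces, e.g. '35214' for five dice.
    secrets (the OS CSPRNG) is used rather than random: the whole strength of
    the passphrase rests on the rolls being unpredictable."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def passphrase(word_list, words, dice):
    """Pick `words` entries by independent rolls and join them with spaces."""
    return " ".join(word_list[roll(dice)] for _ in range(words))


def entropy_bits(list_size, words):
    """Each word chosen uniformly from list_size adds log2(list_size) bits,
    regardless of how long or how memorable the word itself is."""
    return words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def worst_case_seconds(list_size, words, guesses_per_second):
    """Exhaustive search time for an attacker who knows the list and the word
    count (the defender should assume both are public); on average a phrase
    falls about halfway through."""
    return list_size ** words / guesses_per_second


if __name__ == "__main__":
    print("sample phrase:", passphrase(SAMPLE_LIST, 5, dice=1))
    for n in (4, 5, 6, 7):
        bits = entropy_bits(DICEWARE_LIST_SIZE, n)
        years = worst_case_seconds(DICEWARE_LIST_SIZE, n, 10**9) / (365 * 24 * 3600)
        print(f"{n} Diceware words: {bits:.1f} bits, "
              f"{years:.3g} years at 1e9 guesses/s (list and word count known)")
```

Six words from the real list give about 77.5 bits, which at the thread's class F rate of 1e9 guesses per second is on the order of millions of years of exhaustive search even when the attacker has the word list. That is the property that matters: the security comes from the uniform random choice, not from the words being obscure, so the list itself can be public.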
- Buelldozer, on 10/12/2007, -0/+2
Am I the only person to notice that this article is over two years old AND most of its "speed" guesses are built around a Pentium 100?

- mwebb1984, on 10/12/2007, -0/+2
You should use a wholly different password for each site, unless maybe a group of sites' accounts are very "unimportant." Unless you have very weak passwords, the biggest threats are that: 1) someone hacks your system and monitors it, thus obtaining passwords or 2) one of the websites/service providers/etc has a security breach and someone gains access to users' account info. You can escape 2) with little damage if each password is wholly different. (of course remember some sites will just send your passwords to your email... so if your email's hacked.....)

- kevogod, on 10/12/2007, -0/+2
The amount of time required to crack your fingerprint reader would be dependent on how the comparison data is stored. It would be more reasonable to find a security hole in the fingerprint reader itself than going after the fingerprint "password".

- inactive, on 10/12/2007, -0/+2
I wonder how long people have actually had their machines running to break a password. Seems like anything longer than a month is out of the question for anything except national security matters.

- Bhima, on 10/12/2007, -0/+2
If you look at the article closely you will see that it's a little old (Jan 2004) and the data used is a little older (Pentium 100). So just based on Moore's law we've surpassed this by at least an order of magnitude... Add to that new cracking methodologies like Time-Memory Trade-Offs and most of that table probably should just read "nearly instantaneous"

- kevin2735, on 10/12/2007, -0/+2
Your password is only as strong as where you use it. Take a look at the Windows Registry, specifically the Protected Storage for Internet Explorer. I was able to access all of the passwords a user entered for accessing password protected sites on the Internet. This ultimately allowed me access to highly encrypted files elsewhere on the hard drive. People are lazy and will use the same credentials for everything.

- ggko, on 10/12/2007, -0/+2
I have an infinite number of monkeys at my disposal. Poo-flinging breaks aside, that has to be at least a Class E attack.

- .Steven, on 10/12/2007, -0/+2
((((((62^18) / 76 600 000 000) / 60) / 60) / 24) / 365.25) / 1 000 = 7.580846 x 10^10
So... 7.580846E10 millennia!!! (Using something faster than Distributed.net's Project Bovine RC5-64)
(And that is only my password for Digg!!! (Think more of around 256 chars (not bits but bytes) using the whole ASCII table)