Now I know why my company recently went to 15 character passwords. Upper, lower, number and symbol also required. It was a bitch to come up with something I could remember.
@tinamarie1974 For a brief period, because of a misdesigned interface at A Very Large Company, my password in that company’s free email system was a leeted version of “fuckyoumicrosoft”. (I changed it again later, and I never used that one anywhere else, so knowing this won’t help any cracker.)
@tinamarie1974 @werehatrack
Can you remember
TinaMarie1974 :>)
??
That’s 17 including the space; most systems I’ve used lately will allow spaces in passwords. (And then they get fancy and call them passphrases.)
I once was on a lame system that insisted on printing out your password with your other user information on any dump, so I put a few nonprintable ASCII characters into my password, and it accepted it.
@phendrick @tinamarie1974 @werehatrack mmm, username not allowed in password.
Passwordsafe is a good offline one. I don’t know most of my passwords.
8 characters with appropriate reset periods and timeouts are secure enough.
It’s common to see 15 for non-expiring service accounts now. ’Cause that’s never going to get brute-forced
@tinamarie1974 @unksol @werehatrack How do you know that is her username for the system in question? You been hacking? Picking up the radio waves from her keyboard?
Yeah, that’s getting to be a problem for me too, as I get older.
JK
@phendrick @tinamarie1974 @werehatrack
If you are trying to brute-force a password, you are using a specific username. Every password policy will not let you use your username as part of your password.
Regardless, the reason I don’t know most of mine is because I’ve never seen them. I just randomly generate one for every website. I can get some pretty complex ones into muscle memory, but obviously best practice is to have a different one everywhere. No one can remember all that, especially for sites you use once a year. Hence a safe is a good plan. If someone gets some junk from homedepot.com or anywhere else, good luck using it anywhere.
Regardless, brute-forcing a user password is not a main threat for a number of reasons. Just an interesting exercise using non-real-world parameters as an example of what computers are capable of.
This is why it’s so easy to crack a safe with a microcontroller, stepper motor, and a suction cup, though.
@phendrick @unksol @werehatrack not my work username, also not my password lol.
@phendrick @tinamarie1974 @werehatrack well of course lol. I just meant that’s a standard password rule on the same system. Regardless of work/personal stuff
For obvious reasons. Crossing personal and work passwords/info is not good but… Some people you can’t stop…
I swear the security/password/phishing training we get all the time is just… Really? We have people doing this? But. It happens apparently
@phendrick @unksol @werehatrack sounds like my work. Now they send these crazy emails as fake phishing attempts. God forbid you don’t catch it and smash the phishing button in Outlook
@phendrick @tinamarie1974 @werehatrack oh they do that too lol. They are very obvious.
Sometimes I report company stuff because they poorly communicate
It should be noted that most such cracking requires that the place accepting the password must not lock out the user after a small number of attempts. Remember, the same hash value may be produced by more than one password; the cracker might be able to reverse-engineer the exact algorithm and still not be able to use the hash values to predict a unique source string for a given hash. But the larger the size of the hash file, and the more of the hashes that correspond to passwords that the cracker has obtained via other means, the easier it becomes to zero in on the rest.
@werehatrack I got into several arguments with our head of educational technology at the college I used to teach at, over passwords. He required long passwords, had to be changed every 90 days (generally gave you no warning when about to expire), and gave you three attempts before the lock-out. I thought the “three” part was inane, since if you only use the 52 upper and lower case letters and the 10 decimal digits, an 8-character password could be any one of 218340105584896 possibilities. And didn’t show you what you tried to enter. THREE?
OK, you try it once, get an error message, wonder what you typed wrong. You try it again, thinking a little harder, but fumble the keys – it didn’t feel right. Your third try, after concentrating intently into your memory banks, typed exceedingly carefully, doesn’t work either, but after that you realize the CAPS LOCK light is on.
Welp, time to call Tech Support. They got used to getting calls from me. IF 200 tries were allowed, still a random attack would have a 10^-10 chance of success, but only if they knew you had a password of exactly length 8.
I should have just done what a lot of other faculty did, put it on a Post-It Note. (Wrong, they didn’t slap it on the front of the monitor. They kept it in their UNLOCKED desk drawer.)
I thought the guy in charge was otherwise sharp, and later became “Vice President of Technology” there. But he sometimes missed out on a little common sense, IMO.
@narfcake That came out long enough ago that I printed out your xkcd and showed it to the guy in charge. Made no impression. I was still arguing against the 90 day bit. Just use a VG password and leave it. (But, a different one, tailored for whichever system you were accessing.)
https://xkcd.com/936/
@narfcake whoops guess I repeated. I was like. How is this not already here lol
I saw that at one of the Related Hak5 sites. It is not pretty. That is the reason I use a password manager with all the options, most of the time is 15 with everything. FB is over 20 as is what was Twitter.
[image: correct horse battery staple]
Also please keep in mind we aren’t seeing their data and they are most likely using an unrestricted brute force on a test password on a system with no restrictions.
You know that thing every website does when you get a timeout after three failures? Those timeouts drastically balloon brute-force attacks like this
From the bottom of the picture: “When you input a password into a website, the website will only save your hash, rather than your password.”
Well, that’s supposed to be how it’s done, but not everyone builds their website properly.
Another Important Point:
The graphic explains that these times were calculated/estimated based on the assumption that the attacker already has access to the password hashes. (i.e. there was some sort of data breach)
Based on the speeds in the “Numbers Only” column, I think they’re running at nearly 2 trillion attempts (guesses) per second.
Those are not speeds they’ll be able to reach while going through a website’s login form — but that doesn’t mean there’s nothing to worry about.
In short, practice good password hygiene, and hopefully you’ll never run into problems.
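The arithmetic the posts above lean on, as an added example that is not from the thread or from the graphic it discusses: the 62-symbol, 8-character keyspace, how long an offline sweep of it takes at roughly 2 trillion guesses per second against leaked hashes, and how few guesses a three-failures lockout leaves an attacker at a login form. The 15-minute lockout window, the one-year attack horizon and the 95-symbol printable set are assumptions I chose for illustration.

```python
"""Added example (not from the thread or the graphic): keyspace and
time-to-exhaust arithmetic for offline hash cracking versus guessing
at a rate-limited login form."""
from fractions import Fraction

# Alphabet sizes as the thread counts them: 52 letters + 10 digits = 62.
# 95 (all printable ASCII) is an assumed size for "everything" policies.
DIGITS, ALNUM, PRINTABLE = 10, 62, 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """An attacker who does not know the exact length must sweep every length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attack that tries the whole space."""
    return space / guesses_per_second


def online_attempts(lockout_threshold: int, lockout_seconds: int,
                    horizon_seconds: int) -> int:
    """Guesses a login form permits within `horizon_seconds` when every
    `lockout_threshold` failures cost the attacker `lockout_seconds`.
    Assumed policy: the lockout clears by itself and nothing else throttles."""
    return (horizon_seconds // lockout_seconds) * lockout_threshold


def success_probability(attempts: int, space: int) -> Fraction:
    """Chance that `attempts` distinct random guesses hit one fixed password."""
    return Fraction(min(attempts, space), space)


if __name__ == "__main__":
    space = keyspace(ALNUM, 8)
    print(f"62^8 = {space}")
    print(f"offline sweep at 2e12 guesses/s: {seconds_to_exhaust(space, 2e12):.0f} s")
    year = 365 * 24 * 3600
    # Constructed policy: 3 failures, then a 15-minute lockout, for a year.
    tries = online_attempts(3, 15 * 60, year)
    print(f"online for one year: {tries} guesses, "
          f"p = {float(success_probability(tries, space)):.2e}")
    long_space = keyspace(PRINTABLE, 15)
    print(f"15 printable chars offline: "
          f"{seconds_to_exhaust(long_space, 2e12) / year:.2e} years")
```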
We once had a PhD user who forgot his password. I can’t remember exactly but it was 666666 or 777777.
Some PhDs are really smart and others not so much.
Mind you, this was before 1997!!!
@AnniKat That’s OK, back in the late '80s at my job, the “password” length was 3. Alpha only. This was in software running on a Univac 940/40. (Nobody outside of the mainframe priests had a system password or root access.)
Organic chemists are never short of password possibilities, e.g. (8R,9S,10R,13S,14S,17S)-17-hydroxy-10,13-dimethyl-1,2,6,7,8,9,11,12,14,15,16,17-dodecahydrocyclopenta[a]phenanthren-3-one which everyone here will immediately recognize as testosterone, unless, that is, you’re a quart low.
Structure of Testosterone
No one says you have to use the full name. Just use as many characters or parts of whatever compound name you’ve chosen as you can hopefully remember, and you can throw in a few uppercase letters as well.
I let a password manager remember all.
Unique for each site.
@f00l Just remember to have [at least] two good passwords that you can remember:
the password manager
the email(s) you use to reset passwords for everything else
Password managers can also be used to store other useful information, too. Like your credit card number. It makes it a lot easier to buy things online if you don’t have to carefully copy it off the card each time. (though maybe that’s a bug, not a feature? Your spending may vary…)