twinair

Who has the strongest password?


Just been lurking around Whirlpool and found a link to https://www.grc.com/haystack.htm which enables you to check the strength of your password.

The result for my home VPN password is this:

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 68.97 billion trillion trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 6.90 hundred trillion trillion trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 6.90 hundred billion trillion trillion centuries

 

Haha, that's a fkn long time!

 

What's yours?

Edited by twinair


Someone posted a graphic recently about how it was dumb that passwords we use are hard for us to remember but easy for computers to crack, but if we used a long phrase it's easy for us to remember but insanely hard for a computer. Something like:

 

mypasswordisverylong

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 6.59 thousand trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 65.90 million centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 65.90 thousand centuries

 

VS

 

X#4D2ai&

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 2.13 thousand centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 18.62 hours

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 1.12 minutes

 

That said, they do say below:

 

It is NOT a “Password Strength Meter.”

Basically, that's just how long it would take to go through the set of different passwords that could be generated with those parameters.

 

Edit: Don't remember who posted it, but it was this:

 

Posted Image

Edited by Periander


Oh this is bullshit, my specifically formulated complex gibberish passwords that are also easy to remember - 2.2 seconds in the mass-cracking scenario (then 20 years, then 20 million centuries).

 

However, I once used the password 'motherfuckingpassword' for an account I rarely used, and hence always forgot the password to: "Dammit, what is the motherfucking password? Oh right...".

 

1.7 million centuries in mass-cracking.

 

This is really annoying, because most websites enforce password complexity policies when registering an account - even though this site proves it's not only needlessly annoying, but also downright unsafe in comparison.


A TAFE teacher told our class that if a password is more than 14 characters long, it won't be cracked by anyone. Not because it can't be, but because it would take too long. It didn't need to be a complex password with symbols and numbers and capitals, it just needs to be over 14 characters long.

 

Going by the above scenarios it looks to be kinda right.


Online Attack Scenario:

(Assuming one thousand guesses per second) 8.47 hundred trillion trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 8.47 million trillion trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 8.47 thousand trillion trillion centuries

 

That's mine =D - I know it off by heart so I'm pretty proud of that :)

Edited by smakme7757


I usually just make something up on the spot, and write it down in a little book I keep next to my computer. I got sick of using the same password for things, when stupid websites would get hacked and then everyone would have my email/username/password combo and I would have to change it everywhere I used it.

 

The other alternative is that they have enough of your personal information to request a reset and usually get through any validation.

 

I think that is of much bigger risk than someone brute forcing your password.

Edited by p0is(+)n


That's it, the first letter of the website 100 times is my new password.

 

Online Attack Scenario: 1.04 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Offline Fast Attack Scenario: 0.39 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Massive Cracking Array Scenario: 10.39 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

 

:P


Half of the problems with passwords are not the complexity but are due to some of the morons who build authentication systems. Simple way to prevent anybody from doing this form of attack is to lock out the account for a period of time after a number of unsuccessful attempts. If for every 3 failed attempts to access a user's account you locked that account for (30*n/3) seconds this kind of attack is no longer possible.

 

There are other ways to improve your security, for any site that lets you use an email as a login take advantage of the + character and make your email: your_name+dkadf3kd@example.com

 

You now have a random email as well as a random password.

 

Another simple trick, use a password management tool.
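The lockout rule described in the post above, worked through as an added example (my code, not anything from this thread or from any real forum software). It takes the post's formula literally: after every 3rd consecutive failure the account is locked for 30*n/3 seconds, with n the running failure count, so the locks grow 30 s, 60 s, 90 s and so on. The credential store, user name and the 7-character lowercase search space used for the closing calculation are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    """Lock for 30*n/3 seconds after every 3rd consecutive failure (n = failure count)."""
    failures_per_lock: int = 3
    seconds_per_failure: int = 10  # 30*n/3 is the same as 10*n

    def lock_duration(self, n_failures: int) -> int:
        """Seconds to lock after the n-th failure; 0 when this failure triggers no lock."""
        if n_failures == 0 or n_failures % self.failures_per_lock:
            return 0
        return self.seconds_per_failure * n_failures


@dataclass
class AccountLockout:
    """Per-user consecutive-failure counter and lock expiry, keyed by user name."""
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> int:
        """Count one more failure; start a lock if the policy says so. Returns lock seconds."""
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        duration = self.policy.lock_duration(n)
        if duration:
            self.locked_until[user] = now + duration
        return duration

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure count."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt_login(lock: AccountLockout, user: str, password: str, now: float,
                  check: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'denied' or 'ok'. The lock is tested before the password,
    so a locked account rejects even the correct password until the lock expires."""
    if lock.is_locked(user, now):
        return "locked"
    if check(user, password):
        lock.record_success(user)
        return "ok"
    lock.record_failure(user, now)
    return "denied"


def total_lockout_seconds(guesses: int, policy: Optional[LockoutPolicy] = None) -> int:
    """Cumulative time an attacker spends locked out while making `guesses`
    consecutive wrong attempts: the k-th lock lasts seconds_per_failure*3*k seconds,
    so the total is a simple arithmetic series (closed form, exact integer)."""
    policy = policy or LockoutPolicy()
    locks = guesses // policy.failures_per_lock
    per_lock = policy.seconds_per_failure * policy.failures_per_lock
    return per_lock * locks * (locks + 1) // 2


if __name__ == "__main__":
    # Constructed credential store for the demo; a real system checks a password hash.
    users = {"alice": "correct horse"}
    check = lambda u, p: users.get(u) == p
    lock = AccountLockout()
    for t, pw in [(0.0, "guess1"), (1.0, "guess2"), (2.0, "guess3"),
                  (10.0, "correct horse"), (32.0, "correct horse")]:
        print(f"t={t:>5}: {attempt_login(lock, 'alice', pw, t, check)}")
    # Exhausting the 7-character lowercase space (8,353,082,582 guesses) online:
    secs = total_lockout_seconds(8_353_082_582)
    print(f"lockout time alone: {secs / 3_155_760_000:.3g} centuries")
```

Two caveats a practitioner would add: this only slows the online interface, which is exactly Rob's point below about offline attacks against a stolen password store, and because the counter is keyed on the user name, anyone who can reach the login page can keep a victim's account locked, so production systems usually pair the lock with per-source throttling and a way for the real user to recover.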


> Half of the problems with passwords are not the complexity but are due to some of the morons who build authentication systems. Simple way to prevent anybody from doing this form of attack is to lock out the account for a period of time after a number of unsuccessful attempts. If for every 3 failed attempts to access a user's account you locked that account for (30*n/3) seconds this kind of attack is no longer possible.

What about offline attacks?

 

Also, your formula annoys me, it should just be 10*n.

 

Rob.


This is my gmail password:

Online Attack Scenario:

(Assuming one thousand guesses per second) 1.74 hundred billion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 1.74 thousand centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 1.74 centuries

 

I'm hoping that's good enough for now, since I cbf'd changing it and re-entering on my various devices :P

 

My online money password is:

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 1.83 billion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 18.28 centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 1.83 years

 

I guess I should change or augment that. Though it does have upper/lower/numbers and a symbol. Stupid length argument making some kind of sense.


> > Half of the problems with passwords are not the complexity but are due to some of the morons who build authentication systems. Simple way to prevent anybody from doing this form of attack is to lock out the account for a period of time after a number of unsuccessful attempts. If for every 3 failed attempts to access a user's account you locked that account for (30*n/3) seconds this kind of attack is no longer possible.
>
> What about offline attacks?
>
> Also, your formula annoys me, it should just be 10*n.
>
> Rob.

 

Not sure how offline makes any difference, this is an attack against a password interface. If you are attacking the password store, the use of a salt makes this computationally expensive also along with the usual tricks of using multiple rounds of hashing or a slow hashing algorithm.

 

The formula would be 10*n if you happened to pick value 3 failures and 30 seconds, but for visibility's sake I chose not to simplify.
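The salted, multi-round hashing the reply above refers to, as an added example (my code, not from this thread or any library mentioned in it). It uses PBKDF2-HMAC-SHA256 from Python's standard library: a random 16-byte salt per password stops a single precomputed table from covering every user, and the iteration count multiplies the cost of each offline guess. The record format, the 600,000-iteration default and the sample passwords are my own choices for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: my choice for this example, not a figure from the thread.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per password, so two users with the same password get
    different records and a table built for one salt is useless for the rest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Guesses per second an attacker gets when each guess costs `iterations`
    HMAC computations instead of one plain hash."""
    return raw_hashes_per_second / iterations


if __name__ == "__main__":
    record_a = hash_password("correct horse")
    record_b = hash_password("correct horse")
    print("same password, different records:", record_a != record_b)
    print("verify right password:", verify_password("correct horse", record_a))
    print("verify wrong password:", verify_password("correct horse!", record_a))
    # The thread's 'one hundred billion guesses per second' figure assumes a
    # one-round hash; with 600,000 rounds the same hardware manages far fewer.
    print("effective rate:", effective_guess_rate(100_000_000_000, DEFAULT_ITERATIONS))
```

Storing the iteration count in the record is what lets you raise the work factor later and re-hash each user on their next successful login, rather than resetting everyone.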


Tried to put in one of my passwords from a few years ago..

 

When I tried the 3rd character it took me to a different website.... I used the 'alt' key + number combinations... What I got from an http website was

 

Ùå\/­Ù

 

Not even remotely close to what it would be if I put it in notepad.... Missing about 10 characters.

 

So......

 

Yeah... Anyways..

 

AD


No one's using my wireless!

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 9.52 thousand trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 95.17 million trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 95.17 thousand trillion centuries


This test is undoubtedly biased. After all, I got my most secure password from a GRC random generator :P

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 12.69 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 1.27 hundred million trillion trillion trillion trillion trillion trillion trillion trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 1.27 hundred thousand trillion trillion trillion trillion trillion trillion trillion trillion centuries


I'm with tantryl, I kinda went overboard with the WPA2 passkey with a generator :D

 

26 Uppercase 22 Lowercase 8 Digits 7 Symbols 63 Characters

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 12.69 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 1.27 hundred million trillion trillion trillion trillion trillion trillion trillion trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 1.27 hundred thousand trillion trillion trillion trillion trillion trillion trillion trillion centuries

 

It's a pain in the arse to enter into devices, but it's also generally a one-time setup.


> I'm with tantryl, I kinda went overboard with the WPA2 passkey with a generator :D
>
> 26 Uppercase 22 Lowercase 8 Digits 7 Symbols 63 Characters
>
> Online Attack Scenario:
>
> (Assuming one thousand guesses per second) 12.69 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries
>
> Offline Fast Attack Scenario:
>
> (Assuming one hundred billion guesses per second) 1.27 hundred million trillion trillion trillion trillion trillion trillion trillion trillion centuries
>
> Massive Cracking Array Scenario:
>
> (Assuming one hundred trillion guesses per second) 1.27 hundred thousand trillion trillion trillion trillion trillion trillion trillion trillion centuries
>
> It's a pain in the arse to enter into devices, but it's also generally a one-time setup.


Haha, as of two days ago I had a 64 character long WPA 2 password too, which I'd had there for 3 years. I decided to change it though, it was becoming a real PITA seeing as my wife could never input it correctly when she got a new phone!

 

I've decided 12 characters is a nice minimum for the next year or two. I doubt many normal folks would be able to hack a 12 character WPA 2 password even with rainbow tables. In a year or two I might move up to a 15 character minimum.


GRC's Interactive Brute Force Password “Search Space” Calculator

(NOTHING you do here ever leaves your browser. What happens here, stays here.)

atomicfrizzl

Enter and edit your test passwords in the field above while viewing the analysis below.

Brute Force Search Space Analysis:

Search Space Depth (Alphabet): 26

Search Space Length (Characters): 7 characters

Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 8,353,082,582

Search Space Size (as a power of 10): 8.35 x 10^9

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:

(Assuming one thousand guesses per second) 3.19 months

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 0.0835 seconds

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 0.0000835 seconds

 

Pretty easy one :(
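The calculation behind the "Search Space" box pasted above, reimplemented as an added example (my code, not GRC's). It infers the alphabet from the character classes present (26 upper, 26 lower, 10 digits, 33 symbols, as on the haystack page), sums the count of every string up to the password's length, and divides by the three guess rates quoted throughout the thread. With a 7-letter lowercase input it reproduces the 8,353,082,582 count and 0.0835 s offline figure above, and with "X#4D2ai&" from earlier in the thread it reproduces the 18.62 hours and 1.12 minutes. The sample passwords are constructed (the poster above did not show theirs), and the day/month/century conversion constants are mine, so the final digits of the long times can differ slightly from GRC's.

```python
import string

# Alphabet sizes matching the haystack page: 26 upper, 26 lower, 10 digits,
# 33 printable symbols (95 printable ASCII characters in total).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}

# Guess rates for the three scenarios quoted in every post above.
SCENARIOS = {
    "Online Attack Scenario": 1_000,
    "Offline Fast Attack Scenario": 100_000_000_000,
    "Massive Cracking Array Scenario": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["upper"]
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lower"]
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digit"]
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(password: str) -> int:
    """Count of all passwords of length 1..len(password) over that alphabet.
    Python integers are arbitrary precision, so this is exact for any length."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_search(password: str, scenario: str) -> float:
    """Seconds to try the entire space at the scenario's guess rate."""
    return search_space(password) / SCENARIOS[scenario]


def humanize(seconds: float) -> str:
    """Largest fitting unit, two decimals. Constants assume a 365.25-day year."""
    units = [
        ("centuries", 3_155_760_000),
        ("years", 31_557_600),
        ("months", 2_629_800),
        ("days", 86_400),
        ("hours", 3_600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.4g} seconds"


def report(password: str) -> dict:
    """Exhaustive-search time per scenario, as human-readable strings."""
    return {name: humanize(seconds_to_search(password, name)) for name in SCENARIOS}


if __name__ == "__main__":
    # Constructed inputs: a 7-letter lowercase word standing in for the one in
    # the post above, plus the two passwords compared earlier in the thread.
    for pw in ("lurking", "X#4D2ai&", "mypasswordisverylong"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):,}")
        for scenario, text in report(pw).items():
            print(f"  {scenario}: {text}")
```

Note what the number measures: only how many strings exist with that alphabet and length. The calculator says nothing about whether the password is a dictionary word or a leaked one, which is why the page carries the "NOT a Password Strength Meter" warning quoted later in the thread.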


Here's mine. Made it up myself, no random generators here.

 

6 Uppercase 13 Lowercase 7 Digits 1 Symbol 27 Characters

 

Online Attack Scenario:

(Assuming one thousand guesses per second) 80.45 thousand trillion trillion trillion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 8.04 hundred million trillion trillion centuries

Massive Cracking Array Scenario:

(Assuming one hundred trillion guesses per second) 8.04 hundred thousand trillion trillion centuries

 

Putting that same key into http://askthegeek.us/pwd_meter/index.htm gives it a 72% strength rating.


> Just been lurking around Whirlpool and found a link to https://www.grc.com/haystack.htm which enables you to check the strength of your password.

Heh, I just found this under the stats box...

 

IMPORTANT!!! What this calculator is NOT . . .

 

It is NOT a “Password Strength Meter.”

:P

 

Rob.

Edited by robzy


Y'know what? Since none of the stuff I need a password for is susceptible to offline attack, nor interesting enough to warrant it even if it were, I'm quite ok with an online attack time of anything over a century.

 

As it is, my weakest one is a few hundred trillion centuries. :P

