Time needed to crack passwords


  • Can someone please explain why software can't be written that only allows, say, three attempts at a password instead of the millions that are surely needed to crack reasonably imaginative combinations?
  • DevCoder
    Most software is written like that (although 3 guesses is quite low, 5-10 tends to be more common).
    Although if the software uses challenge/answer hashes then an attacker just needs the hash and can target that offline (WPA rainbow table hacking for example).
  • aliEnRIK
    I would say most decent sites can combat this. But as we know, many people are registered to many different sites and use the same or similar passwords. So once they've hacked one...........
    :idea:
  • securityguy
    Can someone please explain why software can't be written that only allows, say, three attempts at a password instead of the millions that are surely needed to crack reasonably imaginative combinations?

    That's the distinction between "online" and "offline" attacks. An online attack is where the attacker is given an opportunity to input a password and then find out if it's right. As you say, sensible websites either lock accounts after some number of bad guesses or have some sort of rate limiting which slows the rate down the more bad attempts there have been.

    However, an offline attack is where the password has been stored as a secure hash and the attacker has that hash (1). They can then deploy whatever computing resources they have to hand, from a PC through to the entire capability of GCHQ, to attempt to guess the password. Obviously, in order to do this, the attacker has to have access to the hashes. But they can do all this guessing in private, so you cannot prevent them doing as much of it as they want.

    So the "this can be broken in three days" doesn't mean "someone can bang against the website for three days and guess your password", it means "given the secure hash, which they shouldn't have, they can guess your password in three days given some estimate of the computing resources they have available".

    The problem is that originally, way back when, the idea of using hashes like this was that it was infeasible to perform that guessing. So the hashes were effectively public. The Unix password file format circa 1980 exposed the hashes of every user to every other user, and this wasn't really a serious risk.

    But in the mid 1980s, it became practical to hash the entire dictionary, common password patterns and so on, given a few days' work on a computer science department sized network. Today, you can hash the entire dictionary plus lots of common passwords in a few hours on a laptop, and can start making serious inroads into trying every combination of eight characters in a few days with a few computers to hand.

    So today you need to treat hashes almost as carefully as you would a file of plaintext passwords. Unfortunately, old habits die hard, and password hashes aren't terribly well looked after.

    There are short-term solutions. One popular one is to iterate the hash. If instead of using the hash algorithm once you use it a thousand times, it takes the attacker a thousand times longer to do their thing. But computers speed up by a factor of a thousand roughly every fifteen years, so you have to keep increasing that iteration count. And if something happens which changes the game --- fast hash implementations running on graphics cards, for example --- any advantage the iteration is giving can rapidly be rendered irrelevant.

    Passwords are rubbish. Most of the ways we know to store them fail in the face of offline attacks, system developers are bad at preventing the leaking of hashes (and often don't even do the hashing properly), users are bad at generating and remembering them, and users choose bad passwords. Find a solution, get your PhD (and the rest).

    I use Lastpass to store a separate, random password, ideally of sixteen characters, ideally containing the whole range of characters (although many websites limit both of these), for every website I use. That's ~200 passwords stored in the database. This is hardly an ideal solution, and I'm of course shifting the risks to new places (the Lastpass software, particularly) rather than fixing them. But as I say, fame and fortune awaits anyone who comes up with a scaleable, effective better solution. Most of the two-factor approaches have their own limitations.

    (1) A secure hash is a function which maps an input, such as a password, to an output, where it is computationally infeasible to reverse the process. So if I show you a hash and tell you that it is the result of hashing an eight character password, you should have no faster method of finding the password than trying all combinations of eight characters. Passwords are stored by taking the password, adding a random string called (for historical reasons) "salt", and then hashing the result. The salt is there to prevent common passwords always hashing to the same results.
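
Added example, not part of securityguy's post: a sketch of the stored record the post describes (salt, iterated hash) next to the online lockout counter, plus the arithmetic behind "can be broken in N days". PBKDF2-HMAC-SHA256, the threshold of 5 and the 1e9 hashes/second attacker speed are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5    # assumed online lockout threshold (the thread suggests 5-10)
ITERATIONS = 1000   # "a thousand times" as in the post; real deployments need far more

def _stretch(password, salt, iterations):
    # PBKDF2-HMAC-SHA256: a standard salted, iterated hash (algorithm choice is an assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password, iterations=ITERATIONS):
    """What the server stores: random salt, iteration count, digest, failure counter."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": _stretch(password, salt, iterations), "failures": 0}

def check_login(record, attempt):
    """Online path: every guess goes through the server, so the server can count them."""
    if record["failures"] >= MAX_FAILURES:
        return "locked"
    candidate = _stretch(attempt, record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["digest"]):  # constant-time comparison
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "bad"

def exhaustive_days(alphabet, length, hashes_per_second, iterations=1):
    """Offline path: nobody counts guesses, so only the cost per guess matters.
    Returns days needed to try every password of the given length."""
    return (alphabet ** length) * iterations / hashes_per_second / 86400

if __name__ == "__main__":
    a, b = make_record("correct horse"), make_record("correct horse")
    print("same password, different digests:", a["digest"] != b["digest"])
    # Constructed guesses: five wrong ones lock the account before the right one arrives
    for guess in ["password", "passw0rd", "letmein", "qwerty", "123456", "correct horse"]:
        print(guess, "->", check_login(a, guess))
    # 1e9 hashes/second is an assumed attacker speed, not a figure from the thread
    for n in (1, 1000):
        print(n, "iterations:", round(exhaustive_days(26, 8, 1e9, n), 3), "days")
```

The lockout only protects the online path; anyone holding the record can recompute the digest without touching the failure counter, which is why the iteration count (and keeping the record private) is what matters offline.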
  • spud17
    Move along, nothing to see.
  • And if something happens which changes the game --- fast hash implementations running on graphics cards, for example --- any advantage the iteration is giving can rapidly be rendered irrelevant.

    P = NP → all your bank account are belong to us?

    (I've been reading The Laundry Files)
  • securityguy
    P = NP → all your bank account are belong to us?

    (I've been reading The Laundry Files)

    Assuming the attacker has the hash, yes.

    But I wouldn't lose any sleep over it.
  • Just 3 hours to crack what I thought was a pretty good one, changing 1 digit makes it 7 hours while remaining as memorable...
    Utinam logica falsa tuam philosophiam totam suffodiant.
  • John_Gray
    Hmmm. "password" doesn't take very long to crack. And neither does "passw0rd"!
    Think I'll have to change this on all websites, programs,...
  • SteveJW
    Whatever you think of Microsoft they do offer a password checker, I assume it's a genuine site

    http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx

    And it tells me that R5µ%79ì[âe~ÂâÂ/5)»!‘ is rated best

    But it also says
    Protect your passwords from prying eyes

    The easiest way to "remember" passwords is to write them down. It is okay to write passwords down, but keep the written passwords in a secure place.
This discussion has been closed.