Time needed to crack passwords
Comments
Whatever you think of Microsoft they do offer a password checker, I assume it's a genuine site
http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx
And it tells me that R5µ%79ì[âe~ÂâÂ/5)»!‘ is rated best
But it also says
Protect your passwords from prying eyes
The easiest way to "remember" passwords is to write them down. It is okay to write passwords down, but keep the written passwords in a secure place.
I was also going to post this link.
I've just tried a 9 character (upper, lower, numeral, symbol) password on the MS link, and it's only rated as 'Medium'.
But according to the link from the Avast site, it would take 999253 years to crack.
Hmmm.
I also keep my passwords written down, but with a slight 'shift' or 2 from what they actually are.
Move along, nothing to see.
0 -
I was surprised at how secure some of my passwords are.
I used to use a date eg: 19mar73. Then added a couple of letters to the start. Even some of these to have crack time (display): centuries.
Add in a couple of random characters $& for example and all my fairly simple 11 character passwords seem to get good scores.
I'd been thinking it was time for a change. I won't bother now.
0 -
and this ladies and gentlemen is why I don't bother posting on here anymore
some of us have missed you RIK, mate
whilst there does seem to have been a bit of excess cynicism around lately (partly why I've been more absent than not) we all ain't bad......
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
Perhaps someone can explain...
What does taking a hundred years to crack actually mean in practice, or even theoretically? Surely if the only information you have is whether a password is right or wrong you will never crack it except by exhaustive search unless it is one of the obvious personal things like your budgie's birthday or whatever. And if you use exhaustive search you are limited by the response time to find out whether you guessed right or not.
The only other information that could help would be the encrypted form of the password. But then you would need access to a large number of password/encryption pairs. A single one or even a few won't help unless you happen to know the nature of the encryption.
0 -
Perhaps someone can explain...
What does taking a hundred years to crack actually mean in practice, or even theoretically? Surely if the only information you have is whether a password is right or wrong you will never crack it except by exhaustive search unless it is one of the obvious personal things like your budgie's birthday or whatever. And if you use exhaustive search you are limited by the response time to find out whether you guessed right or not.
The only other information that could help would be the encrypted form of the password. But then you would need access to a large number of password/encryption pairs. A single one or even a few won't help unless you happen to know the nature of the encryption.
You also have to take into account the information it is protecting. Would I care that it takes 6 months for someone to crack my Money Saving Expert forums password? Not really - people wouldn't spend that much effort trying for such a small payoff. But should we care that it takes 6 months to crack the launch codes for all our nuclear weapons? Hell yes!
However is there much extra effort on my part to have a more secure Money Saving Expert password? Nope.
There are other factors in how long it takes to crack a password; for example the hashing algorithm (LM Hashes will take a few seconds whereas SHA-256 hashes could take centuries for the same password).
0 -
I'm going off now to change my password .... ABC123 I didn't think anyone would think of that.
Liverpool is one of the wonders of Britain,
What it may grow to in time, I know not what.
Daniel Defoe: 1725.
0 -
Recently there was an interesting system demonstrated which consisted largely of GPUs and was able to crack standard Windows passwords very quickly but it's also worth a read as it answers some of the questions in this thread about how breaking a password works:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
John
0 -
Think of an amazing unhackable by quantum computers 64 character password using all areas of the keyboard, and then have a security question, "what is your favourite colour?"
0 -
Since HSBC gave those little keyrings out which give you back a new password every time you do any Internet banking, it's a pain in the a*re to use but I imagine it must be pretty secure.
Liverpool is one of the wonders of Britain,
What it may grow to in time, I know not what.
Daniel Defoe: 1725.
0 -
mr_fishbulb wrote: »The bit I have boldified is what it means. An exhaustive search - i.e. trying every combination of characters until the right password is found - is called a brute force attack. As processing power increases, the time to go through all the combinations decreases.
Only if you have the hash. That's the point: if you attempt to crack a password by using an oracle which says "yes that's right" or "no that's wrong", then the oracle can rate-limit your attack by taking a second to return a response, by refusing to take more than ten wrong passwords per day for a given account, etc. In fact, that's why the current bad guys tend to scan a list of accounts (normally email addresses) for a single password, rather than vice versa, so they only book one wrong password attempt to each account. You can have as much processing power as you like, and it won't help you.
»There are other factors in how long it takes to crack a password; for example the hashing algorithm (LM Hashes will take a few seconds whereas SHA-256 hashes could take centuries for the same password).
LMHASH is a special case, because it's completely broken for this application. Other hash functions have properties which are a concern for some applications, but as of today, even MD5 works for password hashing. The flaws in MD5 don't affect it for this case. It's far more likely that poor choice of salt will weaken a password hashing scheme than anything else.
And in all this stuff, the lesson is straightforward: don't provide hashes to attackers. Treat the hashes as you would plaintext, and all will be well.
0
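The last post notes that a per-account limit on wrong passwords is sidestepped when one password is tried across a list of accounts. The following is an added example, not part of any post in the thread, of log-side detection for that pattern. The log format, addresses, thresholds and function names are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2013-01-10T09:00:01 FAIL user=alice@example.com src=203.0.113.7
2013-01-10T09:00:02 FAIL user=bob@example.com src=203.0.113.7
2013-01-10T09:00:03 FAIL user=carol@example.com src=203.0.113.7
2013-01-10T09:00:04 FAIL user=dave@example.com src=203.0.113.7
2013-01-10T09:00:05 FAIL user=erin@example.com src=203.0.113.7
2013-01-10T09:05:10 FAIL user=bob@example.com src=198.51.100.20
2013-01-10T09:05:20 FAIL user=bob@example.com src=198.51.100.20
2013-01-10T09:05:31 OK user=bob@example.com src=198.51.100.20
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (result, user, src) tuples, skipping junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), m.group(3), m.group(4)))
    return events

def locked_accounts(events, max_failures=10):
    """Accounts that a per-account limit of max_failures would lock."""
    fails = defaultdict(int)
    for result, user, _src in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def spray_sources(events, min_accounts=4, max_per_account=2):
    """Sources failing against many accounts with only a few tries on each."""
    by_src = defaultdict(lambda: defaultdict(int))
    for result, user, src in events:
        if result == "FAIL":
            by_src[src][user] += 1
    return {src: sorted(users) for src, users in by_src.items()
            if len(users) >= min_accounts
            and max(users.values()) <= max_per_account}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked by per-account limit:", locked_accounts(ev))
    print("flagged as spraying:", spray_sources(ev))
```

On the sample, the ten-per-account limit locks nobody, while grouping failures by source flags the address that touched five accounts once each and ignores the user who mistyped twice before logging in.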
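On the point about salt choice in the last post, here is an added example (not code from the thread) that audits a stored password table for salts that are short, reused or equal to the username, and shows the visible consequence of a shared salt. The record layout, the 16-byte minimum, the PBKDF2 work factor and all names are assumptions of this sketch.

```python
import hashlib
import os
from collections import Counter, defaultdict

ITERATIONS = 50_000  # illustrative work factor, an assumption of this example

def make_record(user, password, salt=None):
    """Store a PBKDF2-HMAC-SHA256 hash; random 16-byte salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": user, "salt": salt, "hash": digest}

def audit_salts(records, min_len=16):
    """Return {user: [problems]} for salts that are short, reused or predictable."""
    counts = Counter(r["salt"] for r in records)
    findings = {}
    for r in records:
        problems = []
        if len(r["salt"]) < min_len:
            problems.append("short")
        if counts[r["salt"]] > 1:
            problems.append("reused")
        if r["salt"] == r["user"].encode():
            problems.append("predictable")
        if problems:
            findings[r["user"]] = problems
    return findings

def shared_hashes(records):
    """Groups of users whose stored (salt, hash) pairs are identical."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["salt"], r["hash"])].append(r["user"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed users and passwords for the demonstration.
USERS = [("ann", "ABC123"), ("bob", "ABC123"), ("cy", "19mar73xy")]
FIXED_SALT = [make_record(u, p, salt=b"site") for u, p in USERS]
RANDOM_SALT = [make_record(u, p) for u, p in USERS]

if __name__ == "__main__":
    print(audit_salts(FIXED_SALT), shared_hashes(FIXED_SALT))
    print(audit_salts(RANDOM_SALT), shared_hashes(RANDOM_SALT))
```

With the fixed salt, the two users who chose the same password end up with identical stored hashes, so the table itself reveals the reuse; with per-user random salts the same passwords produce unrelated hashes.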
This discussion has been closed.