
How safe is encryption actually?


Comments

  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    k_man said:
    GDB2222 said:
    I have one password that has been thoroughly compromised.

    Anyway, now the cabling question has been answered, I can get on with asking about this...

    How do you know it's been compromised? Have various accounts been hacked?
    A good starting point to see if any accounts using your email address/username have been compromised:

    https://haveibeenpwned.com/

    If there are any results, there is significant risk that the associated password used on that system has also been compromised.

    You can also check if a specific password is in a compromise list here:
    https://haveibeenpwned.com/Passwords

    Note: this does involve sending a hashed version of your password to the site (ETA: you don't have to hash the password yourself, this was just highlighting that you are sending your password to the site, albeit not in plain text)

    Many password managers can do both these checks automatically for you.


    Finally, not showing in these lists doesn't mean your credentials aren't leaked, just that they are not in the public lists (yet).



    Interesting.

    One of my email addresses has been in 7 data breaches, but the one I use for 'official' stuff hasn't been in any.

    A typical password I'll use has been 'seen' 4 times, however a variation of it hasn't been seen at all.

    Thing is - what does this actually MEAN? In normal-talk.

    It's been compromised - so what?
    It's been in a data breach - so what?
    Password has been 'seen' - well by who, and how, and regardless, so what?

    If my details had been got at then surely they would've accessed my stuff, yet they haven't. Or they have but never did anything & I never got any alerts to say my account had suddenly been accessed from halfway across the world.

    So things are riskier but what does THAT mean? Someone has all my details & they're just waiting for the right day to use them?

    Yes. Albeit not someone, but anyone with nefarious intentions has access to the list of passwords and/or usernames.
    These details are used to try all common systems, when they get around to it.
    You may not know because:
    No one has tried yet
    Or
    You have 2FA, so they don't get in
    Or
    The compromised system doesn't alert you
    Or
    You are lucky and no one will ever try


    And how has my keyboard smash, not even a proper word password been 'seen'? Tracker files on my PC?

    Most likely is that one of the systems you used the password on has been compromised, and stored the password weakly.

    Or you accidentally typed/pasted it somewhere

    Or, you have malware on one of your systems (least likely).

    Normal (non malware) web tracking cookies etc wouldn't leak this.
    As you suggest, you may be fine/lucky (so far), as nothing seems to have happened.
    But if you used unique and strong passwords on each site, then there is no need to rely on luck for these type of risks.

    A really strong password is only as strong as the systems that store it.
    As such a good strong password used many times is, in general, much worse, than unique but less strong.
    As in the latter, the weakest system risks all the others.

    Better than both is strong and unique.
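    An added example (not code from the thread or from the Have I Been Pwned project) of how the Pwned Passwords check described above avoids sending your password: only the first five hex characters of its SHA-1 hash leave your machine, and the match against the returned list happens locally. The range response below is a constructed sample; the real endpoint is https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for hash prefix 5BAA6.
# Each line is the remaining 35 hex characters of a SHA-1 hash plus the number of
# times it was seen in breach data. The counts are made up; a real response holds
# several hundred lines for any given prefix.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"  # suffix of SHA-1("password")
        "00112233445566778899AABBCCDDEEFF001:2\n"        # made-up entry
    ),
}

def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 uppercase hex characters (the form HIBP uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_k_anonymity(digest: str) -> tuple[str, str]:
    """Only the 5-character prefix is sent to the service; the suffix stays local."""
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table, ignoring blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, answering from the constructed sample only."""
    return SAMPLE_RANGES.get(prefix, "")

def fetch_range_online(prefix: str) -> str:
    """Real query (not exercised here): GET https://api.pwnedpasswords.com/range/<prefix>."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Times the password appears in the corpus; 0 means 'not in the public lists (yet)'."""
    prefix, suffix = split_for_k_anonymity(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "constructed-unique-example-2022"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

Pass `fetch_range_online` as the second argument of `pwned_count` to query the live service; the password itself is never part of the request either way.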

  • debitcardmayhem
    debitcardmayhem Posts: 12,664 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 7 July 2022 at 8:55PM
    Of course talking about passwords that have been seen/part of a breach or whatever, if you use different email addresses for each site you visit then the breach is only valid for that site and if said site uses 2FA then ...work it out it's not really a problem. I remember my accounts with Adobe being leaked years ago, but of course I have new emails for them now.
    Edited of course the compromised emails I used just go to the bin.
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    There are types of 'attacks':
    Online
    Where the live system is targeted. For most systems this means known/likely username and password are required.
    Access attempts are massively limited, so all users with all passwords, or more brute force is not feasible 

    Offline
    A copy of data is accessed, and is available offline e.g. login details database is downloaded (usernames are usually not encrypted), or an encrypted file (where there is no username). In this case access attempts can be very very high rate and usually go through: common passwords, password lists, all possible passwords (brute force).
    In this case the only protection is unique and long passwords, ideally with extended character sets (not just numeric, alpha, or alphanumeric)
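    An added example, not from the thread, putting numbers on the online/offline distinction above: the same password has a worst-case brute-force time that differs by many orders of magnitude depending on where the guessing happens and how the stolen copy was hashed. Every guessing rate and character-set size here is an assumption for illustration, not a figure from the thread or from the chart discussed later.

```python
# Sizes of the character sets a chart like the one discussed usually distinguishes.
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,
}

# Assumed guesses per second for three scenarios (illustrative, not measured).
GUESS_RATES = {
    "online: rate-limited login page": 10.0,             # a few guesses per second at most
    "offline: leaked bcrypt hashes": 1e5,                # slow hash, ~100k guesses/s
    "offline: leaked unsalted MD5/SHA-1 hashes": 1e10,   # fast hash, ~10 billion guesses/s
}

YEAR = 365 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length from this character set."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for a pure brute-force search; on average the hit comes halfway through."""
    return keyspace(charset_size, length) / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, to three significant figures."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"

def crack_time_table(length: int) -> dict[tuple[str, str], str]:
    """(character set, scenario) -> worst-case time, for one password length."""
    return {
        (cs, scen): humanize(seconds_to_exhaust(n, length, rate))
        for cs, n in CHARSET_SIZES.items()
        for scen, rate in GUESS_RATES.items()
    }

if __name__ == "__main__":
    # 11 characters, as in the password formats compared later in the thread.
    for (cs, scen), t in crack_time_table(11).items():
        print(f"{cs:34} {scen:44} {t}")
```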

  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 7 July 2022 at 11:18PM
    This is quite an interesting chart - worth checking your 4 passwords on this and see how they stand up to an offline attack.

    Of course that is just brute force, if your password contains any dictionary words (including those "0bfu5c4ted" in this way) it is much quicker.

    Over 15 years ago I thought I knew it all and went down the path of a standard password for every account. I thought it was uncrackable, 10 characters, no dictionary words and met the criteria of the last column. I could memorise it yet it was complex enough not to be brute forced in a reasonable time - although that is reducing rapidly.

    That was until I got a notification of a suspicious log in from the Philippines on one of my online accounts a couple of years ago. I doubt it was brute forced, probably leaked somehow, I have so many online accounts.

    I spent a week changing over 700 accounts with the same password to unique randomly generated 15 character ones - they are all now safe from brute force and if one of them gets leaked, no other accounts are compromised.

    Funnily enough I got a notification 3 days ago about that original password being found in a data breach, I'm so glad I changed everything when I did. I still use it for a couple of minor internal systems on my network which is why it was picked up by Google password manager, those have also now been changed.


  • JustAnotherSaver
    JustAnotherSaver Posts: 6,709 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper I've been Money Tipped!
    edited 8 July 2022 at 9:29AM
    That's an interesting chart.

    Looks like the earlier format of my password will be in the 2 hours to 3 years category (11 lower case characters, mixture of letters & numbers) with the revised form being 3 years (11 characters, upper & lower with numbers) to 3000 years (12, upper, lower, numbers & special character)

    Looking in my password manager, I have 300-350 entries for various things. Banking, forums, general internet, emails.

    Currently using KeePass which is manual. I like it but I was considering switching to something that's a bit more automatic.



    Side unrelated note - Why can I hear the 8TB drive I bought last week when I'm trying to access files off it? It's a Seagate Ironwolf 8TB. I had the 6TB version (which is the one that had that issue last week) which was quiet.
  • Ergates
    Ergates Posts: 3,022 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 8 July 2022 at 9:49AM
    Imagine if this was a coffee shop...

    Do you do a cappuccino here?
    We do a latte, a mocha, a cortado, a flat white........................

    Yeah I just want to know if you do a cappuccino.
    Well IF you had asked if we do cappuccinos, then the answer would be yes.


    Another analogy might be though:  Your son comes up to you and says "Ummmm, Dad, do we have any superglue?".  He's asked a "Yes"/"No" question, but you still might be inclined to ask "Why?" rather than just answering.

    On web forums that cover things like networking questions like: "I'm thinking of cabling up my house, should I buy CAT6 or CAT6A?"  are very common - lots of people waste money buying CAT6A, thinking it's "the best" - which is how people interpreted the question.
  • Ergates said:
    Imagine if this was a coffee shop...

    Do you do a cappuccino here?
    We do a latte, a mocha, a cortado, a flat white........................

    Yeah I just want to know if you do a cappuccino.
    Well IF you had asked if we do cappuccinos, then the answer would be yes.


    Another analogy might be though:  Your son comes up to you and says "Ummmm, Dad, do we have any superglue?".  He's asked a "Yes"/"No" question, but you still might be inclined to ask "Why?" rather than just answering.

    On web forums that cover things like networking questions like: "I'm thinking of cabling up my house, should I buy CAT6 or CAT6A?"  are very common - lots of people waste money buying CAT6A, thinking it's "the best" - which is how people interpreted the question.

    Please don't be like the politician on page 2.

    This isn't a game of chess. We do not need to be thinking 20 moves ahead. It really was just a simple case of what is this cable, is it this or that. 
    Oh it's that? Right, ok thanks. Bye.

    It was honestly that simple.
    I know this is an unpopular opinion here but not everything has to lead somewhere. Some things can be taken on face value.
  • onomatopoeia99
    onomatopoeia99 Posts: 7,155 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 9 May 2024 at 12:42PM
    This is quite an interesting chart - worth checking your 4 passwords on this and see how they stand up to an offline attack.

    Of course that is just brute force, if your password contains any dictionary words (including those "0bfu5c4ted" in this way) it is much quicker.

    Over 15 years ago I thought I knew it all and went down the path of a standard password for every account. I thought it was uncrackable, 10 characters, no dictionary words and met the criteria of the last column. I could memorise it yet it was complex enough not to be brute forced in a reasonable time - although that is reducing rapidly.

    That was until I got a notification of a suspicious log in from the Philippines on one of my online accounts a couple of years ago. I doubt it was brute forced, probably leaked somehow, I have so many online accounts.

    I spent a week changing over 700 accounts with the same password to unique randomly generated 15 character ones - they are all now safe from brute force and if one of them gets leaked, no other accounts are compromised.

    Funnily enough I got a notification 3 days ago about that original password being found in a data breach, I'm so glad I changed everything when I did. I still use it for a couple of minor internal systems on my network which is why it was picked up by Google password manager, those have also now been changed.



    Brute force needs some explanation on that chart, because it assumes that a hashed version of the password is in the hands of the cracker, which is a big assumption.  It's not how long it would take with repeated attempts to log in via a web page.

    Rainbow tables exist for smaller lengths / complexities already, but they get into terabytes in size around the red/orange boundary on the chart.
    Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
  • Ergates
    Ergates Posts: 3,022 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 8 July 2022 at 12:20PM
    This is quite an interesting chart - worth checking your 4 passwords on this and see how they stand up to an offline attack.

    Of course that is just brute force, if your password contains any dictionary words (including those "0bfu5c4ted" in this way) it is much quicker.

    Over 15 years ago I thought I knew it all and went down the path of a standard password for every account. I thought it was uncrackable, 10 characters, no dictionary words and met the criteria of the last column. I could memorise it yet it was complex enough not to be brute forced in a reasonable time - although that is reducing rapidly.

    That was until I got a notification of a suspicious log in from the Philippines on one of my online accounts a couple of years ago. I doubt it was brute forced, probably leaked somehow, I have so many online accounts.

    I spent a week changing over 700 accounts with the same password to unique randomly generated 15 character ones - they are all now safe from brute force and if one of them gets leaked, no other accounts are compromised.

    Funnily enough I got a notification 3 days ago about that original password being found in a data breach, I'm so glad I changed everything when I did. I still use it for a couple of minor internal systems on my network which is why it was picked up by Google password manager, those have also now been changed.



    Brute force needs some explanation on that chart, because it assumes that a hashed version of the password is in the hands of the cracker, which is a big assumption.  It's not how long it would take with repeated attempts to log in via a web page.

    Rainbow tables exist for smaller lengths / complexities already, but they get into terabytes in size around the red/orange boundary on the chart.
    I also like that the chart doesn't go to green until we get to billions of years.  Like that's the threshold of a good password - if it can be cracked in 100,000 years then that's only amber and 100 years is positively risky.
  • Ergates
    Ergates Posts: 3,022 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Ergates said:
    Imagine if this was a coffee shop...

    Do you do a cappuccino here?
    We do a latte, a mocha, a cortado, a flat white........................

    Yeah I just want to know if you do a cappuccino.
    Well IF you had asked if we do cappuccinos, then the answer would be yes.


    Another analogy might be though:  Your son comes up to you and says "Ummmm, Dad, do we have any superglue?".  He's asked a "Yes"/"No" question, but you still might be inclined to ask "Why?" rather than just answering.

    On web forums that cover things like networking questions like: "I'm thinking of cabling up my house, should I buy CAT6 or CAT6A?"  are very common - lots of people waste money buying CAT6A, thinking it's "the best" - which is how people interpreted the question.

    Please don't be like the politician on page 2.

    This isn't a game of chess. We do not need to be thinking 20 moves ahead. It really was just a simple case of what is this cable, is it this or that. 
    Oh it's that? Right, ok thanks. Bye.

    It was honestly that simple.
    I know this is an unpopular opinion here but not everything has to lead somewhere. Some things can be taken on face value.
    I get that - I was just providing context round why people may have interpreted your question differently.   If you hear the same question repeatedly, then when someone asks a similar sounding question, you tend to hear it as the common question.  So, whenever someone asks *any* question about cat6/cat6a people hear "Do I need Cat6a".   It's like the "Have you tried switching it off and on again" joke in the IT Crowd.