How safe is encryption actually?
Brute force needs some explanation on that chart, because it assumes that a hashed version of the password is in the hands of the cracker, which is a big assumption. It's not how long it would take with repeated attempts to log in via a web page.
Ergates said:
I also like that the chart doesn't go to green until we get to billions of years. Like that's the threshold of a good password - if it can be cracked in 100,000 years then that's only amber and 100 years is positively risky.
Yes, so it does appear a bit extreme but those are maximum times. The way a brute force attack works means that you need to try say a trillion combinations and one of them will be correct.
By sheer chance, the 1st of those trillion combinations could be the correct one and even a billion year password could be cracked instantly.
Reality is though that the chances of it being the first one diminish as you head down the chart but brute force models can be made sophisticated enough to rule out billions of combinations as low likelihood - so the chance of the password being "AAAAAAAAAAA" is slimmer, so a whole bunch of passwords with repeating or sequential characters can be made low priority.
Ergates said:
I get that - I was just providing context round why people may have interpreted your question differently. If you hear the same question repeatedly, then when someone asks a similar sounding question, you tend to hear it as the common question. So, whenever someone asks *any* question about cat6/cat6a people hear "Do I need Cat6a". It's like the "Have you tried switching it off and on again" joke in the IT Crowd.
I've been around this board for a while so I'm very aware of how things are.
The sad thing is - is that a lot of people around these parts think they're Sherlock, making assumptions left & right.
Personally I like to go a different route. So to take my question as an example...
Playing the role of Sherlock, I'd respond how some people did. How I'd have done it had I been on the other side of the fence is - that's a Cat6 cable (note giving the answer straight away rather than refusing to / choosing not to) but that'll suffice in a home / your setup. Are you thinking of getting Cat6A, Cat7, Cat8 etc? (note - not wasting time going too deep in to why these would be a waste of time because the other person may say no I wasn't thinking of it. If they say yeah I was then we can go there).
I don't think anyone will convince me my way of approaching the question is anything other than better than the way it was originally approached by others.
But what do I know. Maybe some people like trying to be Sherlock?!
If you have 2 step verification on an account, does that not reduce the need for a strong password?
Or are there good reasons for retaining a strong password?
goodValue said:If you have 2 step verification on an account, does that not reduce the need for a strong password?
Or are there good reasons for retaining a strong password?
Strong passwords and 2FA tackle different security risks and therefore a strong password is still needed.
If I've understood correctly, 2FA requires you to have a physical device in your possession.
So, a strong password is required for people who have lost their laptop or mobile?
goodValue raises a point.
So if I have my house broken into & my laptop is stolen with all my most personal files on it and my password is "password" then I'm in trouble right. I think we can agree on that.
But providing nobody can pry my phone out of my hands and I have 2FA enabled on things - banking for example, my phone account etc. Does it even matter if my password is "password"?
I remember back when I was an iPhone user, I would forever get pop ups on my screen saying someone in China / India (always seemed to be those countries. Was never any Scandinavian country for example) was trying to access my iCloud account.
I'd just hit decline or whatever & it went away ... until the next one.
So as I say, would it matter if the password was password in that 2FA situation?
And to take it further - for that to come up on my screen, would they have known what my password was - as in would they have managed to somehow obtain it (I guess 1st step) and that's how they got on to the pop up on my phone (2nd step?) or would the pop up have occurred even if they'd entered the wrong password?
Laptop passwords themselves don't protect your data unless your disk is encrypted.
But back to the 2FA, the reality is no security system is 100% secure but what you can do is reduce the odds that you are the victim, and 2FA reduces that significantly but not if you are leaving other doors open with a simple password.
I had a colleague who was a victim of a relatively simple hack, a new SIM was requested from their mobile provider and sent to a different address. As soon as the SIM went live the hacker effectively had their 2FA device as well. They lost £thousands before they even knew, their own mobile had gone offline at this point and they couldn't see what was going on.
So the weakness wasn't the bank with 2FA but their mobile phone account which opened the door to the 2FA.
However the hacker must also have known their bank details and password, they have no idea how this happened but it does. It may well have been a password used across many sites and was leaked elsewhere.
Don't underestimate the determination and volume of hacking attempts.
Just last week I had needed to connect to an O2 public WiFi, I don't normally do this but desperately had to. 3 hours later I get a call from an Indian call centre scammer who was trying to give me half price O2 mobile and managed to get a 2FA code sent to my mobile that they were trying to prise from me - I had some fun for a few minutes quoting incorrect codes before they hung up.
How the hell that happened I'll never know but the hacker was just 6 digits away from my O2 mobile account access and possibly a huge amount of other hacking.
That was with a complex password as well.
Perils of public WiFi.
So in summary, the whole point of 2FA is providing more layers to make it more difficult, don't make one of those layers easy.
Just to add to the mix - on the offline attack time chart, 'characters' in your password is only meaningful if you are talking about truly random characters, i.e. not words.
Thus your 15 character password 'elephantcabbage' is really only a 2 character password if the attacker uses a dictionary attack.
Olinda99 said:
Just to add to the mix - on the offline attack time chart, 'characters' in your password is only meaningful if you are talking about truly random characters, i.e. not words.
Thus your 15 character password 'elephantcabbage' is really only a 2 character password if the attacker uses a dictionary attack.
A 2 word password is similar in strength (time to brute force, assuming a dictionary attack with multiple words is even being used) to a 6 character password, so is indeed weak. But still better than all the single word passwords in use!
Or reused passwords (which have the risk of being leaked).
Password attacks are usually done in the following order (or slight variant):
- Short list of common passwords
- Longer list of common passwords
- Single dictionary words (common words)
- Single dictionary words (inc. less common words)
- Big list of leaked passwords
(All the above are near instant for offline attacks)
- Brute force (may include multiple words)
If you can make sure the password at least requires brute force, you are at least no longer the low hanging fruit.
Add a few more words, and make sure some are unusual/made up (effectively increases the character set), and passphrases are strong and easier to remember (for those few passwords that need to be memorized. Use of a password manager and unique and random is preferable for most passwords).
Further light reading:
https://weberblog.net/password-strengthentropy-characters-vs-words/#:~:text=However, to have at least,an entropy of 70 bits.
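The attack ladder above, the earlier point that 'characters' only count when they are genuinely random, and the chart's maximum times versus online guessing rates can all be put into numbers. This is an added example, not code from the thread or from anyone posting in it; the wordlists are tiny constructed stand-ins, and the 20,000-word dictionary size and the 10/s online and 1e10/s offline guess rates are assumptions.

```python
import math

# Constructed toy wordlists (stand-ins for the real multi-million-entry lists).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}
DICTIONARY = {"elephant", "cabbage", "castle", "river", "purple", "monkey"}
ASSUMED_DICT_SIZE = 20_000  # assumption: size of a realistic attack dictionary


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices.
    Only valid when the symbols really are random: 'elephantcabbage' is 2 symbols
    drawn from a dictionary, not 15 drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(bits: float, guesses_per_second: float, worst_case: bool = False) -> float:
    """Time to find a password of the given entropy. The chart in the thread shows the
    worst case (every guess tried); on average the correct guess comes halfway through."""
    keyspace = 2.0 ** bits
    return keyspace / guesses_per_second if worst_case else keyspace / (2 * guesses_per_second)


def crack_stage(password: str, common=COMMON_PASSWORDS, words=DICTIONARY, max_words: int = 3) -> str:
    """Return the stage of the attack order described in the thread at which
    `password` would fall: common-list, single-word, multi-word or brute-force."""
    if password in common:
        return "common-list"
    if password in words:
        return "single-word"

    def splits_into_words(s: str, depth: int) -> bool:
        # Does `s` decompose entirely into at most `depth` dictionary words?
        if s == "":
            return True
        if depth == 0:
            return False
        return any(s.startswith(w) and splits_into_words(s[len(w):], depth - 1) for w in words)

    if password and splits_into_words(password, max_words):
        return "multi-word"
    return "brute-force"


if __name__ == "__main__":
    two_words = entropy_bits(ASSUMED_DICT_SIZE, 2)  # ~28.6 bits
    six_lower = entropy_bits(26, 6)                 # ~28.2 bits: the "2 words ~ 6 chars" point
    print(f"2 words: {two_words:.1f} bits, 6 lowercase chars: {six_lower:.1f} bits")
    # Throttled online guessing (~10/s) versus offline hash cracking (~1e10/s)
    print(f"online: {seconds_to_crack(six_lower, 10) / 86400:.0f} days, offline: {seconds_to_crack(six_lower, 1e10):.3f} s")
    for pw in ["password", "elephant", "elephantcabbage", "elephantcabbagequartz"]:
        print(f"{pw!r}: {crack_stage(pw)}")
```

The online-versus-offline line is the point made at the top of the thread: the same password that takes months of throttled web logins falls in a fraction of a second once the attacker holds the hash.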