Privacy generally

  • Thread starter Neddo
  • 38 comments
  • 1,956 views
Oddly enough, I read this thread yesterday, then logged into PSN for the first time in god knows how long and was prompted to change my password before I could log in to PSN, so I went to the email I use for PSN and had to update my info there as well. Coincidence?
 
If you want to try and come up with a more secure password, try howsecureismypassword.net.

Privacy is more than just passwords though. Bit of a lame opening to a very broad topic.

The site seems like it's calculating on a pure brute-force attack. But a dictionary attack with a well-chosen dictionary against the sort of passwords advocated in the XKCD strip can be more effective than that. A four-word password is totally crackable within a reasonable amount of time.

The idea is still a good one, it's the best way to generate secure yet easy to remember passwords. But they're not as secure as that website might lead you to believe. I believe six words is generally considered to be pretty secure by today's standards.

For an interesting overview of general cracking tactics:



So, err, the time needed for an average computer to crack a password, according to that website - that's just the raw time to run through enough random combinations to "guess" right password, I suppose? I mean, most websites block further log-in attempts after entering a wrong password a couple of times...

Yeah, nobody is cracking passwords like that on any half-respectable website. What they do is get hold of the table that holds the passwords. However, only a complete idiot would hold the passwords in plaintext; what they hold is a hash of the password. Basically, the password is put through a mathematical transformation that is extremely difficult to reverse, and the result is stored. The password is confirmed by putting the word you enter through the same transformation and checking whether it matches.

So a cracker has this list, and the only way to find out what the passwords actually are is to run their guesses through the mathematical transform one at a time and compare them. One can just go through starting with AAA, and then AAB, AAC, AAD, etc. This is called brute forcing, and while it takes a long time you'll eventually get all the passwords.

Another option is to use a dictionary of selected words and phrases, which can be used, combined, and modified using selected rules like E=3 and A=4. This won't crack all passwords, but it'll get you a surprising number. And a cracker is really only after a few passwords, they don't particularly care which ones they get. It's much faster than pure brute force, and it deals with multi word passwords like the XKCD one pretty well. You still get decent security out of the XKCD method, but it's not as impregnable as you might think.

==============

For a really strong password, you're better off taking a memorable phrase and modifying it. For example, The quick brown fox jumps over the lazy dog. Take the first letter of all these and you have Tqbfjotld. Maybe stick a 1 in there instead of the L, and maybe you type out the "dog" at the end, so you have Tqbfjot1dog. That's a pretty solid password against any cracking scheme, and easy to remember.
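An added example, not code from any poster in this thread, that runs the offline attack the post above describes against a constructed table of unsalted SHA-256 hashes: exhaustive brute force first, then a dictionary with E=3/A=4 style mangling and word concatenation, and finally a keyspace comparison for the four-word versus six-word passphrase question raised earlier in the thread. The usernames, the "leaked" table, the seven-word dictionary and the 1e9 guesses/second rate are all made up for the demonstration.

```python
import hashlib
import itertools
import math
import string


def sha256_hex(password):
    """Unsalted SHA-256, the fast hash the thread's attacker model assumes."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" table (sample data, not from any real breach): the
# attacker holds only the hex digests, never the plaintexts on the right.
LEAKED = {
    "alice": sha256_hex("abc"),                        # short; falls to brute force
    "bob":   sha256_hex("P4ssword"),                   # dictionary word + capitalise + A=4 rule
    "carol": sha256_hex("correcthorsebatterystaple"),  # four-word XKCD-style passphrase
    "dave":  sha256_hex("Tqbfjot1dog"),                # acronym-of-a-phrase password from the thread
}

# A tiny stand-in for the "well chosen dictionary" a real attacker would carry.
WORDLIST = ["password", "correct", "horse", "battery", "staple", "dragon", "letmein"]


def brute_force(targets, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search: a, b, ..., aaa, aab, ... up to max_len characters."""
    wanted = {digest: user for user, digest in targets.items()}
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            digest = sha256_hex(guess)
            if digest in wanted:
                found[wanted[digest]] = guess
    return found


# Mangling rules in the spirit of the post's "E=3 and A=4".
LEET = str.maketrans({"a": "4", "e": "3"})


def mangle(word):
    """Each base word in a few shapes (as typed, Capitalised, leet) plus common suffixes."""
    shapes = {word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET)}
    return {shape + suffix for shape in shapes for suffix in ("", "1", "123", "!")}


def dictionary_attack(targets, words, max_words=4):
    """Mangled single words first, then every concatenation of up to max_words words."""
    wanted = {digest: user for user, digest in targets.items()}
    found = {}

    def check(guess):
        digest = sha256_hex(guess)
        if digest in wanted:
            found[wanted[digest]] = guess

    for word in words:
        for guess in mangle(word):
            check(guess)
    for count in range(2, max_words + 1):
        for combo in itertools.product(words, repeat=count):
            check("".join(combo))
    return found


def keyspace_bits(alphabet_size, length):
    """log2 of the number of candidates the attacker must consider."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    print("brute force :", brute_force(LEAKED))
    print("dictionary  :", dictionary_attack(LEAKED, WORDLIST))
    # Same passphrase, two attacker models: a character-level brute force
    # versus an attacker who knows it is four words from a 2048-word list.
    rate = 1e9  # assumed guesses/second against unsalted SHA-256
    for label, bits in [("25 lowercase chars", keyspace_bits(26, 25)),
                        ("4 words of 2048", keyspace_bits(2048, 4)),
                        ("6 words of 2048", keyspace_bits(2048, 6))]:
        years = seconds_to_exhaust(bits, rate) / 31557600
        print(f"{label:20s} {bits:6.1f} bits  {years:.3g} years")
```

The four-word passphrase survives the character-level brute force that website-style estimates model, but falls to the word-level search; "Tqbfjot1dog" survives both because none of its fragments are dictionary words. Two caveats the thread does not spell out: the model here assumes a fast unsalted hash, and a salted slow KDF (PBKDF2, bcrypt, scrypt) multiplies the cost of every guess and kills precomputed tables; and 2^44 is about 1.8e13 guesses, roughly five hours at the assumed 1e9/s, while six words (66 bits) is on the order of 2,300 years at the same rate, which is the gap behind the "six words" recommendation.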
 
All this talk about privacy measures and half the world is still going to:

• use a very simple password because forty people need to use it (The Duh Effect)

• write it on a Post-it-Note for all to see

• scribble it in a small notebook conveniently located next to the computer

• blame "hackers" when they should have made it a little more complex than [name of company]
 
This is the phrase that will take 688 nonillion years to crack.

Yeah. It's 30 or so orders of magnitude less with a dictionary attack, but they're still both retardedly uncrackable. Basically anything over about twenty years is secure, because by that point either the information will be redundant or technology will have progressed so much as to make the current password irrelevant anyway.
 
These predictions of "47 gazillion years" to crack a password do not take into account the future increase in processing power. The DES algorithm used to be considered quite secure...
 

I take a similar tack when making a PW. I use 2 or 3 words and then add some special characters and numbers somewhere in the PW, e.g. How12Now!#coW

That said, most websites, video games and internet services do not have a limit on how many times you can try passwords. Some do utilize a bot check after so many tries, but unless the site/product/whatever has to comply with PCI, NIST, IRS, etc. standards, they typically don't.
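An added example, not code from anyone in the thread, of what the limit the post above says most sites skip looks like on the server side: a salted PBKDF2 verifier plus a per-account failure counter with a lockout window. The user "neddo", the password from the post, the 5-attempt/15-minute thresholds and the 100,000-iteration count are assumptions for the demo, not anything a real service uses.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000     # assumed; tune upward for production hardware
MAX_FAILURES = 5         # assumed policy: lock after the fifth wrong guess
LOCKOUT_SECONDS = 900    # assumed policy: 15-minute lockout window


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Verified against unknown usernames so "no such user" costs the same as a wrong password.
DUMMY_RECORD = hash_password("dummy-for-constant-work")


class LoginGate:
    """Per-account failure counting with a fixed lockout window."""

    def __init__(self, users, clock=time.monotonic):
        self.users = users            # username -> (salt, digest)
        self.clock = clock            # injectable so a test can move time
        self.failures = {}            # username -> (count, locked_until)

    def attempt(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"           # refused without even running the KDF
        if locked_until:
            count = 0                 # window expired; start a fresh count
        record = self.users.get(username)
        if record is None:
            verify_password(password, *DUMMY_RECORD)
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"


def demo():
    """Scripted guessing against one account with a fake clock; returns the outcomes."""
    now = [1000.0]
    salt, digest = hash_password("How12Now!#coW")          # the password from the post
    gate = LoginGate({"neddo": (salt, digest)}, clock=lambda: now[0])
    outcomes = [gate.attempt("neddo", guess)
                for guess in ["password", "Password1", "letmein", "neddo", "hunter2"]]
    outcomes.append(gate.attempt("neddo", "How12Now!#coW"))  # right password, still locked
    now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(gate.attempt("neddo", "How12Now!#coW"))  # window passed: accepted
    outcomes.append(gate.attempt("nobody", "anything"))       # unknown user looks like a wrong password
    return outcomes


if __name__ == "__main__":
    print(demo())
```

demo() scripts four wrong guesses, a fifth that trips the lockout, the correct password refused while the window is open, then accepted once the clock passes it. A hard per-account lockout is itself a lever an attacker can pull to lock real users out, so production systems usually combine it with backoff, a CAPTCHA or per-source throttling; the point here is that an online guesser gets a handful of tries per window rather than the billions per second of the offline case.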
 
I always thought that the Only Me option is useless on Facebook because Facebook itself can probably see it
 