This is probably due to a database leak from somewhere; IIRC even hotmail passwords were leaked at some point.
This website is super useful, they have a database of a lot of leaks and you can check your email account to see if a password from a particular site that's been hacked has been leaked.
EDIT: Since this blew up a bit, I figured I'd give my two cents on passwords.
Use 2FA when you can and on things you care about
Passwords don't necessarily have to be complicated, just long. This site is good for testing password strength. I personally construct my passwords using quotes from my dreams; that way they're nonsensical, most likely unique and long.
People are creatures of habit and most likely use the same password for multiple sites/accounts, and a lot of people use these leaks to just bruteforce accounts on other sites (i.e. a BTC forum gets hacked, and then hackers are using the same credentials on online BTC wallets and other platforms).
We as people are the weakest link in terms of security; that's why there are businesses that run fake phishing scams on other businesses to help educate employees on security. It's worth taking time to double check when something seems out of place.
Just change your password. Also if you used that same password on any other websites then change your password there as well.
*Since this comment is getting a few upvotes I wanted to edit and suggest using this website to check the strength of your password: https://howsecureismypassword.net/
If you don't feel like typing in your actual password then just change a few letters and it will be the same strength.
privacytools.io is a great resource for people wanting to take control of their data more.
This article in particular outlines a pretty strong regime to make sure you're as anonymous in the real world as you can be.
howsecureismypassword.net is a great tool for estimating the strength of your passwords. It would take a computer 128 trevigintillion (or 128,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000) years to crack my master password.
I've been using randomized four-word passwords for my passwords recently, even though the makers themselves don't fully recommend it.
I tried the correcthorsebatterystaple in this site and I got a chuckle from the answer.
Great to hear that I have been of use!
You are absolutely right about these sites being able to do something with what you enter.
https://howsecureismypassword.net/ Claims "This site could be stealing your password... it's not, but it easily could be. Be careful where you type your password."
Since these sites have no login and no other information, the most they could do is steal your password and add it to a database or something and could not use it without your login username.
Unless they have some viruses or something, but these sites are quite popular so I assume they don't have anything too fishy going on.
Thanks for commenting :) Glad to be of help.
Length is greater than complexity.
obama would take .002 seconds to crack
0bama is 5 times more secure, however that still means it's only .01 seconds to crack
You'd be better off doing something like, take your funky obama: "0bama"
and add the first 3 (uncapitalized) and the last 3 (capitalized) letters of the site you're on: "0bamaredDIT"
Then add your birth year, and some symbols (#@!, 321 backwards): "0bamaredDit1989#@!"
Now all^^1 of your passwords are different, easy to remember, and take 71 Quadrillion years to crack.
https://howsecureismypassword.net/ is a good tool to use
You can use your own password algorithm along with LastPass (or just use either or). LastPass is an awesome tool that will generate random passwords and save them, under security of your one main password
I see that people still haven't learned what a secure password means.
In short: a secure password looks like "asa arata o parola sigura" (the passphrase itself, Romanian for "this is what a secure password looks like"), and an easy-to-crack password looks like this: "P4r0la#$". What matters is how long it takes a PC to guess it - https://howsecureismypassword.net/
So yes, if you want the opinion of someone in the field, whoever imposed this rule are idiots. The only good thing is that it prevents password reuse - which is actually the biggest problem with passwords.
The problem is that most of those crack duration calculations are very, very bad. Take my example Hometown1!, which has 10 ASCII characters. Counting the MSB zero this password has a very optimistic 80 bits of information. This naive test site (don't use it) calls it "Strong", and this also naive website states it would take 6 years to crack it. Wanna know what the real time is? Perhaps 2 minutes using strong hashing, down to very, very few milliseconds, thanks to the very easy to guess pattern, which speeds up real brute force attacks enormously.
The password meter you linked is brilliant, however, and it guessed the real strength about right. So, requiring passwords to take an eternity to crack is a good idea... if you also provide strong requirements on what your metrics should be based on. Please, also show this tool to other backend developers you happen to stumble upon.
Shut down my pc and Practice saying "I am not answering any questions before I speak with my lawyer"
With a fully encrypted HDD and a 15 character random P/W
It would take a desktop PC about 12 trillion years to crack my password
https://howsecureismypassword.net/
The problem is that with 4 known characters the search space can shrink considerably.
The (just randomly generated) password "]7!~N\gR$?T8" is, according to https://howsecureismypassword.net/, secure enough that it should take 485,000 years to crack.
If you already have the first 4 characters, according to the site you would only need 2 days.
Of course, with a password of enough characters you are safe. But how many users have such a password, and how many only grudgingly stick to the minimum password requirements?
Ensure you are using at least WPA2 to secure your wifi. While WPA2 does have multiple flaws, most hinge on brute force attacks. So use a password that would be difficult to brute force.
Use a site like https://howsecureismypassword.net/ to get an idea of how easily cracked your password is by brute force attacks. In this age you should be able to make your password pretty complex and not have to type it in very often. Some devices even support logging into wifi by scanning a QR code.
If you don't like complex passwords that look like you rolled your face on the keyboard, you can use long pass phrases. For example, a password like "i stroke my shaft with only the finest moisturizers" will unlikely be brute forced in your lifetime.
Oh, and make sure your wifi router firmware is up to date.
Sorry, I should have specified. The concern isn't whether your password could be brute forced from the login page, as you point out that they'd be locked out almost immediately, but that it can be brute forced if the attacker has a list of hashes, which is what they'd likely get if they stole info from the system.
If you use something like https://howsecureismypassword.net/, you can see an 8 character password takes 10-20 minutes to crack. But since crackers simply want to get access to any account, and not any specific one, they can go to town on hashing possible 6-8 character passwords, and get thousands of hits in seconds, and have just about all of them in minutes.
I don't even think that spoiler is going to be in the anime. It doesn't add anything to the plot since we already have a connection between Daru and Kurisu's PC.
You don't even need to be a master hacker to make something impenetrable. I have a flash drive with Linux Mint installed on it which, according to How Secure is My Password?, would take about 56 sesvigintillion years to figure out the password.
It took me less than a minute to set up and Mint is on par with any Windows system as to noob friendliness.
> guess I really don't need a 10 character randomized password as much as I thought I did.
Yes, you do. In fact, that's not secure at all. This video does a great job of showing just how quickly computers can calculate and test passwords.
I linked to where he is brute-forcing lowercase 7-digit long passwords in a database of 6 thousand passwords, and he gets all 7-digit lowercase passwords in a second. He then does 8 digit and gets even more, in only a few seconds.
It's not password COMPLEXITY that is important, it is LENGTH. This site shows just how important length vs complexity is.
I'm not sure I trust those.
I went to this site here:
https://howsecureismypassword.net/
I typed in "red potatoes are my friends" (without the quotes). It tells me that it would take a PC 3 octillion years to crack my password.
However, if said PC is running at 4 billion hashes per second and stepping down the list of all words in the english language sorted by frequency of use, my password would last about 2 days. "chili dog monkey nutso" (from the article) is better than my own password would be in terms of word frequency ("nutso" in particular isn't in the top 50,000 words), but it sure as fuck wouldn't be able to hold out for 18 quintillion years.
In fact, imagine you're the NSA and you have shit tons of money. The entire english language is about 1,000,000 words. Assuming a desktop PC can check 4 billion hashes per second, a password with four words in the space of the entire english language would take 8 million years for a single PC to crack. At $500 a pop, 8 million PCs would cost about 4 billion dollars, well within the NSA's budget. In other words, in the space of a single year, they could crack every single 4 word combination in the english language. If, as many people would, you stick in the top 10,000 words (like my red potatoes password), then they could get all combinations of 6 words or less in the same timeframe.
In short, password entropy checkers aren't a whole lot of good unless they check a word frequency list. Words have a lot less entropy than a random string of letters.
According to "How secure is my Password":
> It would take a computer about 671 NOVEMDECILLION YEARS to crack your password.
Not sure, what they mean by "a computer" though.
Adding a "$" sign to the end it would bring calculation time to a whooping 3 TRESVIGINTILLION YEARS!
edit: "novemdecillion": a number equal to 1 followed by 60 zeros - a tresvigintillion is a 1 followed by 138 zeroes.
Cyber Sec employee here. Dealing with this PageUp shit at my place of work as well, woohoo!
Sign up to receive Veda alerts to be notified of fraudulent credit applications under your name.
Ensure you have strong passwords to any online accounts that are important to you (bank, share trading, etc.) and do not use the same password for different systems. A good password usually has multiple, non-personal words (14+ characters) in them to create a 'passphrase'. Check your password strength here - https://howsecureismypassword.net/
Call your telephony provider and ask them how they can secure your account to avoid someone re-burning your phone number to a different simcard. You want to do this, as SMS is generally used as multi-factor authentication for banks (which is a joke but anyway) - people with this data can quite easily impersonate you on the phone to do a sim re-burn. Your password to your bank account is likely something like 'Password1!', they've got your phone number to MFA, and suddenly it's all gone.
When I was with Bank of the West, they had an 8 character limit too. Turns out my password there could be hacked "instantly". My new bank and pass would take "a billion years".
Re: the password ... also to ensure that users made strong passwords with long strings and to prevent passwords like “11111” and “asdfjkl” hoping at least users would arrive at “asdfjklSophia”
According to https://howsecureismypassword.net/
“asdfjkl” can be machine cracked instantly, while “asdfjklSophia” would take 16 million years of machine time.
Also, the Swiss.
Source: Am Swiss IT Manager.
Password managers are definitely a good idea and maybe one day I'll start using one, but until then I get along very well with the following system:
Every time a password is needed for a registration, it consists of two parts: an always identical, complicated/secure phrase and a unique, easy key term for the specific account.
The secure phrase is formed from the initials of a sentence that is easy to remember and has personal meaning. For example: "Edgar Allen Poe ist der beste Horrorautor seiner Zeit." ("Edgar Allan Poe is the best horror author of his time.") becomes: "EAPidbHsZ"
Then you throw in some special character (it should always be the same one) and finally append something you intuitively associate with the website/service you're registering for. For a new Reddit account that could be, e.g., "Scheißepfosten" (German for "shitpost"). The resulting password "EAPidbHsZ;Scheißepfosten" is rated very well by https://howsecureismypassword.net/ and can be recalled at any time.
If someone watches you type the password or maybe even briefly sees it in plaintext, the chance is very small that the secure phrase sticks long enough to do anything with it, since only you have the "key" to remembering it. Is there a data leak somewhere and your password gets out? Doesn't matter, all the others are different. Visiting a website for the first time in years and can't remember your password? Just try a few associations as the suffix; surprisingly often the right one is among them.
A very good site for measuring password strength.
It's important that the site use a word dictionary for the measurement, since common words make hacking easier. For example, if the site tells you that "password" is more secure than "passwor", it's because it doesn't use a dictionary. While both are pathetic, "password" gets hacked faster than "passwor" because it's in the dictionaries.
Besides not using common words, what matters is the number of combinations an attacker would need to reach your key. Using special symbols or numbers helps, but length helps more. For example, "quieromateconfacturas" is more secure than "##5Jhnsr7241!!", simply because what it "loses" by only using letters it gains in length. This doesn't mean that only length matters, since for example "KieroMateConFatura" is shorter but even more secure. And the same happens again with "KieroMateyFatura!". It's a matter of a fair balance.
There are websites where you can see how long a brute force needs to crack your password: https://howsecureismypassword.net
I would say if it already needs some weeks, it's not worth for the police to run the computer for that long time, they even can not know how long it will need. I think if it already needs longer than 1 hour they will give up. They normally expect to crack it in seconds.
I also believe that because if you use a longer password, the start screen of the iPhone looks different. Maybe they will then think: «Oh shit he isn't using a 6 digit code, I don't even will try to crack it.»
7 character alphanumeric passwords can be cracked in a couple of minutes, 8 chars a few hours, 9 a few days. This assumes using a modern graphics card and Kali.
Having a long password and using symbols hugely increases your security. Howstrongismypassword gives a little example of how long it might take to crack your password but it doesn't take into account the newest cards.
Also you can check Haveibeenpwned to see if you've been picked up anywhere.
Remember, all of your passwords are only as secure as the email account you link them to, if someone gets that they can use the reset password link and access anything you've got.
> The sad thing is it's actually a better idea than you would think.
Tried it and:
>It would take a desktop PC about an hour to crack your password
Source: https://howsecureismypassword.net/
However, if we used your comment 'The sad thing is it's actually a better idea than you would think.'
>It would take a desktop PC about a quattuortrigintillion years to crack your password
Phrases are better than you think. And easier to remember.
my thoughts exactly... "isn't it only 10^3 ?", it'll take a desktop computer about 0.00000025 seconds to figure it out according to: https://howsecureismypassword.net/ ... and that's with it not knowing it's limited to 3 integers.
I see this from time to time, so let's do a little analysis. My numbers are coming from this paper (see page 20 for numbers). For words with a character range of 5-9 you have 63792 different words (according to the previously linked paper). Let's round that down to 50000, a fairly conservative estimate.
Using 4 words will make that 50000^4 combinations. That's 6250000000000000000 (6.25 * 10^18) combinations. Converting that to bits (4*ln(50000)/ln(2)) gives me 2^62.4385... combinations, or the equivalent of 62 bits. That's not too bad for 4 words for a person to remember.
Let's say there are 80 characters you can use for passwords on the standard US keyboard (this probably isn't true, but let's give it some liberties). And let's say you use a super secure password of 10 characters. That's pretty hard to brute force. This website suggests that the password given in the xkcd comic will take ~4000 years to brute force (although it is 11 characters long). Following the same calculations I gave before I get 63 bits (which, by the way is the same number you get if you use the numbers given by the paper I linked). 1 bit difference, for something (potentially) much harder for a human to remember.
As a side note: If you instead use each character (as in the attacker doesn't know you've done this), you get 94 bits for 20 letters (4 5 letter words). That's easy for you to remember. The ease of the user is much more important in my mind.
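The arithmetic in the "red potatoes" comment and the 50000^4 comment above, carried out in code, as an added example that is not part of this thread. It contrasts a naive per-character brute-force model (the kind these strength meters use) with a dictionary model in which each word is one symbol; the 4 billion guesses/s rate, the 33-symbol punctuation class and the tiny constructed word list are assumptions.

```python
"""Naive per-character strength estimate vs. a dictionary-aware one.

Reproduces the thread's numbers (50000^4 word combinations ~ 62 bits,
80^10 characters ~ 63 bits) and shows why a passphrase of common words
is far weaker than a character-set brute-force model reports.
"""
import math
import string
from typing import Optional

GUESSES_PER_SECOND = 4e9           # rate quoted in the thread for a desktop PC (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a frequency-ordered word list; a real attacker
# would load the top N words of a language. "nutso" is deliberately absent.
COMMON_WORDS = {"the", "red", "potatoes", "are", "my", "friends",
                "chili", "dog", "monkey"}
COMMON_VOCAB_SIZE = 10_000         # rank cutoff the dictionary model assumes


def charset_size(password: str) -> int:
    """Pool size a naive brute-force model assumes for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33                 # punctuation plus space (assumption)
    return size


def char_bits(length: int, charset: int) -> float:
    """Entropy of `length` characters drawn uniformly from `charset` symbols."""
    return length * math.log2(charset)


def word_bits(words: int, vocab: int) -> float:
    """Entropy of `words` words drawn uniformly from a `vocab`-word list."""
    return words * math.log2(vocab)


def naive_bits(password: str) -> float:
    """What a per-character meter reports: length * log2(charset)."""
    return char_bits(len(password), charset_size(password))


def dictionary_bits(passphrase: str, vocab: int = COMMON_VOCAB_SIZE) -> Optional[float]:
    """Entropy if every word is one of the `vocab` most common words.

    Returns None when some word is outside the common list, i.e. this
    cheap attack does not apply and the attacker must widen the search.
    """
    words = passphrase.lower().split()
    if not words or any(w not in COMMON_WORDS for w in words):
        return None
    return word_bits(len(words), vocab)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare(passphrase: str) -> dict:
    """Both estimates side by side; the dictionary one is the realistic bound."""
    naive = naive_bits(passphrase)
    dictb = dictionary_bits(passphrase)
    return {
        "naive_bits": naive,
        "naive_years": years_to_exhaust(naive),
        "dictionary_bits": dictb,
        "dictionary_years": None if dictb is None else years_to_exhaust(dictb),
    }


if __name__ == "__main__":
    print(f"4 words from 50000: {word_bits(4, 50000):.1f} bits")
    print(f"10 chars from 80:   {char_bits(10, 80):.1f} bits")
    for phrase in ("red potatoes are my friends", "chili dog monkey nutso"):
        print(phrase, compare(phrase))
```

The gap between `naive_years` and `dictionary_years` is the error a meter makes when it ignores word frequency; a defender scoring passphrases should report the smaller of the two.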
8 is not good enough.
What usually happens is that people don't change their passwords often enough and a site gets hacked and those passwords get leaked. The bad people get those files and start cracking. The software and the cracking power is amazing and only getting better. Here is an amazing video on passwords if you want to learn more... https://www.youtube.com/watch?v=7U-RbOKanYs
You can run your old password through this site https://howsecureismypassword.net/
Or better yet, a similar password, as you should never trust a site with any password that you use or have used before.
I like to shoot for 20 or more characters long and will only go lower if a site makes me. A Password Manager will help to keep track of those long passwords, just make sure you have a good master password and don't forget it.
Using the cited website: https://howsecureismypassword.net/
C0mpl3x!ty : 10 characters, combination of upper and lower case, letters, numbers, and special characters. 58 years.
lotsoflength : 11 characters, all lower case letters. 276 days.
I'd say C0mpl3x!ty > lotsoflength
https://howsecureismypassword.net/
You can see how secure your password is with different websites. That password says it could take up to a year to crack (I'm guessing this website is guessing brute force attempts). I'd say that's pretty secure. But, with two less characters it would only take 7 hours.
As good an explanation as any.
My last pass master pass is 24+ characters long, with just a little bit of special character, mostly because it's hard to break the habit.
How do I remember the master pass? It's the first stanza to a poem I know well. I remember which stanza because I have a sticky with the acronym of the stanza. An acronym is ok in the clear, because you only have the first letter of about 7 words. You'd have to know me very well to actually know which stanza the acronym referred to.
Also, the stanza includes non-English words, which also increases entropy.
If I used mixed case + lots of special characters, even with an acronym it'd be hard to remember and that defeats the point.
https://howsecureismypassword.net/ says that an analog of my LP master pass would require "998 undecillion years" to guess, + I have it memorized + I have a good reminder for it in the clear on a sticky that makes it no less secure.
That's why. It's very hard to meet the last three conditions with the over use of special characters.
That's entirely way too difficult to remember. If you do Sept2021! it is even longer and makes the bit thingys higher. That one change according to howsecureismypassword.net makes it go from 8 hours to 3 weeks.
(I'm kidding about it being difficult btw.)
I get that a random site that asks for your passwords is pretty suspicious but howsecureismypassword.net is actually pretty safe. Their source code is online and they don't send anything you type over the internet.
The most common way to do it is to create some website promising free gems or something of the sort. In that case they just ask you nicely for your login details.
Another option is them getting your email from somewhere (could be leaked from IH, could be something like you having your email publicly shown in Facebook / twitter and following the IH official page), and then they brute force your password, meaning they use a bot to try thousands of possible passwords hoping to get a hit. You can easily solve this by using a longer password. Here's a useful website to check how password length / complexity affects time: https://howsecureismypassword.net/
Note: don't actually use your real password, just use the same number of letters, numbers and special symbols. Even though this website seems secure, putting your password on such sites is dumb.
There are more complex methods of interrogating passwords, but there's pretty much no gain for the hackers here. The hacker is some brat having fun at people's expense.
What are you trying to say with that statement? A simple password is obviously not very secure, but to say all passwords are insecure is a stretch. Go to https://howsecureismypassword.net/ and type a handful of random characters (don't use one of your actual passwords for obvious reasons). You should be able to see an estimate of how easy it is to crack. It's not like a password can leak either, because current methods of salting+hashing make it impossible for a hacker to decipher the password database. 2-factor authentication should be paired with a strong password, not just a replacement.
I won't even say that this password should never even have been considered a valid password.
Just out of curiosity, check out this site that estimates the time to crack a password.
Apparently it would take less than a second to crack your password with a script. Try it out here. Note: While I trust the site, I wouldn't put my real pass in there.
PSA for those who don't do this already: A good method for making a secure password is as follows. Use the first letters from a sentence you will remember, it is what I do! Example using that sentence (including punctuation): Utflfasywr,iiwId!
It would apparently take a single PC 6 quadrillion years to brute force. Remember, it's not a matter of if it can be cracked, it's a matter of how long it will take.
This is total horseshit.
The passcode is a six character alphanum string. Assuming you can add punctuation complexity, 6 character mixed case alphanum + punctuation strings can be broken in 52 seconds, at 4 billion attempts per second.
https://howsecureismypassword.net/
4 billion attempts per second is feasible for an offline encryption screen (less so for online brute force attacks, as the online auth will shut down that many attempts).
I think they are attempting to get you to feel safer than you are. There is nothing so valuable to intelligence communities as a data repository that you trust that isn't really, because obviously you will put the most sensitive information in just a place and not use other methods of evasion.
You can test your passwords at https://howsecureismypassword.net/
For sgodevolI33, it would take 41 years.
You'd be surprised how little time it takes to crack a l337 password.
A long "base password" + the name of the site would be a lot less complicated and still the same security.
Between 'JUST4TODAY!@q#$q$w' and 'JUST4TODAY!reddit' the only difference in strength is the 1 extra character in the first password. As long as your password has a single special character adding more doesn't help you at all.
I also want to point out that several OS's and even some Hard Drives come with sufficiently competent encryption software.
Take for example the most popular linux distro, Mint, which has built in hard drive encryption(on top of the usual password prompt).
You wouldn't even need anything special to make a hard drive practically uncrackable. For example, by using the first paragraph of this very comment as a password, according to howsecureismypassword, you'd need up to 5,653,984,132,174,864,000,000,000 sexagintillion years to crack by brute force.
Even if you made thousands of copies of the HD, and use them to run simultaneous brute force attacks, humanity would be extinct by the time it finished.
How Secure Is My Password is a great example of this. They use a JavaScript file (this one) to analyze your password. It looks like a wall of text, but basically, every time you change the text in the password box, it runs that script, which checks length, complexity, and runs it against a word bank to check for common passwords. Since the script is downloaded onto your computer when you load the webpage, and run on your own computer, your password never travels over the internet, making it impossible for them to store, let alone see it.
You ask about a "Spectre type attack". This is pretty difficult, though not impossible (poor source), but also completely useless. For that to work, the attacker would have to run an advertisement with the Spectre attack in it, which would likely get picked up by the advertiser, the website owner, a savvy client or even your web browser. An alternative attack would be to compromise the web server and modify the script to send a copy of the password to a server under the control of the attacker, but that again involves an extremely challenging task because you can't just "hack into" a server.
Except computer programs designed to crack passwords will check repeated numbers and patterns in general before systematically checking every single number. To prove it, enter 00000000 into https://howsecureismypassword.net/ as well as another 8 letter password.
If the password is being hashed, how the fuck can it make sense to limit the length?
Side thought: is that sentence a strong password?
edit:
Length: 84 characters; Character Combinations: 71; Calculations Per Second: 4 billion; Possible Combinations: 320 quinquagintillion
It would take a desktop PC about 2 quadrillion quadragintillion years to crack your password.
source (from below)
Entropy>complexity. Just make it longer, don't worry about the number substitution. And if you can work in the name of the thing the password is for, then it becomes unique.
This-is-absolutely-not-password-i-use-for-facebook
Add a number if you need to, but that is currently practically un-brute-forceable.
It would take a computer about 15 TRESVIGINTILLION YEARS to crack that one. howsecureismypassword.net
It doesn’t have to be random numbers, letters and symbols. It can be something that is more of a passphrase rather than a password.
Try using https://howsecureismypassword.net if you want to see how long it would take to brute force (try random combinations until it works) a password.
In most cases your data is private and safe unless you are a person of interest in which case most information on you can be easily ascertained. The encryption laws really enable the Australian government the right to get information from businesses that hold data on you or force you to hand over your passwords. Keeping safe and private is pretty easy and most of what you'll do on Tor will be fine. If you're not already under surveillance and your host machine is 'clean' you are private for the most part. Use a good offline encryption tool for sensitive files and leave it in the cloud. Easy would be Cryptomator and more tricky might be Veracrypt. These satisfy most users. Use good passwords. Use an online strength tester https://howsecureismypassword.net
If tomorrow the sub fills up with lefties, gambling and loose women, rest assured that I've been hacked. And no, I don't plan on changing my password. https://howsecureismypassword.net/ told me it would take billions of years* to crack it.
As can be seen on https://howsecureismypassword.net/ , a strong password is not necessarily a short string of overly complex characters, but can easily be a long phrase.
Something like "thisisthebestplayeroftheworld" is stronger and easier to remember than "e)yVTu5b"
More like a passphrase. You don't know how easy it is for a computer to bruteforce a password made up of letters and numbers.
This xkcd comic pretty much sums it up: https://xkcd.com/936/
Edit: ~~You can also use this: https://howsecureismypassword.net/ to test the strength if your password if so inclined. You don't have to actually send your password to the server, you just type it in and they give you a rough estimate of how long it'd take to bruteforce your password through normal means.~~
An even better one, measuring passwords by entropy(Use this one): https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
Sounds like a basic creep. Generally speaking, people who have control of a device don't usually tell the owner that, as they normally would want to maintain the connection. If it is a scam I'd guess "Chris" wanted your GF to believe he had control over her device, social media accounts, shopping, banking, texts, photos etc. etc. and in order to relinquish the control she'd have to pay his price. Normally money or photos, like I said, a creep.
You've done the right thing blocking the contact, normally when they realise the target isn't buying it and isn't going to interact they move on.
It's probably unlikely her device is compromised and fear is the only tool "Chris" was using; however, generally speaking, it's never a bad time to think about digital security housekeeping. Don't reuse passwords, don't use common/weak passwords, make sure your devices are up-to-date with the latest version of your OS, try not to over share online and so on.
If you check out:
https://haveibeenpwned.com https://howsecureismypassword.net
You can see if your email accounts have been in past data breaches and get a rough idea of how weak/strong your passwords are.
Hopefully that's the last you'll hear from "Chris" though, if it happens again and becomes harassing in nature make notes, don't engage with him and inform the appropriate authorities.
> https://howsecureismypassword.net/
LOL. I use Bitwarden as my password manager (it’s the best one out there these days), and I use a password generator to create ridiculously complex passwords that, thanks to Bitwarden, I don’t have to remember.
For example something I just generated,
>¨?©|فûÞÌ#Àº,¨ã5নিĚĕcŦz8*;¸tę유fÁŦŭկĎěēÅÔðĘÚģđŝú%e¹eÐî}£は¯-āß¡ø½Ũł¸
Is rated by the site above as needing “13 SEXAGINTILLION YEARS” to crack.
And here I have enough problems figuring out how much a Brazilian is.
Considering that I use the entire UTF-8 character set to build my passwords from, I doubt any password cracker currently out there is going to brute-force my passwords.
Brute force algorithms treat every possibility as equally likely, so yes, someone trying to crack a key could get really, really lucky.
I’m not a hacker, but I have a feeling that software designed to crack passwords and keys is done using dynamic programming rather than brute force. Like, check for commonly used passwords first, lowercase characters appear more often than uppercase, some number combinations are more common than others, etc.
How effective this type of cracking would be in public/private key encryption is a different question. I’m guessing if someone is looking to encrypt data, they’re not gonna set their private key as “password”.
But, if you check out this website, https://howsecureismypassword.net, you’ll find some longer words can be cracked instantly, while misspelling the same word can add orders of magnitude more time to take to crack.
The biggest threat is having a simple password for a website and using that password across multiple websites with the same email/username
This private key is 79 characters long. Most websites recommend a password of around 12 characters long. That would take 4 years to brute force on an average computer. How about a 79 character one? Well, that would take about 3 quadragintillion years (3 * 10^123). That is longer than the age of the universe (about 14 billion years). In fact, according to simple Excel math, that is about 2 * 10^113 times as long as the age of the universe.
I think your keys are pretty safe.
Calculate for yourself: https://howsecureismypassword.net/
When someone tries to argue with me for why I require complex passwords I show them https://howsecureismypassword.net/
Then put in whatever weak ass password they think is sufficient, when they see "Instantly" or a short period of a few days to a few weeks they're surprised.
I follow that up with: the reason you've gotten along with passwords like this up until now has been sheer luck. Everybody's luck runs out, yours will too. The IT world is filled with stories from users who got by with weak passwords until they didn't; the expenses and damage to the company's image were immeasurable.
Security minded IT folks may seem like paranoid fools, and sometimes they are. But it's insurance: you strike a balance of inconvenience and security and maybe, just maybe, that hacker that was working on getting into your network decides to move on to easier targets.
My password at work is only allowed to have 8 characters exactly, one Capital letter and with no special characters (Alphanumeric).
I also increment the last digit, IT has decided we shouldn't be allowed to do that. I still do it with no repercussions.
This site says it would take 2 hours to crack most of the combinations I can come up with. https://howsecureismypassword.net/
My favorite one I came up with was "1LuvRyan" I have a coworker named Ryan :P
Try and beat my high score with these password requirements. Post your results for the Lolz.
According to this site it would take the average desktop computer 10 days to crack a 10 character alphanumeric password. And that's assuming your password is the last one tried.
If your USB is obtained by authorities, the only option they will have is brute force. Any password can be bruteforced, no exceptions, but more complicated passwords take more time. Very simple passwords can be bruteforced in a fraction of a second. Very complicated passwords can only be bruteforced in maybe billions of years. Use https://howsecureismypassword.net/ to get a better sense of just how secure your passwords are.
And remember, if authorities obtain access to your computer and not just your USB flash drive, they can get your password in other ways. For example, they can install a keylogger on your computer that could capture your password immediately the next time you enter it.
A password containing 14-15 characters (special characters, uppercase, lowercase, and numbers) will have more permutations than atoms in the universe. Testing 4 billion passwords a second would take 4-157 billion years to go through them all. By comparison, the sun will only burn for ~5 billion years.
A person on YouTube named CaptainTTI who is notorious for exploiting and flaming various servers took over his accounts after Otaku accidentally gave out his password in the IRC while attempting to use a command.
OtakuSRL: ~authserv (censored)
OtakuSRL: (censored)
You were kicked by ChanServ, reason: Bad language
First censor was the password and second censor was the foul language OtakuSRL said after accidentally giving it out.
He used this password on almost everything he had and according to How Secure is My Password it would take a desktop PC 7 hours to brute force his account.
Captain ended up hijacking the Reddit for the 2nd time and not only taking off most of the moderators, but making Otaku decide to step down.
Things were fixed within minutes due to Reddit administrators quickly getting on the problem, and Otaku's account was temporarily locked.
Otaku has a bad reputation for being incredibly biased and has been accused of other things such as lying, this has caused him to receive lots of hate from some people in the community.
That's basically the story, if you have any more questions, ask.
Stating the obvious here, but all 15-letter passwords are not equal. For example, the word "conspicuousness" would be cracked much faster than "0d3unpc4jb7dtvt" because most brute-force methods will try dictionary attacks first. howsecureismypassword.net says the former would take 13 thousand years, but realistically it would take less than a day.
My favorite password "strength" detector was built by a Dropbox engineer and is hosted here (related blog post). It was written in response to the xkcd "correct horse battery staple" comic, and it seems to calculate more realistic crack times by basing its calculations on dictionary patterns, commonly used passwords, and other methods that crackers will invariably use.
"conspicuousness" would take 39 minutes, "0d3unpc4jb7dtvt" would take centuries. The latter is impossible to remember, but here are other examples that will take centuries to crack: "jean rendered benjamin surgery" or "came helen teenage corners" or "finished greece whats jacket", and so on.
Moral of the story: if you want to be relatively safe from brute-forcing AND have a memorable password, your best course of action is a unique pass phrase.
NO! on www.howsafeismypassword.com "bra71L" takes fourteen seconds to crack, but "brazildefense" takes nineteen years! Throw in 's to get "brazil'sdefense" and it takes 19 MILLION YEARS to crack /u/TenNinetythree's password. Try it out for yourself.
More info: xkcd: Password Strength http://correcthorsebatterystaple.net/
According to https://howsecureismypassword.net/ your password would take 500 trillion years to crack, which is good, but it's still difficult to remember, you have to remember which prompting object is associated with the password, and you have to remember the pattern you imposed upon it too.
A far easier and more secure system is to make the passwords very long. You can take a line of a song which is easy to remember; don't bother with numbers and case changes, just do it all in lower case without spaces. For example "rememberwhenyouwereyoungyoushonelikethesun" comes out at 200 duodecillion years to crack. And "Wish You Were Here" is easy to recall as a prompt.
https://howsecureismypassword.net Great website for determining the actual security of your password
Some of these things only consider brute force so they'd consider "password12345" an extremely secure password because of complexity and character length. But this site seems to be considering dictionary attacks which will crack passwords that people think are secure in just a few seconds. I don't think they're using rainbow tables though, it says keyboard walks and sequences when they're definitely not.
I did the same exact thing ages ago. Four RANDOM words, capital letter for each word, RANDOM number on end. Passwords get found because people do stupid shit like FirstnameBirthday or Pet'sname111 or LastnameFirstname.
Example: SickGraphiteYellowBubble1 - TomBeeFungusCamel2 - you get the idea.
The less it relates to you, the better. Some people might think this would be hard to remember, but you can use password keeper or a running notepad on your phone for a while until you remember it. It's easier than you think.
Better example: This website shows how long it would take to brute force a password. "Password" is literally instant because it's the first thing anybody would try, but that much is obvious. Firstnamebirthday, which is much more common than you'd probably like to believe, takes roughly one minute in Tom1126, four days for a tougher one in Jason0424.
SickGraphiteYellowBubble1? 511 septillion years to brute force.
A random alphanumeric password that's 8 characters long can be brute forced in 11 minutes by your average PC. 9 characters would take 7 hours, 10 characters increases that to 10 days, 11 characters would take a year, 12 would take 37 years, and 13 would take 1000 years. Add three more characters and you'd need 1 million years to run through all possible options.
I guess it's not that big of a deal, since according to https://howsecureismypassword.net/, the password aaaaaaaaaaaaaaaa (16 a's) would take 345k years to crack, so anything over 16 is essentially overkill. Kinda dumb that they don't tell you that anything over 16 isn't counted, though.
Much more than ten years. Look at this. It says a normal pc should take 28k years to crack my rockstar password, which is much shorter than 28 characters, and does not contain any symbol. (thanks Rockstar)
P.s. Don't test your real password on the site. You never know.
> Also have a gander at https://howsecureismypassword.net/ for the beginning of an idea of password strength.
Sorry, you are potentially putting your legitimate password here into a web service you know nothing about. Similar services have been known to be honeypots to build up password dictionary lists. You talk a lot about security but you're also asking people to input their password in plain text into a service they know nothing about.
Dude...
https://howsecureismypassword.net/
This is a subreddit about Bitcoin, not your Google tab.
I *can not* understand the mods here, letting stuff like this pass through. It's not like we're lacking in good content and are desperate for *anything* to fill the sub...
Assuming it's a 128 char password with symbols, it would take a computer about 42 sextillion septuagintillion years to crack it.
FYI the password tested is
acVKw4JxEeeuJqeHv6YFHScJHKnzYeJYkP95EX_vjEe?R-aZ2xqbTE?tFy+%J8%aZyNLk=B&Bn6QH%5C26H7Vw7XGxmz^&YeTQYhALrGksEfLm%STAAtE3u59r
and the calculation site is this: https://howsecureismypassword.net/
It means there was a security breach on those sites. It doesn't mean that your info was stolen, but it may have been. You need to change your password on those sites, right away. Make sure not to use the same password on different sites.
Use this site to help pick out new passwords
https://howsecureismypassword.net/
And get a password manager if you don't already have one. I like LastPass
> TWBAPPTCBR
This is a terrible password, crackable inside an hour according to https://howsecureismypassword.net/.
Why not just use the whole phrase? ThisWouldBeAPasswordPhrase is an excellent password, and it's no harder to remember the whole thing than the first letters of the whole thing. Random words are even better: MouthPipeRabbitHydrant is easy to remember, but very hard to guess.
More of a network security question than a pi question but...
Nobody confirmed it was Russians. His password was p@ssword; enter it here https://howsecureismypassword.net/ and basically it would be cracked instantly by anyone using hack tools that any 10 year old could easily use. Now, months after he knew he had been compromised, he never NEVER CHANGED any passwords contained in his emails. People on 4chan had a lot of fun in his Netflix account etc... The DNC "hack" was proved a leak; in his case it was just a really, really weak and stupid password.
Short answer since I'm tired:
Apple's DMG encryption is proprietary. That means no one can say how safe it is.
Some cases have shown that the encryption is pretty good (AES I guess) and Apple has not included/revealed a backdoor.
(I remember some cases where the FBI or someone wanted Apple to decrypt a phone. Not sure if they could do it in the end.)
However, no one knows whether it's actually safe or not.
VeraCrypt on the other hand is free and the source code is visible for anyone.
TrueCrypt (the predecessor) had an audit and had only some minor flaws, none of them were really serious.
So (for me at least) there is no question which one is "better". Obscurity is no substitute for security.
It also depends on what you want to encrypt. No one will waste days/weeks/years to crack a file if he doesn't know what's inside.
Moreover, social engineering is far more effective than brute force or dictionary attacks.
For everyday life an AES-128 (265 if it helps you sleep better) encryption is more than sufficient.
On the other hand, if you want to hide data that is so valuable, the encryption is (by far) not the weakest link in the chain.
Would you keep the password safe if someone is about to cut your finger/hand/leg off?
Edit: Bruteforcing is impossible, provided that the password is long enough. Take a look at the AES wiki page.
> as a 126-bit key (instead of 128-bits) would still take billions of years to brute force on current and foreseeable hardware.
Also this neat site tells you how long it would take to crack your password.
I'm not sure how accurate it is, but if you land something > 10 years, you should be safe.
Another thing that this website shows, is that length>complexity. So you are far better with "namejackage36" than with "ja36ck."
Sad that I had to scroll so far to find this.
Of course there's going to be large dictionary of common passwords, computing power to brute force things under a certain length, and connecting dots to exploit password reuse... this is nothing new. The numbers just change.
There are 62 alphanumeric characters without special symbols. Special symbols + numbers don't make a password strong; they just make it more difficult to remember.
What matters are permutations; numbers and symbols hardly help that. Anything common in a dictionary is already lost.
Use a phrase: tacosmightbemyfavorite
That's: 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 * 52 = 5.650326708567015e+37
Which according to this site would take 11 trillion years to crack.
Does it use common words? Yes... but there are over 171,476 words in the English dictionary. Swap that 52 for 171k and forget about it.
Edit: I'm using 52 instead of 62 because there are no numbers, so it's a-zA-Z.
Additionally, this is why Alpha/Alphanumeric difference is stupid ("Please use a number"). Many people use passwords that hover around 8 characters, so let's look at the difference.
53,459,728,531,456 Alpha only
218,340,105,584,896 Alphanumeric
A difference of not much. So let's add 3 more characters to Alpha only and see what happens:
7,516,865,509,350,965,000 Alpha only, with 11 characters (like adding "ing" to a word).
Huge difference. Now turn that into a small unique phrase with 20+ characters and the number will be too huge to write.
You can even just use your favorite words like: puppies-guitar.seltzer-whiskey (175 DECILLION YEARS)
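The search-space arithmetic behind the 52^8, 62^8 and 52^11 comparison above, worked as an added example that is not code from any comment on this page. The 4 billion guesses/second rate and the 95-character "full keyboard" alphabet are assumptions; the 171,476-word vocabulary is the figure the comment quotes.

```python
"""Added example (not from this page's comments): keyspace, entropy and
brute-force time for the character-class vs length comparison above, so the
"length beats charset" claim can be checked with numbers."""
from math import log2

# Alphabet sizes used on this page: a-z, a-zA-Z, a-zA-Z0-9, and a full
# printable-ASCII keyboard set (95 is an assumption for "with symbols").
ALPHA_LOWER, ALPHA_MIXED, ALNUM, PRINTABLE = 26, 52, 62, 95
ENGLISH_WORDS = 171_476                # vocabulary size quoted in the comment
GUESSES_PER_SECOND = 4_000_000_000     # rate quoted elsewhere on this page; an assumption
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters over the alphabet.
    Exact integer arithmetic, so the large values are not rounded."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy when every string in the space is equally likely."""
    return log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every string in the space is tried once (average case is half)."""
    return space / rate / SECONDS_PER_YEAR


def length_for_equivalent_keyspace(alphabet_size: int, target_space: int) -> int:
    """Smallest length over `alphabet_size` whose keyspace is at least `target_space`.
    Answers: how many extra lowercase letters replace a symbol-heavy password?"""
    n = 1
    while alphabet_size ** n < target_space:
        n += 1
    return n


def passphrase_views(word_count: int, total_chars: int, vocabulary: int = ENGLISH_WORDS):
    """Two ways to count a lowercase passphrase of `word_count` dictionary words
    that is `total_chars` letters long: as letters (what a naive brute forcer
    faces) and as dictionary words (what a dictionary attacker faces)."""
    as_letters = keyspace(ALPHA_LOWER, total_chars)
    as_words = keyspace(vocabulary, word_count)
    return as_letters, as_words


def describe(label: str, space: int) -> str:
    return f"{label:>32}: {entropy_bits(space):6.1f} bits, {years_to_exhaust(space):.3g} years"


if __name__ == "__main__":
    # The comment's own numbers.
    print(describe("8 chars a-zA-Z", keyspace(ALPHA_MIXED, 8)))
    print(describe("8 chars a-zA-Z0-9", keyspace(ALNUM, 8)))
    print(describe("11 chars a-zA-Z", keyspace(ALPHA_MIXED, 11)))
    print(describe("22 chars a-zA-Z", keyspace(ALPHA_MIXED, 22)))
    # How many lowercase letters match a 12-character full-keyboard password?
    n = length_for_equivalent_keyspace(ALPHA_LOWER, keyspace(PRINTABLE, 12))
    print(f"12 printable chars ~ {n} lowercase letters")
    # "tacosmightbemyfavorite": 4 dictionary words, 22 letters.
    letters, words = passphrase_views(4, 22)
    print(describe("22 letters, counted as letters", letters))
    print(describe("4 random dictionary words", words))
```

The last two lines of output show the gap between the letter count and the word count: a phrase of a few dictionary words is far weaker against a word-based attack than its length suggests, which is why the other comments on this page recommend random or unusual word choices.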
I think that N>25 with at least 1 uppercase is sufficient. If you use a phrase the entropy gets so high that a special character isn't gonna help. Ex. LongPassphraseThatIsRandom has an estimated crack time of 327 septillion years. Basically check it in Have I Been Pwned and if it hasn't, a decent phrase with no special characters will be fine.
Here is the test site I used. https://howsecureismypassword.net/
Well, a PIN number with 6-8 digits would be easily crackable. A 12-word passphrase is very safe. Try out this website and see how insecure a PIN number with 6-8 digits would be for accessing the wallet and transactions:
Use this secure password generator
And check out how long it would take a brute-force algorithm to crack your password
And keep in mind, sometimes the most secure way to store data--like complex passwords to RC websites--is to take it back to good-old analog data storage. No computer hacker in the world can access a small stack of scrap papers in a mason jar or zip-lock sitting behind the 2-year-old, freezer-burned vanilla ice cream in the back of your freezer lol.
Are you trying to make something like this?
https://howsecureismypassword.net
The fastest way to make an estimate would be to run make and run a benchmark to see how fast your hardware can guess small-ish passwords to get a rate of growth, then use that to create an exponential expression that gives a time estimate.
Actually finding passwords more than ~8-10 characters will take a while, unless you used specialized password cracking techniques.
Some of them are worthwhile. There are ones offered as a service (where you can log in from anywhere, like with a "cloud provider"), but those have the problem that they have to be very trustworthy and incredibly secure. That is very convenient, but also risky (and risk is what we want to avoid).
There are local password managers with a file-based database; the most widespread is probably KeePass2 (which I use too). Very secure encryption of the database, open source (meaning that if you know enough you can look at the program's source code yourself and verify it), and compatible programs are available for pretty much all systems (Windows, Linux, Apple, iOS, Android, WinPhone, etc.). KeePass2 can also be integrated and hooked into just about anything with plugins.
There are also commercial products, but these are mostly optimized for working in teams (workgroups with different security permissions, etc.). For a personal database I would stick with KeePass2.
Oh, and: backup, backup, backup, and a niiice long master password. Not complicated, but long. You can see why that matters here, for example: https://howsecureismypassword.net/ (but don't type in any passwords there that you actually use!).
I don't see any issues on this, take a look at different password combinations here: https://howsecureismypassword.net/ and see if it starts to make more sense why this is the suggested policy. Only difference with this and my organization's policy is we do 120 days.
I'd suggest looking into a tool like Adaxes to help with password changes, it allows users to answer security questions at the login screen to reset the password.
If computing capacity (which can't scale infinitely) manages to lower the calculations needed to check all possible DarkSend variations from several trillion to several billion years I still doubt we'd be in trouble.
Complexity increases exponentially so the step from 5 digit passwords to 8 is a huge leap in terms of required calculations. This site says 5 digits will be cracked in 23 seconds. Increase it to 8 digits and we already have 2 years. Add just one more digit and you get 433 years! Now imagine stepping up from 500 to 800 digits (which is basically the area of cryptographic functions) and tell me whether computing can keep up with that.
My point is: DarkSend right now is secure enough and will be secure enough for the foreseeable future. Your house may not survive the explosion of the sun, but for now and the next few billion years it's a pretty good bet against the elements, wouldn't you agree?
A password manager is even better because you only need the one strong password to unlock everything, but it saves individual SUPER strong passwords for all the accounts you put in.
You can set it to automatically generate 100+ character passwords. In reality, you only need about 30 to make a password practically uncrackable, but why not do overkill when you don't have to worry about typing it in?
>Apparently passphrase passwords aren't as secure unless you do really really long ones (like a paragraph) which are too big for most websites.
This is abjectly not true. You can use password strength assessors such as the one built into KeePass or basic web based ones to verify the strength of a password and a simple sentence works handily for the overwhelming majority of people for the overwhelming majority of uses.
Yes, it's irritating to have to copy/paste a mishmash of characters but that's why you create a pass*phrase* that you can remember easier, using the password manager as a backup when your memory fails.
Keepass is helpful for randomly generating up to a 256-bit hex key for passwords, which would take all the computing power on earth to the end of time to bruteforce. The database itself is heavily encrypted as well, and with a long password for the database it would take a similarly long amount of time to bruteforce. A piece of paper could be easily lost or looked at by a friend/family member.
Keepass is an offline locker, meaning it has no connection to the internet. The only way someone would be able to open it up is if they stole the file from your PC somehow, and even then, because of its encryption, they would need to know the password to open the database, or bruteforce it which would take an obscene amount of time (billions of years+) if OP set a nice long password.
Remember, the key to a secure password nowadays is not complexity, it's length. You can use https://howsecureismypassword.net/ to see what I mean.
Thanks for your feedback, bookerio! Please feel free to improve the script. The code is on Github already. I only have basic skills in PHP / HTML / CSS / JavaScript so I'm afraid I can't do anything more to improve the script at the moment.
two forms: I was trying to keep it simple with the two forms / reload of the whole website. And it works right now, since the generation is fast.
current special characters: !@#$%&*? (they should be all safe to use. I even left this one out: ^)
howsecureismypassword.net is amazing. We can check for open source solutions that would help creating a tool like that for privacytools.
I'd prefer a no javascript version at the moment. Disabled javascript in browsers gives generally a better privacy.
This is a nice addition to the website, BurungHantu. Really nice job. I can help you improve it, if you like.
in passwords because they think that will protect them from XSS, even though passwords should never surface in plain-text anyway..., so an option to disallow special symbols could be useful). I noticed that you send a HTTP request to the server to generate the password, which causes the page to refresh. If you think it is best to generate the passwords on the server, then maybe it would be a good idea to make the request asynchronous through JavaScript, which will remove the page reload and improve UX. That being said, in my opinion, generating passwords on the server is a little bit more secure but generating them on the client using JavaScript is better for privacy and UX. What do you think?
This is totally not true. basically, most of services on the internet wouldn't allow "§" sign. Try googling for "why use passphrases instead of passwords". "This is my supercool password" is way easier to remember than "optiplex§2010" and is way more secure.
Try comparing them through https://blog.kaspersky.com/password-check/ or https://howsecureismypassword.net/
:)
Rainbow tables are the big vector of attacks for password hashes. They are often precompiled and they map passwords to hashes.
Let's take the password: ads3op
It has an md5 hash of: ce042427036c81b2425785f596ccac6a
Now run it through here: http://md5.my-addr.com/md5_decrypt-md5_cracker_online/md5_decoder_tool.php
and it cracks it. Easy peasy.
There exist rainbow tables with lower_alpha&numeric up to 8 characters, with over 80% hit rates. Possibly even better now with advanced computing technology.
To really scare you, brute forcing a single password is easier given enough time and horsepower.
https://howsecureismypassword.net/
A hash generated from a much longer password, like a passphrase will be less easily cracked.
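The lookup-table attack the comment above describes, and the defence against it, as an added example that is not code from the comment or from any site it links: a precomputed md5 table is built once and reused against every unsalted hash, while a per-record random salt plus a slow KDF (PBKDF2 here, as an assumption; bcrypt or Argon2 would serve the same role) leaves the table with nothing to match. The candidate list and the user records are constructed.

```python
"""Added example (not from the comment above): precomputed md5 lookup vs
salted, iterated password storage. Wordlist and records are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed candidate list; a real precomputed table covers billions of entries.
CANDIDATES: List[str] = ["password", "ads3op", "letmein", "qwerty", "hunter2"]


def md5_hex(password: str) -> str:
    """Unsalted md5 as the weak storage scheme the comment describes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute md5(pw) -> pw once; reusable against every unsalted database."""
    return {md5_hex(pw): pw for pw in candidates}


def crack_unsalted(table: Dict[str, str], digest: str) -> Optional[str]:
    """Constant-time lookup: the whole 'attack' is a dictionary hit."""
    return table.get(digest)


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store as pbkdf2_sha256$iterations$salt_hex$digest_hex with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def work_factor(n_candidates: int, n_records: int, iterations: int) -> Dict[str, int]:
    """Hash invocations an attacker needs to test every candidate against every record.
    Unsalted md5: one table serves all records. Salted KDF: every (candidate, record)
    pair must be recomputed, `iterations` times each."""
    return {
        "unsalted_md5": n_candidates,
        "salted_pbkdf2": n_candidates * n_records * iterations,
    }


if __name__ == "__main__":
    table = build_md5_table(CANDIDATES)
    print("unsalted md5 of ads3op ->", crack_unsalted(table, md5_hex("ads3op")))
    # Two users choose the same weak password; salts make their records differ.
    rec_a = pbkdf2_store("ads3op")
    rec_b = pbkdf2_store("ads3op")
    print("records differ:", rec_a != rec_b)
    print("table hit on salted record:", crack_unsalted(table, rec_a.split("$")[-1]))
    print("verify correct password:", pbkdf2_verify("ads3op", rec_a))
    print(work_factor(len(CANDIDATES), 1_000_000, 200_000))
```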
We should probably explain a bit more about the password cracking, as it's presented in a misinformed manner (the implication being that the simple passwords are somehow harder to crack than a random one). It's the length, not the distribution. Something like https://howsecureismypassword.net/ can help with the visualization there. Of course, it's not a good idea to do something like a single letter repeated 64 times just on the off chance that their brute forcer tries that.. but in theory it would still take as "long" to crack.
According to https://howsecureismypassword.net/ that password DonkeyMonkeyEnglandMoon would take a regular desktop computer an impossible amount of time to crack. With a string of 4 common English words the computer would have to test every single 4 word combination of every word in the language. Not only that but it would have to test the capital letters too.
The password is only a sliver of the problem. WEP is an extremely weak encryption, which can be cracked in a matter of seconds. A 5 character password is 40 bits, which has been recorded as being cracked in as little as 2 seconds, due to the insecure ways of WEP.
WPA2 is much more secure. It requires a minimum of 8 characters (which isn't that hard to remember, throw a few numbers/letters on it that have significant meaning or something), and is a much stronger encryption over all, which at this time I believe is only crackable by brute force. Depending on password complexity, brute force can range from a couple seconds to trillions of years. You can get an idea of your password strength here. Bd452 comes up as a whole .23 seconds to brute force.
Hope you find this informative ;)
less than a second, according to: https://howsecureismypassword.net
Do NOT enter your actual password, but rather, enter a similar one. Entering 6 random digits shows that it would take a desktop PC about 0.00025 seconds to crack your password.
Using a 12 letter password, this time goes up to 19 years.
A 15 letter password will take 13,000 years to crack.
Cracking passwords is like picking apples: you can crack most of the low-hanging (easy) passwords quickly, but there's always a few in the top branches you can't reach. This is entirely dependent on how strong your password is. The more character sets and the longer the password is, the more protected you are. At a certain point of complexity, your password would take billions of years of computer processing time to crack. Any passwords under like 6 characters can be done in like 15 seconds. If this was a web-based attack, it would have been much slower than a local crack where you actually have hashes saved on your computer.
Check out this neat tool. It'll tell you how strong your password is.
Long passwords based on length are easy. Dictionary attacks can absolutely destroy them. The capitals and symbols help add orders of magnitude. As long as you're using rules that are common it's only a matter of time. In general, people don't have very complex vocabularies. In general, serious hackers are running a lot of cores to crack stolen passwords with techniques other than brute force.
If I make up a sentence and set my own rules to that password, it's protected against such techniques.
I1mu4545m0rtt|>,ip.
I made that password from that sentence. You have to brute force it to crack it. https://howsecureismypassword.net/ puts it at 14 quintillion and it wouldn't take more than a minute or so for hunt and peckers. Not to mention much less prone to errors in typing. Meanwhile "This is my password and I defy anyone to guess it" ends up as a first guess for dictionaries.
I would say you are more right because using a dictionary attack requires some skill. Cracking 8 character long random passwords is very very easy.
Using this website, https://howsecureismypassword.net/ for both
So, combine the two for most security, use a dictionary password with some random thrown in. For example, if you know a second language add a word in that language.
Password brute force simulator.
Also, here's XKCD explaining passwords.
The quick and dirty of passwords is: just make it longer.
My solution to not wanting to remember various different passwords:
1 - find an acronym of a saying that you like that contains at least one general pronoun (who, them, etc). I'll use "Who lives in a pineapple under the sea", so "wliaputs"
2 - change 1 or 2 letters to familiar symbols (@ for a, $ for s, etc) and others to their numerical form
3 - for the twist, replace the pronoun of the acronym with the first letter, or couple letters for more security, of the site you're on. for extra measures, you can also capitalize it.
So like for reddit, the password looks like "Rli@788$" and facebook would become "Fli@788$" - which would take a hacker approx 5000x longer compared to the original one (52 seconds to 3 days)
Excuse me sir, noob question here.
I can see that with 4000kh/s you cracked a 16 character password in two days. I myself am using a 20 character password with complex structure for my wallet. How long do you think it will take to crack that and with how much power?
According to this website it would take around 20 septillion years to do so. Is it a load of crap?
Congratulations for winning the contest btw :)