Passwords

Grim... · **Posted:** Fri Apr 13, 2012 14:36

We talked about passwords a bit the other day, but it was in the iPad thread so I didn't want to derail it further.

Anyway, this is by far the most accurate password strength tester I have ever seen: http://dl.dropbox.com/u/209/zxcvbn/test/index.html

If you're interested, this is how it works: http://tech.dropbox.com/?p=165

My hardcore password's crack times were all measured in "months", so that's good. My 'general' one that I use for things I don't really care about was 0.2 seconds so, er... That's not so good.

devilman · **Posted:** Fri Apr 13, 2012 14:43

Both your links are the same. Interesting stuff though - my 'strong' password is still only a 30-minute one.

Bamba · **Joined:** 25th Jul, 2010 **Posts:** 11128

Mine are predictably shite and piss easy to crack. The secret seems to be to avoid any words that appear in the English language (whether you use number swapping or not). Even just stripping the vowels from a known word seems to work wonders.

The real question is: how much does this site reflect the technqiues people really use to crack passwords? And how do we know the answer to that question?

Bobbyaro · **Joined:** 18th Apr, 2008 **Posts:** 11843

Well, Grim... now knows half the forums' passwords for starters!

TheVision · **Posted:** Fri Apr 13, 2012 14:58

My hardcore password would take 5 months to crack apparently.

Why someone would want to spend 5 months just to read my emails is anyones guess, but still... Up to them isn't it?

Runcle · **Posted:** Fri Apr 13, 2012 15:00

One of my passwords has a crack time of 4 years, anyone beat that?

Plissken · **Posted:** Fri Apr 13, 2012 15:02

Bobbyaro wrote:

Well, Grim... now knows half the forums' passwords for starters!

The one and only correct answer!

Runcle · **Posted:** Fri Apr 13, 2012 15:02

Runcle wrote:

One of my passwords has a crack time of 4 years, anyone beat that?

Ha I've just realised if I add a letter to the end of it, the crack time changes into centuries.

myp · **Posted:** Fri Apr 13, 2012 15:02

That thing is great. I've generated a new password that's easy to remember that will take 97 years to crack.

Grim... · **Posted:** Fri Apr 13, 2012 15:02

devilman wrote:

Both your links are the same. Interesting stuff though - my 'strong' password is still only a 30-minute one.

Oops! Fixed.

Bamba wrote:

The secret seems to be to avoid any words that appear in the English language (whether you use number swapping or not).

Nah, man. Try

Code:

My name is Bamba.

myp · **Posted:** Fri Apr 13, 2012 15:03

It seems to be the spaces that makes those hard to crack.

markg · **Joined:** 30th Mar, 2008 **Posts:** 16560

Yeah, spaces or anything that isn't a letter or a number. Is it just that brute force attacks try combinations without those first or something?

KovacsC · **Posted:** Fri Apr 13, 2012 15:12

my work one is measured in centuries!!

devilman · **Posted:** Fri Apr 13, 2012 15:13

KovacsC wrote:

my work one is measured in centuries!!

'measured in centuries!!' was a good password, but you should probably change it now.

Bamba · **Joined:** 25th Jul, 2010 **Posts:** 11128

Grim... wrote:

Nah, man. Try

Code:

My name is Bamba.

As others have said, take the spaces out (and also remove 'Bamba' which isn't a real word) and the crack time drops massively. Alternatively, try flibbertygibbet.

Grim... · **Posted:** Fri Apr 13, 2012 15:16

markg wrote:

Yeah, spaces or anything that isn't a letter or a number. Is it just that brute force attacks try combinations without those first or something?

They may well do, as a load of things don't allow spaces in passwords (cunts).

Grim... · **Posted:** Fri Apr 13, 2012 15:17

Bamba wrote:

Grim... wrote:

Nah, man. Try

Code:

My name is Bamba.

As others have said, take the spaces out (and also remove 'Bamba' which isn't a real word) and the crack time drops massively.

I, er... Well, yes. Or, to put it another way, "change the secure password to a non-secure one and it becomes less secure"

Replacing the spaces and the word 'Bamba' to get something like

Code:

My.name.is.a.name

is still really good.

Curiosity · **Posted:** Fri Apr 13, 2012 15:19

Mine is surprisingly good! 59 years!

Not pad considering it only has 8 characters, none of which are anything odd.

Grim... · **Posted:** Fri Apr 13, 2012 15:20

Curiosity wrote:

Not pad considering it only has 8 characters, none of which are anything odd.

Obv. pad is three characters.

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14490

password: correcthorsebatterystaple
entropy: 45.212
crack time (seconds): 2037200406.475
crack time (display): 65 years

I wonder how many passwords in systems are now that :-)

Curiosity · **Posted:** Fri Apr 13, 2012 15:21

Grim... wrote:

Curiosity wrote:

Not pad considering it only has 8 characters, none of which are anything odd.

Obv. pad is three characters.

Whatevs

Grim... · **Posted:** Fri Apr 13, 2012 15:24

zaphod79 wrote:

password: correcthorsebatterystaple
entropy: 45.212
crack time (seconds): 2037200406.475
crack time (display): 65 years

I wonder how many passwords in systems are now that :-)

Enough to assume it's a dictionary word by now.

ApplePieOfDestiny · **Joined:** 17th Dec, 2008 **Posts:** 8293

Centuries, motherfuckers. No Cap changes, no words, no spaces.

I fucking rock. Apple can go fuck themselves.

Dimrill · **Posted:** Fri Apr 13, 2012 15:34

Passwords are things on a computer.

Grim... · **Posted:** Fri Apr 13, 2012 15:35

Dimrill wrote:

Passwords are things on a computer.

4,329,143,000 years!

Hero of Excellence · **Joined:** 23rd Nov, 2008 **Posts:** 674

password: boiledvimtoflattoptwopoundsamonth
entropy: 73.001
crack time (seconds): 472663088655908860
crack time (display): centuries

:attitude:

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14490

Grim... wrote:

Dimrill wrote:

Passwords are things on a computer.

4,329,143,000 years!

password: 4,329,143,000 years!
entropy: 62.886
crack time (seconds): 426159280464937.9
crack time (display): centuries
score from 0 to 4: 4
calculation time (ms): 55

markg · **Joined:** 30th Mar, 2008 **Posts:** 16560

p a s s w o r d

Is good for centuries too apparently.

Zardoz · **Posted:** Fri Apr 13, 2012 15:37

|-|0t35tc|-|1|1|/\†|-|\/\/0®|∂

Grim... · **Posted:** Fri Apr 13, 2012 15:39

Zardoz wrote:

|-|0t35tc|-|1|1|/\†|-|\/\/0®|∂

It's a great password from a security point of view, but you'd kill yourself trying to remember it.

Or write it down, rendering it fairly useless.

Grim... · **Posted:** Fri Apr 13, 2012 15:44

TheVision wrote:

Why someone would want to spend 5 months just to read my emails is anyones guess, but still... Up to them isn't it?

Just saw this - the reason they'll spend a lot of time trying to get into your emails is because they can reset pretty much all your other passwords once they've done so.

Or because they're Sky news, and they think you've done something bad.

Hero of Excellence · **Joined:** 23rd Nov, 2008 **Posts:** 674

Grim... wrote:

Zardoz wrote:

|-|0t35tc|-|1|1|/\†|-|\/\/0®|∂

It's a great password from a security point of view, but you'd kill yourself trying to remember it.

Or write it down, rendering it fairly useless.

Writing it down wouldn't be too bad in certain circumstances - most people wouldn't have the vaguest clue how to get those symbols from a computer keyboard.

Grim... · **Posted:** Fri Apr 13, 2012 15:49

Hero of Excellence wrote:

Grim... wrote:

Zardoz wrote:

|-|0t35tc|-|1|1|/\†|-|\/\/0®|∂

It's a great password from a security point of view, but you'd kill yourself trying to remember it.

Or write it down, rendering it fairly useless.

Writing it down wouldn't be too bad in certain circumstances - most people wouldn't have the vaguest clue how to get those symbols from a computer keyboard.

That's true - plus you could write it down in "English".

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14490

Grim... wrote:

TheVision wrote:

Why someone would want to spend 5 months just to read my emails is anyones guess, but still... Up to them isn't it?

Just saw this - the reason they'll spend a lot of time trying to get into your emails is because they can reset pretty much all your other passwords once they've done so.

Or because they're Sky news, and they think your hot.

FTFY

Zardoz · **Posted:** Fri Apr 13, 2012 15:53

Grim... wrote:

Zardoz wrote:

|-|0t35tc|-|1|1|/\†|-|\/\/0®|∂

It's a great password from a security point of view, but you'd kill yourself trying to remember it.

|-|/\/\/\/\ 1 ∂0/\† |</\0\/\/, 1 †3/\∂ †0 \/53 †|-|3 5/\/\/\3 ç|-|/\®5 \/\/|-|3/\ 13375P3/\|<1/\G.

itsallwater · **Posted:** Fri Apr 13, 2012 15:56

Try however using that password on something as simple as a US keyboard. Stupid \ in the wrong place *mummble grummble*

TheVision · **Posted:** Fri Apr 13, 2012 16:08

zaphod79 wrote:

Grim... wrote:

TheVision wrote:

Why someone would want to spend 5 months just to read my emails is anyones guess, but still... Up to them isn't it?

Just saw this - the reason they'll spend a lot of time trying to get into your emails is because they can reset pretty much all your other passwords once they've done so.

Or because they're Sky news, and they think your hot.

FTFY

My hot what?

Malabelm · **Posted:** Fri Apr 13, 2012 16:11

Grim... wrote:

TheVision wrote:

Why someone would want to spend 5 months just to read my emails is anyones guess, but still... Up to them isn't it?

Just saw this - the reason they'll spend a lot of time trying to get into your emails is because they can reset pretty much all your other passwords once they've done so.

Or because they're Sky news, and they think you've done something bad.

*Hugs Google’s two-step logins*

My standard-but-slightly-varying-depending-on-the-site thirteen-character password would take centuries, supposedly. That’ll do.

Warhead · Noob as of 6/8/10

Derek The Halls · **Joined:** 31st Mar, 2008 **Posts:** 3742

My passwords generally take months. Apart from my amazon one which takes centuries.

Pundabaya · **Joined:** 30th Mar, 2008 **Posts:** 5016

It proves what XKCD said about passwords

"rowdy roddy piper at the gates of dawn"

is way more secure than

"3fg£cgh"

and is also easier to remember.

eta: https://xkcd.com/936/

Joans · **Joined:** 31st Mar, 2008 **Posts:** 8648

My work one would take centuries, but only because I stuck a 1 on the end when I had to change it. Before that it was only 38 years.

Some of my other passwords have crack times in seconds, or in some cases "instant" :'(

Grim... · **Posted:** Sat Apr 14, 2012 20:48

Malabelm wrote:

*Hugs Google’s two-step logins*

Their what?

ApplePieOfDestiny · **Joined:** 17th Dec, 2008 **Posts:** 8293

Effectively, an rsa key app on your phone which runs alongside your password for any new login location.

Malabelm · **Posted:** Sun Apr 15, 2012 14:32

Grim... wrote:

Malabelm wrote:

*Hugs Google’s two-step logins*

Their what?

You put your password in, they send a code to you via SMS to log in. If anything doesn’t support logging in that way, you can generate an app-specific password for it. It’s quite effective, but obviously more hassle.

Malabelm · **Posted:** Sun Apr 15, 2012 14:33

http://support.google.com/accounts/bin/ ... wer=180744

Malabelm · **Posted:** Wed Apr 18, 2012 8:57

Aha, Jeff Atwood has just blogged about this two-step lark: http://www.codinghorror.com/blog/2012/0 ... proof.html

KovacsC · **Posted:** Wed Apr 18, 2012 9:06

I have started changing all my passwords..

ElephantBanjoGnome · **Joined:** 22nd Dec, 2010 **Posts:** 8175

My shit passwords for stuff I don't care about are instantly breakable. My better ones for important stuff are measured in tens of years. Interesting stuff to know though.

God help anyone that uses the same password for everything.

Plissken · **Posted:** Wed Apr 18, 2012 10:42

ElephantBanjoGnome wrote:

God help anyone that uses the same password for everything.

This is why I get very twitchy when asked to sign in to some site using my Facebook, Twitter or Google account.

Be Excellent To Each Other

Passwords

Who is online