My wife saw this on Buzzfeed, I thought it would be interesting to the group.
That is a delight. Thanks for posting it.
Love it, thanks for sharing…
It sure depends on the amount of processing power you put behind that, and more importantly if the service will actually allow you to brute force a password.
Most of the online services with some engineering behind it, would probably block a computer that is doing many wrong retries, because that is a brute force by definition.
I’m pretty sure that this table applies to cracking the password after someone has stolen an encrypted password file from a website and is trying to extract individual passwords from it. Trying to do the same by logging in to a website or other system will hit rate limiters and automatic account locks pretty quickly.
I wish websites would have higher limits on character count. I still run into websites that only allow up to 12! Even some financial institutions only allow 20.
12! is a really big number
I really dislike short password limits too. It makes it impossible to use pass phrases.
Just out of interest how many failed tries would you get as a median before a site locked up so to speak?
I have often wondered about that, somebody on Disqus did try to hack my account I know for a fact. I was then getting those ‘crosswalk’ puzzles all the time, getting logged out constantly and it was really becoming unusable. I think that was the idea really though.
Lol you’re right. Shouldn’t have used a factorial.
How did you know they tried to hack your account?
apparently it would take 1qt (cuatrillion?) years to hack any of my passwords
I love the sites that don’t state their upper limit. A few months ago I learned one that I use ignores anything over twelve. If I had been manually typing in 25 characters all these years I would have been a bit upset.
FWIW this is pretty abstract without knowing the encryption involved. Some encryptions literally let you specify an added CPU cost for decryption, to make brute forcing slower.
Unless I’m totally spacing out, it is also very abstract without the character pool. For example, why are letters easier to brute force than letters and numbers? It’s because of the possible combinations. 26 letters, in upper and lower case form, is 52 characters. If you add 0-9, that becomes 62 characters. So in the case of a 4 character password:
52^4 = 7,311,616 possible combinations
62^4 = 14,776,336 possible combinations
Having said that, what does it mean to add “symbols”? If you add the symbols above your numbers only, you’ve added 10 characters to the pool. If you add every symbol printed on on my US MBP keyboard, you’ve added 33, I think. If you take all the symbols not printed on the keyboard, but still easy to output, such as Option+0-9 or Option+A-Z, it’s even more.
My best advice to ayone is this. Just make sure your email password is really secure. Because if anything else is compromised, it’s easy enough to reset via your email. But if your email gets compromised, they can gain access to everything else.
Take a look at this online tool, it is fun to try different variations to see how secure a password is and to increase the security:
I personally don’t put any real passwords in the search but it provides a great reference anyway.
Thanks for posting this. I just entered some actual passwords used by senior managers where I used to work. (They all, at some point gave me their pw).
I think I’ll send them this link. I’m sure their passwords are the same, but the final number has gone up by 24.
I got a password reset request. Then the person actually sent me an email with some bs explanation of what they were doing and then boasted about what they were doing on the blog itself, gloating actually since they did the same to several other users; one of these smug but unhinged extremists: anti vaxx type I think, not quire sure. I contacted Disqus security and they took ZERO action. Same as Facebook they don’t basically care as long as the hits keep coming. That is partly why I was so pleased David started using this platform.
Weird story eh?
Quite a ways back I signed up for a site that took a huge password at signup time, and then when I tried to use it to log in it told me the password was incorrect. Apparently the signup helpfully truncated it before putting it in the database, but the login form didn’t do me the same “favor”.
I also hate the sites that won’t even give you the parameters for setting up a new password up-front. If I need upper / lower / numeric / symbol, max length 20 characters, just let me know that up front rather than making me guess.
Most of my passwords are 20+ characters generated by 1Password. I have a few that I want to be able to remember easily but have them secure. For those I use a variant of dice words. Instead of random words you can use unrelated words that are memorable to you. As example, as a child I lived on the following streets - Spring, Madison, Gildersleeve. Concatenating them into one string would be hard to guess. Other than my brothers I doubt there’s anyone live that knows I lived on those streets.
I’ve only had one significant issue with passwords. Tried to sign onto my Vanguard account and was told it was locked due to too many attempts. Went through the process to reset my password and got back in. Checked the next day and it was locked again. Called Vanguard support and their only resolution was to cancel my login credentials and create a new userid/password to access my account. No problems since. My guess was that someone compromised some other site and tried to use my login to sign into financial sites. The combination of Vanguard’s security and my use of unique passwords prevented any problems.
To my understanding there is no way to crack a password without comparing it with the source system. This is how the new encryption systems work at least. Encryption works only a single way, you usually do not compare plain text to plain text. The user input gets hashed and compared to the stored hash. I don’t think it is possible to crack a password offline. Again I am talking about how passwords are being hashed and stored these days.
If you have the hashed password you can crack offline by hashing your guesses using the same algorithm and testing them against your local copy.
It’s horribly inefficient, but theoretically possible.
You will require the hash key as well. Which is hopefully was not stored in the hacked DB