How secure is your password?

Whiteout Member Posts: 248
Fun little app that shows how fast your password can be cracked. I sent the link out to everyone at work, got more than a couple replies saying, "uh oh, guess I better change my password..."

How Secure Is My Password?
Never stop learning.

Comments

  • Akaricloud Member Posts: 938
    My current password: 3 thousand years.

    Work admin password: .. Not good.
  • Devilsbane Member Posts: 4,214
    21 sextillion years on my wifi password :)

    The actual password I use on a daily basis, probably not so much. But I refused to enter it on a site such as this :)
    Decide what to be and go be it.
  • DevilWAH Member Posts: 2,997
    I was going to say, is it a good idea to enter passwords that are currently in use on an unknown site? Sure work would love it if they knew I was putting domain admin password into an unauthenticated web page, non-secure webpage I might add!
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that it's going to launch you into something great. So just focus and keep aiming.
  • Akaricloud Member Posts: 938
    You don't need to enter the exact password in order to use the results. Enter something similar in layout/length.
  • danny069 Member Posts: 1,025
    wow kool website i'll be sure to share, thanks!
    I am a Jack of all trades, Master of None
  • Roguetadhg Member Posts: 2,489
    All forums have their own separate global password. I've seen forums hacked and passwords taken then used for other accounts. Rather just nip it in the butt. Don't care if you take my forum names, I'll remake :)
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • About7Narwhal Member Posts: 761
    12 Trillion years for my Google account (which houses my entire life just like the rest of the world). I, too, am unwilling to attempt my admin PW but I will be way less than my Google account.
  • ChooseLife Member Posts: 941
    Security of a password entered on a third-party web site = 0
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

  • Whiteout Member Posts: 248
    Really people worried about password security? Obviously don't do it while logged into admin from your web server... It's a tool used to analyze how different combinations of characters affect the difficulty to crack a password. So put in a password that has the same characteristics as the one you are trying to test.
  • TheShadow Member Posts: 1,057
    I guess a password of password was not very good but @p433w05d was ok for 419 years. l33t speak is still not normal I a33ume.
    Who knows what evil lurks in the heart of technology?... The Shadow DO
  • dontstop Member Posts: 579
    I wouldn't trust this website. (good way to harvest passwords)

    Something like https://www.grc.com/haystack.htm is much more reputable.
  • log32 Users Awaiting Email Confirmation Posts: 217
    425 quintillion years lol
  • DevilWAH Member Posts: 2,997
    Whiteout wrote: »
    Really people worried about password security? Obviously don't do it while logged into admin from your web server... It's a tool used to analyze how different combinations of characters affect the difficulty to crack a password. So put in a password that has the same characteristics as the one you are trying to test.

    The point was, to point out to people to be careful, there are a lot of people just starting out in IT on this forum. A fun website I agree, but just needed a little disclaimer I felt :) I can just see the junior system admin, rushing to tell his boss how secure their passwords are.. "so how did you find out that??", "oh I put them into some web site to check!" Might not be great for their job path :)
  • Hypntick Member Posts: 1,451
    I fail to believe that Password123 will take 412 years to break...
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • DevilWAH Member Posts: 2,997
    Hypntick wrote: »
    I fail to believe that Password123 will take 412 years to break...

    I don't think it is assuming dictionary attacks, just direct brute force with no tuning.
  • networker050184 Mod Posts: 11,962
    According to this site 'securepassword' takes ten times as long to crack as my password that contains upper, lower, special characters, numbers and no dictionary words.....
    An expert is a man who has made all the mistakes which can be made.
  • Tackle Member Posts: 534
    .5 seconds. Looks like I need to do some updating.
  • gkca Member Posts: 243
    "It would take a desktop PC about 759 sextillion years to crack your password"
    "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." (c) Nick Helm
  • About7Narwhal Member Posts: 761
    According to this site 'securepassword' takes ten times as long to crack as my password that contains upper, lower, special characters, numbers and no dictionary words.....

    That isn't surprising. Try a common phrase with spaces and all dictionary words. It will take ages.
  • dontstop Member Posts: 579
    Hypntick wrote: »
    I fail to believe that Password123 will take 412 years to break...

    Actually, brute force that's a pretty big password - 11 character sample space (with 35 symbols only counting [a-Z][0-9]) of around 35^11 or 9.6549157e+16. Typically though it's much weaker, using a dictionary attack on this password or a common password list and you will pwn it in <1 day. Especially since even Googling easy passwords will bring up Password123. But these sites are only showing a case of pure brute force zero knowledge, they are showing you the Maths behind the attack.

    e.x. (35 ^ 11) * (1 second / 1 Billion) = 3.05952352 years (35 characters @ 11 characters long) * 1 nanosecond per operation = 3 years.

    In reality, you could point a gun to someone's head & get the password in 2 seconds, but that's a different kind of "Brute Force" attack :D

    Also if you read the logic behind most of these sites, your typical assumptions for passwords are incorrect. 53cur3p@$ is much weaker to crack than thispasswordisreallyfuckinglong. Especially because your sample space is vastly reduced with security boffins saying to us to use a password between 8-12 characters (congrats you have just gone from a zero knowledge attack, to giving away a big key about character length).

    If you think about the permutations even with a dictionary attack that it would take to figure out my password above. There are about 1,000,000 words in the English dictionary (that's spelling them correctly) now you need to find 5 of them *and* here's the kicker, get them in order.

    The above password also lends itself being easier to remember, none of this my$5||][~3 junk. Just a long & easy to remember password. It's even better if you slip in a special character or a word that doesn't exist like: goingtotheshopsissiggby as siggby won't show up in a dictionary attack (pushing this back to a pure brute force of ~35^x)

    Okay: (8-12 chars): iM@h0m)(#$%! (easy to remember? hell no)

    Brute Force: 17135 Years
    Dictionary: 4.4731 x 10^19 Years

    Okay: imgoingtotheshopstoday

    Brute Force: 4.2718 x 10^11 Years
    Dictionary: 1.3357 x 10^13 Years

    Better: imgoingtotheshopstoburarp$

    Brute Force: 3.4942 x 10^26 Years
    Dictionary: 2.7413 x 10^29 Years
  • RobertKaucher Member Posts: 4,299
    [Image: password_strength.png]

    Even with a dictionary attack a long passphrase with numbers and punctuation will take years to brute force EVEN WITH rule based algorithms.

    Here is an example of what one of my passwords might look like:
    This! is a super good stapler I have on my desk. 300 staples!

    One similar to what I used last month:
    How to root a galaxy s3? It's just too easy...

    You cannot possibly build a rule based dictionary for a long (7+ words including any punctuation and numbers) passphrase that encompasses the entire rule set of English syntax and expect it to work within your lifetime unless it is a famous direct quote that is included in the rules.

    If you consider that the average native English speaker has a vocabulary of 2000 words, and then you combine that with numbers and punctuation and you have created so many possibilities that brute forcing becomes simply impossible from a practical perspective. 2000 is much greater than the 26 letters of the alphabet in English. Even if you halve that number to 1000, it is still massively greater than 26. A good passphrase with greater than 7 words, some punctuation, and a number or two and your password is both exceptionally complex and easy to remember because it represents an idea you can picture in your mind.
  • wes allen Member Posts: 540
    I use a relatively long passphrase for my master password, but let 1password generate long, complex passwords to use. While passphrases are pretty strong, you would still have to remember a unique one for each site, which would be tough without using some kind of predictable formula.

    From what I have read, a pretty large percent of password hashes fall to some form of rule based attack, with brute force being a last resort, so even if it is "strong" in a brute force way, it might still be pretty easy to crack using a rule based attack, like the case of password123.

    Interesting enough, I was setting up for Juniper testing, the Pearson VUE site just choked on a longer password, and I had to drop it down to get it to work right.
  • About7Narwhal Member Posts: 761
    I generally assume that the biggest threat is social engineering. Bob over here has a son, who was born May 5th, 2009. Bob's password is likely a permutation of that information. John5509, John05-09, etc. I could easily ask Bob about his son and he wouldn't think anything of it. "My little Jill was born March 3rd. She is 4 now. Can you believe how fast they grow up?" Then the engineering continues from there.

    Hell, my default password is a permutation of a locker combination I had in 6th grade which includes special characters and letters. It cannot be tied to me directly because I was the only one who owned the lock and it cannot be engineered because no one ever has a conversation about their locker combinations from 10+ years ago. lol All of us are talking about how strong our passwords are from brute force when we all know it is the least of our concerns. Granted, Bob pops in an infected USB drive and all hell breaks loose. But it is far more likely that he will give away his password because of HOW it was created and how it ties to him.
  • RobertKaucher Member Posts: 4,299
    I generally assume that the biggest threat is social engineering. Bob over here has a son, who was born May 5th, 2009. Bob's password is likely a permutation of that information. John5509, John05-09, etc.

    I literally guessed a friend's password for their email yesterday based on this. We were discussing this very topic on Facebook.
  • inscom.brigade Member Posts: 400
    I thought I had good stuff, you guys rock!

    ME/ mines/ one of them

    It would take a desktop PC about 157 billion years to crack your password /// shoot that is a pittance compared to some of yours
  • Danielh22185 Member Posts: 1,195
    I was just playing around with it and typed in: 1 2 3 4 5 6 7 8 9 0. Says it will take 48 billion years to crack? I highly doubt this.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
  • GOZCU Member Posts: 234
    I was just playing around with it and typed in: 1 2 3 4 5 6 7 8 9 0. Says it will take 48 billion years to crack? I highly doubt this.


    Calculation is almost true, it just computes the values, but doesn't social engineer it. A small note is attached about how easy it can be to crack:
    • Length: 19 characters
    • Character Combinations: 29
    • Calculations Per Second: 4 billion
    • Possible Combinations: 6 octillion
    • POSSIBLY A TELEPHONE NUMBER / DATE: Your password looks like it might be a telephone number or a date. If it is and it has personal significance then it might be very easy for someone to guess.
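
Added example, not part of any post in this thread: it reproduces the brute-force arithmetic quoted above (35^11 at 1 billion guesses per second, 29^19 at 4 billion) and sets it beside the size of a "dictionary word plus a few digits" rule space, which is why Password123 scores well on such sites yet is weak. The sample word list, the 100,000-entry list size and the rule itself are assumptions made for illustration.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample list; the size of a full word list is an assumption.
SAMPLE_WORDS = {"password", "secure", "welcome", "admin", "letmein"}
ASSUMED_WORDLIST_SIZE = 100_000


def keyspace(alphabet_size, length):
    """Candidates for pure brute force: alphabet_size ** length.
    Also models a passphrase if the 'alphabet' is a vocabulary of words."""
    return alphabet_size ** length


def years_to_exhaust(guesses, guesses_per_second):
    """Years needed to try every candidate at a fixed guessing rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def matches_word_digit_rule(candidate, words, max_digits=4):
    """True if candidate is 'word' or 'Word' followed by 0..max_digits digits."""
    stem = candidate.rstrip(string.digits)
    return (len(candidate) - len(stem) <= max_digits
            and stem.lower() in words
            and stem in (stem.lower(), stem.capitalize()))


def word_digit_rule_space(wordlist_size, max_digits=4):
    """Number of candidates the rule above generates for a list of that size."""
    suffixes = sum(10 ** k for k in range(max_digits + 1))  # "", 0-9, 00-99, ...
    return wordlist_size * 2 * suffixes  # x2 for lower-case / Capitalised


def estimate(candidate, alphabet_size, rate):
    """Return (brute_force_years, rule_space_seconds or None if no rule hit)."""
    brute = years_to_exhaust(keyspace(alphabet_size, len(candidate)), rate)
    if matches_word_digit_rule(candidate, SAMPLE_WORDS):
        return brute, word_digit_rule_space(ASSUMED_WORDLIST_SIZE) / rate
    return brute, None


if __name__ == "__main__":
    print(estimate("Password123", 35, 1e9))          # ~3.06 years vs ~2.2 seconds
    print(estimate("1 2 3 4 5 6 7 8 9 0", 29, 4e9))  # ~48 billion years, no rule hit
    print(f"{keyspace(1_000_000, 5):.2e}")           # 5 words from 1,000,000: 1.00e+30
    print(f"{keyspace(2000, 7):.2e}")                # 7 words from 2,000: 1.28e+23
```

A `None` in the second position only means this one rule did not match; it says nothing about other patterns such as dates, keyboard walks or personal details.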


