How breakable is your password?
Discussion
bigpriest said:
In that original example why are key presses treated differently depending on the output being alphabetic, numeric or symbol? A key is a key.
Adding numbers and/or symbols hugely increases the number of possible passwords to check - if you know you only have to try letters it's much quicker.
eliot said:
admin password for well known organisation i did work for was ‘jam’ - it was like that for many years
I worked for a massive tech company. The company originally was known by a TLA. The database user used by the main application had its username as this TLA and the password was the same. Plus it had god level privileges. There was so much tech debt though that no one dared trying to change it.
I remember doing a Novell Netware training course many years ago, upgrading from one version to another. The lecturer was telling us about a potential security hole (undocumented) when doing the upgrade. He said that when he gave the course to an unnamed government department, when he mentioned the 'hole', about half the class jumped out of their seats, pulled out their mobile phones, and ran out of the room speaking urgently to the person on the other end.
eliot said:
admin password for well known organisation i did work for was ‘jam’ - it was like that for many years
Yep, international billion dollar company had the same admin password on all servers which was known by pretty much everyone in IT across maybe 40-50 sites. This was the same for at least 3 years when I contracted for them.
BlueMR2 said:
otolith said:
Those presumably are times for brute force cracking a stolen hash on fast equipment. You obviously can't brute force the front door of a system in that manner.
The picture states 12 x RTX 4090, so not cheap but not out of the budget for many. Given any front end will be limited to a try a minute after say 5 wrong attempts, for instance, the risks of ste passwords should fall off quite a bit.
And I’d hope server side stuff will go encrypted soon enough.
All that being said, I’m surprised hashes are even stored unencrypted.
Ie, can’t they be loaded to ram then unencrypted… then surely accessing hashes from ram becomes many times harder?!
Or are these servers that get attacked literally under full control?
It does all seem like a circular issue in that end users aren’t particularly vulnerable except via re-using passwords, and that’s a thing because of too many passwords, and that’s a thing because of too many ducking accounts!
Scabutz said:
eliot said:
admin password for well known organisation i did work for was ‘jam’ - it was like that for many years
I worked for a massive tech company. The company originally was known by a TLA. The database user used by the main application had its username as this TLA and the password was the same.Plus it had god level privileges. There was so much tech debt though that no one dared trying to change it.
Mr Whippy said:
Or are these servers that get attacked literally under full control?
The scenario they’ve modelled is where the database of hashes has been stolen and they’re brute forcing them on their own tin. You could reversibly encrypt the hashes, but that’s just putting another hurdle in the way, not definitely solving the problem.
Mr Whippy said:
It does all seem like a circular issue in that end users aren’t particularly vulnerable except via re-using passwords, and that’s a thing because of too many passwords, and that’s a thing because of too many ducking accounts!
Yep. Realistically the biggest threat most people face is they'll re-use passwords or they won't use MFA.
If you do one thing to improve your online security make sure your email account is using a strong unique password and enable MFA on your email account and use Gmail or Outlook.com.
If you do the above nobody is getting into either of those any time soon.
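To put numbers on two points raised earlier in the thread (that adding character classes multiplies the search space, and that a stolen hash database is cracked offline at whatever rate the attacker's hardware allows), here is a small worked calculation. It is an added example, not something posted in the thread or taken from the cracking chart being discussed: the guess rate of 10^12 per second for a fast unsalted hash and the PBKDF2 iteration count of 600,000 are illustrative assumptions, and the keyspace/time model is the usual textbook one (half the keyspace on average, attacker rate divided by the KDF's per-guess cost).

```python
import hashlib
import hmac
import math
import os

# ASSUMPTION: illustrative guess rate for a fast, unsalted hash on a multi-GPU rig.
# The chart in the thread cites 12 x RTX 4090 but no figure, so this is a placeholder.
ASSUMED_FAST_HASH_RATE = 1e12

# Alphabet sizes for the common password character classes.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of that alphabet and length."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Average time to find a password by exhaustive search.

    On average half the keyspace is tried. A slow KDF such as PBKDF2 costs roughly
    `kdf_iterations` underlying hash computations per guess, so the attacker's
    effective rate is divided by that factor (a simplification: memory-hard KDFs
    such as Argon2 hurt GPU attackers more than this model credits).
    """
    effective_rate = guesses_per_second / kdf_iterations
    return keyspace(alphabet_size, length) / 2 / effective_rate


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick comparison table."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


# --- Storing passwords so a stolen database is slow to brute force -----------
# Salted, iterated PBKDF2-HMAC-SHA256; the per-record salt is stored beside the hash,
# so a stolen table cannot be attacked with precomputed tables or one guess per row.
# ASSUMPTION: 600_000 iterations is an illustrative cost; tune it to your server's budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for length in (8, 12):
        for name, size in CHARSETS.items():
            fast = expected_crack_seconds(size, length, ASSUMED_FAST_HASH_RATE)
            slow = expected_crack_seconds(size, length, ASSUMED_FAST_HASH_RATE, PBKDF2_ITERATIONS)
            print(f"{length:2d} chars {name:28s} {entropy_bits(size, length):5.1f} bits  "
                  f"fast hash: {human_duration(fast):>18s}  PBKDF2: {human_duration(slow):>18s}")

    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record),
          verify_password("jam", record))
```

Running it prints a table in which an 8-character lowercase password falls in a fraction of a second at the assumed rate while the full 95-character alphabet at the same length takes on the order of an hour, and a 12-character mixed password moves into years; the PBKDF2 column shows the same keyspaces with the attacker's rate cut by the iteration count, which is the defender's lever once the database is assumed lost. The record format in `hash_password` is the example's own convention, not any particular framework's.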
bhstewie said:
Realistically the biggest threat most people face is they'll re-use passwords or they won't use MFA.
If you do one thing to improve your online security make sure your email account is using a strong unique password and enable MFA on your email account and use Gmail or Outlook.com.
If you do the above nobody is getting into either of those any time soon.
Very good advice. Primary email is so important to have properly secured. If anyone gets into that they can pretty much get into any of your other accounts then.
I use a password manager and have a complex unique password and MFA. If you login to your office account in security you can see the login attempts and there are multiple attempts a day from other people trying it on. Probably with leaked creds from another site. They're not getting in.
Quite.
It won't happen to them or it's too much hassle to go through all their accounts or they don't trust a password manager or (shocker!) decent password managers cost money blah blah blah.
Or everyone you know and everything you use has your ntlworld email address you still use with POP3 and it's too much trouble to change it everywhere.
I get it.
But ask yourself just how much someone could fk up your real life if they had access to the email that gets sent every single time you see a "forgot password" option on a website or service you use