How breakable is your password?


BoRED S2upid

19,720 posts

241 months

Saturday 27th April
15 characters long, all lowercase. I was told to use 3 words that mean nothing to you or anyone, like dogpigwallpaper; it’s a good way to remember it as it’s so bizarre. This seems to back that up.

DuckAvenger

325 posts

134 months

Saturday 27th April
At work they change the password about every two months and I can never remember it. It's written on a small piece of paper for anyone to see.

21TonyK

11,549 posts

210 months

Saturday 27th April
DuckAvenger said:
At work they change the password about every two months and I can never remember it. It's written on a small piece of paper for anyone to see.
Yep, passwords on post-it notes stuck to the screen. See it every day. Online lists of account names and passwords on a whiteboard so people have access when others are off.

Pointless.

Baldchap

7,697 posts

93 months

Saturday 27th April
Password propagation is the biggest issue.

Make sure you use different passwords for different sites.

Edited by Baldchap on Saturday 27th April 09:33

Monkeylegend

26,478 posts

232 months

Saturday 27th April
Rick101 said:
I thought mine would be instant but I'm more secure than I thought. Password1 I salute you.
My partner's daughter does use Password123 as hers hehe

Zaichik

110 posts

37 months

Saturday 27th April
Mr Whippy said:
as hashes will be encrypted and never stored in ram etc in the clear!
The 'hashes' are encrypted - it is never plaintext and never converted to the clear - many encryption algorithms only work in one direction anyway. The hashes are really just a list of encrypted passwords against usernames. When you type your password it is immediately encrypted and remains that way - the system will compare the encrypted password with the encrypted hash for a match.

Passwords are 'cracked' when the list of encrypted passwords (the hash) is stolen. To find any given password you have to encrypt trillions of combinations of possible passwords and compare these with each entry in the hash. Hence why this requires brute force.
The thing is, computers available now are so fast, especially when augmented with extra processing power in the form of GPUs (usually used for graphics or AI), this task is becoming easier all the time. The number of calculations per second is mind boggling.

All this becomes much more difficult when combined with a second key only held by the user - hence MFA or multi factor auth. The latest incarnation being passkeys (used now by Google amongst others) that rely on a local bio factor too. These are much smarter than passwords and better for the user for now.

Mr Whippy

29,079 posts

242 months

Saturday 27th April
bhstewie said:
Realistically the biggest threat most people face is they'll re-use passwords or they won't use MFA.

If you do one thing to improve your online security make sure your email account is using a strong unique password and enable MFA on your email account and use Gmail or Outlook.com.

If you do the above nobody is getting into either of those any time soon.
To what end though?

Outlook, Gmail, or even a home brew email server, will lock out anyone hammering your server with login requests from unknown IPs.

All MFA does is put it all on your mobile phone which then exposes your entire life carrying on as normal to being in possession of it.

If someone gets that they have everything, including email and the MFA interface, even if it’s locked the codes often show up on alerts (unless you turn them off)


I can’t even use eBay any more because it’s sending texts and I need to get up from PC to get mobile phone from bedroom or lounge etc.



IF you just used a good unique password all along you’d be fine.

But instead we now have account saturation, passwords are crap and/or reused, and tin pot providers with crap security leak hashes or even clear passwords etc.



I still use *just* good secure unique passwords on email etc.

AND I don’t have a bloody Microsoft account for login.

AND I don’t have any payment methods in my phone.


Segregation and unique good passwords is fine.

Blib

44,238 posts

198 months

Saturday 27th April
I tried to use the password “fortnight” but my computer said it was too weak.

bitchstewie

51,485 posts

211 months

Saturday 27th April
Mr Whippy said:
To what end though?

Outlook, Gmail, or even a home brew email server, will lock out anyone hammering your server with login requests from unknown IPs.

All MFA does is put it all on your mobile phone which then exposes your entire life carrying on as normal to being in possession of it.

If someone gets that they have everything, including email and the MFA interface, even if it’s locked the codes often show up on alerts (unless you turn them off)


I can’t even use eBay any more because it’s sending texts and I need to get up from PC to get mobile phone from bedroom or lounge etc.



IF you just used a good unique password all along you’d be fine.

But instead we now have account saturation, passwords are crap and/or reused, and tin pot providers with crap security leak hashes or even clear passwords etc.



I still use *just* good secure unique passwords on email etc.

AND I don’t have a bloody Microsoft account for login.

AND I don’t have any payment methods in my phone.


Segregation and unique good passwords is fine.
People (mostly) don't get hacked by people hammering their server with login requests from unknown IPs.

People (mostly) do get hacked because they use "mydogsbirthday" on every website they've ever registered for, so when someone does hack the local Canoe club's website or whatever it happens to be they now have the email address and password of "mydogsbirthday" and can get straight into your email account.

A strong unique password and MFA with a suitable backup phone number kills that stone dead.

For how often you actually log in to your email account (rather than log in once then the session is cached) needing the mobile phone is a non-issue.

Baldchap

7,697 posts

93 months

Saturday 27th April
No reason not to MFA on important stuff like email and banking. Takes 2 seconds.