How breakable is your password?

You can stop that right now, asking for my password. I'm not falling for that, unless you really are a Nigerian Prince with banking issues. Then I might lend it you.

In that original example why are key presses treated differently depending on the output being alphabetic, numeric or symbol? A key is a key.

I worked for a massive tech company. The company originally was known by a TLA. The database user used by the main application had its username as this TLA and the password was the same.

Plus it had god level privileges. There was so much tech debt though that no one dared trying to change it.

For years the default database administrator account and password for Microsoft SQL Server was sa and 'blank'

The easiest way to connect another system to the database or to setup a scheduled job was to use sa and 'blank'

I expect that in some place that still exists.

Novell... theres a memory. Still got an original set on 5.25 floppys somewhere.

This will all become a bit of a non issue with encryption on chip I’d hope, as hashes will be encrypted and never stored in ram etc in the clear.

Given any front end will be limited to a try a minute after say 5 wrong attempts, for instance, the risks of ste passwords should fall off quite a bit.


And I’d hope server side stuff will go encrypted soon enough.

All that being said, I’m surprised hashes are even stored unencrypted.
Ie, can’t they be loaded to ram then unencrypted… then surely accessing hashes from ram becomes many times harder?!
Or are these servers that get attacked literally under full control?



It does all seem like a circular issue in that end users aren’t particularly vulnerable except via re-using passwords, and that’s a thing because of too many passwords, and that’s a thing because of too many ducking accounts!

The scenario they’ve modelled is where the database of hashes has been stolen and they’re brute forcing them on their own tin. You could reversibly encrypt the hashes, but that’s just putting another hurdle in the way, not definitely solving the problem.

Yep.

Realistically the biggest threat most people face is they'll re-use passwords or they won't use MFA.

If you do one thing to improve your online security make sure your email account is using a strong unique password and enable MFA on your email account and use Gmail or Outlook.com.

If you do the above nobody is getting into either of those any time soon.

Very good advice. Primary email is so important yo have properly secured. If anyone gets into that they can pretty much get into any of your other accounts then.

I use a password manager and have a complex unique password and MFA. If you login to your office account in security you can see the login attempts and there are multiple attempts a day from other people trying it on. Probably with leaked creds from another site. They not getting in.

Careful now. Maybe time to upgrade to "Password1!"