FlyerTalk Forums - View Single Post - Password "security" ?
Old Jan 25, 2016 | 7:09 am
  #50  
gqZJzU4vusf0Z2,$d7
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 238
Originally Posted by broadwayblue
> One site I use has such a ridiculous requirement I end up resetting it every time I login. Maddening.
Use a password vault. Easy. Not maddening.

> Does that mean that even if I choose a 20 digit multi character
> password all this can be affected and degraded by the way that
> the website operator chooses to encrypt the password before
> they store it?

Correct. And for the most part, you have no way to determine
if they are doing it correctly. Getting security correct is really,
really hard ... and waaay too many sys/web admins make horrible
security choices. They are well intentioned, but they simply
"don't know" what they "don't know." And rather than hire
genuine security professionals, they trust their gut.

> Some methods being harder than others to crack?

Correct. Hacks ALWAYS get better:

- SHA1 was believed to be secure-enough thru 202x.
- Then 2017.
- Then some well meaning idiots started a petition to push it back out to 202x.
(while the petition was being debated summer/fall 2015 ...)
- Until Oct 2015 ... and some smart(er) guys discovered a new SHA1 weakness.
- Now we're on a mad rush to banish SHA1.

That little padlock in your browser window? It only means that somebody
is trying to care. It PROVES nothing. To measure security expertise and effort:

www.ssllabs.com
> Test my server
>> Enter the URL of the site you want to test.
>> An A-grade is good and means that somebody at least cares.
>> A B-grade means that somebody isn't paying attention, or making odd choices.
>> A C-grade & below? Whoever is doing the website security? Amateurs.

> How fast does Hashcat do 20 random multi symbol types?

It all depends upon the hashing algorithm and whether it can be (too easily)
accelerated. An 8-GPU rig (fast food paycheck) is good for ~80 BILLION guesses/sec
if MD5 hashing is being used ...

The beauty of Hashcat is the ability to use word lists and substitution-rules.

If you bragged about your password being 20 characters (bad opsec!), I know that
I do not have to check any other lengths. To walk the entire 20-character keyspace
(brute force) using MD5 (don't use MD5!): 1.24*(10**21) years.

But humans choose LOUSY passwords. Hashcat cracked this 60-character password in one [count'm 1] day: You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!

It also cracked a LOT of other passwords in the same 24 hours.

Last edited by gfunkdave; Jan 25, 2016 at 7:31 pm Reason: merged consecutive
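An added illustration of the post's three points, written for this page and not part of the thread: the keyspace arithmetic behind the "years to brute force" figure, why a substitution-rule attack sees the 60-character leet phrase as a handful of dictionary words rather than 95**60 candidates, and the site-side fix (salted, deliberately slow hashing instead of bare MD5). The `pbkdf2_sha256$iters$salt$dk` storage format, the 600,000 iteration count and the leet table are this example's own assumptions.

```python
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365 * 24 * 3600

def brute_force_years(alphabet_size, length, guesses_per_sec):
    """Years to walk the whole keyspace at a fixed guess rate (no rules, no luck)."""
    return alphabet_size ** length / guesses_per_sec / SECONDS_PER_YEAR

# Common leet substitutions; a cracking rule set simply undoes these (assumed table).
LEET = str.maketrans({"!": "i", "3": "e", "0": "o", "$": "s", "1": "l", "@": "a"})

def phrase_words(password):
    """Undo leet substitutions and split into words: the real search space of a
    rule-based attack is a few dictionary picks, not 95 ** len(password)."""
    return password.strip("!?.").translate(LEET).split()

def md5_store(password):
    """What NOT to do: unsalted MD5, checkable at ~80e9 guesses/s on an 8-GPU rig."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password, salt=b"", iterations=600_000):
    """Salted, slow hash. Record layout 'pbkdf2_sha256$iters$salt$dk' is this
    example's own convention, not any library's."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    # 95 printable ASCII symbols, 20 characters, 80e9 MD5 guesses per second
    print(f"full 20-char keyspace at MD5 speed: {brute_force_years(95, 20, 80e9):.2e} years")
    leet = "You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!"
    print(len(phrase_words(leet)), "dictionary words:", phrase_words(leet))
    print("md5:", md5_store("password"))
    rec = pbkdf2_store("hunter2")
    print("pbkdf2 verify:", pbkdf2_verify("hunter2", rec), pbkdf2_verify("hunter3", rec))
```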