Password "security" ?

Old Jan 24, 2016 | 7:48 pm
  #46  
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,784
Originally Posted by antichef
That helps, thanks ^

Since we are really talking about offline brute force cracking, it presumably means that length and mixed character types are the only things that will take time and slow up the attacker? Hence my query about 20 letters, so that
!1234567890.Abcdefgh is a magnitude smaller than !1234567890.Abcdefghi
and therefore much less secure?

I am really trying to gauge how long it will hold back the attacker so that changes could be made if the hack became public!
In the end, people tend to follow particular patterns. The people who write cracking software take advantage of those -- it's not 100% brute force.

A lot depends on what they're trying to do; if the goal is to break as many passwords as possible out of a given file, they're going to go for the low-hanging fruit first -- in the worst case, if the idiots running the site didn't salt the hashes, they can just look at known hashes in the file (e.g. 286755fad04869ca523320acce0dc6a4 is the md5 hash of "password" ) and you've got probably the top 100 most common passwords just for looking them up.

Adding a letter always adds some entropy, but even there things are surprisingly predictable.
nkedel is offline  
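The "just look up known hashes" shortcut above, as an added example that is not from the post or its author: it precomputes MD5 of a constructed common-password list once, recovers every unsalted record by dictionary lookup with no hashing per record, and then shows why a per-user salt kills that trick (the same password produces a different digest per user, so the attacker is back to hashing every candidate for every record). The wordlist, the "leaked" dumps and the fixed salts are all constructed here; real salts come from os.urandom.

```python
import hashlib

# Constructed stand-in for a "top 100 most common passwords" list (assumed, not a real leak).
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "dragon", "monkey", "football", "abc123", "trustno1",
]


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string, hex encoded: the storage format the post warns about."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Hash the wordlist once. The table is reusable against every unsalted dump ever leaked."""
    return {md5_hex(word): word for word in wordlist}


def crack_unsalted(leaked_hashes, lookup):
    """Map record index -> plaintext for every hash present in the table.
    No hashing happens per record: it is a plain dictionary lookup."""
    return {i: lookup[h] for i, h in enumerate(leaked_hashes) if h in lookup}


def salted_md5(password: str, salt: bytes) -> str:
    """Per-user random salt prepended before hashing: same password, different hash per user."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def crack_salted(leaked_records, wordlist):
    """Against salted records the attacker must hash each candidate once per record.
    Returns (index -> plaintext, number of hash computations spent)."""
    found, work = {}, 0
    for i, (salt_hex, digest) in enumerate(leaked_records):
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            work += 1
            if salted_md5(word, salt) == digest:
                found[i] = word
                break
    return found, work


# Constructed "leaked" dumps (not real data). Two users chose "password".
UNSALTED_DUMP = [md5_hex(p) for p in ("password", "password", "letmein", "correct horse battery staple")]
# Fixed salts so the run is reproducible; a real system draws os.urandom(16) per user.
FIXED_SALTS = ["0011223344556677", "8899aabbccddeeff"]
SALTED_DUMP = [(s, salted_md5("password", bytes.fromhex(s))) for s in FIXED_SALTS]

if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print("unsalted dump, table lookup:", crack_unsalted(UNSALTED_DUMP, table))
    print("same table against salted dump:", crack_unsalted([d for _, d in SALTED_DUMP], table))
    print("salted dump, per-record hashing:", crack_salted(SALTED_DUMP, COMMON_PASSWORDS))
```

Salting only removes the precomputation shortcut; with a fast hash like MD5 the per-record loop is still cheap on a GPU, so a deliberately slow, salted KDF (PBKDF2, bcrypt, scrypt, Argon2) is the other half of doing this right.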
Old Jan 24, 2016 | 8:08 pm
  #47  
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,784
Originally Posted by antichef
That is helpful to me too, but stretching my subject knowledge now!

Does that mean that even if I choose a 20 digit multi character password all this can be affected and degraded by the way that the website operator chooses to encrypt the password before they store it? Some methods being harder than others to crack?
It's not so much degraded (although some sites do -- nothing like using a mix of capital and lower case letters only to have the site coerce it to all caps or all lower) as that the particular hashing or encryption algorithms are of varying strength.

All hashing algorithms have the disadvantage that they convert something longer or shorter into a fixed length; in the case of the two oldest/most common (MD5 and SHA1), they are simple enough and produce a short enough output that between size and bugs, there are now attacks where the attacker may be able to find a different string that produces the hash even if it's not your password.

The other alternative is actively encrypting the passwords, but the disadvantage there is that there is a master password somewhere which will unlock all of them.

The only real solution is not to use passwords at all, but there isn't a practical alternative for most things, and while in theory more secure, the other common alternative (certificate-based login, where you have a private key and the server has the corresponding public key) is open to other sorts of attacks.
nkedel is offline  
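Two points from the post above, as an added example that is not the poster's code: first, how much a site that folds your password to one case throws away (for a mixed-case alphabetic password it is exactly one bit per character), and second, what storing a password correctly looks like on the server side, using a salted, deliberately slow PBKDF2-HMAC-SHA256 with a constant-time comparison on verify. The iteration count is an assumption (OWASP's published figure for PBKDF2-SHA256 is 600,000); the record format is also assumed, chosen so the work factor and salt travel with the hash.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Assumed work factor; OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000

_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size(password: str, site_lowercases: bool = False) -> int:
    """Alphabet an attacker must cover, summed over the character classes the
    password actually uses. Case folding by the site merges two classes into one."""
    effective = password.lower() if site_lowercases else password
    return sum(size for chars, size in _CLASSES if any(c in chars for c in effective))


def brute_force_bits(password: str, site_lowercases: bool = False) -> float:
    """Upper bound on entropy for a random password of this length over that alphabet."""
    return len(password) * math.log2(charset_size(password, site_lowercases))


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. The stored string carries algorithm,
    work factor and salt so they can be raised or rotated later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time.
    The password is used as typed: no case folding, no truncation."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "CorrectHorse"
    print(f"{pw}: {brute_force_bits(pw):.1f} bits as typed, "
          f"{brute_force_bits(pw, site_lowercases=True):.1f} bits after the site lower-cases it")
    record = store_password("Tr0ub4dor&3")
    print(record)
    print("correct:", verify_password("Tr0ub4dor&3", record),
          "wrong case:", verify_password("tr0ub4dor&3", record))
```

Storing the same password twice yields two different records because of the fresh salt, which is exactly the property that defeats a shared lookup table.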
Old Jan 24, 2016 | 9:36 pm
  #48  
Join Date: Dec 2001
Location: NYC
Programs: AA LT PLT, SPG Gold
Posts: 2,567
Originally Posted by piper28
My biggest problem with the sites that use more obscure rules and force you to change the password frequently is that I'm not convinced it's really making things more secure because I find the harder it is for someone to remember their password, the far more likely it is that they'll write the password down somewhere, and frequently that somewhere will be easily located from where the computer is. This is something that I frequently have to harass my users about (among other things, we had a security audit a number of years ago, and this is one thing they specifically were looking for in the building). I have a few users that have pages of notes of sites and passwords sitting next to their computers. Thankfully, they're not generally the same faculty members that leave their office door wide open and wander off for hours at a time (in a building that has had occasional thefts occur in it). We do have one annoying piece of software in our department that makes you change the password every 6 months, and with the last update we had, they went from remembering the last 10 passwords to the last 50 (and I'd consider the last 10 to be excessive).

I was pretty resistant to it myself for a long time, but I've ultimately gone to using lastpass for things. I'm still kinda transitioning to it, but so far it's been pretty reasonable for me. We've also used keepass for stuff that we didn't really want stored online (although note, if you store the file for that on a network drive, when you can't access said network drive it becomes very difficult to retrieve the passwords you need from it in an emergency ).
This. It was bad enough (but manageable) when you had to include an upper and lower case plus a number. But now sites are starting to get crazy...two special characters? ...? One site I use has such a ridiculous requirement I end up resetting it every time I login. Maddening.
broadwayblue is offline  
Old Jan 25, 2016 | 6:39 am
  #49  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 19,797
Originally Posted by broadwayblue
This. It was bad enough (but manageable) when you had to include an upper and lower case plus a number. But now sites are starting to get crazy...two special characters? ...? One site I use has such a ridiculous requirement I end up resetting it every time I login. Maddening.
But that's very simple to manage. You just use a tool such as LastPass or 1Password to generate the passwords for you. The generated password is then stored either on your device, or in the cloud. You never actually need to know what the password is.

You can then either let the software autofill the password when you re-visit the site, or you can just copy the password to the clipboard and paste it into the password field.
DYKWIA is offline  
Old Jan 25, 2016 | 7:09 am
  #50  
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 238
Originally Posted by broadwayblue
One site I use has such a ridiculous requirement I end up resetting it every time I login. Maddening.
Use a password vault. Easy. Not maddening.

> Does that mean that even if I choose a 20 digit multi character
> password all this can be affected and degraded by the way that
> the website operator chooses to encrypt the password before
> they store it?

Correct. And for the most part, you have no way to determine
if they are doing it correctly. Getting security correct is really,
really hard ... and waaay too many sys/web admins make horrible
security choices. They are well intentioned, but they simply
"don't know" what they "don't know." And rather than hire
genuine security professionals, they trust their gut.

> Some methods being harder than others to crack?

Correct. Hacks ALWAYS get better:

- SHA1 was believed to be secure-enough thru 202x.
- Then 2017.
- Then some well meaning idiots started a petition to push it back out to 202x.
(while the petition was being debated summer/fall 2015 ...)
- Until Oct 2015 ... and some smart(er) guys discovered a new SHA1 weakness.
- Now we're on a mad rush to banish SHA1.

That little padlock in your browser window? It only means that somebody
is trying to care. It PROVES nothing. To measure security expertise and effort:

www.ssllabs.com
> Test my server
>> Enter the URL of the site you want test.
>> An A-grade is good and means that somebody at least cares.
>> A B-grade means that somebody isn't paying attention, or making odd choices.
>> A C-grade & below? Whoever is doing the website security? Amateurs.

> How fast does Hashcat do 20 random multi symbol types?

It all depends upon the hashing algorithm and whether it can be (too easily)
accelerated. An 8-GPU rig (fast food paycheck) is good for ~80 BILLION guesses/sec
if MD5 hashing is being used ...

The beauty of Hashcat is the ability to use word lists and substitution rules.

If you bragged about your password being 20 characters (bad opsec!), I know that
I do not have to check any other lengths. To walk the entire 20-character keyspace
(brute force) using MD5 (don't use MD5!): 1.24*(10**21) years.

But humans choose LOUSY passwords. Hashcat cracked this 60-character password in one [count'm 1] day: You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!

It also cracked a LOT of other passwords in the same 24 hours.

Last edited by gfunkdave; Jan 25, 2016 at 7:31 pm Reason: merged consecutive
gqZJzU4vusf0Z2,$d7 is offline  
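The two halves of the post above, as an added example that is not the poster's code and does not use hashcat itself: the keyspace arithmetic at the post's assumed 80 billion MD5 guesses per second (which is why a six-digit PIN falls instantly and 20 random printable characters do not), and a miniature of hashcat's wordlist-plus-rules attack that recovers a long "l33t" phrase in a few dozen guesses because the candidate space is phrases times rules, not 95 to the power of the length. The base wordlist and the five mangling rules are constructed here; real rule files carry hundreds of rules.

```python
import hashlib
import itertools

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # space through '~'


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def brute_force_years(length: int, alphabet_size: int = PRINTABLE_ASCII,
                      guesses_per_second: float = 80e9) -> float:
    """Worst case: walk the whole keyspace at the post's assumed 80 billion MD5/s."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


# A handful of hashcat-style mangling rules (assumed; real rule files have hundreds).
_LEET = str.maketrans("eios", "3!0$")


def rule_identity(w): return w
def rule_capitalize(w): return w[:1].upper() + w[1:]
def rule_leet(w): return w.translate(_LEET)
def rule_append_bang(w): return w + "!"
def rule_append_year(w): return w + "2016"


RULES = [rule_identity, rule_capitalize, rule_leet, rule_append_bang, rule_append_year]

# Constructed wordlist: the "humans pick phrases" half of the attack.
WORDS = ["password", "letmein", "summertime", "never gonna give you up"]


def candidates(words, rules, depth=2):
    """Each base word through every ordered chain of up to `depth` rules, de-duplicated."""
    seen = set()
    for word in words:
        for n in range(1, depth + 1):
            for chain in itertools.product(rules, repeat=n):
                cand = word
                for rule in chain:
                    cand = rule(cand)
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hex, words=WORDS, rules=RULES, depth=2):
    """Return (plaintext or None, guesses spent)."""
    guesses = 0
    for cand in candidates(words, rules, depth):
        guesses += 1
        if md5_hex(cand) == target_hex:
            return cand, guesses
    return None, guesses


def candidate_count(words=WORDS, rules=RULES, depth=2):
    return sum(1 for _ in candidates(words, rules, depth))


if __name__ == "__main__":
    print(f"6-digit PIN, exhaustive: {brute_force_years(6, 10) * SECONDS_PER_YEAR:.2e} seconds")
    print(f"20 random printable chars, exhaustive: {brute_force_years(20):.2e} years")
    target = "n3v3r g0nna g!v3 y0u up2016"   # 27 chars: 95**27 keyspace if brute forced
    print(f"27 random printable chars, exhaustive: {brute_force_years(27):.2e} years")
    print("rule attack:", crack(md5_hex(target)), "out of", candidate_count(), "candidates")
```

With 95 printable characters the 20-character figure comes out around 1.4e21 years; the exact number moves with the alphabet size assumed. The rule attack recovers the 27-character phrase from well under 200 candidates, which is the whole reason a long password built from a phrase and predictable substitutions is not worth 95 to the 27th.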
Old Jan 25, 2016 | 9:01 am
  #51  
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,561
Again, thanks for the useful explanations. Fear not, I only gave 20 as an expression for example purposes

I hate it when websites limit me to six or eight digits or insist on it! It makes the hackers job much easier I am sure.

So basically I just stick with LastPass and my different password for each site made as long and complicated as possible. And hope for the best!!
antichef is offline  
Old Jan 25, 2016 | 9:04 am
  #52  
Join Date: Apr 2005
Location: UK
Programs: A3 Gold
Posts: 1,538
Thanks gqzjzu4vusf0z2-d7.

I used the link you provided and tested some of my frequent flyer company servers.

It's timely too as I recently wondered about the security of some of these accounts. One just required 6 digits. I'm worried. Then again my iPhone requires 6 digits too. I assume I'm reliant on how the password process is implemented per your post #42?

Another vote for 1password. I'm paranoid. I only sync on my wifi network so no password file is stored on any cloud based server.

Last edited by SQFAN; Jan 25, 2016 at 9:17 am
SQFAN is offline  
Old Jan 25, 2016 | 12:03 pm
  #53  
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 238
> I assume I'm reliant on how the password process is implemented per your post #42?

Correct.

The test I suggested in #42 only tells you if they seemingly care and are at least
trying. It is NOT a security audit.

Even if they do the on-line security correctly, it is still possible for them to screw-up
the human side. Example: PayPal

Until VERY recently, it was possible to hijack a PayPal account by calling them on the
phone. The only info that PayPal required to do a full account reset/hijack:

- Name
- Last 4-digits of SSN
- Last 4-digits of your CC

Stoopid. Stoopid. Stoopid. Where were the adults when this was being conceived?

Another great way to determine if login/security is poor:

- Any website that can return your actual password is not hashing (salted) passwords and
is doing login/security HORRIBLY WRONG. Avoid.

re: Password managers

Many choices. Some good. Others; um, not. My biases:

Good password vaults:

- LastPass (my favorite)
- 1Password
- Strip Lite
- Safe Wallet
- mSecure
- DataVault

Not good enough:

- Trend Micro
- My Eyes Only Secure Password Manager
- Password Safe
- iPassSafe
- Keeper Password & Data Vault
- SplashID Safe
- Safe
- Safe Password
- Awesome Password Lite
- Password Lock Lite
- iSecure Lite
- Ultimate Password Manager
- Secret Folder Lite

Last edited by gfunkdave; Jan 25, 2016 at 7:31 pm Reason: merged consecutive
gqZJzU4vusf0Z2,$d7 is offline  
Old Jan 25, 2016 | 4:38 pm
  #54  
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,784
Originally Posted by gqZJzU4vusf0Z2,$d7
re: Password managers

Many choices. Some good. Others; um, not. My biases:

Good password vaults:
No mention of Keepass one way or the other. Thoughts?
nkedel is offline  
Old Jan 26, 2016 | 4:37 am
  #55  
Join Date: Dec 2014
Posts: 402
Originally Posted by gqZJzU4vusf0Z2,$d7

re: Password managers

Many choices. Some good. Others; um, not. My biases:

Good password vaults:

- LastPass (my favorite)
- 1Password
- Strip Lite
- Safe Wallet
- mSecure
- DataVault

Not good enough:

- Trend Micro
- My Eyes Only Secure Password Manager
- Password Safe
- iPassSafe
- Keeper Password & Data Vault
- SplashID Safe
- Safe
- Safe Password
- Awesome Password Lite
- Password Lock Lite
- iSecure Lite
- Ultimate Password Manager
- Secret Folder Lite
FYI, Strip Lite is renamed Codebook, and only the paid version is available (full, not "Lite"). Same system, but they (thankfully) decided the STRIP name was outdated (https://www.zetetic.net/blog/).
Calliopeflyer is offline  