The secret of a secure password

kav

Distinguished Member
At university we logged into a particularly one-dimensional friend's account just by guessing his details. Username: "manutd". Password: "football". I've been working in that area since and have seen some cracking examples of stupidity with password security, but that one always sticks out for me.
 

imightbewrong

Distinguished Member
This means it takes the following time to hack a simple password like "sun":

• Brute-force: 3 minutes
• Common Word: 3 minutes
• Dictionary: 1 hour 20 minutes
Maybe I'm missing something here - how can dictionary search be several orders of magnitude slower than brute force? Looping over all 1/2/3 letter words in a dictionary over an hour? Really? I could do that in over an hour :)
 

imightbewrong

Distinguished Member
Also, all their 'how to hack a password' attacks are defeated by systems that lock you out after a few tries. Even if they only lock you out for one minute a hacker has no chance if they are purely generating guesses.
 
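Added here as an editor's illustration of the lockout point above (not code posted by anyone in the thread): a per-account throttle that counts failed logins and refuses all attempts, right guesses included, for a fixed window once the limit is hit. The five-attempt and one-minute figures are taken from the post; the account name and credential in the simulation are constructed, and the throttle itself is an assumed, minimal design.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # attempts allowed before the account is locked
LOCKOUT_SECONDS = 60    # "one minute", as in the post

class LoginThrottle:
    """Per-account failed-attempt counter with a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so a simulation can fake time
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> epoch seconds

    def is_locked(self, user):
        until = self.locked_until.get(user)
        return until is not None and self.clock() < until

    def attempt(self, user, password, check):
        """Return 'locked', 'ok' or 'bad'; `check(user, password)` does the real verification.
        A correct password during a lockout is still refused, so guessing gains nothing."""
        if self.is_locked(user):
            return "locked"
        if check(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            self.failures[user] = 0
        return "bad"

def guesses_per_day(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on online guesses against one account in 24 hours."""
    return 86400 // lockout_seconds * max_failures

def days_to_exhaust(keyspace, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Days needed to try every candidate, e.g. 26**3 for a 3-letter word like 'sun'."""
    return keyspace / guesses_per_day(max_failures, lockout_seconds)

def simulate_lockout():
    """Drive the throttle with a fake clock: three bad guesses, lockout, then recovery."""
    now = [1_000.0]
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    check = lambda user, pw: pw == "correct-horse-battery"   # constructed credential
    results = [throttle.attempt("alice", g, check) for g in ("sun", "son", "sin")]
    results.append(throttle.attempt("alice", "correct-horse-battery", check))  # right, but locked
    now[0] += 61
    results.append(throttle.attempt("alice", "correct-horse-battery", check))
    return results   # ['bad', 'bad', 'bad', 'locked', 'ok']

if __name__ == "__main__":
    print(simulate_lockout())
    print(guesses_per_day(), "guesses/day;", round(days_to_exhaust(26 ** 3), 2), "days for 26^3")
```

With five tries per minute the bound is 7200 guesses a day, so even the three-letter keyspace from the earlier post takes a couple of days rather than minutes. Two caveats a defender would add: a lockout only limits online guessing (it does nothing against an attacker who already holds a copy of the password store), and a per-account lock can be used to lock legitimate users out, so many systems throttle or back off rather than hard-lock.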

GasDad

Remembered (1964-2012)
I'm missing something here as well.

To me a dictionary attack takes seconds - but requires a copy of the encrypted user's password (not impossible on lots of systems). You only need to encrypt each word once and store it - and then simply use the encrypted user's password as a hash to look up the plain text password - really not difficult.

Because this can all be done in advance of the actual 'attack', depending on storage available, multiple word dictionary attacks also become possible.
 

Ian J

Banned
It's often the name of a child or the dog.

We used to have an interesting program a few years ago that showed us a list of forum members using the same password and there were sometimes 25 or more people using the same password.

Fortunately for site security the passwords were encoded and so we couldn't actually read them but I wouldn't mind betting that the more popular ones were "password" or "letmein" or even "123456"

I used to catch loads of banned people re-registering as they tended to use the same password every time they registered but unfortunately changes made in later versions of vbulletin rendered this nifty little program unusable.
 
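The precomputed-lookup attack GasDad describes, and the "members sharing a password" report Ian J mentions, both depend on the same property: the stored digest is a function of the password alone. This added example (editor's code, not from the thread or from vBulletin) shows the lookup succeeding against plain SHA-256, then failing against the same password stored with a per-user random salt and PBKDF2, and shows why identical passwords only group together when unsalted. The wordlist and the usernames are constructed; the hash choices are assumptions, not a description of any real forum software.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed mini-wordlist standing in for a real dictionary.
WORDLIST = ["sun", "football", "password", "letmein", "123456", "manutd"]
ITERATIONS = 100_000   # PBKDF2 work factor; real deployments tune this upward

def unsalted(password):
    """Plain SHA-256 of the password: exactly what a precomputed table can invert."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(words):
    """Hash every word once, up front: digest -> plaintext."""
    return {unsalted(w): w for w in words}

def lookup(stored_digest, table):
    """The 'seconds' attack from the post: one dictionary lookup per leaked digest."""
    return table.get(stored_digest)

def salted(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus key stretching; the digest depends on the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify_salted(password, salt, stored_digest):
    """Constant-time comparison of a fresh digest against the stored one."""
    return hmac.compare_digest(salted(password, salt), stored_digest)

def members_sharing_password(store):
    """Group users whose stored digests are identical; only meaningful when unsalted."""
    groups = defaultdict(list)
    for user, digest in store.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def demo():
    table = build_lookup(WORDLIST)
    leaked_plain = unsalted("football")
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    leaked_salted = salted("football", salt_a)
    return {
        "unsalted_recovered": lookup(leaked_plain, table),            # 'football'
        "salted_recovered": lookup(leaked_salted, table),             # None
        "salted_verifies": verify_salted("football", salt_a, leaked_salted),
        "wrong_password_rejected": not verify_salted("sun", salt_a, leaked_salted),
        "same_password_different_digests": leaked_salted != salted("football", salt_b),
        "unsalted_sharers": members_sharing_password(   # constructed users
            {"u1": unsalted("password"), "u2": unsalted("password"), "u3": unsalted("sun")}),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop an attacker from guessing "football" against one particular account; it stops the precomputation from being done once for everyone, and the iteration count makes each guess cost more. The same change is why a "who shares a password" report stops working: two users with the same password no longer have the same digest, which is a feature rather than a loss.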

rickinyorkshire

Distinguished Member
That document doesn't mention case sensitivity either..
 

Geege

Well-known Member
So the article suggested that using three uncommon words were both easy to remember and highly secure. Does this include adding a space or without?

Thisisfun or This is fun? I assume the former, as sign ins don't allow spaces.
 

rickinyorkshire

Distinguished Member
So the article suggested that using three uncommon words were both easy to remember and highly secure. Does this include adding a space or without?

Thisisfun or This is fun? I assume the former, as sign ins don't allow spaces.
I think it was suggesting the spaces... strange article all in all.
 

mattclarkie

Novice Member
So you think I should change from 'password1' :D

The only easy way to have a complex password is to use a sentence such as 'Iate1biscuit', pee easy to remember, and almost impossible to brute-force in a reasonable time.
 

MIghtyG

Well-known Member
So you think I should change from 'password1' :D

The only easy way to have a complex password is to use a sentence such as 'Iate1biscuit', pee easy to remember, and almost impossible to brute-force in a reasonable time.

I use 1qaz2wsx 3edc, really easy to remember but the numbers and letters make it impossible to brute force....
 

imightbewrong

Distinguished Member
So how many of you have really great passwords and then keep them for years and use them for all and sundry no-reputation web-sites as logins? :)
 

Marc

Distinguished Member
The company I last worked for introduced a complex password policy to improve security, which required users to change their password once every 45 days, and the password had to have 8 characters, and use three of upper case, lower case, numbers and symbols, and could not be any of your last 10 passwords, or contain more than 3 consecutive characters from your username

People complained it was too hard to remember their passwords and started writing them on post-it notes stuck to their monitors :rolleyes:
 

imightbewrong

Distinguished Member
that's the classic outcome when enforced complexity is ramped up too much

I worked at one place where you had to regularly change your password, and it said 'Your password cannot be the same as any past or future passwords' :confused:
 

IronGiant

Moderator
Username: admin
password: admin

Simples :laugh:
 

Marc

Distinguished Member
that's the classic outcome when enforced complexity is ramped up too much

I worked at one place where you had to regularly change your password, and it said 'Your password cannot be the same as any past or future passwords'

lol, that sounds like a Linux message, there are some right doozies on that OS :laugh:

Yeah, the complex password thing just crashed and burned but as an IT department it was something we had to do, just to say we'd done it more than anything else. If the users want to compromise their own security it's not on our heads.

Other people would just change the number at the end of their password each time it expired, and some even more cunning blighters would change their password 10 times so they could go back to the first one again! We stopped them though by preventing more than 1 password change per day (which then caused problems because it also counted if someone in IT reset someone's password for them to 123456 or something, they couldn't then change it to something secure till the next day :rolleyes:)

Social engineering is still the way to go though, I just know I could phone up someone at that company and go "hi, I'm Jeff in IT (people don't know our names) and I'm really sorry but I accidentally just changed your password instead of someone else's, could you tell me what you had it set to, and I'll quickly change it back so it doesn't cause your programs to disconnect from the network" and I'm pretty sure I'd get their password right then and there.
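The policy Marc describes in his earlier post (8 characters, three of four character classes, none of the last 10, no more than 3 consecutive characters from the username, change every 45 days) is concrete enough to write down as a checker, and his later post names the two workarounds users found: bumping the number on the end, and cycling through 10 changes to get back to the original. This is an added editor's example, not the company's code; the history is kept as salted PBKDF2 digests (an assumption, so old passwords are never stored in clear), and the trailing-number check is an added rule the original policy did not have. Sample passwords and the username are constructed.

```python
import hashlib
import hmac
import re
import string
from datetime import date

# Thresholds taken from the policy described in the thread.
MIN_LENGTH = 8
MIN_CLASSES = 3
HISTORY_DEPTH = 10
MAX_USERNAME_RUN = 3
MAX_AGE_DAYS = 45
ITERATIONS = 50_000   # assumed work factor for the history digests

def char_classes(pw):
    """Count how many of upper, lower, digit and symbol appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])

def shares_username_run(pw, username, max_run=MAX_USERNAME_RUN):
    """True if more than max_run consecutive username characters appear in pw."""
    u, p = username.lower(), pw.lower()
    n = max_run + 1
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))

def history_digest(pw, salt):
    """Old passwords are kept only as salted digests, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS).hex()

def in_history(pw, history):
    """history: list of (salt, digest) pairs, oldest first; only the last 10 count."""
    return any(hmac.compare_digest(history_digest(pw, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def check_policy(pw, username, history):
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("needs three character classes")
    if shares_username_run(pw, username):
        problems.append("contains part of username")
    if in_history(pw, history):
        problems.append("reused from last 10")
    return problems

def is_trivial_variant(old_pw, new_pw):
    """Catch the 'change the number at the end' workaround: same stem once trailing
    digits and symbols are stripped. Needs the old password, which a change form has."""
    stem = lambda s: re.sub(r"[\d\W_]+$", "", s).lower()
    return old_pw != new_pw and stem(old_pw) != "" and stem(old_pw) == stem(new_pw)

def is_expired(last_changed_iso, today_iso, max_age=MAX_AGE_DAYS):
    """True once the password is older than the 45-day limit."""
    last, today = date.fromisoformat(last_changed_iso), date.fromisoformat(today_iso)
    return (today - last).days > max_age

if __name__ == "__main__":
    history = [(b"salt-1", history_digest("Winter2019!", b"salt-1"))]   # constructed
    print(check_policy("Winter2019!", "jsmith", history))   # ['reused from last 10']
    print(check_policy("smithy123", "jsmith", []))          # two problems
    print(is_trivial_variant("Winter2019!", "Winter2020!")) # True
    print(is_expired("2020-01-01", "2020-03-01"))           # True
```

The checker enforces exactly what the policy says and nothing more, which is the point of the thread: it cannot see the post-it note on the monitor, and the one-change-per-day rule that blocked the cycling trick also blocked the help desk, as Marc notes. The trivial-variant check closes the most common loophole without adding another rule for users to remember, which is about as far as a policy engine can go on its own.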
 