
Thread: Password Managers

  1. #31
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Plenty of online password checkers, try examples yourselves.
    I love the smell of twin V16's in the morning..

  2. #32
    Join Date
    25th April 2009 - 17:38
    Bike
    RC36, RC31, KR-E, CR125
    Location
    Manawatu
    Posts
    7,364
    Quote Originally Posted by FJRider View Post
    They wouldn't expect a common bogan to have much of value.
    And that, is why stealth is better than security!

    ... and poverty trumps both
    "A shark on whiskey is mighty risky, but a shark on beer is a beer engineer" - Tad Ghostal

  3. #33
    Join Date
    6th May 2012 - 10:41
    Bike
    invisibike
    Location
    pulling a sick mono
    Posts
    6,054
    Blog Entries
    4
    Quote Originally Posted by jonbuoy View Post
    Well you're wrong, try it. Marian will take less time than M@r1@n
    no.
    assuming the pwd allows the @...
    a hex cracker will go something like:
    abscdefhijklM
    Mabcde....z12345...@
    M@abcdef...r
    etc.


    Quote Originally Posted by bogan View Post
    Only problem is, a brute force attempt processing 500,000 passwords per second might raise some alarms on the server, especially since at that rate you'll be going for up to 32 hours (with a known 6 digit password). Much higher chances of somebody finding that uberhard to crack one that you have to write down imo. Brute force isn't as practical in the real world, as it is infallible in textbook land...
    that's why you don't hack liek that. (most servers won't allow more than 3/minute then lock you out for X amount of time)
    you lift their pwd files and run them through teh h4cKzor5 program.

    but we agree. brute force is almost null now. especially with the rollout of 128 bit. that shit is nasty.


    Quote Originally Posted by bogan View Post
    Unless the password hacking algorithm is designed to run the more common combinations (words) first; which seems an extremely simple time-saving measure I'd be surprised if any decent hacker didn't make sure that was the case. In fact it wouldn't surprise me if words were run with numerical letter replacements straight after the correct spelling.
    yuhuh.

    Quote Originally Posted by jonbuoy View Post
    Depends, if they've intercepted something and are trying to break an encryption that takes say 4 weeks to crack and you change your encryption every 3 weeks it makes things a lot harder. Extreme example.
    perfect example. everyone should.

  4. #34
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Quote Originally Posted by Akzle View Post
    no.
    assuming the pwd allows the @...
    a hex cracker will go something like:
    abscdefhijklM
    Mabcde....z12345...@
    M@abcdef...r
    etc.



    that's why you don't hack liek that. (most servers won't allow more than 3/minute then lock you out for X amount of time)
    you lift their pwd files and run them through teh h4cKzor5 program.

    but we agree. brute force is almost null now. especially with the rollout of 128 bit. that shit is nasty.



    yuhuh.


    perfect example. everyone should.
    Really? Might want to check that, put Marina and M@r1n@ into http://howsecureismypassword.net/
    I love the smell of twin V16's in the morning..

  5. #35
    Join Date
    25th April 2009 - 17:38
    Bike
    RC36, RC31, KR-E, CR125
    Location
    Manawatu
    Posts
    7,364
    Quote Originally Posted by Akzle View Post
    no.
    assuming the pwd allows the @...
    a hex cracker will go something like:
    abscdefhijklM
    Mabcde....z12345...@
    M@abcdef...r
    etc.
    even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...

    Quote Originally Posted by jonbuoy View Post
    Really? Might want to check that, put Marina and M@r1n@ into http://howsecureismypassword.net/
    That site is scaremongering just a little bit, 4 billion goes per second is a little unlikely!
    "A shark on whiskey is mighty risky, but a shark on beer is a beer engineer" - Tad Ghostal

  6. #36
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Quote Originally Posted by bogan View Post
    even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...



    That site is scaremongering just a little bit, 4 billion goes per second is a little unlikely!
    Maybe but it gives you an idea of how to turn seconds of working into years by just substituting a few characters without making it that much harder to remember.
    I love the smell of twin V16's in the morning..

  7. #37
    Join Date
    6th May 2012 - 10:41
    Bike
    invisibike
    Location
    pulling a sick mono
    Posts
    6,054
    Blog Entries
    4
    Quote Originally Posted by bogan View Post
    even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...

    because it checked for Ma, which was incorrect.. so it kept going 'till it found M@...
    that is one very basic example. as some won't tell you letter by letter, and you need to put in a whole password, then encrypt it and check the hashes against what the poached file gives up...

    doesn't really matter, because if you have a hack tool, you may decide to re-script it, if you happen to know that your hackee is likely to use substitution...

  8. #38
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Taking Akzle's recommendation in a previous post, just 8 characters of lower case and numbers would take 66 days at 500,000 attempts per second, fine for Joe Public's email, but just adding upper case characters extends that to 15 years, adding some commas or full stops - 58 years.

    Marian would take 11 hours, M@r1@n would take 4 days.

    http://lastbit.com/pswcalc.asp
    I love the smell of twin V16's in the morning..

  9. #39
    Join Date
    6th May 2012 - 10:41
    Bike
    invisibike
    Location
    pulling a sick mono
    Posts
    6,054
    Blog Entries
    4
    Quote Originally Posted by http://lastbit.com/pswcalc.asp
    IMPORTANT NOTE: Password Calculator estimates recovery time for Brute-force attack only. Brute-force attack is the worst case, sometimes other more effective recovery methods are available. For example any password-protected Word or Excel document could be recovered using our unique Guaranteed Recovery or Express Recovery within a reasonable time frame
    . .

  10. #40
    Join Date
    25th April 2009 - 17:38
    Bike
    RC36, RC31, KR-E, CR125
    Location
    Manawatu
    Posts
    7,364
    Quote Originally Posted by jonbuoy View Post
    Maybe but it gives you an idea of how to turn seconds of working into years by just substituting a few characters without making it that much harder to remember.
    Yeh, guess if it is easy to remember then no reason not to. But I'm not seeing any motivation to change mine, more difficult is well and good, but as long as it is difficult enough...
    I don't encrypt files locally, all my passwords are for websites (which I think is pretty common), rate of trying passwords for a site is so slow I would think instead of seconds turned to years, it would be years turned to millennia! Actually maybe that's why they recommend the change every 3 months, so any fucker that's started hacking has to start all over again

    Quote Originally Posted by Akzle View Post

    because it checked for Ma, which was incorrect.. so it kept going 'till it found M@...
    that is one very basic example. as some won't tell you letter by letter, and you need to put in a whole password, then encrypt it and check the hashes against what the poached file gives up...

    doesn't really matter, because if you have a hack tool, you may decide to re-script it, if you happen to know that your hackee is likely to use substitution...
    True, but I only thought by character matching worked in the movies. I guess if they start off looking through the full set it will be more or less just as hard, but if they start off with the basic char set, or a dictionary set, it's a much different story. I've tried getting into a few rar/zips, downloaded without realising they were passworded, only cracked one, and it was a dictionary attempt starting with a!
    "A shark on whiskey is mighty risky, but a shark on beer is a beer engineer" - Tad Ghostal
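
An added example, not part of any post in the thread: the exhaustive-search arithmetic behind the figures in post #38, next to the dictionary-first ordering described in post #40. The substitution table and the 100,000-word list size are assumptions made for the illustration.

```python
RATE = 500_000  # guesses per second, the rate used in post #38

# Assumed look-alike substitutions, constructed for this example.
SUBS = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5"}


def exhaustive_seconds(alphabet, length, rate=RATE):
    """Worst-case time to try every string of exactly `length` characters."""
    return alphabet ** length / rate


def substitution_variants(word):
    """Upper bound on spellings of `word` via SUBS plus an optional capital first letter."""
    count = 2  # first letter in lower case or capitalised
    for ch in word.lower():
        count *= len(SUBS.get(ch, ch))
    return count


def is_variant(candidate, word):
    """True if `candidate` is one of the spellings counted by substitution_variants."""
    if len(candidate) != len(word):
        return False
    head = candidate[:1].lower() + candidate[1:]
    return all(c in SUBS.get(w, w) for c, w in zip(head, word.lower()))


def dictionary_seconds(word, wordlist_size, rate=RATE):
    """Worst case for a word list where every entry is tried with as many
    variants as `word` has (a simplifying assumption)."""
    return wordlist_size * substitution_variants(word) / rate


if __name__ == "__main__":
    print(f"8 chars, a-z0-9    : {exhaustive_seconds(36, 8) / 86400:.1f} days")
    print(f"8 chars, a-zA-Z0-9 : {exhaustive_seconds(62, 8) / 86400 / 365:.1f} years")
    print(f"6 chars, a-zA-Z    : {exhaustive_seconds(52, 6) / 3600:.1f} hours")
    print("M@r1@n is a variant of marian:", is_variant("M@r1@n", "marian"))
    print(f"100,000 words with variants: {dictionary_seconds('marian', 100_000):.1f} s")
```

Under the dictionary model the substituted spelling is covered in seconds, while the exhaustive count for the same length runs to hours or days; only length and randomness raise both numbers.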

  11. #41
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Yeah there are some smart people out there, if they can get past government/ heavy corporate security I don't think our email accounts are safe no matter how long our passwords are. Only reason "we" haven't been "hacked" is because a pro hasn't tried. Just as the only reason your house hasn't been broken into is because a pro hasn't tried.

    Leaving your password as your wifes/dogs/cats name in plain case text is a bit like leaving a ground floor window open in your house, a burglar can always get in but they are inherently lazy and will always look for an easy target unless you have something they really want.
    I love the smell of twin V16's in the morning..

  12. #42
    Join Date
    25th September 2006 - 19:30
    Bike
    2016 GSXS 1000F
    Location
    City suburb
    Posts
    1,108
    Blog Entries
    1
    Google "password manager review" or similar and spend 30 minutes or so to school up. BTW I purchased Roboform - does everything and more.
    Here for the ride.

  13. #43
    Join Date
    13th December 2008 - 18:22
    Bike
    Your mom
    Location
    Christchurch
    Posts
    3,901
    Just wait till the BFL ASICs start shipping. They will completely revolutionize brute force cracking compared to AMD GPU cracking, and prices are low enough for most script kiddies to afford ($US149 for the Jalapeno).

  14. #44
    Join Date
    3rd December 2002 - 13:00
    Bike
    1991 Kawasaki ZXR400L1
    Location
    West Auckland
    Posts
    841
    Password managers have a few constraints, namely:

    • Only works on the machine it's loaded on. Want to log on from a mate's PC/internet kiosk?? - Hard luck!
    • You lose the password file/app/PC without backup, you lose all your passwords.
    • Who the hell wants to open a spreadsheet/app every time they want to log into anything?


    If none of the above apply to you then go for it. If not then here is my alternative.

    For me I have multiple devices in multiple locations I use to access various areas. I have developed my own system where I only have 4 passwords I need to remember for my 4 levels of security.

    Level 1 - "Don't care, share with anyone" password for untrusted internet forums, non financial/non personal website logins, most online buying websites, guest PC logins, etc. Password is very simple and more for speed and simplicity rather than security (i.e. "123qwe" type passwords)

    Level 2 - "Trusted shared password" for more personal stuff but willing to share this password with trusted others (wife, best mate etc) say Home PC, trademe, itunes, wireless access key etc.

    Level 3 - Real password. The one I use for personal email accounts, windows accounts.

    Level 4 - High security. Strong password used for all financial stuff where my money can be transferred or spent without further authentication.

    A few points:


    • Web/Server administrators of the site you have joined can extract your password at will. This is why all untrusted web sites go under the Lvl 1 "untrusted" password.
    • I have a few environments where my password needs to be changed every 60 days. For these I just tack a number on the end and increment it each cycle and then update all other environments I use this lvl password next time I attempt to log in.
    • Once I had to give my wife temp access to my bank account. Instead of giving her my lvl 4 password, I changed my bank password to my lvl 2 and gave her that one instead.
    • For level 3 and 4 passwords be sure to use strong passwords that will not be rejected by sites for not being complex enough.
    • Keep in mind that your personal email account should also be treated as highish level as anyone that gains access to this can also "forgot my password" on any site you are registered to and reset the password thereby gaining control of that also.
    • And of course the biggest vulnerability is that if one site is hacked/compromised then all sites using that level password are also compromised so will need to be changed. I'm willing to accept this but others may not.

  15. #45
    Join Date
    4th August 2006 - 12:37
    Bike
    Sportster
    Location
    Hamilton
    Posts
    1,673
    Blog Entries
    1
    I notice Mr Fox hasn't posted here.
    Maybe he used one of the password programs, lost the main password and can't log into Kiwibiker anymore!
