Password strength
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Password strength

  1. #1
    Junior Member
    Join Date
    Dec 2004
    Posts
    6

    Password strength

    Is there any ranking on how secure passwords are based on the time it takes a password cracker to break them? What would be an average time with say LC4 to crack a strong password (upper,lower case, numbers, characters) ? I recently ran my machine through LC4 and was suprised how fast it got one of them, the other password on the other hand took four and a half hours.

    Thanks for any info you could give.

  2. #2
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    No "Official" ranking as far as I know, however, a lot of password crackers use "known" lists or combinations, and different algorithms.....for a "Strong" password, use at LEAST 8 characters, with a mixture of uppercase and lower case letters and other AscII keys, a better length would be something easily remembered, but at least twelve or more characters long....the longer the password string, the longer it will take a cracker to break it...
    jazz is a state of mind...

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    The inherent flaw with any question regarding "how long will it take" is failing to identify the computing powers at use.

    LC4 can crack a password on a Dual P4 machine in minutes, where as on an old Pentium 90 it would take days...weeks.

    As for how strong to make it...see my tutorial...although I didn't start a new thread, so it's not counted as a tutorial...
    http://www.zencoder.net/archives/2005-01-17/12/

    You will want to make them as long as possible, though. 8 is the minimum suggested...I'd recommend 16 or more, if you can handle that many characters.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    "failing to identify the computing powers at use...."
    True, and relevant.
    jazz is a state of mind...

  5. #5
    Junior Member
    Join Date
    Dec 2004
    Posts
    6
    Thanks guys, I am only running a Celeron 2 Ghz., so its not the fastest of machines. The first password was 11 characters and it cracked it in 8 seconds, mind you it wasn't the most secure password and it will be changed. The second one was only 8 characters and I figured it would be cracked sooner, but it took 4 hours and it didn't have capitals, numbers or characters. Wierd. I will deffinately have to go back and change my passwords, too weak for my liking.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    From a recent security course I attended...

    the use of pass phrases is recommended

    with spaces, upper case\lower case alpha numeric characters over 26 characters....
    will slow it down


    This i$ my n3w passw0rd phr@se t0 get 1n t0 7h3 n3w s3rv3r.

    the longer the better

    and as many variations on your characters....above is just an example

    although it is a bitch to have to type

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    Good idea...now if we can just get the users in a network not to write it down on a sticky note and post it on their monitors...lol :P
    jazz is a state of mind...

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Lusers are your weakest link!

    Dont give them access to anything more than they need...

    I always start from none ..then add as needed..although those damn windows wizaeds have much to be desired

    now the servers admin password...no lowly user has access to that...or the domain admin access for that matter....it all depends on how you set it up

    and you should change your passwords it often

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    Oh, I agree completely...just making a point on drive-by access.....lol :P
    jazz is a state of mind...

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    OK,

    A few observations:

    The basic methods of cracking are dictionary and brute force. If you do not use known words or include spelling mistakes and foreign languages you might reasonably expect to foil a brute force attack.

    As a general principle, it is a good practice to include upper and lower case, numbers, symbols etc. so as to make the password more complex. However, length is actually a greater show stopper than complexity as a general rule.

    Try setting up this password:

    HolacoNNai$ez2b0£lockBran€<?>

    Then see how long it takes to crack

    My gut feel is that if your encryption algorithm is fundamentally weak, you password will be more readily cracked, but that is no excuse for making it easy.

    One of the recent developments has been "rainbow tables" In my simplistic view these are basically "pre-cracked" passwords. The best I have seen on offer are capable of cracking a 14 character password from the "normal" keyboard set, in a matter of minutes. But, if you have a longer password, they are useless. They also require a vast amount of computer power to calculate and enormous storage space.................I forget the exact figure, but I think that the 14 character version requires about 60 Gigabytes.

    It is the old security story, you do not buy certainty, only time?

    The password above may seem pretty difficult to remember, but actually it is not...........it says "Hello, do you know bollock brain"

    "Hola" is colloquial Spanish
    "connaisez" French for do you know (plural + spelling mistake)
    "2" = "tu" which is "you" (singular.....grammatical errors help )
    "bollockbrane"..........a term of endearment usually reserved for politicians, in-laws, and the like. It is colloquial English and contains a spelling error.

    Just my thoughts................
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides