Thread: Passwords - be secure online.

Found this interesting article on passwords and how long it takes to hack different lengths, combinations of lower and upper case and also numbers & symbols. Pretty interesting i thought.

Source Bloomberg Business Week

Most-used passwords: 123456, password, 12345678, qwerty, abc123

Time it takes a hacker's computer to randomly guess your password:

Length: 6 characters
Lowercase: 10 minutes
+ Uppercase: 10 hours
+ Nos. & Symbols: 18 days

Length: 7 characters
Lowercase: 4 hours
+ Uppercase: 23 days
+ Nos. & Symbols: 4 years

Length: 8 characters
Lowercase: 4 days
+ Uppercase: 3 years
+ Nos. & Symbols: 463 years



Length: 9 characters
Lowercase: 4 months
+ Uppercase: 178 years
+ Nos. & Symbols: 44,530 years

Average amount it costs a business to field a phone call requesting a password reset: $10
Proportion of help desk calls that are password-related: 30%
Users who choose a common word or simple key combination for a password: 50%

I wouldn't call this a tutorial, so I've moved it to computers. Anyhow, this is only assuming brute force methods work. My server will ban you for hours if you don't get it right the first several times and then I am notified via email instantly. If the user's IP is unrecognized and they were trying to get into something of high risk then I can the ban to permanent.

Didn't know where to post it. Just thought it was interesting. thanks

i did a test , so to guess my password you will need 139.001.123.119 years with a i7 core. my pass is 12 digits with Uppercase, lowercase, special characters and numbers :DD

Originally Posted by ElFusioN

i did a test , so to guess my password you will need 139.001.123.119 years with a i7 core. my pass is 12 digits with Uppercase, lowercase, special characters and numbers :DD

Wow! What's your password? ...jk!

I use Last Pass and it creates difficult passwords that I don't have to memorize. It can be used with most browsers so you can sync it will all your computers. Setting it up is also pretty simple, it can retrieve saved passwords from your browser or any other password programs such as Roboform.

The Easy, Any-Browser, Any-OS Password Solution

Yes last pass is a very good addom for the browser and secure , because all connections are encrypted

The 'article' is very misleading as it doesnt explain anything. The numbers they give could be right, but are no where near definitive.

Bruteforcing a website login is stupid and impractical, so any article that takes that into account needs new journalists. Most of the good ones will explain that your password is only hackable if the database containing your password info is stolen. This will contain your hash and also likely any salts. If the website is using a plain MD5 algorithm then you'll have your account lost within 7 days even if its up to around 18 characters. Why? Rainbow Tables. MD5 hashes are non-unique.
So when it encrypts "horse" it will always encrypt it to the same string. Rainbow tables are just precomputed databases of these and they're free or you can buy them (or rather buy the hard drives). Assuming the password isnt in the rainbow tables, MD5 passwords can be bruteforced at 2billion/sec with a simple I7. The highest I've seen has been 38 trillion/sec with GPUs.
If they use MD5 and salts, then rainbow tables are useless. They need to try to collide (match) each test. So if you put your password in as "horse" the salt is what is added onto it before computing. The salts for vBulletin (the forum software here) is usually 4 characters long and random. So while you can login with "horse" the actual password encrypted in the database is more like "horseId31". So if they only have your hash they cannot crack it.


I could write a more indepth thing, but my fingers hurt for now. If you want to actually know more I could try to find time.