This is topic How long would it take to hack your password? in forum Books, Films, Food and Culture at Hatrack River Forum.


To visit this topic, use this URL:
http://www.hatrack.com/ubb/main/ultimatebb.php?ubb=get_topic;f=2;t=044443

Posted by Icarus (Member # 3162) on :
 
I found this site and I thought it was interesting:

http://www.thecrypt.co.uk/lockdown/recovery_speeds.html

A class D attack on my passwords for important stuff would take at most 87 days in most cases. I reckon that's reasonably good. You could hack my Hatrack password in quite a bit less time.

One thing they didn't seem to take into account in the one-case versus mixed cases versus letters-and-numbers thing is where your numbers and case changes occur. I think if you only use upper case in your first letter, and you only use numbers at the end, that would make your account more vulnerable. (Granted, they're talking about randomized attacks, but if I were designing some random character password hacker program, I would start with upper cases first, numbers last, and proceed from there.)

How hackproof are you?
 
Posted by Nighthawk (Member # 4176) on :
 
My primary password doesn't even appear on the list: 96 character set, length of 10.

My forum password can be done in six days at Class D, though.
 
Posted by Gwen (Member # 9551) on :
 
I have eight passwords that I use for varying levels of security. The lowest is a four-digit number (stupid college site, they won't let me pick anything else), and then I also have my SSN (stupid college computers, they won't let me pick anything else). I never use either of those if I can help it.
My computer one is fifteen letters long (all lower case); another one of mine uses symbols and lowercase letters and is ten characters long (I use that one for another college site). My two shortest are five and four letters long, and I don't use those for anything important. None of them are dictionary words or phrases or pet's names or middle names or in fact guessable (by people, I mean) at all. My gmail one is a word, but it's not in most dictionaries; it's eleven letters long.
My mother, however, uses two passwords (her PIN and a name) with annoying regularity. She has different ones for things involving money which she has written down on her computer in a non-password-protected file, but I can still get into most of her password-protected things when I want to. And whenever she signs me up for something which requires a password, she uses the same seven-letter dictionary word that is fairly easily guessable to people who know me.
The scare of my life: signing up for an account with McAfee and it telling me my administrator password was "ender". I hadn't told it I wanted my password to be "ender", no one else had signed up for it, and it's easily guessable (further proof that I hadn't chosen it). How the heck did McAfee know that I was an OSC fan?
Yeah, I changed it right away.
 
Posted by Goody Scrivener (Member # 6742) on :
 
Forum password, class D - 4 days.
Financials password, class D - 23 years. Not too shabby [Smile]

I admit, I have about 4 passwords total because I'm not so good at remembering them and I don't want to have a list somewhere that could be picked up or hacked into. But even at that, the shortest is 6 characters, mixed alphanumeric.

As I've been changing passwords on sites to the (currently) most complex of them all, I'm seeing that more and more of them are requiring 8 character minimums.
 
Posted by Tstorm (Member # 1871) on :
 
Yeah, this is an educational exercise for people unfamiliar with password guidelines and strengths. They classify 'attack strength' based on passwords processed per second, each level increasing by a factor of 10. Class F, the highest, processes 1 billion passwords per second.

I usually divide my passwords into 3 groups. Public passwords, easy to break of course, but only protecting unimportant items. A shared folder on a network between my friends, for example.

So, for a 7 or 8 character password like this:
code:
Password                     Class of Attack
Length  Combinations   Class A   Class B   Class C   Class D   Class E   Class F
7       8 Billion      9 Days    22 Hours  2¼ Hours  13 Mins   1¼ Mins   8 Secs
8       200 Billion    242 Days  24 Days   2½ Days   348 Mins  35 Mins   3½ Mins

Analysis: Security's already compromised, because of sharing with other people, and I'm not sharing anything I wouldn't want everyone to have. So why bother with a long password? [Smile]

My second level of passwords guards personal stuff like e-mail, forums, and some other web content. These passwords fall into the 96-character category; I mix numbers, letters (case sensitive), and symbols. Typical length: 10 characters. Hmm...funny that's not on the chart. [Smile]

code:
Length  Combinations      Class A       Class B      Class C    Class D   Class E   Class F
8       7.2 Quadrillion   22,875 Years  2,287 Years  229 Years  23 Years  2¼ Years  83½ Days

Analysis: It looks like I'm safe from all but the distributed computing projects. I rotate passwords, periodically. (Note of pride: I designed the password generator that creates these passwords for me.) [Smile]

I have a third level of passwords, but I rarely use it.
 
Posted by Icarus (Member # 3162) on :
 
quote:
Originally posted by Goody Scrivener:
I admit, I have about 4 passwords total because I'm not so good at remembering them and I don't want to have a list somewhere that could be picked up or hacked into.

I use a system, such that every (important) password I have is different from all the others, but, knowing my system, I can easily deduce what it is. Basically the base password is the same for all of them, but there are additional letters/numbers appended that I associate with the site or service itself, that I can easily remember.
 
Posted by B34N (Member # 9597) on :
 
Anyone know how long it would take for the 56 character variety that is actually 22 characters long?
 
Posted by Tante Shvester (Member # 8202) on :
 
A class D attack would take 253 days to crack my code. Have fun cracking!
 
Posted by Samprimary (Member # 8561) on :
 
Whenever possible, I put random super-fancy characters in my passwords.

§ and æ and ™ and all of that. I wonder how much that slows down a computer search ..
 
Posted by Tstorm (Member # 1871) on :
 
Well, it basically enlarges the number of possible characters in the password. More character combinations = longer search times, assuming the length of the password is the same.
 
Posted by King of Men (Member # 6684) on :
 
quote:
Originally posted by B34N:
Anyone know how long it would take for the 56 character variety that is actually 22 characters long?

You can calculate it from the information in the table. Start with the highest length they show; say it's ten. Then you are multiplying the number of combinations by 56 each time you add a character, which for 22 and 10 makes 56^12. So just multiply the length they show by 56^12, or about 10^21.
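
An added worked example (not code from the thread or from the linked page) that reproduces the chart's arithmetic and King of Men's scaling shortcut in one place. It assumes Class A runs 10,000 guesses per second, which with Tstorm's factor-of-ten steps makes Class F one billion per second and reproduces the chart's rows; the function names are mine.

```python
# Added example: brute-force search space and worst-case time per attack class.
# Not code from the thread or the linked page; the helper names are mine.

# Tstorm's description: each class is 10x the previous one, Class F = 1e9/s.
# Assumption: Class A = 1e4 guesses/s (this reproduces the chart's figures).
CLASS_RATES = {name: 10 ** (4 + i) for i, name in enumerate("ABCDEF")}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("mins", 60), ("secs", 1)]


def combinations(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, attack_class: str) -> float:
    """Time to exhaust the whole space at the class's rate (the chart's worst case)."""
    return combinations(charset_size, length) / CLASS_RATES[attack_class]


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, as the chart does."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} secs"


def chart_row(charset_size: int, length: int) -> dict:
    """One row of the chart: worst-case time for every attack class."""
    return {c: human_time(worst_case_seconds(charset_size, length, c))
            for c in CLASS_RATES}


def scale_factor(charset_size: int, shown_length: int, wanted_length: int) -> int:
    """King of Men's shortcut: every extra character multiplies the space by the
    charset size, so a length missing from the chart is the nearest shown row
    times charset_size ** (difference in length)."""
    return charset_size ** (wanted_length - shown_length)


if __name__ == "__main__":
    # The two rows Tstorm quoted, plus Nighthawk's 96-set, 10-character case.
    for charset, length in [(26, 7), (26, 8), (96, 8), (96, 10)]:
        print(charset, length, f"{combinations(charset, length):.3g}",
              chart_row(charset, length))
    # B34N's 22-character password over a 56-symbol set, scaled from a 10-character row.
    print("56^12 =", f"{scale_factor(56, 10, 22):.3g}")
```

Running it prints 8.03 seconds for 26^7 at Class F and 22.9 years for 96^8 at Class D, matching the chart's "8 Secs" and "23 Years", and 56^12 comes out near 9.5 × 10^20, which is King of Men's "about 10^21".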
 
Posted by Nighthawk (Member # 4176) on :
 
quote:
Originally posted by King of Men:
quote:
Originally posted by B34N:
Anyone know how long it would take for the 56 character variety that is actually 22 characters long?

You can calculate it from the information in the table. Start with the highest length they show; say it's ten. Then you are multiplying the number of combinations by 56 each time you add a character, which for 22 and 10 makes 56^12. So just multiply the length they show by 56^12, or about 10^21.
Actually, I think the answer is "long enough"...
 
Posted by MightyCow (Member # 9253) on :
 
I doubt that any of the sites where I use a password would have the bandwidth or server strength to accept millions of password attempts per second or better.

I think the physical limitations of my websites protects me as much or more than the strength of my passwords. [Smile]
 
Posted by Icarus (Member # 3162) on :
 
I think there's a point of diminishing returns, though. I mean, given that you can't even see your password as you type it, I think a 22-character password or a password with characters not available on the keyboard is overkill.
 
Posted by Gwen (Member # 9551) on :
 
quote:
I use a system, such that every (important) password I have is different from all the others, but, knowing my system, I can easily deduce what it is. Basically the base password is the same for all of them, but there are additional letters/numbers appended that I associate with the site or service itself, that I can easily remember.
Now that is cool.

quote:
I think there's a point of diminishing returns, though. I mean, given that you can't even see your password as you type it, I think a 22-character password or a password with characters not available on the keyboard is overkill.
Ah, but you're assuming that functionality is a more important factor than braggability to one's friends. "Your password only uses characters on the keyboard? That's nothing. My password uses the trademark symbol!" meets "Oh yeah? Well my password is written in Chinese!", et cetera.
 
Posted by Samprimary (Member # 8561) on :
 
A special character takes all of three extra keystrokes. What's really cool about it is that it allows me to type in my password even with people standing there in view of the keyboard (which happens often, and is why I picked up the habit) and be pretty sure they ain't never catching the true character usage. That's Functional™
 
Posted by Icarus (Member # 3162) on :
 
You ever use a laptop?
 
Posted by MightyCow (Member # 9253) on :
 
If the password is even fairly strong, it's much easier to get it other ways than brute force. Looking over someone's shoulder as they type it, for example.
 
Posted by Demonstrocity (Member # 9579) on :
 
Really interesting numbers - thanks, Ic!
 
Posted by Nighthawk (Member # 4176) on :
 
My wife has a different password for each site she visits.

It takes about three visits or a week, whichever comes first, before she forgets said passwords.

It really upsets her that she can mention a password to me in passing and I'll remember it three years from now. I forget to tie my shoes, but I have yet to forget a single password that's ever been told to me.

I know Icarus' PIN number... anyone want it? [Wink]
 
Posted by Bob_Scopatz (Member # 1227) on :
 
What's the point of this, though? I don't know of a single system I interact with that would accept 1 billion attempts per second. It might generate the 1 billion combinations, but it can't possibly TRY them all going through the system login process.

If the person has hacked PAST the login process, they already know enough to get more than just passwords, no? I mean, they're going to stimulate a foreign system 1 billion times a second with "Do you know me?" queries and I'm somehow going to stop them?
 
Posted by Samprimary (Member # 8561) on :
 
The numbers are neat and it reminds everyone not to use 'hat' or 'sex' as a password [Big Grin]
 
Posted by human_2.0 (Member # 6006) on :
 
quote:
Originally posted by MightyCow:
If the password is even fairly strong, it's much easier to get it other ways than brute force. Looking over someone's shoulder as they type it, for example.

The proliferation of cameras makes it MUCH easier to get people's passwords. Heck, my laptop has a camera that is tiny. In a room full of people with laptops, I could easily point it at someone's keyboard and nobody would think twice.

If you use Windows you need to worry about keylogging utilities as well. They exist on Mac too, but there haven't been cases of them being bundled with spyware like they have been with Windows. But that doesn't mean it can't happen so no matter what platform you use, you have to be careful what you download.

The easiest way to get someone else's password is to pretend you are a server admin and ask the person for their password. I doubt anyone here would fall for it, but you would be surprised how many people would.

The numbers on that webpage refer to one specific kind of attack: an offline brute force attack of an encrypted password. Most Unix servers store system passwords in the file /etc/master.passwd, which is typically not readable by users. If a user can get root then they can read the contents of the file and take it offline (to some other computer) and try to brute force it with a utility like John the Ripper or Crack (which have legitimate uses by system admins to make sure users have uncrackable passwords). It is impossible to actually unencrypt the passwords. But it is possible to encrypt every known combination of passwords using the same encryption scheme (nearly all unix servers use the same method to encrypt passwords).

Other things to consider. Web apps will store passwords in some other form, which may be encrypted, and may not, depending on the author of the software. I've been emailed my passwords, so I know there are programmers out there who are storing cleartext passwords. If a cracker got root on one of those servers, they would have your password instantly, no matter how "strong" (strong refers to how long it takes to crack).

Finally, older operating systems have weaker passwords. Microsoft 95 passwords are crackable instantly I believe. Mac OS X 10.3 stored passwords securely for itself, but also stored a Windows version of the password which allowed the passwords to be cracked almost instantly because passwords longer than 8 characters were stored as 2 passwords (so a 9 character password becomes an 8 character password and a 1 character password). And there was no lower case. So I was blown away that what I thought were "strong" passwords were cracked by a desktop in oh, an hour or so.

Also, passwords that contain or are derivatives of words are crackable faster because brute force cracking uses dictionaries. I cracked the password Sandra in 1 second on a G5 2.0 GHz desktop (which supposedly takes 33 minutes according to the chart).

And more info. Government security contractors have grids to crack passwords. And I believe there is an underground database of passwords with their encryptions. So all a cracker has to do is look up the encrypted password. A long time ago I tried to figure out how much hard disk space a database like that would take and it seemed to be too big for current hard disks. But I heard that one exists.

Also, one final bit of trivia. The dogma that we should always change passwords is based on outdated technology and is no longer applicable. Before /etc/master.passwd, the passwords were stored in /etc/passwd and that file IS readable by everyone on the system. If you are using a unix based computer, try it by typing this in the terminal:

ls /etc/passwd

This is what I get:

nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
...

The * is where the password normally appears.

Anyway, back then, anyone could get the encrypted passwords of other users. So system admins used a chart just like what we have been looking at, and they figured that by current speeds, it would take about a month to crack passwords. So they said that everyone had to change passwords once a month as a protection.

Well, not only is the encrypted password harder to get nowadays, but the computers are so fast that it is very likely that the password will be cracked long before you regularly change it. Even if you do change it in a month or so, the damage will already be done, so it is pointless.

Basically, the new dogma is that you should change it if you ever get the feeling that someone might have stolen it (if someone was watching over your shoulder while you typed it or if you used an unencrypted service like telnet or POP on an insecure network like unencrypted wireless). But you shouldn't change it often enough that you have to make it more insecure by having to write it down. Many IT departments have no idea why passwords were changed monthly so they will force users to do it anyway even though it is pointless and most likely makes the passwords more insecure by forcing users to write them on stickies hiding under keyboards.

Did I mention that security is kinda a hobby of mine? [Wink]
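
An added example, not code from the thread: a small audit of passwd-style lines that checks the point human_2.0 makes about the password field. The first five sample lines are the ones pasted above; the last three are constructed for the demonstration, and the hash-looking string in them is a labelled fake, not a real hash. The function names are mine.

```python
# Added example: parse passwd(5) lines and flag entries whose password field is
# not a placeholder. Not code from the thread; function names are mine.
# First five lines: the ones pasted in the post. Last three: constructed for
# the demonstration; the "$6$CONSTRUCTED$..." string is not a real hash.
SAMPLE_PASSWD = """\
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
webuser:$6$CONSTRUCTED$notarealhashvalue:501:20:Constructed Example:/Users/webuser:/bin/sh
guest::502:20:Constructed No Password:/Users/guest:/bin/sh
toor:*:0:0:Constructed Second UID 0:/var/root:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Values that mean "no usable hash here": the real hash lives in
# master.passwd or shadow ("*", "x"), or the account is locked ("!", "!!").
PLACEHOLDERS = {"*", "x", "!", "!!"}


def parse_passwd(text: str) -> list:
    """Split passwd lines into dicts; a malformed line raises instead of being skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])  # macOS uses negative UIDs (nobody is -2)
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries: list) -> list:
    """Return (name, problem) pairs for entries an admin would want to look at."""
    findings = []
    for e in entries:
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty password field: no password required"))
        elif pw not in PLACEHOLDERS:
            findings.append((e["name"], "hash stored in the world-readable passwd file"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "additional UID 0 account"))
    return findings


def run_audit(text: str = SAMPLE_PASSWD) -> list:
    """Parse and audit in one step; defaults to the embedded sample."""
    return audit_passwd(parse_passwd(text))


if __name__ == "__main__":
    for name, problem in run_audit():
        print(f"{name}: {problem}")
```

On the sample it reports webuser (hash in passwd), guest (empty field) and toor (second UID 0) and nothing for the five pasted lines, whose `*` means the hash is held elsewhere. On a real machine, `run_audit(open("/etc/passwd").read())` runs the same check.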
 
Posted by human_2.0 (Member # 6006) on :
 
Oh, here are other things that slipped my mind.

I mentioned that if users got root they could get the /etc/master.passwd file. There are other ways. If a server is running the webserver (apache) or other web service as root, a cracker might be able to hack the service and get it to show the master.passwd file. So obtaining root isn't a prerequisite to getting the password file. In fact, usually crackers obtain the password file in an effort to get someone else's password, then they login as that person and then attack the root account. Many systems are unpatched. An experienced cracker (most likely a programmer) can obtain root on unpatched systems in no time if they are logged in as a legitimate user. Once they have root they install backdoors so passwords are no longer needed (which is why changing passwords once you are hacked is pointless).

This is all regarding unix servers. I don't know much about Windows servers except that the Unix server admins I know have a very low opinion of Windows servers. The Windows server admins I know are not programmers and are very intimidated by Unix.

And one last bit of trivia. Mac OS X 10.3 actually showed the password hashes even if the user wasn't root. It took Apple until 10.4 to get a clue.
 
Posted by Tstorm (Member # 1871) on :
 
quote:
The dogma that we should always change passwords is based on outdated technology and is no longer applicable.
Are you saying that having a bi-annual, or annual, password change no longer provides any security benefits?
 
Posted by MightyCow (Member # 9253) on :
 
I think one of the more important password safety rules now should be that you need to have different passwords for different security.

If your hatrack password is Bob123, it's not that big a deal if someone hacks you... unless your bank password is also Bob123.

Sounds like human_2.0 is on the money to me. Have fairly strong passwords, but don't bother changing them unless you're worried that you've been compromised.

If your password can be cracked in an hour, changing it every six months doesn't make it significantly safer.
 
Posted by Tstorm (Member # 1871) on :
 
I agree and I follow that procedure (different passwords for different websites).

Besides, I'm not just approaching this topic from a user perspective. Think about it from the perspective of a system administrator, where multiple users logon to the system. Assuming the box hasn't been compromised already, does requiring a periodic change of user passwords offer any security benefits?
 
Posted by human_2.0 (Member # 6006) on :
 
Sure, I'm sure it helps a little. I know a guy who uses the same 6 letter password of the 52 char type everywhere and he has been using it for the past 5 or more years. I've tried to get him to change it because he tells it to all the sysadmins all the time. So for people like him, if you can get him to change it, every time he changes it then the number of people who know his password drops down to 2 or 3 (down from about 6 to 8).

But if it forces users to write the passwords down it is bad.

I have about 50 passwords probably, and I store them in an encrypted file (Mac OS X keychain). I'm not really fond of what I'm doing, but like you guys, I don't want to use the same password at more than one place unless it doesn't really matter.
 
Posted by Mike (Member # 55) on :
 
quote:
ls /etc/passwd
You meant cat not ls, right?

I'd never seen it named /etc/master.passwd. I guess that's just an alternative to /etc/shadow. Maybe in a different format? Oh, I see, it's a Linux vs. BSD thing: http://en.wikipedia.org/wiki/Shadow_password.
 
Posted by human_2.0 (Member # 6006) on :
 
Oh, yeah. Duh. I didn't know about /etc/shadow either because I've not done much linux administration.

I also posted a link to a report that says 1 in 3 computer users will become victims of viruses, spyware, or phishing. I think there is far more danger of losing the password to keyloggers than being cracked. Priorities matter. You can make your password fort knox, but if it is easy to install a keylogger on your computer, what is the point of even having a password?

I wrote a whole webpage about all of this. The cracking instructions are a bit old though, and some of the info is OS X specific.
 
Posted by Nighthawk (Member # 4176) on :
 
You all forgot the traditional "flip over keyboard and read Post-It note" method of determining passwords... Or like my sister, who keeps them in her Rolodex under "P" (the first card in her Rolodex is "A" for "alarm codes").

Also, her passwords aren't very original: I was once called by her alarm company because her house alarm was going on. I guessed the codeword on the first try.

Another thing that all this doesn't take into consideration are dictionary searches. Unless there is some overly complex algorithm to the methods described above, it has to be a sequential search: "aaaaa", "aaaab", "aaaac"... until, eventually, by luck you hit it.

But nine out of ten people use words in their native language as their password, combined with a number or two on rare occasion. So the "brute force" systems first use a dictionary of commonly used words and brute force the extra stuff. For example, it will pick the word "dog" from its dictionary, then try "1dog", "2dog"... "dog1", "dog2"... etc...

Using this method, odds are it will get to the password well before any of the numbers mentioned. The numbers mentioned are "worst case".

For that matter, I can make my password "zzzzzzzzzz" and it'll be invincible!
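
An added example, not code from the thread: a strength estimate that compares the chart's worst case (exhausting the whole character set) with the much smaller candidate set Nighthawk describes, a dictionary word in one of three case forms with up to two digits before or after it. The wordlist is a tiny constructed stand-in for a real dictionary, and that rule set is my own assumption rather than any particular cracker's rules; the function names are mine.

```python
# Added example: how many guesses a password survives if the attacker tries
# dictionary words plus a digit or two first, versus the full character space.
# Not code from the thread. The wordlist is a tiny constructed stand-in and the
# rule set (three case forms, up to two digits on one side) is an assumption.
import re
from typing import Optional

CONSTRUCTED_WORDLIST = ["password", "dog", "cat", "sandra", "ender",
                        "hatrack", "letmein", "qwerty"]

CASE_FORMS = 3                # lower, Capitalized, UPPER
DIGIT_CHOICES = 1 + 10 + 100  # no digits, one digit, or two digits
POSITIONS = 2                 # digits before the word or after it
WORD_PATTERN = re.compile(r"^(\d{0,2})([A-Za-z]+)(\d{0,2})$")


def charset_size(password: str) -> int:
    """Size of the smallest chart character set containing every character used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 34  # printable symbols, bringing the full set to the chart's 96
    return size


def bruteforce_guesses(password: str) -> int:
    """Guesses to exhaust every string of this length over this set (the chart's worst case)."""
    return charset_size(password) ** len(password)


def dictionary_guesses(password: str, wordlist) -> Optional[int]:
    """Size of the word+digits candidate set if the password lies inside it, else None."""
    m = WORD_PATTERN.match(password)
    if not m:
        return None
    prefix, core, suffix = m.groups()
    if prefix and suffix:  # the rule set puts digits on one side only
        return None
    if core not in (core.lower(), core.capitalize(), core.upper()):
        return None        # mixed case inside the word is outside the rule set
    if core.lower() not in wordlist:
        return None
    return len(wordlist) * CASE_FORMS * DIGIT_CHOICES * POSITIONS


def effective_guesses(password: str, wordlist=CONSTRUCTED_WORDLIST) -> int:
    """The smaller of the candidate sets the password belongs to."""
    d = dictionary_guesses(password, wordlist)
    b = bruteforce_guesses(password)
    return b if d is None else min(d, b)


if __name__ == "__main__":
    for pw in ["dog1", "Sandra", "dOg1", "zzzzzzzzzz"]:
        print(pw, bruteforce_guesses(pw), "->", effective_guesses(pw))
```

With the eight-word list, "dog1" and "Sandra" each fall inside a set of 5,328 candidates even though the chart would count 36^4 and 52^6, while "zzzzzzzzzz" keeps the full 26^10 (a strictly sequential search would reach it last, a randomised one on average halfway). A real dictionary has tens of thousands of entries, so the first number grows accordingly but stays far below the chart's figure.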
 
Posted by BannaOj (Member # 3206) on :
 
I've been wondering. I got my hotmail password so long ago, it is no longer accepted because there are too few digits.

I've never changed it because that account is somewhat of a throwaway account anyway, and the password isn't used anywhere else anyway.

Would this actually make it safer? If the computer is looking for something with more digits and you don't have that number it seems like it would make things more difficult.
 
Posted by Earendil18 (Member # 3180) on :
 
Mine would take longer than 253 days at Class D.

The chart doesn't show how long for 9 characters, just 8.
 
Posted by Nighthawk (Member # 4176) on :
 
One of my customers had the administrative password on a public server set to be... you guessed it... "password".

As a human, that's one of the first words I try, along with the usual "12345" and the like. But a computer, without dictionary search, may take 200 days to come up with that when it finally gets to "p".
 
Posted by BlackBlade (Member # 8376) on :
 
My primary password is 9 characters long. If you crack it, and use derivatives from it you probably have every single password I use. The only thing it is not related to is my pin #
 
Posted by Goody Scrivener (Member # 6742) on :
 
Most of my coworkers have their workstation passwords set to "password". Makes me completely crazed, but it does make it easy for me to get into Sharon's computer when I need her scanner...
 
Posted by human_2.0 (Member # 6006) on :
 
quote:
Originally posted by BannaOj:
Would this actually make it safer? If the computer is looking for something with more digits and you don't have that number it seems like it would make things more difficult.

Online brute force attacks usually don't work because the authentication program usually disables a username after a number of incorrect guesses. I did that once with an ATM and my debit card. The difference between online and offline is that offline means you obtain the encrypted password file and can take it to some computer that doesn't have the limit on incorrect guesses.
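
An added example, not code from the thread: a per-account guess limiter of the kind human_2.0 refers to, plus the arithmetic for how far such a policy throttles an online attacker compared with the chart's offline rates. The class and the five-tries / fifteen-minute policy are my own choices, not any site's actual settings.

```python
# Added example: online lockout after repeated wrong guesses, and the bound it
# puts on guesses per day. Not code from the thread; policy values are mine.
class LoginGuard:
    """Per-username failure counter: after max_failures wrong guesses the
    account refuses every attempt, right or wrong, for lockout_seconds."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # username -> consecutive wrong guesses
        self._locked_until = {}  # username -> time the lock expires

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. The clock is passed in so the
        behaviour is deterministic and testable."""
        if self._locked_until.get(username, 0) > now:
            return "locked"
        if password_ok:
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)  # counter restarts after the lock
            return "locked"
        self._failures[username] = count
        return "denied"


def max_guesses_per_day(max_failures: int, lockout_seconds: int) -> float:
    """Upper bound on wrong guesses per account per day under this policy."""
    return max_failures * 86400 / lockout_seconds


def worst_case_days_online(keyspace: int, max_failures: int, lockout_seconds: int) -> float:
    """Days to exhaust a keyspace through the login form rather than offline."""
    return keyspace / max_guesses_per_day(max_failures, lockout_seconds)


if __name__ == "__main__":
    guard = LoginGuard()
    for i in range(5):
        print(guard.attempt("alice", False, now=1000 + i))   # denied x4, then locked
    print(guard.attempt("alice", True, now=1010))             # locked, right password or not
    print(guard.attempt("alice", True, now=1004 + 900))       # lock expired: ok
    # A four-digit PIN: 10**4 candidates, about 21 days online at 480 guesses/day,
    # against one second at the chart's Class A rate offline.
    print(worst_case_days_online(10 ** 4, 5, 900))
```

The numbers make human_2.0's distinction concrete: the same 10^4-candidate PIN that Class A exhausts in a second takes about three weeks through a form that allows five tries per quarter hour. The caveat is that a lock keyed only on the username lets anyone lock a legitimate user out by guessing wrong on purpose, which is why real deployments usually pair it with per-source rate limits or growing delays rather than relying on it alone.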
 


Copyright © 2008 Hatrack River Enterprises Inc. All rights reserved.