12 Nov 16 – 100 Guesses Is Enough To Crack Your Password


This topic contains 5 replies, has 6 voices, and was last updated by  Larry 1 year ago.

    Nick Francesco

    It’s getting harder to keep secure on the Internet these days!



    Wouldn’t that have to be an extremely short password? If I use the common “password” for a password, I can spell it (using a mix of case) 256 ways. So, on average, knowing the 8 letters — but not the case — I would still have 128 tries.

    Looking at another example — restricting our password (like some banks do) to just letters (both cases) and numbers — we have a pot of 62 characters to choose from. A 2 character password would have 3844 possibilities, or about 1900 tries on average.

    Far back in time I had to come up with password protection for a system where every byte was important. The system would accept any character in a password, or any length, and it was stored as a hashed value in one byte — 256 possibilities. With that I guess it would be possible to hit a matching password in around 100 tries — but hopefully systems today are a little more secure.

    My Linux boxes here allow 5 tries to log in, then you have to start over.

    What am I missing?



    I do not understand the source of this “100 Guesses” password stuff. Maybe I should try to listen to part of the show today for more of an explanation.



    There’s no way on my end. I learned from soundbytes to go out at least 17 characters (if memory serves, that was the number I always considered the “safe length” based on something talked about on the show).

    My memory has unquestionably suffered in middle age tho, so perhaps I don’t remember hearing that correctly on the show.

    Despite that, I am able to remember almost a dozen 18+character passwords based on various memory anchors/tricks I use, utilizing my increasingly decreasing mental agility.

    Never using any actual words with correct sppelings, being a part of my sense of (false?) security.

    I also physically write them down, instead of putting them anywhere on any computer or separate drive. I’m that paranoid.

    I’ll never dare anyone to hack my emails/etc, but I can say I’m a lot more solid than the majority of people. (Majority meaning 51%, and with the understanding that the majority, as a general rule, tend to be stupid by default).

    Sorry for the stupid remark.

    (Meaning, that I called people “stupid,” not that the remark itself was stupid).


    Would your password withstand 100 guesses from a hacker?

    The number comes from an experimental password guessing algorithm called TarGuess, which uses stolen bits of personal information to help them guess which words, phrases or numbers you might have used in creating a password. So the lesson is don’t use names or phrases that could be gleaned by looking at your Facebook profile. Part of the reason TarGuess achieved success though is that the research still shows people use terrible passwords, with 123456 being the most common.

    This article also mentioned something called an online-offline chasm. In an online attack, your password only needs to be able to survive 1 million guesses. There is little point in making it stronger unless it’s capable of withstanding an offline attack (100 trillion guesses).
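
The lesson in the post above (avoid names, phrases and numbers tied to you) can be enforced at the moment a password is chosen. The following is an added example, not part of the original thread or of TarGuess: a Python check that flags a password found on a common-password list or containing tokens from the user's own profile. The profile fields, the short password list and the look-alike table are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real list of common or breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

# Collapse look-alike characters so "J0hn" and "john" compare equal.
CANON = str.maketrans({"0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
                       "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def canonical(text):
    return text.lower().translate(CANON)


def personal_tokens(profile):
    """Tokens (3+ characters) that could be gleaned from a user's profile."""
    tokens = set()
    for value in profile.values():
        tokens.update(p.lower() for p in re.split(r"[^A-Za-z0-9]+", value) if len(p) >= 3)
    # Add common written layouts of the birthday (assumed ISO format here).
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", profile.get("birthday", ""))
    if m:
        y, mo, d = m.groups()
        tokens.update({mo + d, d + mo, mo + d + y, d + mo + y, y + mo + d,
                       mo + d + y[2:], d + mo + y[2:]})
    return tokens


def check_password(password, profile):
    """Return the reasons a password is exposed to targeted guessing."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    canon = canonical(password)
    hits = sorted(t for t in personal_tokens(profile) if canonical(t) in canon)
    if hits:
        reasons.append("contains personal data: " + ", ".join(hits))
    return reasons


# Constructed sample profile, not real data.
PROFILE = {"name": "John Smith", "username": "jsmith85", "birthday": "1985-07-04"}

if __name__ == "__main__":
    for pw in ("J0hn1985!", "123456", "5m1th_2020", "correct-horse-battery"):
        print(pw, "->", check_password(pw, PROFILE) or "no personal or common match")
```

An empty result only means the password matched neither list; it says nothing about how it would fare against the offline guessing budget mentioned in the post.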



    I use LastPass along with testing passwords with Steve Gibson’s Password Haystack at grc.com. Hopefully soon Steve will have SQRL available.
