12 Nov 16 – 100 Guesses Is Enough To Crack Your Password
November 11, 2016 at 5:47 PM #5001
It’s getting harder to keep secure on the Internet these days!

November 11, 2016 at 9:01 PM #5002
Wouldn’t that have to be an extremely short password? If I use the common “password” for a password, I can spell it (using a mix of case) 256 ways. So, on an average, knowing the 8 letters — but not the case — I would still have 128 tries.
Looking at another example — restricting our password (like some banks do) to just letters (both cases) and numbers — we have a pot of 62 characters to choose from. A 2 character password would have 3844 possibilities, or about 1900 tries on average.
Far back in time I had to come up with password protection for a system where every byte was important. The system would accept any character in a password, or any length, and it was stored as a hashed value in one byte — 256 possibilities. With that I guess it would be possible to hit a matching password in around 100 tries — but hopefully systems today are a little more secure.
My Linux boxes here allow 5 tries to log in, then you have to start over.
What am I missing?

November 12, 2016 at 7:18 AM #5003
I do not understand the source of this “100 Guesses” password stuff. Maybe I should try to listen to part of the show today for more of an explanation.

November 12, 2016 at 8:42 AM #5004
There’s no way on my end. I learned from soundbytes to go out at least 17 characters (if memory serves, that was the number I always considered the “safe length” based on something talked about on the show).
My memory has unquestionably suffered in middle age tho, so perhaps I don’t remember hearing that correctly on the show.
Despite that, I am able to remember almost a dozen 18+character passwords based on various memory anchors/tricks I use, utilizing my increasingly decreasing mental agility.
Never using any actual words with correct sppelings, being a part of my sense of (false?) security.
I also physically write them down, instead of putting them anywhere on any computer or separate drive. I’m that paranoid.
I’ll never dare anyone to hack my emails/etc, but I can say I’m a lot more solid than the majority of people. (Majority meaning 51%, and with the understanding that the majority, as a general rule, tend to be stupid by default).
Sorry for the stupid remark.
(Meaning, that I called people “stupid,” not that the remark itself was stupid).

November 12, 2016 at 9:44 AM #5005
The number comes from an experimental password guessing algorithm called TarGuess, which uses stolen bits of personal information to help them guess which words, phrases or numbers you might have used in creating a password. So the lesson is don’t use names or phrases that could be gleaned by looking at your Facebook profile. Part of the reason TarGuess achieved success though is that the research still shows people use terrible passwords, with 123456 being the most common.
This article also mentioned something called an online-offline chasm. In an online attack, your password only needs to be able to survive 1 million guesses. There is little point in making it stronger unless it’s capable of withstanding an offline attack (100 trillion guesses).

November 12, 2016 at 12:14 PM #5008
I use Lastpass along with testing passwords with Steve Gibson’s Password Haystack at grc.com. Hopefully soon Steve will have SQRL available.
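A worked calculation of the figures argued over in this thread (the 256 case spellings of “password” and the 62-character bank example from post #5002, and the 1 million online versus 100 trillion offline guess budgets from post #5005), added here as an example and not part of any post; the 95-character printable-ASCII set is an assumption added for comparison.

```python
"""Search-space arithmetic for the guess budgets quoted in this thread.

Constructed example: 62 = letters + digits (the "bank" restriction), 95 =
printable ASCII (an assumption, not from the thread); the 1 million online
and 100 trillion offline budgets are the figures from post #5005.
"""
from itertools import product

ONLINE_BUDGET = 10**6      # guesses a rate-limited online attacker gets
OFFLINE_BUDGET = 10**14    # guesses against a stolen hash, offline
LETTERS_DIGITS = 62
PRINTABLE_ASCII = 95


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def expected_guesses(charset_size: int, length: int) -> int:
    """Average guesses to find a uniformly random password: half the keyspace."""
    return keyspace(charset_size, length) // 2


def case_variations(word: str) -> int:
    """Count the case spellings of a word (2 choices per letter, 1 otherwise),
    enumerated explicitly rather than assumed to be 2**len(word)."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return sum(1 for _ in product(*options))


def min_length_to_survive(budget: int, charset_size: int) -> int:
    """Shortest length whose whole keyspace exceeds the attacker's guess budget."""
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length


def survives(charset_size: int, length: int) -> dict:
    """Report which side of the online/offline chasm a length falls on."""
    space = keyspace(charset_size, length)
    return {"keyspace": space, "online": space > ONLINE_BUDGET,
            "offline": space > OFFLINE_BUDGET}


if __name__ == "__main__":
    print("case spellings of 'password':", case_variations("password"))
    for cs in (LETTERS_DIGITS, PRINTABLE_ASCII):
        print(cs, "chars:", survives(cs, min_length_to_survive(OFFLINE_BUDGET, cs)))
```

Note that these counts assume a uniformly random password; a targeted guesser like the TarGuess described above does far better than half the keyspace when the password is built from guessable personal details.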