Reply
Thread Tools
Posts: 842 | Thanked: 1,197 times | Joined on May 2010
#1
With the recent hacks of Gawker Media and the subsequent release of just about everything, including all usernames, emails and passwords, it has come to light just how -many- users use a poor password.
As shown in the third link, over three thousand users had "123456" as their passwords!
Theoretically, all these passwords were "encrypted", but a simple password is easy to crack, no matter -what- you do to it.

Now, let me quickly explain how websites store your password.
Most sites, including this one, use a method known as "hashing".
A hashing function is a bit of code that takes a string of characters of -any- length, does some fancy math to it, and puts out a relatively short(in the case of MD5, 32 hexadecimal characters) string. This string is -always- the same length, and the same input will -always- give the same output. Now, the important part of this is that there is -no way- to "reverse" the process, and get the original string or password back out.

What this does is give us a way to authenticate someone -without- storing the password.
Lets say your password is "thisismypass". When you register for an account with that password, the hash of that is stored in the site's database(In this case, the md5 hash is "79b202fb0e7236fdc804af5c22c2de59").

When you attempt to login with your password, the site takes that input, uses the same hashing method on it, and then compares the resulting value with what's stored in the database.
Here's a couple of examples:
1.You type "thisisMYpass": The md5 hash of this is "adca84828518cd2ff2a5f58591eb46ff". Is it the same? NO. You've typed a wrong password.
2. You type "thisismypass": The md5 hash is "79b202fb0e7236fdc804af5c22c2de59", which is the same as that above, and you are accepted.


Now, we've shown that we aren't keeping the password in the database. But, anyone with access to the database can get the hashes - I, for example, can get -anyone's- pass hash in a matter of seconds.
But what can I do with that hash?
If it's simple enough, I can simply run it through a cracking tool which simply -brute-forces- the password - it just generates sequential password after password, feeds it into the chosen hash function, and compares the result to the password hash we've gotten from the database.
The problem is a matter of scale: Lets say I have a 5-character numeric password. That's a maximum possible 10^5, or 100,000 combinations. My current dual-core 2.6ghz Athalon backup PC can test 5,546,000 keys per second. That password wouldn't even last one second!
Lets say we've got a 5-letter password with uppercase, lowercase -and- numbers. That means we have 62 possible values per character(26 for each upper and lower, 10 for number), so the password could be 62^5 possible combinations. That's 916,132,832 combinations, or 165 seconds(<3 minutes) to crack(maximum).

Now, lets talk about a strong password. Lets say we have something that's ten characters long, and we've got Upper, Lower, Numbers, and symbols(!@#$%^&*(),.:;'"-_[]{}+=). That's 86^10, or 22,130,157,888,803,070,000 combinations. It could take 3,990,291,721,746 seconds to crack, or 126.5 thousand years to crack!
As you can see, the difference between a weak password and a strong password is -significant-; while a weak one could easily take less than a day, a strong one would take too long to worry about.


That's the theory, at least. In practice, it may take less time, and also if there are -problems- with the hash(like md5 has), it can take significantly shorter time, even for a long password.

The best thing to do is to:
1. Use a unique password for each site.
You may want to keep some of the less important sites in your browser's password cache for ease of use, but remember that that isn't all that secure.
2. Use a password-management application. I recommend KeePassX, as it's available for all systems - including the N900. You will need a -very- secure password for that, and that is what you need to memorize.
3. Keep your computer secure; all the precautions in the world won't matter if your password can be read as you type it.
If you don't have a bunch of security software already(or are running Linux), I'm not sure I can help you.


Comments, CC guys? Anything else I should add?
__________________
My projects: BackupMenu - OS Backup & restore | Video: Flashing your n900(LiveCD)
My devices: N770 + 8GB SD card soldered internally, N900 with 8GB SD card + Custom OC(125-950 typically).
OC freqs: 0:22,90 125:22,90 250:28,180 500:30,360 550:32,400 600:34,430 700:39,430 750:41,430 805:45,430 850:47,500 900:50,500 950:54,500 1000:58,500 1100:67,520 1150:71,520
 

The Following 3 Users Say Thank You to RobbieThe1st For This Useful Post:
Posts: 26 | Thanked: 2 times | Joined on Nov 2009
#2
Salt (https://secure.wikimedia.org/wikiped...ryptography%29) makes a dictionary attack harder.
 
Posts: 889 | Thanked: 537 times | Joined on Mar 2010 @ scotland
#3


xkcd.com has an answer for everything. not that imm discrediting ur helpful and informative post. this ways just funnier
__________________
sarcasm may be the lowest form of wit, but its the only wit i have.

its a sad day when i can't slip at least one hitchhiker reference in somewhere.
 
JohnLF's Avatar
Posts: 551 | Thanked: 507 times | Joined on Feb 2010 @ North West England
#4
An easy way to have a long password is to use a phrase or sentence, e.g.
MyMothersnameisMary

If you need numbers in there, simply replacing O and I with 0 and 1 would suffice
MyM0thersname1sMary

Other examples
MywifeAnnewasbornin1970
Mylastaddresswas12TheHighStreet

These are ridiculously long passwords that are very easy to remember. The problem for most people is that they don't want to use a different password for every site. Passwords managers are all well and good, but if you don't backup often and lose the information, you are often severely inconvenienced. I work in IT and get bored of telling people how important it is to backup, especially when I am asked to recover all that really important data which was so important they never quite got around to making a copy anywhere. Sigh.
__________________
My websites: -
http://www.lefebvre.org.uk
http://www.lefebvre.ltd.uk
 
Reply


 
Forum Jump


All times are GMT. The time now is 22:43.