• CNN 'tech analyst' thinks 4chan is a person, recommends using 'pa$$word' as your password
    75 replies, posted
[QUOTE=NoobieWafer223;45886036]Or just roll your fingers in set directions on the keyboard like: qwertasdfzxc That way you can remember it and no one would be the wiser. Except for now. Now someone will know to try this.[/QUOTE] Defeated before the war you are. Off topic: Acid Fuzz had a great music video.
[QUOTE=5/3/4/3;45884706]pa$$w0rd 420 money shot[/QUOTE] fuck how did you guess my password
The ineptitude shown in the article is palpable
[QUOTE=C0linSSX;45889308]fuck how did you guess my password[/QUOTE] He just typed a bunch of stars. It only shows up as "pa$$w0rd 420 money shot" to YOU because that's your password. If I type my password, "********", it'll show up as stars for you.
Having special characters in your password only helps when the person trying to guess it doesn't consider them to be in your password. When it comes to brute forcing, having a long password with usual characters is definitely better than having special characters in a short one.
[QUOTE=Doom64hunter;45889391]Having special characters in your password only helps when the person trying to guess it doesn't consider them to be in your password. When it comes to brute forcing, having a long password with usual characters is definitely better than having special characters in a short one.[/QUOTE] The thing is, having special characters, and especially non-ASCII characters, increases the security by each length of the password somewhat. Fortunately, for most sites someone won't bother attempting to get YOUR password, for instance on a forum. And it especially won't help if each password is only stored as a unique hash that has been appropriately salted, or is appropriately parsed by bcrypt or the like. Also complete user-optional-but-notifications-sent-out password reset with stronger bcrypt every year or so.
[QUOTE=Mr.Cookie;45887636][IMG]http://i.imgur.com/zeU2H8C.png[/IMG] Password is a long string of 309 zeroes.[/QUOTE] And no computer would ever crack it. Unless someone watched you type it in, anyway.
Best password IMO = the first letters of a string or sentence of lyrics from some random song you like. Exceedingly long, completely gibberish password that's easy to remember as long as you remember the song it was from.
Best password = one generated and stored by a password application like, for example, PasswordGorilla, LastPass, or PasswordStore (personally I like this one), which is also not the same as any password you may have.
[QUOTE=NoobieWafer223;45886036]Or just roll your fingers in set directions on the keyboard like: qwertasdfzxc That way you can remember it and no one would be the wiser. Except for now. Now someone will know to try this.[/QUOTE] dictionary attacks try that too
[QUOTE=Doom64hunter;45889391]Having special characters in your password only helps when the person trying to guess it doesn't consider them to be in your password. When it comes to brute forcing, having a long password with usual characters is definitely better than having special characters in a short one.[/QUOTE] Having a long password with special characters in it is even better though. [editline]5th September 2014[/editline] [QUOTE=mastersrp;45889209]If you're not just a fat guy on an old desktop PC, you don't give a shit how long a person's password is. If you have at least access to a couple of somewhat high-powered machines, you tell those to run the maximum amount of times at a time that they can (minus one to be unnoticeable), and run a simple pre-processed dictionary with various setups first. Assuming that the person didn't look words up on the internet, the average person knows only about up to 60,000 words; going through a combination of those words with maybe a small sentence is going to take a bit long (not really, but let's pretend it would), but there's plenty of filtering to do. Cut away the words that are rarely ever used, or that most people don't use. In most cases, you can probably cut away, say, half of those words. There we go, then it's durable in a very short amount of time. You can always run a customized bruteforce attack afterwards, if you didn't get any results, and then be sure to get results.[/QUOTE] A dictionary attack is not going to account for sentences though. Even if a person only knows like 60,000 words, the number of possible combinations of words scales extremely rapidly with the more words you have in a sentence. Random permutations with symbols and numbers/capitalization on top of that and you can make some pretty insanely difficult to break passwords.
[QUOTE=wickedplayer494;45884754]Against a bruteforce attack, somewhat. GRC actually published a theoretical tool to determine how long it would take to bruteforce a password. Here is "password": [img]http://i.imgur.com/B6BdtYh.png[/img] And here is "pa$$word": [img]http://i.imgur.com/9zhd5p7.png[/img] This doesn't account for dictionary attempts, which usually precede bruteforcing and consist of loads of the most common passwords used by many sipwickets. "password" is definitely the first password anyone with a malicious intent will attempt to use. "pa$$word" however is probably going to be added to such lists very soon because of this guy's terrible, terrible advice. [url=http://xkcd.com/936/]"correcthorsebatterystaple"[/url] might be on those lists. Hell, Dropbox has an easter egg where if you attempt to use said reference, it'll say not to take advice from a webcomic too literally. You can try the tool for yourself here: [url]https://www.grc.com/haystack.htm[/url][/QUOTE] Mine looks pretty good. [t]http://u.cubeupload.com/assassinraptor/FSXOGQ.png[/t]
[url]https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/[/url] Try this password tester instead. It accounts for dictionary attacks and all that instead of just character by character brute force. You'll find that oftentimes your passwords are significantly weaker than what other password testers would have you think.
[QUOTE=SPESSMEHREN;45885254]That is very flawed.[/QUOTE] Are you gonna explain why? Let me attempt to preempt you, though: I use this method too, taking a few words and stringing them together. What I also do, is randomly select a word, randomly select a letter, and randomly capitalize it. I do the same for a random number and a random special character. "correcthorsebatterystaple" becomes "corRecth5sebatteryst)ple" It's still really easy to remember, and even more secure when considering dictionary attacks because the hacker needs to know exactly what substitutions you made, which is unlikely considering how it's completely random. [url]http://world.std.com/~reinhold/diceware.html[/url]
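The two points above, that "pa$$word" is a trivial rule away from "password" while a randomly placed substitution is not, can be checked with a small rule engine. This is an added example, not code from the thread or from any real cracking tool: the substitution table and suffix list are my own simplified stand-ins for a cracker's rule file, and BASE_WORDS is a constructed four-entry wordlist standing in for the top of a real leaked-password list.

```python
import itertools
from typing import Iterable, Iterator, Optional, Sequence

# Constructed, tiny base wordlist standing in for the top of a real leaked-password list.
BASE_WORDS: Sequence[str] = ["password", "letmein", "qwerty", "correcthorsebatterystaple"]

# Simplified mangling rules in the spirit of a cracker's rule file (an assumption, not a
# real hashcat/John ruleset): each lowercase letter maps to the substitutions tried for it.
LEET = {
    "a": ("a", "@", "4"),
    "e": ("e", "3"),
    "i": ("i", "1", "!"),
    "o": ("o", "0"),
    "s": ("s", "$", "5"),
}

# Suffixes appended after mangling; the thread's "420" is included deliberately.
SUFFIXES: Sequence[str] = ("", "1", "123", "!", "420")


def leet_variants(word: str) -> Iterator[str]:
    """Yield every combination of per-letter substitutions for `word`, original first."""
    choices = [LEET.get(ch, (ch,)) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word: str) -> Iterator[str]:
    """The three case forms a rule-based attack tries before anything fancier."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Generate guesses in the order the rules above emit them: word, case, leet, suffix."""
    for base in words:
        for cased in case_variants(base):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def guesses_until(target: str, words: Iterable[str] = BASE_WORDS) -> Optional[int]:
    """1-based position of `target` in the candidate stream, or None if it is never generated."""
    for n, guess in enumerate(candidates(words), start=1):
        if guess == target:
            return n
    return None


def candidate_count(word: str) -> int:
    """How many guesses the rules above spend on a single base word."""
    return sum(1 for _ in candidates([word]))


if __name__ == "__main__":
    for pw in ("password", "pa$$word", "pa$$w0rd", "P@ssw0rd!", "corRecth5sebatteryst)ple"):
        print(f"{pw:28s} found at guess {guesses_until(pw)}")
    print("guesses spent on 'password':", candidate_count("password"))
```

With these rules "pa$$word" falls at guess 41 and "pa$$w0rd" at guess 46, out of only 545 guesses spent on the base word "password"; the randomly substituted "corRecth5sebatteryst)ple" is never produced, because the rules only substitute whole letter classes and the ")" and mid-word capital are not in any rule. A real rule file is far larger, so the exact counts differ, but the shape of the result is the point: a substitution a human would think of is one a rule file already contains.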
[QUOTE=Shogoll;45894123]Having a long password with special characters in it is even better though. [editline]5th September 2014[/editline] A dictionary attack is not going to account for sentences though. Even if a person only knows like 60,000 words, the number of possible combinations of words scales extremely rapidly with the more words you have in a sentence. Random permutations with symbols and numbers/capitalization on top of that and you can make some pretty insanely difficult to break passwords.[/QUOTE] Again, it depends a lot on the situation. If you already know the setup, and you know the password is limited to a fixed amount of characters or bytes even, then it's not going to be troublesome guessing even a 2 sentence lyric part of a song, used as a password, with swapped case maybe, and substituted symbols. There are FAR more attacks that can be used with some clever thinking beforehand. Say that a password is limited to 255 characters (a rough C unsigned character array maximum, with a NUL (\0) at the end), and you know it is using words with possible substitutions of characters and symbols, then suddenly it decreases from being 255 characters that MAY consist of ANY of 128 symbols to being an estimation of words up to, say, 50 words per password. Then you have perhaps a few additional computers. Let's say 5, just for the hell of it. Each of these 5 computers has a dual-core recent Intel processor that can take advantage of Hyperthreading, allowing for (at least) (5*2)+5 threads to be running all at once attempting to crack this one password. That means we can divide the job into (overall jobs)/15, where each thread can process only a part of the task required, thereby reducing the overall time DRASTICALLY. And that is assuming the person attempting to crack these passwords isn't using a tiny botnet of say, 50 nodes each with dual-core hyperthreading-capable technology, or better.
Then you'd easily reduce the jobs to (overall jobs)/((50*2)+50), meaning overall jobs could be divided to run on 150 tasks ALL in parallel with each other. Surely even by then a brute force attack would find it somewhat quickly, even though a clever combination of filtered dictionary and brute force attack would find it eons earlier.
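The arguments in this thread about charset versus length, about how fast word combinations grow from a 60,000-word vocabulary, and about splitting the job across 150 parallel tasks all come down to the same search-space arithmetic. The following is an added example, not code from any poster; the guess rate in the `__main__` block is an assumption chosen to represent a fast unsalted hash, and the 7776-entry list size is the Diceware list referenced above.

```python
import math
from typing import Dict


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of secrets of exactly `length` symbols drawn uniformly from `alphabet_size` symbols.
    Works for characters (alphabet = charset) and for words (alphabet = wordlist)."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Search space as bits of entropy (log2), assuming the secret was chosen uniformly at random."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float, workers: int = 1) -> float:
    """Expected time to hit a uniformly random secret: on average half the space is searched,
    and the work divides evenly across `workers` independent crackers."""
    return space / 2 / (guesses_per_second * workers)


def comparison() -> Dict[str, float]:
    """Bits of search space for the password styles argued about in the thread."""
    return {
        "8 chars, 95 printable ASCII (pa$$word style, if random)": bits(keyspace(95, 8)),
        "12 chars, lowercase only": bits(keyspace(26, 12)),
        "4 Diceware words (7776-word list)": bits(keyspace(7776, 4)),
        "5 Diceware words (7776-word list)": bits(keyspace(7776, 5)),
        "4 words from a 60,000-word vocabulary": bits(keyspace(60000, 4)),
    }


if __name__ == "__main__":
    # Assumed rate: ten billion guesses per second per worker, a rough figure for an unsalted
    # fast hash on one GPU. A bcrypt-protected store would be several orders of magnitude slower.
    RATE = 1e10
    for label, b in comparison().items():
        space = 2 ** b
        one = expected_seconds(space, RATE, 1)
        many = expected_seconds(space, RATE, 150)
        print(f"{label:58s} {b:5.1f} bits  1 worker: {one:12.3g} s  150 workers: {many:12.3g} s")
```

Two things the numbers make concrete. Twelve lowercase letters (about 56.4 bits) outrank eight characters drawn from the full printable set (about 52.6 bits), which is the length-beats-charset claim, and four words picked at random from a 60,000-word vocabulary give about 63.5 bits, so a genuinely random word sentence is not rescued for the attacker by knowing the vocabulary. The parallelism point is also right but linear: 150 workers cut the time by exactly 150, which removes seven bits, not the fifty-odd that separate a short password from a long one.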