Password Security

I've read the literature about having strong passwords that contain numbers,
symbols, upper and lower case, over 8 characters and also be gibberish.
Obviously there must be a balance between strength and using a password that
is at least memorable.

Not being a security expert, would anyone tell me how secure an 8 character
password would be consisting of numbers, upper and lower case letters and is
just gibberish, thus not prone to dictionary attacks.

Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896

How long would it take to crack a password of this complexity by brute

Thank you

Re: Password Security


     From what I read, most security experts are now suggesting
that you write down your passwords *and make sure that list is
secured*.  (The equivalent is to keep them encrypted by a master
key that's very secure.)  This is because of the large number of
passwords people now need.  Of course, you shouldn't use the same
password for multiple uses.


     I'm also not a security expert, but the usual measure of a
key's security is number of bits of entropy.  For truly random
data, you can find this from the log base 2 of the number of
combinations.  For your password scheme, that's just under 48
bits.  That's considered weak and easily crackable.  DES is 56
bits and considered to be too easy to crack.

Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position

Re: Password Security

Joseph wrote:

A good page to address your questions can be found here:


Re: Password Security

A dictionary attack only uses words in the dictionary, so if numbers and
other symbols are included, a dictionary attack is worthless. I've cracked
many passwds using John The Ripper and I never used wordlists: john -i
passwd_file. That's it.
Of course most of those were dictionary passwds, some were pretty funny like
user frog, passwd leap, stupid things like that.
Brute force is another story.  If a passwd is strong, it could take forever
but that's when you move on to the next file or look for  a weaker entry

Re: Password Security

On Sat, 21 Jan 2006 23:59:22 +0000, Joseph wrote:


I always tell people to forget about using words for their passwords, use

For example;

When It Rains It Pours But When The Sun Comes Out It's Warm
A Bird In The Hand Is Better Then Two In The Tree

Then use only the first letter of every word

thus having;

Then swap letters for numbers;
a=4 e=3 i=1 o=0 s=8 p=9 l=7

would translate to;

Other possible flips could be to use the number in place of the word, i.e.,

one=1 four=4 and so on.

You could also use the '&' in place for the word 'and'

You can make the flip anything you want but make it so that you will
remember what that flip is. Then add punctuation as needed.

Password generators are good too, and their passwords have no reason behind
them, and this makes them good, but it also makes them harder to remember.

Also never use short phrases. At least 10 letters long. 15 or more is
even better.

There is no such thing as an in-crackable password.  Given enough time all
passwords can and will be cracked.  We just have to make it harder for the
cracker and hope that he will be caught before he can crack the password.



Smile... it increases your face value!


Re: Password Security

Robert wrote:

What I tell people is to use a mangled passphrase that is complex and memorable,
and can be written down "securely". It usually looks like "l337 Sp3ak" (elite
speak) used by hackers.

What I do:
1) pick 3 words out of a book randomly that don't relate to each other. (Each
word must be at least 4 characters long)

2) Remove all spaces and punctuation.

3) Capitalize all words.

4) change some lowercase letters to numbers (l=1, e=3, g=5, g=6, t=7, b=8, p=9)

5) change some lowercase letters to symbols (a=@, i=!, s=$, x=*)

6) write the unmangled phrase down and keep it secure.

You now have a passphrase that is long, includes upper/lower case letters,
numbers and symbols. Those "random" words are difficult the first 2 or 3 times.
After that, the phrase sticks in your memory like the lyrics of a bad song.

Then if you've forgotten the phrase, get the written copy and mangle it in your

phase 1: handed design change
phase 2: handeddesignchange
phase 3: HandedDesignChange
phase 4: Hand3dD3si6nChan63
phase 5: H@nd3dD3s!6nCh@n63

If they need a more secure phrase increase the size of the phrase with 5 or 6
words, use extended characters between the words, and throw a misspelling in.



Dave Keays
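The two recipes in this thread (the "first letter of every word, then swap letters for numbers" scheme a few posts up, and the three-word mangling with its five phases in this post), coded up as an added example. This is Python written for this page, not code from either poster. Where a post leaves a detail open it is an assumption here: the first-letter scheme keeps whatever case the first letter had in the phrase and matches the swap table case-insensitively; the word scheme's steps 4 and 5 say "some" letters, so the swap tables are parameters and you pass only the letters you actually want changed (the post's phase 5 swapped only a and i). The 20,000-word dictionary and the 95-character printable set used in the entropy comparison are assumed figures, not anything the thread states.

```python
# Added example (not code from the thread): the two memorable-password
# recipes described above, plus the "bits of entropy" measure used earlier
# in the thread applied to the result.  Step order, swap tables and the
# sample figures at the bottom are editorial assumptions.
import math
import re

# Scheme 1: first letter of each word, then a=4 e=3 i=1 o=0 s=8 p=9 l=7,
# '&' for the word 'and', and a digit for a spelled-out number.
FIRST_LETTER_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0",
                       "s": "8", "p": "9", "l": "7"}
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def initialism(phrase, digits=FIRST_LETTER_DIGITS):
    """Keep the first letter of each word, then apply the swaps.

    Assumption: swaps match case-insensitively, and a letter with no swap
    keeps the case it had in the phrase ('It' stays 'I').
    """
    out = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        low = word.lower()
        if low == "and":
            out.append("&")
        elif low in NUMBER_WORDS:
            out.append(NUMBER_WORDS[low])
        else:
            out.append(digits.get(word[0].lower(), word[0]))
    return "".join(out)


# Scheme 2: three unrelated words, capitalise each, drop spaces and
# punctuation, swap *some* lowercase letters for digits, then *some* for
# symbols.  Only lowercase keys are in the tables, so capitals survive.
WORD_DIGITS = {"l": "1", "e": "3", "g": "6", "t": "7", "b": "8", "p": "9"}
WORD_SYMBOLS = {"a": "@", "i": "!", "s": "$", "x": "*"}


def mangle_words(phrase, digits=WORD_DIGITS, symbols=WORD_SYMBOLS):
    """Return every phase of the recipe so each step can be checked."""
    words = re.findall(r"[A-Za-z]+", phrase)
    phases = {"phase1": phrase}
    phases["phase2"] = "".join(words).lower()                # no spaces/punctuation
    phases["phase3"] = "".join(w.capitalize() for w in words)  # Capitalise words
    phases["phase4"] = "".join(digits.get(c, c) for c in phases["phase3"])
    phases["phase5"] = "".join(symbols.get(c, c) for c in phases["phase4"])
    return phases


def charset_entropy_bits(password, charset_size):
    """What a 'count the character classes' estimate credits the password."""
    return len(password) * math.log2(charset_size)


def scheme_entropy_bits(n_words, dictionary_size, swap_choice_bits=0.0):
    """What an attacker who knows the recipe really has to search: the word
    choices, plus whatever genuine choice the swaps add (0 if the table is
    fixed and always applied)."""
    return n_words * math.log2(dictionary_size) + swap_choice_bits


if __name__ == "__main__":
    print(initialism("When It Rains It Pours But When The Sun Comes Out It's Warm"))
    p = mangle_words("handed design change", symbols={"a": "@", "i": "!"})
    for k in sorted(p):
        print(k, p[k])
    # Assumed figures: 95 printable ASCII characters, a 20,000-word dictionary.
    print("charset estimate: %.1f bits" % charset_entropy_bits(p["phase5"], 95))
    print("known-recipe estimate: %.1f bits" % scheme_entropy_bits(3, 20000))
```

The last two lines of the demo are the point: an 18-character string with capitals, digits and symbols scores around 118 bits if you assume every position is random, but three words drawn from a 20,000-word list are about 43 bits to anyone who knows the recipe, and a fixed leet table adds nothing on top of that. The mangling helps against a plain wordlist run; it is the number and randomness of the words, as the later posts in this thread say, that sets the strength.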

Re: Password Security

on 1/21/2006 3:59 PM Joseph said the following:

As others have suggested, it really depends on how many combinations per
second an attacker can try.

Your example is 2.18e14 combinations (2.18 x 10^14)
The number of seconds per year: 3.15e7

If an attacker can "try" one per second, on average, then it will take
about 7 million years. (6.9e6) (Yes, as other commentators said, you
really are looking at the 50/50.  So divide all my results by 2 if you must)

Now that's an actual calculated number, but for the purposes of
discussion, remember you can divide by subtracting exponents.  So the
exponents become very important.  Add three to the exponent, and you
multiply the difficulty by 1000.

Example, Just adding two digits, so the password is at least 10
characters makes it 62^10 or 8.4e17.  In one try per second land, it now
takes 26 Billion years, a truly significant leap in entropy. To that,
allow the following 19 characters: !@#$%^&*(){}[]<>?~`.  Now the
attacker must try 81^10 combinations, 1.21e19.  Now, we're really talking!

The practical problem, as many have mentioned, is the difficulty of
creating, remembering and protecting such a password.



Re: Password Security

Here are some passwds for servers running Front Page (right column).
test             (iqstech)
pdgt             ( rkm)
4210             ( esven)
rules            (ahold)
Look how weak they are. It took John The Ripper about 4 minutes to crack
them. That's 4 out of 31 in the file that I created.
I'll let JTR run on the file for no more than 2 days at the most. No one in
their right mind is going to spend months trying to crack them unless it's
one company trying to find out what their competitor is doing or something
else that might mean a lot of money and if it means that much, I'm sure they
will look for another way to enter.  The point is that it's just not
necessary to ANALyse passwds that much.  If you force your users to go w/
the 8 mixed characters or more or as someone said, use phrases, that's the
end of the story.   BTW, if you're using front page, make sure that
/_vti_pvt/service.pwd is not readable.

Re: Password Security

Most of the pros that have written about the subject suggest a
password with a length of 10-13 random characters for the best
security. The little extra length adds a lot more calculations to a
brute force attack. We have a free password generator link on our web
site and a free password protection program (Blowfish encryption) that
you can download for secure storage of your passwords.

You'll only need to remember one pass to get into the program. Bruce
Schneier wrote it. It saves getting into the habit of writing down
all your passwords on a pad around your computer.


*   (no logs Internet)
* Anonymous Secure Offshore SSH-2 Surfing Tunnels
* Anonymous Mail & News through SSH-2 Tunnels
* Free Resources and Privacy Software

Re: Password Security

(admins) privacyoffshore wrote:



It's not necessary to go through your data mining site to get Password
Safe. Here is the actual URL people.... /


Bradenton, Florida is off shore now? Or did you mean off shore from some
other perspective?


Anonymous, Eh? Perhaps you can explain how you can offer any real
anonymity in light of the fact that you're a subscription based, single
point of contact, and open to easy traffic analysis as a result of
being real time...??

Why are you using squid if you're not logging?

Where would these alleged "off shore" servers reside? Care to name them?
Or are you afraid to have them scrutinized? Maybe they're not as off shore
as you claim?

Over half your "advertised" servers are inside EU member nations. Are you
unaware of the recent developments regarding forced logging of ALL
connection data in those member nations? The forced log retention? Or do
you just not care?

Why do you still have servers in Hong Kong after it's been shown that it's
easier to force information out of that Government than it is to get it
(legally) in the US?

Why are you stealing bandwidth from the Tor network for your profit? If
you're really an ANONYMOUS service, why would you need it?

Are you going to be just like the rest of your puppet service's puppets
and dodge these honest questions?

I'm betting you will......

Re: Password Security

Well it looks like the trolls are back,


That would be you troll


Go crawl under your rock troll and read their web site, stay anonymous
and use re-mailers, then we'll know you haven't got an agenda, LOL

Re: Password Security

If you use letters, numbers, symbols and non-printable characters such
as ESC and other commands, the real number of password combinations
would be 256^n different ones, where n is the number of characters in
your password. For a 7-digit password, there would be 72057594037927936
different password combinations. That's a lot.

Re: Password Security

on 1/24/2006 12:22 AM Lars said the following:

Yeah, 7.2e16 . . . Far less than my example of a 10 digit pass with a
smaller character set. 81^10 = 2.1e19.  Use your character set and you
get the same place with 8 digits.  (1.8e19).

The point is not to play silly math games.  The point is to demonstrate
that a relatively small increase in password length can have a profound
effect on the strength of the password.


Re: Password Security


For a 128-bit password you need 16 characters.
1 byte = 8 bits; 16*8 = 128.
Your password is 8 characters long:
Your password could be 64 bits strong, but only if you would
use upper and lower alphabetic characters, numbers, special
characters and *higher ANSI characters*. You are using only a
part of that, and probably not perfectly random, so your
password is *much* less than 64 bits strong (usually 40 bits
or even less).

"RSA Laboratories
Recommended Key Sizes"

"Minimum symmetric security level 80 bits-Protection Lifetime
of Data 2010, Minimum symmetric security level 112
bits-Protection Lifetime of Data 2030"

As you can see, you need a minimum 80-bit (or better, 90-bit)
strong password for your data if you want it to stay secure
for the next few years. For such protection 12 *random* characters
(96 bits) would be sufficient (theoretically). If you are
using a strong cryptosystem, the password has to be a minimum of 16
characters long, and because you are not using all possible
characters and the password is probably not truly random, a
length of 25 or more characters is recommended.

For online passwords, system passwords etc. you should use
minimum 12 characters, for strong cryptosystems 25 or more.


LC5 (L0phtCrack, a Windows password audit and recovery tool)
is working on my machine at a speed of about 5,000,000
combinations per second when cracking hashes from the Windows SAM
file (brute force method). Good strong cryptosystems slow
down password cracking speed, but it is still a big

Crypto-Gram Newsletter
October 15, 1999
by Bruce Schneier /

"(...)Many keys are generated from passwords or passphrases.
A system that accepts 10-character ASCII passwords might
require 80 bits to represent, but has much less than 80 bits
of entropy. High-order ASCII bytes won't appear at all, and
passwords that are real words (or close to real words) are
much more likely than random character strings. I've seen
entropy estimates of standard English at 1.3 bits per
character; passwords probably have less than 4 bits of
entropy per character. This means that a 6-character
passphrase is about the same as a 32-bit key, and if you want
a 128-bit key you are going to need a 98-character English

(...)Some have dealt with this problem by requiring stronger
and stronger passwords, but that is no longer effective. Over
the past several decades, Moore's law has made it possible to
brute-force larger and larger entropy keys. At the same time,
there is a maximum to the entropy that the average computer
user (or even the above-average computer user) is willing to
remember. You can't expect him to memorize a 32-character
random hexadecimal string, but that's what has to happen if
he is to memorize a 128-bit key. These two numbers have
crossed; password crackers can now break anything that you
can reasonably expect a user to memorize. Good passwords are
difficult to memorize, he will complain, but this difficulty
is precisely why they are considered good.(...)"


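The brute-force arithmetic that runs through this whole thread (the 62^8 figure in the first post, the "bits of entropy" reply, the 62^10 versus 81^10 comparison, the 256^7 post, the "16 characters for 128 bits" post above and its 5,000,000 guesses per second LC5 figure), turned into functions as an added example. This is Python written for this page, not any poster's code. The character-set sizes are the ones the thread names plus 95 for printable ASCII, which is an assumption; guess rates are inputs, so 1 per second and 5,000,000 per second below are simply the two rates the thread mentions.

```python
# Added example (not from the thread): the keyspace, entropy and
# time-to-crack arithmetic used in this thread, so the numbers can be
# checked and re-run with other rates.  Rates and charsets are inputs.
import math

SECONDS_PER_YEAR = 3.15e7          # the figure used in the thread

# Character-set sizes as quoted in the thread (95 printable ASCII is assumed).
ALNUM = 62                                            # a-z, A-Z, 0-9
ALNUM_PLUS_19 = 62 + len("!@#$%^&*(){}[]<>?~`")       # the 81 in the 81^10 post
ALL_BYTES = 256                                       # every byte value, as in 256^n
PRINTABLE_ASCII = 95                                  # what a keyboard can type


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """log2 of the keyspace: the bits-of-entropy measure from the thread."""
    return length * math.log2(charset_size)


def years_to_crack(length, charset_size, guesses_per_second, average=False):
    """Years to try the whole keyspace, or half of it (average=True), which
    is the expected time to hit one uniformly random password."""
    guesses = keyspace(length, charset_size) / (2 if average else 1)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def length_for_bits(target_bits, charset_size):
    """Shortest random password over this charset that reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def length_for_bits_english(target_bits, bits_per_char):
    """Same, using a per-character estimate such as the 1.3 or 4 bits per
    character quoted from Crypto-Gram above."""
    return math.ceil(target_bits / bits_per_char)


if __name__ == "__main__":
    for length, charset, label in ((8, ALNUM, "8 alnum"), (10, ALNUM, "10 alnum"),
                                   (10, ALNUM_PLUS_19, "10 alnum+19"),
                                   (7, ALL_BYTES, "7 any byte")):
        print("%-12s %5.1f bits  %9.2e years @1/s  %9.2e years @5M/s" % (
            label, entropy_bits(length, charset),
            years_to_crack(length, charset, 1),
            years_to_crack(length, charset, 5_000_000)))
    print("80 bits from printable ASCII needs", length_for_bits(80, PRINTABLE_ASCII))
    print("128 bits from all byte values needs", length_for_bits(128, ALL_BYTES))
```

Two results worth noticing. At the 5,000,000 guesses per second quoted for LC5, the original poster's 8-character alphanumeric password is exhausted in about 1.4 years (0.7 on average), so "7 million years" only holds at one guess per second. And "12 random characters = 96 bits" assumes all 256 byte values in every position; from the 95 characters a keyboard can type, 12 characters are about 79 bits, and 15 are needed to reach 96.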

