The hashes also need to be "salted", meaning have some random junk added that only the company you're logging into knows. That prevents use of precomputed tables of all possible hashes (rainbow tables).
Actually, that salt doesn't have to be secret; it can be stored right there with the hash, as long as it's unique to each hash. The best way to make it unique is to generate it randomly at hash time. Having a "secret salt" that is reused for each hash isn't a good idea for a number of reasons.
Former moderator of these forums. Lifetime sub since before launch. Been here since before public betas. Foundry author of "Franklin Drake Must Die".
nah been using the same password for email, this, wow, steam, origin, and my bank account and it has never been compromised, its 16 letters,numbers upper and lowercase mix trust me its safe
Seeing as increasingly the compromise is server side, I wouldn't be so confident.
"Tolerance and apathy are the last virtues of a dying society." - Aristotle
nah been using the same password for email, this, wow, steam, origin, and my bank account and it has never been compromised, its 16 letters,numbers upper and lowercase mix trust me its safe
While that password site is pretty neat (my password will be broken in 71 quadrillion years), it doesn't really do any good for all practical purposes. Still, it's fun to see whether your password is remotely up to snuff or not.
My password is nothing special and very secure. Why? Because I am not sharing it with anyone and ESPECIALLY because I am not entering it in some site that says give us your password and we will tell u if its save. Thats how most people get TRIBBLE, by being stupid.
One thing to note about that password cracking link in the OP: It's basing its estimate on a single, average desktop PC from today. Not from 10 years from now. And certainly not a cluster of field programmable gate arrays brute forcing on a hash table stolen from Cryptic. If you think those databases don't get stolen, it actually happens fairly often. That's the reason services nowadays will force global password resets if they even think that might have happened.
For everyone who thinks getting 30-50 years on that little password tester is good enough, it isn't. Bottom line is the passwords that people come up with off the top of their heads aren't good enough. Hackers are laughing at your attempts to be clever. Wherever possible, especially for high value accounts like banks, MMOs, or big online services (Apple, Google) you need to use a long, highly varied, preferably random password.
For reference, my password rated at 25 thousand years.
I can see what you're saying. Back in 2006 I did a contract at the North American HQ of a major company. Their IT dept set up an insolated test computer with hacker software, which I understood they downloaded from the internet. Everyone was invited to put in their password. I understand that the very best password, which IT considered complex, was TRIBBLE in 28 minutes. (and that was 7 years back) We were told at the time that it was good because impatience plays a role and a hacker is likely willing to move on to find that 30-second password instead.
It's over 14 characters when the system freaks out. I usually use passwords over 14, but had to downsize so I could actually log in.
Also if their account was TRIBBLE, how did they get around Cryptic's email code thing? Whenever I change locations or log in on a different PC it doesn't let me log in until I go copy/paste the code they send to my email. I doubt that both this persons email AND game account were TRIBBLE. Sounds like they shared account info with someone, which is a big no-no.
Yep, screws their fleet, and gets them banned from any PWE games. Great idea!
I can see what you're saying. Back in 2006 I did a contract at the North American HQ of a major company. Their IT dept set up an insolated test computer with hacker software, which I understood they downloaded from the internet. Everyone was invited to put in their password. I understand that the very best password, which IT considered complex, was TRIBBLE in 28 minutes. (and that was 7 years back) We were told at the time that it was good because impatience plays a role and a hacker is likely willing to move on to find that 30-second password instead.
In my Ethical Hacking Curriculum (working to get certified) one of the things I've learned, is a LOT of people use things that are near and dear to them, or close relation to them, or related to: Hobbies, work, school, childrens hobbies, relatives, Projects, personal car preferences, favorite tv shows, etc. Which when you're dealing with a true hacker, you can have someone meet you on the street, shoot the TRIBBLE with, share a few beers, and not realize, that guy you just met, isn't some random guy, he's truly out there to learn you, to gain HUMINT on you, for cracking the password into your login.
Even a Department Supervisor in a retail chain can be a target for corporate espionage. Companies will pay people under the table insane amounts of money, just to learn the Week To Date sales a store in XYZ city. Or to get ahold of training videos and training materials used to train company Zs employees.
Even to just learning what items are being shipped, when they are being delivered, list of vendors, etc. It's absolutely HUGE.And they'll pay hundreds, thousands, in some cases tens of thousands dependent on the criticality of the information obtained/being sold.
Overall, you should never have a password related to anything close to you. Pick some random BFE country for a password, some wierd bug or animal or something that has no relation, or that you don't even care or have any interest at all in, and never speak of it.
Comments
Actually, that salt doesn't have to be secret; it can be stored right there with the hash, as long as it's unique to each hash. The best way to make it unique is to generate it randomly at hash time. Having a "secret salt" that is reused for each hash isn't a good idea for a number of reasons.
so that is the account i gave $x million to rofl
I can see what you're saying. Back in 2006 I did a contract at the North American HQ of a major company. Their IT dept set up an insolated test computer with hacker software, which I understood they downloaded from the internet. Everyone was invited to put in their password. I understand that the very best password, which IT considered complex, was TRIBBLE in 28 minutes. (and that was 7 years back) We were told at the time that it was good because impatience plays a role and a hacker is likely willing to move on to find that 30-second password instead.
Yep, screws their fleet, and gets them banned from any PWE games. Great idea!
In my Ethical Hacking Curriculum (working to get certified) one of the things I've learned, is a LOT of people use things that are near and dear to them, or close relation to them, or related to: Hobbies, work, school, childrens hobbies, relatives, Projects, personal car preferences, favorite tv shows, etc. Which when you're dealing with a true hacker, you can have someone meet you on the street, shoot the TRIBBLE with, share a few beers, and not realize, that guy you just met, isn't some random guy, he's truly out there to learn you, to gain HUMINT on you, for cracking the password into your login.
Even a Department Supervisor in a retail chain can be a target for corporate espionage. Companies will pay people under the table insane amounts of money, just to learn the Week To Date sales a store in XYZ city. Or to get ahold of training videos and training materials used to train company Zs employees.
Even to just learning what items are being shipped, when they are being delivered, list of vendors, etc. It's absolutely HUGE.And they'll pay hundreds, thousands, in some cases tens of thousands dependent on the criticality of the information obtained/being sold.
Overall, you should never have a password related to anything close to you. Pick some random BFE country for a password, some wierd bug or animal or something that has no relation, or that you don't even care or have any interest at all in, and never speak of it.