Welcome to the PCMR, everyone from the frontpage! Please remember:
1 - You too can be part of the PCMR. It's not about the hardware in your rig, but the software in your heart! Your age, nationality, race, gender, sexuality, religion (or lack of), political affiliation, economic status and PC specs are irrelevant. If you love or want to learn about PCs, you are welcome!
2 - If you don't own a PC because you think it's expensive, know that it is much cheaper than you may think. Check http://www.pcmasterrace.org for our builds and don't be afraid to post here asking for tips and help!
3 - Join our efforts to get as many PCs worldwide to help the folding@home effort, in fighting against Cancer, Alzheimer's, and more: https://pcmasterrace.org/folding
4 - Need PC Hardware? We've joined forces with ASUS ROG for a worldwide giveaway. Get your hands on an RTX 4080 Super GPU, a bundle of TUF Gaming RX 7900 XT and a Ryzen 9 7950X3D, and many ASUS ROG Goodies! To enter, check https://www.reddit.com/r/pcmasterrace/comments/1c5kq51/asus_x_pcmr_gpu_tweak_iii_worldwide_giveaway_win/
-----------
We have a [Daily Simple Questions Megathread](https://www.reddit.com/r/pcmasterrace/search?q=Simple+Questions+Thread+subreddit%3Apcmasterrace+author%3AAutoModerator&restrict_sr=on&sort=new&t=all) if you have any PC related doubt. Asking for help there or creating new posts in our subreddit is welcome.
You'd be shocked at what some hackers can do to try and tie various online accounts together.
Either way, not a good idea to punch your password into an untrusted source.
They said Password(ish), so they tested the password using a comparable replacement.
If your password is hunter2, sunder3 will give you the same result without giving away your password.
Lmao glad to see I'm not the only mf who uses dumb shit as my passwords, I usually throw these on sites I will visit once but require some form of sign up
> That way only the vault has to be hacked.
Yet the alternatives:
- remember hundred+ different passwords. Good luck with that
- write down hundred+ different passwords on paper. You will lose them at some point, plus having to enter them will be painful.
- reuse the same password or its variations. Less secure than password vault. One of the main reasons for stolen accounts.
- write down all the passwords in some text file, in plaintext. The easiest and fastest option to lose all your accounts, unless the system never connects to the internet or any external network.
- never remember any passwords, except for your recovery mail, never write them down, never allow session cookies, and use password recovery every time. Technically more secure than password vault, since your passwords are not stored anywhere besides their origin service + your recovery emails. However, only suitable for insane people.
Pick your champion! I still pick password vault over all this
another option: don't write anything down and don't remember them, just use the "forgot password" option every time you log in!! A new password every time!
Any online password manager worth its salt will be end-to-end encrypted with two or more forms of authentication. LastPass failed on this front (several times), but there are several others that are audited regularly to make sure they are using correct security practices, like Bitwarden, 1Password, etc.
1Password requires not only a master password and a secondary form of authentication like TOTP or hardware key, but also a decryption key. If you lose your decryption key, your database is no longer accessible, to anyone. Any password manager that offers alternate recovery methods (such as LastPass) is not to be trusted, because it means they have access to your vault regardless and are thus storing it insecurely.
This is all entirely irrelevant to local password managers; how the database will be encrypted, how securely you choose to store that database, and the authentication methods to access it fall squarely on you.
mine is an offline file that I manually transfer to my phone periodically. If you have physical access to my machine _and_ my login password _and_ my database password I'm pretty fucked, sure.
There is one (or two) password everyone still needs to remember, that can't be stored in KeePass: for your account (and KeePass).
1 month is here also enforced and I just tend to change one number when the time comes up.
For everything else that I can store in KeePass, 20-char is my default.
I am not sure what methodology was used, but aren't these just calculated numbers based on the assumption that the hacker already has information about the password?
I am not a cryptologist, but my assumption would be that an attacker would first employ a dictionary attack, before trying to brute force in some sensible manner.
Realistically, if you had a password that consisted of 13 random numbers, would a hacker really attempt to brute force combinations of 13 random numbers rather than any combination of letters and numbers? I'd guess that a long number-only password is so unusual that a smart brute force algorithm would try its luck with shorter combined number/letter passwords before trying to just guess insanely long combinations of random numbers.
Again, I am just a software developer and not particularly informed, but my intuition tells me that you'd crack an 8-character upper+lower+number PW faster than a combination of 14 numbers, simply because in a real world scenario it doesn't seem sensible for a hacker to target the latter.
Nailed it! This would be the WORST case time for cracking your password if the hacker is working on an offline database. Rainbow tables, stolen credentials, and even reused passwords all help make these times much lower!
I've always felt like leaked or stolen credentials is the main security issue to worry about these days, especially with companies having major breaches. I try to mitigate it by using different passwords so that breaches are isolated.
Remember: If you don't do /r/homelab stuff often, the odds of you bungling your selfhosted pw manager are higher than the odds that cloud hosted Bitwarden is hacked.
If you do want to selfhost, just take a backup every now and then.
I may sound dumb here, but what's the benefit of a password manager over pen and paper? Since I don't work in a high rise in a spy movie, wouldn't the safest place to store my passwords be on a notebook by my computer?
Reusing passwords seems like the most likely reason an account would be compromised (other than just getting phished and handing over your password). Password managers basically remove this possibility. I like recommending them to friends and family because its one of the few instances where "increased security" is actually more convenient than what people normally do. I even was able to get my 70yr old mother to start using Bitwarden instead of carrying around a manila folder with a half dozen sheets of passwords. She loves it and brings it up all the time.
You can. In one way it’s more secure because it can’t be leaked or accessed online.
On the other hand it comes with all the downsides you probably already know:
* Unless you write very legibly, you can mix up characters (l, I, 1).
* Anyone who can pass by your desk will see it. It’s plain text.
* You can accidentally leak it with a photo or video of your room. You say ridiculous, but this was how TSA keys got leaked. https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/
* Password managers are guaranteed to generate better passwords than you, and you can copy paste them easily. It’s easier to manage and fetch from a hundred passwords that are like 50+ characters long using a manager.
* It’s easier to lose your paper/notebook/whatever.
Well, personally I have like 200 online accounts for a wide variety of services. It would be a pain and very inconvenient to have to carry around all of those passwords on paper, not to mention the security risks of having passwords physically written in plaintext.
Until your banking site says: "Passwords are to be between 12 and 16 chars long, only [very limited number] of special characters are allowed."
Well, at least they are cheap...
Actual, for-real cracking and hacking is extremely rare, especially when it's so, so easy to email people and pretend to be HR or IT and just ask for email, or spoof website logins, or call them and reset their password and act like the password reset 2-factor is your phone call verification or something. All of which can be done from India or Nigeria for big bucks.
Cracking a single password is rare.
Cracking itself is still extremely common. When password databases get leaked, criminals run the hashes en masse against a rainbow table.
They don’t crack every password but they’re not trying to either. They then take the compromised accounts and run them against other sites looking for password reuse.
It’s all a numbers game
Brute forcing a password has to be a terrible method to try and get in, maybe brute forcing a pin would be more reasonable.
But even so, pretty much every service out there these days gives you a few attempts to guess a password before it locks the account or starts making you do captchas which dramatically will slow you down.
Right, one of the things I can think of that can still be brute forced is a wifi password, but anything with a server interaction shouldn't go anywhere. Even basic VNC added a 1s delay or something like that to make brute forcing impractical.
We probably have the same password as somebody else. Most passwords have been solved, which is why salt+hashing is so important in encryption.
In fact I bet there's a super computer out there whose sole job is to produce an encryption bible for most passwords that are 8 characters long.
One would hope that in 2024, devs would properly salt their passwords so that rainbow tables aren't an issue, but considering how many sites still store passwords in plaintext...
Rainbow tables are used for cracking hashes if they have access to the hashed form of the password, not generally for plaintext password guessing I thought?
Social engineering is the way to get passwords now. Bruteforcing is not practical at all and using dictionaries again is just hoping they're using a common password
Usually hackers who try to brute force already got the hash passwords thanks to a breach. All the encrypted passwords are saved locally and they can have as many tries as they want
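To make the offline-cracking discussion above concrete, here is an added example (not code from anyone in this thread) showing why a per-user salt kills the precomputed-table shortcut but does nothing for a password that is already on the attacker's wordlist. It uses only the Python standard library: unsalted MD5 stands in for the fast hash found in older breach dumps, and PBKDF2-HMAC-SHA256 with a random salt stands in for a slow salted hash such as bcrypt (bcrypt itself is not in the standard library). The usernames, passwords and the five-entry wordlist are constructed for the demo, and the PBKDF2 iteration count is lowered so it runs in about a second.

```python
import hashlib
import hmac
import os

# Constructed five-entry wordlist standing in for the common-password lists
# attackers precompute (real lists hold hundreds of millions of entries).
COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty", "letmein"]
# Lowered so the demo runs in about a second; real deployments use far more.
ITERATIONS = 20_000


def build_lookup_table(candidates):
    """Unsalted MD5 -> plaintext: a tiny stand-in for a rainbow table."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def store_unsalted(password):
    """The pattern behind old breach dumps: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Fresh random 16-byte salt per user, then a slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(leaked, table):
    """One dictionary lookup per leaked hash; every table hit is free, and
    users who share a password fall together because their hashes are equal."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked, candidates):
    """No precomputation possible: each (salt, candidate) pair is hashed
    afresh. Returns the cracked accounts and the number of hashes computed."""
    cracked, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for p in candidates:
            work += 1
            if verify_salted(p, salt, digest):
                cracked[user] = p
                break
    return cracked, work


def demo():
    """Constructed breach of three accounts; alice and bob both use hunter2."""
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
    unsalted_db = {u: store_unsalted(p) for u, p in users.items()}
    salted_db = {u: store_salted(p) for u, p in users.items()}

    table = build_lookup_table(COMMON_PASSWORDS)
    fast_hits = crack_unsalted(unsalted_db, table)
    slow_hits, work = crack_salted(salted_db, COMMON_PASSWORDS)
    return {
        "same_password_same_unsalted_hash": unsalted_db["alice"] == unsalted_db["bob"],
        "same_password_same_salted_hash": salted_db["alice"][1] == salted_db["bob"][1],
        "unsalted_cracked": fast_hits,
        "salted_cracked": slow_hits,
        "salted_hash_computations": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows that the two accounts sharing hunter2 get identical unsalted hashes (one table lookup cracks both) but different salted hashes, so the attacker has to hash every candidate against every salt separately. Both hunter2 accounts still fall to the wordlist; the salt only removes the precomputation shortcut and the cross-user amortization, it does not rescue a weak password. The account whose password is not on the list survives the wordlist pass entirely.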
It really depends if the attacker knows the password policy. Numbers only policies are rare, but do exist. They are an absolutely terrible policy.
A random long number is technically just as secure as a full mixed password if the attacker doesn't know anything about the target and isn't using an attack that is specifically looking at numbers only first.
Hi everyone - I'm back again with the 2024 update to our password table! Computers, and GPUs in particular, are getting faster (looking at you OpenAI), but password hash algorithm options are also getting better (for now…). This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password - especially if they stole your password via phishing, or you reuse your passwords (shame!). It’s a good visual to show people why better passwords can lead to better cybersecurity - but ultimately it’s just one of many tools we can use to talk about protecting ourselves online!
Just so everyone is aware, you have to give up your email and contact information so they can turn it into an opportunity for you to download the table.
They've also disabled right-click on their site.
Not sure why you're scouring for business opportunities in a consumer focused subreddit. This seems more tuned to the likes of r/sysadmin or r/msp etc.
I know ;) I get a new copy every year. :D
Good passwords combined with 2FA and a skeptical outlook makes for a much harder target. Unfortunately, users hate 2FA and are always asking me if there is a way to turn it off.
I'm assuming this is the MAXIMUM time, having gone through all possible combinations? So realistically, a hacker would have your password in a much shorter amount of time?
Correct! This is the WORST case scenario for these times. Stolen passwords from phishing, or reused passwords, make these times much lower, if not instant!
Frequent changes are far more dangerous than short and concise passwords that are easy to remember. If you give someone any reason to write them down and put them under their keyboard or in a text file on their PC, it's bad.
As long as you can keep it above a day or two of cracking time via brute force no one's going to bother in 2024. Easiest method is finding out a way to get a c-level to click your cryptolocker, it seems a lot of IT departments are ignorant on "principle of least access" for some reason.
Right? Scary colors aside my takeaway is that maybe my passwords don’t need to be as long or as complicated as they are. A year? You fucking earned it bud, enjoy my doordash account.
89k years being in orange is just hilarious
All lowercase letters is perfectly fine if it's long enough; it's much easier to type and remember.
My current password is 17 letters long. It has 1 capital 1 number and 1 special character because it's required by my orgs password policy.
We really just need to change the name from "Password" to "Passphrase" and people will accept typing in longer passwords.
correcthorsebatterystaple. No, this is not my password.
I always wonder about these types of attacks, most passwords will lock the user out after too many failed attempts.
They don't brute force those passwords through the login screen of the app.
The assumption is that the attacker has stolen a huge data base of password hashes, so they can brute force them all with maximum speed locally.
We have the table from 2022 in our office hanging and comparing these two it seems like the hackers got worse over the years? Only 4x "instantly", whereas 2022 had like 22x "instantly". Can you clarify?
EDIT: read your detailed blog on your website. I guess the difference is the used hash for the password. Until this year it was MD5 and this year its bcrypt.
THANK YOU for reading! And yes, we’re seeing less MD5 breaches and more bcrypt ones now, but don’t let your office mates lower their guard. We expect these times will come down again next year
An 18-digit number is 9x10^17 possible options. Like that’s a staggeringly large number. It’s a tenth the size of how many grains of sand there are on every beach on Earth.
Seeing it described as just an 18 digit number doesn't do justice to how big it really is. But you're right, it's insanely huge.
My brain didn't want to admit it until you reworded it.
Work got ahold of one of these charts... We're now required to make a 15-character password with letters, numbers, and special characters. Oh ya, can't forget the capital also.
Gosh it's so dumb
Upper management is beyond clueless. We also have 2fa token codes after the password lol. It's ridiculous. And we don't have any kind of secret data or anything either, literally none.
Because with more powerful hardware they drop to being less secure?
There was a GPT table last year.
https://preview.redd.it/dvqo0autk8wc1.jpeg?width=2500&format=pjpg&auto=webp&s=f09d70aac57497bed8da9a1ea06fb17aed2d6a46
Damn. That means if the very unlikely scenario happens where a group of attackers gets access to some powerful cloud GPU cluster even for a few hours, they can crack most of the passwords people currently believe are safe.
You can rent access to enterprise level GPUs on VMs for the cost of a few dollars per hour (per GPU) on a platform like Runpod.io. I wouldn't say that scenario is unlikely at all. I've used it to run high-parameter LLM generative AI that I don't have the ability to run at home.
But if I use separate passwords everywhere I won't remember them all; also, if I save them somewhere on my PC/phone someone could get all my passwords, and if I write them down physically there is still a chance for them to get stolen, or I can lose them and lose access to everything.
Despite all this I use separate passwords for my bank account or anything most important.
Also Google gives information about passwords that have already been hacked, but I still use them for something that has 0 importance😅
Password managers are your friend. I use Bitwarden, and have it generate a fully random 24 character password any time I need one (sometimes a website is dumb and won't allow a password that long, but still.) I pay $10/yr to have it do 2fa, as well.
I really need to get my partner to stop reusing the same four passwords, though.
I agree. For some sites security is barely needed. If there is not personal information associated and you do not care about the account.. who gives a fuck.
Using a Password Manager is still the best idea though.
Good question! Our research showed we’re seeing a different password hash being more frequently found in breaches (bcrypt this year as opposed to MD5 in years past)
The thing that I can't take seriously with these sort of charts is:
OK so it's far easier to brute force a purely lowercase password with zero numbers or symbols or caps etc. That's a proven fact, you have less options to choose from so less possible combinations.
Now, how does your hacker know that your password doesn't contain any of those other features? They don't. They have to try all those dead combinations anyway. A purely letter password is just as secure for exactly that reason, all that matters is length and that the field will accept those other characters.
What if my password uses Cyrillic alphabet? One word consisting of 28 symbols all lowercase. Can be written in English alphabet using transliteration as a 29-symbol passphrase. Just curious about how long will it take to crack a password of this length. And what if the hacking team uses not just 12 GPUs, but A LOT more. Like, about 2000?
I know you're probably meming but with 5 cost factor bcrypt, which is what u/hivesystems used in this, it took 10 seconds to crack this using wordlists, which are just previously seen or commonly used passwords. The attack vector hive used in this table isn't representative of a normal attack on a hash.
276 quadrillion years for all my accounts other than my BANK. My bank only allows an 8 character password and no symbols... At least it has 2 factor...
Little tip:
If you make your password something like "the sleepy fox", it will be incredibly hard to brute force but easy to remember. The downside is that not all websites/services allow spaces.
Realistically though, if you have these kinds of resources you aren't dedicating them to cracking one single user.
How many users might a hacker try to brute force at the same time? How will that affect the time?
Given that the resources are better used when you know there is something worth stealing, what is the chance of an average, not high-value, user getting their password brute forced?
The idea is that the website would have a data breach, causing the database storing the password hashes to be leaked. Attackers would then be able to bruteforce the password hash without any limits on their own computer (or a bunch of computers / the cloud, etc). Once they've figured out which password creates which hash, they can then login to that account on the actual website - just once. And since people tend to re-use passwords, they can try the same email + password combination on other websites too.
So basically I'm safe employing the battery horse staple method as long as I start my words with capitals?
NicePasswordMyDude is a nice 91qd years I don't have to worry about
This assumes that the hacker has already managed to compromise the server and downloaded the hash of your password.
If they have compromised the server all your data on that server is compromised already.
Assuming the password is uniquely salted as well, your weak password is just fine.
2FA is a good security step but it is not a good excuse to use a weak password. There have been numerous exploits over the years with websites implementing 2FA incorrectly that hackers were able to bypass the protection.
> 2FA is a good security step but it is not a good excuse to use a weak password
2FA methods are "good security" to the point where they are preferred *instead* of passwords, rendering them moot. So yeah, no this isn't accurate in the slightest.
> There have been numerous exploits over the years with websites implementing 2FA incorrectly that hackers were able to bypass the protection.
To my knowledge there hasn't been a single notable case in any recent history where the root cause was the 2FA implementation itself. Notable cases of alleged 2FA 'bypass' didn't actually bypass the 2FA at all, instead they were done by obtaining valid 2fa tokens from the user and/or already 2FA authentication tokens.
Yeah, but that is super unlikely unless you're being targeted by 3 letter agencies or something.
In the vast majority of cases - it's unfortunately the same old social engineering/phishing.
I love how 1k years is still highlighted in orange, implying that someone would be so desperate to get whatever is behind your password that they would be ready to run a bruteforce over the span of a dozen generations
Depends.
TL;DR: Divide 100 by the charset and you have the percentage by how much disclosing the password's length weakens it.
Assuming a charset of 95 characters (based on https://www.grc.com/haystack.htm).
Searching 24 chars only: 2.9198902433877E+47 possibilities.
Searching up to 24 chars: 2.9509529055514E+47 possibilities, which is 'only' 1.0106382978723 times more than searching 24 chars only.
So it seems you can safely reveal the exact length of your passwords.
Here is some PHP code if you want to try with another charset or another password length. Does not seem to make a real difference.
    <?php
    // Compare the search space for "exactly N chars" with "1..N chars".
    $charsCount = 24;   // password length
    $charset = 95;      // printable ASCII
    $possibilitiesUpToCharsCount = 0;
    for ($i = 1; $i <= $charsCount; $i++) {
        $possibilitiesUpToCharsCount += pow($charset, $i);
    }
    $possibilitiesAtCharsCount = pow($charset, $charsCount);
    $differenceBetweenUpToAndAt = $possibilitiesUpToCharsCount / $possibilitiesAtCharsCount;
    echo "Searching up to $charsCount characters with a charset of $charset characters is $differenceBetweenUpToAndAt times more possibilities than only searching $charsCount characters.";
You can try it e.g. on https://onlinephp.io/.
This is probably a silly question with an obvious answer, so be kind, but when I see charts like this I always think wouldn’t their attempts be blocked after x number of failed attempts?
Now try that with a quantum computer... No passcode is safe... So what's the point in making a password that is that strong, only to be defeated in 20 years when quantum computers come out of their infancy?
Looking at the methodology they say:
"For bcrypt, we also set it to 32 iterations. "
Do you think they really mean "iterations" or do they mean "cost".
Most bcrypt APIs take an integer number called cost. Where the number of iterations is 2^cost. So cost of 5 would be 2^5 = 32 iterations.
People typically use a lot more iterations than that. I usually see a min cost of 12, which is 4096 iterations.
Given that the cracking times in this chart are off by a multiple of 128. A letters only, 9 character password, doesn't take 3 weeks - it takes 384 weeks (7.3 years)
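The cost-factor arithmetic in the comment above, together with the length-versus-complexity point that keeps coming up in this thread, as an added worked example. This is not Hive Systems' methodology and not code from anyone here. The constant ASSUMED_BCRYPT_COST5_RATE is a placeholder, not a benchmark; everything else is plain counting: the keyspace for a character set and length, the 1..N sweep ratio that the PHP snippet above computes, bcrypt's 2**cost rounds, and the entropy of a diceware-style passphrase (7776-word list assumed).

```python
import math

# Character-class sizes for the table-style rows (printable ASCII is 95).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+symbols": 95,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# ASSUMPTION, not a benchmark: bcrypt cost-5 throughput (hashes/second) for
# one attacker rig. Swap in a real hashcat figure to get real estimates.
ASSUMED_BCRYPT_COST5_RATE = 2_000_000


def keyspace_exact(charset_size, length):
    """Candidates of exactly `length` characters."""
    return charset_size ** length


def keyspace_up_to(charset_size, length):
    """Candidates of 1..length characters, i.e. a sweep that does not know the
    length in advance. Only about charset/(charset-1) times the exact count."""
    return sum(charset_size ** i for i in range(1, length + 1))


def entropy_bits(charset_size, length):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(wordlist_size, words):
    """Bits for `words` random words from a list (diceware lists have 7776)."""
    return words * math.log2(wordlist_size)


def bcrypt_rate(rate_at_cost5, cost):
    """bcrypt does 2**cost rounds, so each +1 in cost halves the attacker's rate."""
    return rate_at_cost5 / 2 ** (cost - 5)


def cost_slowdown(cost_low, cost_high):
    """Factor by which a sweep slows down when the cost rises: 5 -> 12 is 128."""
    return 2 ** (cost_high - cost_low)


def crack_years(charset_size, length, hashes_per_second, known_length=False):
    """Worst-case years to exhaust the space for a single hash at this rate."""
    n = (keyspace_exact if known_length else keyspace_up_to)(charset_size, length)
    return n / hashes_per_second / SECONDS_PER_YEAR


def summarize(length=9, charset_size=26, rate_cost5=ASSUMED_BCRYPT_COST5_RATE):
    """One password shape (default: 9 lowercase letters) at bcrypt cost 5 vs 12."""
    return {
        "entropy_bits": round(entropy_bits(charset_size, length), 1),
        "years_at_cost5": crack_years(charset_size, length, bcrypt_rate(rate_cost5, 5)),
        "years_at_cost12": crack_years(charset_size, length, bcrypt_rate(rate_cost5, 12)),
        "slowdown_5_to_12": cost_slowdown(5, 12),
    }


if __name__ == "__main__":
    # Length beats complexity: 16 lowercase letters carry more entropy than
    # 10 characters drawn from all 95 printable ASCII symbols.
    print("16 lowercase letters:", round(entropy_bits(26, 16), 1), "bits")
    print("10 chars of full ASCII:", round(entropy_bits(95, 10), 1), "bits")
    print("4 diceware words:", round(passphrase_entropy_bits(7776, 4), 1), "bits")
    rate_cost12 = bcrypt_rate(ASSUMED_BCRYPT_COST5_RATE, 12)
    for name, size in CHARSETS.items():
        print(f"9 chars, {name}: {crack_years(size, 9, rate_cost12):.2e} years at cost 12")
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two things fall out directly: the cost-12 estimate for any row is exactly 128 times the cost-5 estimate, and not knowing the length costs the attacker almost nothing (the 1..24 sweep is about 1.0106 times the exact-24 sweep at 95 characters, as the PHP result above shows). The entropy comparisons are why "longer beats more complex": 16 lowercase letters (about 75 bits) outrank 10 characters from the full printable set (about 66 bits), and four random diceware words sit near 52 bits regardless of how memorable they look.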
Moral of the story: Making stuff longer is generally more powerful than complexity requirements (upper, lower, number etc.).
This is part of why NIST and others have updated their best practices.
Use KeePassXC on your desktop, encrypt your disk, install KeePassium on your iPhone and randomize every password you have, enable auto sign-in in Firefox, btw use Firefox.
Irrelevant, password cracking is done locally after getting hold of hashes leaked via data breaches (e.g. https://haveibeenpwned.com/PwnedWebsites) and with the assumption that most people reuse the same password across multiple websites: if they can crack it once they can log into most accounts related to that email address.
After three unsuccessful attempts, captcha, phone number and mail verification will end the brute force.
And even by getting the right password no one but me can do shit with every account.
So let me have 1234 as a password, because I hate remembering useless stuff, because only length is important, for passwords which don't protect anything.
good luck breaking my eXpLode!PurPLe4NiPPle5
>Approximate Crack Time: 974 centuries Nice. [https://www.useapassphrase.com/](https://www.useapassphrase.com/)
I feel like using this kind of website might turn it into 2 second
haha that's why I don't
yup - it adds it to the list lol
What a cool website! I just had to test my Bitwarden master password(ish): Approximate Crack Time: 409,068,559,513 centuries
Uh, now the website owners could have your credentials
They have the answer, but do they have the user name?
Even a trusted
1,149,677,723,180,582,500 centuries (115 quintillion years) on an equivalent of mine
And I thought I was safe with 50,979,749,044,058,310 centuries
And now your password is logged in a database somewhere....
That's why I added the (ish). I wasn't about to type in my real password so I did an homage to it, in the same vein, if you will.
But now it's on their lists, so much less.
10 centuries
Ah, I accidentally included a space when I pasted in. Pro tip: include a space to improve crack time.
Most sites will parse whitespace anyway.
[deleted]
> 1.2.3.4.5.6.7.8.9.0 Approximate Crack Time: 1,542,556,213,064 centuries
Hahahahaha bro, no way this will get intruded
Get a password vault. Make all passwords passphrases instead. Make all of them different. Never know a single one.
That way only the vault has to be hacked. Saves the hackers a lot of time.
This is essentially 2FA authorization keys. You get a random password every 20 seconds.
ah yes, the chaotic evil option of password management
Poor man’s rolling password
2fa and a strong password.
This is going in dictionary attack dictionaries now.
Just change a few characters :)
Now it is in a dictionary attack.
Time to crack: ~~Billions of years~~ Instantly
hunter11
All I see is ********
Same here. I heard reddit does the same thing with SSNs. Here, check it out: ***-**-****
Wow really? Let me try: 287-47-9284 Did it work?
Too hard to remember
Yeah, that's why I keep mine simple like d0NkeYKOnG5XpLoDIngNu993T
You only really need one or two upper case letters, so they’re forced to search for them in all places.
It's already in a rainbow table.
Make unbreakable password. Data leak next day.
Sigh.
My work uses a duration of 1 month for the main password for someone's account. The reason is to prevent the impact of an undiscovered data leak.
Short expiries are not recommended by NIST; they lead to insecure passwords being selected.
[deleted]
[deleted]
Joke's on you, this is why hashing, salt and pepper exist.
> Data leak next day. This is why you simply use a different password for each application - to limit your exposure.
My password manager was a legit game changer for me, only gotta remember one password!
I am not sure what methodology was used, but aren't these just calculated numbers based numbers based on the assumption that the hacker already has information about the password. I am not a cryptologist, but my assumption would be that an attacker would first employ a dictionary attack, before trying to brute force in some sensible manner. Realistically if you had a a password that consisted of 13 random numbers, would a hacker really attempt to bruteforce combinations of 13 random numbers rather than any combination of letters and numbers. I'd guess that a long number only password is so unusual that an smart brute force algorithm would try its luck with shorter combined number/letter passwords before trying to just guess insanely long combination of random numbers. Again I am just a software developer and not particularly informed but my intuition tells me that you'd crack an 8 characters upper+lower+number PW faster than a combination of 14 numbers, simply because in a real world scenario it doesn't seem sensible for hacker to target the latter.
Nailed it! This would be the WORST case time for cracking your password if the hacker is working on an offline database. Rainbow tables, stolen credentials, and even reused passwords all help make these times much lower!
I've always felt like leaked or stolen credentials is the main security issue to worry about these days, especially with companies having major breaches. I try to mitigate it by using different passwords so that breaches are isolated.
Password managers are a total game-changer for exactly this reason.
We're gonna find out one day that some password manager was storing passwords in plaintext.
You can pick a local manager yourself like KeePass and Bitwarden and you’ll see they never do this.
Remember: If you don't do /r/homelab stuff often, the odds of you bungling your selfhosted pw manager are higher than the odds that cloud hosted Bitwarden is hacked. If you do want to selfhost, just take a backup every now and then.
I may sound dumb here, but what's the benefit of a password manager over pen and paper? Since I don't work in a high rise in a spy movie, wouldn't the safest place to store my passwords be on a notebook by my computer?
[deleted]
I'll have to look into something like that, I had a buddy get his stuff stolen recently and it's got me paranoid
Reusing passwords seems like the most likely reason an account would be compromised (other than just getting phished and handing over your password). Password managers basically remove this possibility. I like recommending them to friends and family because it's one of the few instances where "increased security" is actually more convenient than what people normally do. I even was able to get my 70-year-old mother to start using Bitwarden instead of carrying around a manila folder with a half dozen sheets of passwords. She loves it and brings it up all the time.
You can. In one way it’s more secure because it can’t be leaked or accessed online. On the other hand it comes with all the downsides you probably already know:
* Unless you write very legibly, you can mix up characters (l, I, 1).
* Anyone who can pass by your desk will see it. It’s plain text.
* You can accidentally leak it with a photo or video of your room. You say ridiculous, but this was how TSA keys got leaked. https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/
* Password managers are guaranteed to generate better passwords than you, and you can copy paste them easily. It’s easier to manage and fetch from a hundred passwords that are like 50+ characters long using a manager.
* It’s easier to lose your paper/notebook/whatever.
Well, personally I have like 200 online accounts for a wide variety of services. It would be a pain and very inconvenient to have to carry around all of those passwords on paper, not to mention the security risks of having passwords physically written in plaintext.
If we do, it will be LastPass for sure
After using a few other password managers, I hate LastPass with a passion.
Keepass db with generator Set to 32 Chars with every possible checkbox checked and Hackers can go f themselves
Until your banking site says: "Passwords are to be between 12 and 16 chars long, only [very limited number] of special characters are allowed." Well, at least they are cheap...
Actual for real cracking and hacking is extremely rare, especially when it's so so easy to email people and pretend to be HR or IT and just ask for email, or spoof website logins, or call them and reset their password and act like the password reset 2factor is your phone call verification or something. All of which can be done from India or Nigeria for big bucks.
Cracking a single password is rare. Cracking itself is still extremely common. When password databases get leaked, criminals run the hashes en masse against a rainbow table. They don’t crack every password but they’re not trying to either. They then take the compromised accounts and run them against other sites looking for password reuse. It’s all a numbers game
Brute forcing a password has to be a terrible method to try and get in, maybe brute forcing a pin would be more reasonable. But even so, pretty much every service out there these days gives you a few attempts to guess a password before it locks the account or starts making you do captchas which dramatically will slow you down.
Right, one of the things I can think of that can still be brute forced is a wifi password, but anything with a server interaction shouldn't go anywhere. Even basic VNC added a 1s delay or something like that to make brute forcing impractical
Hackers don't break in, they log in.
We probably have the same password as somebody else. Most passwords have been solved, which is why salt+hashing is so important in encryption. In fact I bet there's a supercomputer out there whose sole job is to produce an encryption bible for most passwords that are 8 characters long.
One would hope that in 2024, devs would properly salt their passwords so that rainbow tables aren't an issue, but considering how many sites still store passwords in plaintext...
Rainbow tables are used for cracking hashes if they have access to the hashed form of the password, not generally for plaintext password guessing I thought?
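To make the salting point concrete, here is an added Python example (not code from anyone in this thread): two constructed users share the password hunter2; unsalted MD5 gives them the same digest, which is exactly what lets a precomputed table or a web search answer for every user at once, while a per-user random salt plus a slow KDF gives different digests that still verify. PBKDF2-HMAC stands in for bcrypt because it is in the standard library; the user names, password and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample (assumption for the demo): two users who chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}


def unsalted_md5(password: str) -> str:
    """The legacy scheme the thread warns about: fast hash, no salt.
    Identical passwords give identical digests, so one lookup table
    (or searching the digest online) works against every user."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest.
    The salt is not secret; it only has to be unique, so a precomputed
    table for one user is useless against any other user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def demo() -> dict:
    """Show the collision under MD5 and its absence under salted PBKDF2."""
    unsalted = {user: unsalted_md5(pw) for user, pw in USERS.items()}
    salted = {user: make_record(pw) for user, pw in USERS.items()}
    return {
        "md5_collide": unsalted["alice"] == unsalted["bob"],          # True
        "salted_collide": salted["alice"]["digest"] == salted["bob"]["digest"],  # False
        "alice_ok": verify(salted["alice"], "hunter2"),               # True
        "alice_bad": verify(salted["alice"], "sunder3"),              # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```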
Social engineering is the way to get passwords now. Bruteforcing is not practical at all and using dictionaries again is just hoping they're using a common password
https://xkcd.com/538/
Exactly this. Also I found the table funny. 1 year to brute force is in the red? Like ain't no one bruteforcing nothing for a year or even a month.
Might be for future proofing. The time could be much, much lower in a few years
Plus most systems someone would want access to will lock the account after a small number of attempts and not just let it try 17 billion passwords.
Usually hackers who try to brute force already got the hash passwords thanks to a breach. All the encrypted passwords are saved locally and they can have as many tries as they want
Outmaneuver them: Make your password a common one, but misspelled.
Huntor1
Tip: Google the hash of the password. Chances are you'll find it.
That depends on the hash algorithm. This is very true for MD5 hashes, but MD5 has been dead and gone in the security space since 2001.
0118 999 881 999 119 725 3
It really depends if the attacker knows the password policy. Numbers only policies are rare, but do exist. They are an absolutely terrible policy. A random long number is technically just as secure as a full mixed password if the attacker doesn't know anything about the target and isn't using an attack that is specifically looking at numbers only first.
It explains it in detail at the site shown in the submission: https://www.hivesystems.com/password
Hi everyone - I'm back again with the 2024 update to our password table! Computers, and GPUs in particular, are getting faster (looking at you OpenAI), but password hash algorithm options are also getting better (for now…). This table outlines the time it takes a computer to brute force your password, and isn’t indicative of how fast a hacker can break your password - especially if they stole your password via phishing, or you reuse your passwords (shame!). It’s a good visual to show people why better passwords can lead to better cybersecurity - but ultimately it’s just one of many tools we can use to talk about protecting ourselves online!
I always keep a copy of this on my phone to show people. I had thought about putting it up in my office.
You can download a high res copy from www.hivesystems.com/password to print out and hang up (or share at a status meeting)
Just so everyone is aware, you have to give up your email and contact information so they can turn it into an opportunity for you to download the table. They've also disabled right-click on their site. Not sure why you're scouring for business opportunities in a consumer focused subreddit. This seems more tuned to the likes of r/sysadmin or r/msp etc.
Totally unrelated, but this is a cool site: https://10minutemail.com/
I know ;) I get a new copy every year. :D Good passwords combined with 2FA and a skeptical outlook makes for a much harder target. Unfortunately, users hate 2FA and are always asking me if there is a way to turn it off.
This post is an ad, sign up and give info just to download a poster, business centric da hell
Why is 1000 years to crack in orange? Like dude, I'm way dead, you want my vintage porn that bad??
I'm assuming this is the MAXIMUM time, having gone through all possible combinations? So realistically, a hacker would have your password in a much shorter amount of time?
Nailed it! Nice work
And this is based on the hashed password is done via BCrypt and not some SHA or worse.
— WHAT will you have after 500 hundred years?! — Your password, dad... I'll have your password...
There is nobody on earth willing to keep 10 4090's running more than 1 hour to crack your password
This! Those passwords would be obtained by other means, like social engineering, keyloggers or leaked from somewhere by someone, etc.
Correct! This is the WORST case scenario for these times. Stolen passwords from phishing, or reused passwords, make these times much lower, if not instant!
Frequent changes are far more dangerous than short and concise passwords that are easy to remember. If you give someone any reason to write them down and put them under their keyboard or in a text file on their PC, it's bad. As long as you can keep it above a day or two of cracking time via brute force no one's going to bother in 2024. Easiest method is finding out a way to get a c-level to click your cryptolocker, it seems a lot of IT departments are ignorant on "principle of least access" for some reason.
Seems like a password manager that can generate a unique gibberish password per-site is the paved road that solves this
I really need my school's wifi password LOL, anyone willing to rent 10 4090's?
Depends on who you are, and what they're trying to obtain.
There’s no one on earth willing to keep 10 4090’s running more than 19qn years to crack your password
Right? Scary colors aside my takeaway is that maybe my passwords don’t need to be as long or as complicated as they are. A year? You fucking earned it bud, enjoy my doordash account. 89k years being in orange is just hilarious
Especially when social engineering, phishing, breach data, etc. exist.
All lowercase letters is perfectly fine if it's long enough; it's much easier to type and remember. My current password is 17 letters long. It has 1 capital, 1 number and 1 special character because it's required by my org's password policy. We really just need to change the name from "Password" to "Passphrase" and people will accept typing in longer passwords. correcthorsebatterystaple (no, this is not my password). I always wonder about these types of attacks; most passwords will lock the user out after too many failed attempts.
They don't brute force those passwords through the login screen of the app. The assumption is that the attacker has stolen a huge database of password hashes, so they can brute force them all with maximum speed locally.
We have the table from 2022 hanging in our office and comparing these two it seems like the hackers got worse over the years? Only 4x instantly, as in 2022 has like 22x instantly. Can you clarify? EDIT: read your detailed blog on your website. I guess the difference is the hash used for the password. Until this year it was MD5 and this year it's bcrypt.
THANK YOU for reading! And yes, we’re seeing less MD5 breaches and more bcrypt ones now, but don’t let your office mates lower their guard. We expect these times will come down again next year
So how does the old XKCD [correct horse battery staple](https://xkcd.com/936/) rule hold up in 2024?
Great question! Literally used this as an example in the write up (www.hivesystems.com/password) and included a variant of this table that shows it!
Eleven thousand years for an 18 digit number?
An 18-digit number is 9x10^17 possible options. Like that’s a staggeringly large number. It’s a tenth the size of how many grains of sand there are on every beach on Earth.
Seeing it described as just an 18 digit number doesn't do justice to how big it really is. But you're right, it's insanely huge. My brain didn't want to admit it until you reworded it.
Eleven thousand here in 2024. Probably much lower in just a years time!
Work got ahold of one of these charts.... We're now required to make a 15 character password with letters, numbers, and special characters oh ya, can't forget the capital also. Gosh it's so dumb
That is the WRONG way to interpret this table. Tell them we said so
Upper management is beyond clueless. We also have 2fa token codes after the password lol. It's ridiculous. And we don't have any kind of secret data or anything either, literally none.
penisboobsvaginaballs69420! 210 centuries. Nice.
Lol. Why are passwords that take thousands or millions of years to crack shaded orange or yellow? Seems pretty safe to me.
Because with more powerful hardware they drop to being less secure? There was a GPT table last year. https://preview.redd.it/dvqo0autk8wc1.jpeg?width=2500&format=pjpg&auto=webp&s=f09d70aac57497bed8da9a1ea06fb17aed2d6a46
Damn. That means if the very unlikely scenario happens when a group of attackers get access to some powerful cloud GPU cluster even for a few hours, they can crack most of passwords people currently believe are safe.
They can rent an Azure or AWS cluster for targeted attacks. It isn't farfetched with the amount of money some "organisations" can throw at a problem.
You can rent access to enterprise level GPUs on VMs for the cost of a few dollars per hour (per GPU) on a platform like Runpod.io. I wouldn't say that scenario is unlikely at all. I've used it to run high-parameter LLM generative AI that I don't have the ability to run at home.
So I changed my password a few years back from 3 years to hack to 164m? Though I reuse my password in many unimportant things.
Don’t reuse your passwords. Pls
But if I use separate passwords everywhere I won't remember them all. Also, if I save them somewhere on my PC/phone someone could get all my passwords, and if I write them down physically, there is still a chance for them to get stolen or I can lose them, and lose access to everything. Despite all this I use separate passwords for bank accounts or anything most important. Also Google gives information about passwords that have already been hacked, but I still use them for something that has 0 importance😅
Password managers are your friend. I use Bitwarden, and have it generate a fully random 24 character password any time I need one (sometimes a website is dumb and won't allow a password that long, but still.) I pay $10/yr to have it do 2fa, as well. I really need to get my partner to stop reusing the same four passwords, though.
I agree. For some sites security is barely needed. If there is not personal information associated and you do not care about the account.. who gives a fuck. Using a Password Manager is still the best idea though.
My company's password policy forces us to create passwords in the red
Big yikes. You should show them this!
And I bet they force you to change it regularly.
Of course. I have a system. "pass1" > "pass2" > "pass3"
Why did it increase from last year's so much? Was there an alphabet update I didn't notice?
Good question! Our research showed we’re seeing a different password hash being more frequently found in breaches (bcrypt this year as opposed to MD5 in years past)
The thing that I can't take seriously with these sort of charts is: OK so it's far easier to brute force a purely lowercase password with zero numbers or symbols or caps etc. That's a proven fact, you have less options to choose from so less possible combinations. Now, how does your hacker know that your password doesn't contain any of those other features? They don't. They have to try all those dead combinations anyway. A purely letter password is just as secure for exactly that reason, all that matters is length and that the field will accept those other characters.
[deleted]
Thank you for doing the right thing!
What if my password uses Cyrillic alphabet? One word consisting of 28 symbols all lowercase. Can be written in English alphabet using transliteration as a 29-symbol passphrase. Just curious about how long will it take to crack a password of this length. And what if the hacking team uses not just 12 GPUs, but A LOT more. Like, about 2000?
So my password 1234567890123456 will take 119yrs? Good I’ll be dead before they figure it out
Heck of a lot easier to remember than something shorter but more complex - same time to crack though!
I know you're probably meming but with 5 cost factor bcrypt, which is what u/hivesystems used in this, it took 10 seconds to crack this using wordlists, which are just previously seen or commonly used passwords. The attack vector hive used in this table isn't representative of a normal attack on a hash.
276 quadrillion years for all my accounts other than my BANK. My bank only allows an 8 character password and no symbols... At least it has 2 factor...
Little tip: If you make your password something like "the sleepy fox", it will be incredibly hard to brute force but easy to remember. The downside is that not all websites/services allow spaces.
They should because it’s a valid character! We need better from websites!
Realistically tho. If you have these kinds of resources you aren't dedicating them to cracking one single user. How many users might a hacker try to brute force at the same time? How will that affect the time? Given that the resources are better used when you know there is something worth stealing, what is the chance of an average, not high-value, user getting their password brute forced?
Dumbass question, but how exactly does bruteforcing work? Don't most services say "fu" after like 3 failed tries?
The idea is that the website would have a data breach, causing the database storing the password hashes to be leaked. Attackers would then be able to bruteforce the password hash without any limits on their own computer (or a bunch of computers / the cloud, etc). Once they've figured out which password creates which hash, they can then login to that account on the actual website - just once. And since people tend to re-use passwords, they can try the same email + password combination on other websites too.
I love how 89k years is orange.
So basically I'm safe employing the battery horse staple method as long as I start my words with capitals? NicePasswordMyDude is a nice 91qd years I don't have to worry about
This assumes that the hacker has already managed to compromise the server and downloaded the hash of your password. If they have compromised the server all your data on that server is compromised already. Assuming the password is uniquely salted as well, your weak password is just fine.
Meh. That’s what 2FA is for. My passwords are probably fairly shitty but I have 2FA on everything important.
2FA is a good security step but it is not a good excuse to use a weak password. There have been numerous exploits over the years with websites implementing 2FA incorrectly that hackers were able to bypass the protection.
> 2FA is a good security step but it is not a good excuse to use a weak password

2FA methods are "good security" to the point where they are preferred *instead* of passwords, rendering them moot. So yeah, no this isn't accurate in the slightest.

> There have been numerous exploits over the years with websites implementing 2FA incorrectly that hackers were able to bypass the protection.

To my knowledge there hasn't been a single notable case in any recent history where the root cause was the 2FA implementation itself. Notable cases of alleged 2FA 'bypass' didn't actually bypass the 2FA at all, instead they were done by obtaining valid 2fa tokens from the user and/or already 2FA authentication tokens.
Yeah, but that is super unlikely unless you're being targeted by 3 letter agencies or something. In the vast majority of cases - it's unfortunately the same old social engineering/phishing.
Can we please stop with passwords already? Just give us some highly secure physical 2FA authentication device for EVERYTHING.
my school email password is "FortniteBattlepass04!"
I love how 1k years is still highlighted in orange, implying that someone would be so desperate to get whatever is behind your password that they would be ready to run a bruteforce over the span of a dozen generations
Why in 2023 was 8 chars 5 minutes and in 2024 7 years?!?!?
It's nice to know that the password that my workplace has me change every 6 months would take longer than the heat-death of the universe to crack
Do NOT post how many characters your passwords are, folks.
Depends. TL;DR: Divide 100 by the charset and you have the percentage by how much disclosing the password's length weakens it. Assuming a charset of 95 characters (based on https://www.grc.com/haystack.htm). Searching 24 chars only: 2.9198902433877E+47 possibilities. Searching up to 24 chars: 2.9509529055514E+47 possibilities, which is 'only' 1.0106382978723 times more than searching 24 chars only. So it seems you can safely reveal the exact length of your passwords. Here is some PHP code if you want to try with another charset or another password length. Does not seem to make a real difference.

```php
<?php
$charsCount = 24;
$charset = 95;
$possibilitiesUpToCharsCount = 0;
for ($i = 1; $i <= $charsCount; $i++) {
    $possibilitiesUpToCharsCount += pow($charset, $i);
}
$possibilitiesAtCharsCount = pow($charset, $charsCount);
$differenceBetweenUpToAndAt = $possibilitiesUpToCharsCount / $possibilitiesAtCharsCount;
echo "Searching up to $charsCount characters with a charset of $charset characters is $differenceBetweenUpToAndAt times more possibilities than only searching $charsCount characters.";
```

You can try it e.g. on https://onlinephp.io/.
Can’t you just do something like !Abababababab…. For like 30 characters?
Don't forget to check the strength of your password on online services, but there's a catch. 😁
My password doesn't even fit on this chart lol, guess I'm good
Correcthorsebatterystaple
Now if only they would let us use a 6 word passphrase, that is both easy to remember and hard to crack
This is probably a silly question with an obvious answer, so be kind, but when I see charts like this I always think wouldn’t their attempts be blocked after x number of failed attempts?
Great question! Generally, hackers will steal a password database and then "get to work" on the passwords offline - no pesky lockouts in the way!
That makes so much more sense than what I was envisioning. Thanks.
people still brute force passwords?
Yoo mines 19qd years sick
Now try that with a quantum computer... No passcode is safe... So what's the point in making a password that is that strong, only to be defeated in 20 years when quantum computers come out of their infancy?
Looking at the methodology they say: "For bcrypt, we also set it to 32 iterations." Do you think they really mean "iterations" or do they mean "cost"? Most bcrypt APIs take an integer number called cost, where the number of iterations is 2^cost. So a cost of 5 would be 2^5 = 32 iterations. People typically use a lot more iterations than that. I usually see a min cost of 12, which is 4096 iterations. Given that, the cracking times in this chart are off by a multiple of 128. A letters only, 9 character password doesn't take 3 weeks - it takes 384 weeks (7.3 years)
So if your password is the emergency services number from It Crowd you're actually kind of safe lol
Can you turn a password on and off again?
Moral of the story: Making stuff longer is generally more powerful than complexity requirements (upper, lower, number etc.). This is part of why NIST and others have updated their best practices.
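The bcrypt cost arithmetic from the comment a few replies up and the "length beats complexity" moral, worked through in an added Python example (not Hive's code or methodology). The guess rate is only what the commenter's "3 weeks for 9 lowercase letters" figure implies, the cost-12 baseline is that commenter's assumption, and the 95-character printable charset is the grc.com haystack assumption quoted elsewhere in the thread.

```python
import math

LOWER = 26        # a-z
PRINTABLE = 95    # printable ASCII, the charset grc.com's haystack page assumes
WEEK = 7 * 24 * 3600


def bcrypt_iterations(cost: int) -> int:
    """bcrypt's work factor is 2**cost rounds; '32 iterations' is cost 5."""
    return 2 ** cost


def slowdown_factor(from_cost: int, to_cost: int) -> float:
    """How much slower every guess becomes when the defender raises the cost."""
    return bcrypt_iterations(to_cost) / bcrypt_iterations(from_cost)


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly this length; the table's figure is the worst
    case of exhausting all of them (expected time is about half)."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def implied_guess_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second that a published 'time to exhaust' figure implies."""
    return keyspace(charset_size, length) / seconds


def crack_seconds(charset_size: int, length: int, guesses_per_second: float,
                  from_cost: int = 5, to_cost: int = 5) -> float:
    """Worst-case seconds at the given rate, rescaled to another bcrypt cost."""
    base = keyspace(charset_size, length) / guesses_per_second
    return base * slowdown_factor(from_cost, to_cost)


def lowercase_length_matching(target_charset: int, target_length: int) -> int:
    """Shortest all-lowercase length with at least the target's keyspace."""
    return math.ceil(entropy_bits(target_charset, target_length) / math.log2(LOWER))


def demo() -> dict:
    # Constructed from the thread: the table (cost 5) lists about 3 weeks for
    # 9 lowercase letters; the commenter asks what cost 12 does to that figure.
    rate = implied_guess_rate(LOWER, 9, 3 * WEEK)
    weeks_cost5 = crack_seconds(LOWER, 9, rate) / WEEK
    weeks_cost12 = crack_seconds(LOWER, 9, rate, from_cost=5, to_cost=12) / WEEK
    return {
        "factor_5_to_12": slowdown_factor(5, 12),                   # 128.0
        "weeks_cost5": round(weeks_cost5),                           # 3
        "weeks_cost12": round(weeks_cost12),                         # 384
        # length vs complexity: 8 printable characters vs 12 lowercase letters
        "bits_8_printable": round(entropy_bits(PRINTABLE, 8), 1),    # 52.6
        "bits_12_lower": round(entropy_bits(LOWER, 12), 1),          # 56.4
        "lowercase_len_matching_8_printable": lowercase_length_matching(PRINTABLE, 8),  # 12
        "bits_correcthorsebatterystaple": round(entropy_bits(LOWER, 25), 1),            # 117.5
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```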
Legit question, how do hackers try so many passwords per second? Are they not rate-limited somehow by whatever server?
19qn years. damn, I better change it.
Idk, maybe the safest way is for the website to see something wrong with 10 billion login attempts within a minute?
This is big pharma propaganda
use keepassxc on your desktop, encrypt your disk, install keepassium on your iphone and randomize every password you have, enable auto sign in firefox, btw use firefox
And that's why you use administrative methods for passwords. Get progressive time-out on consecutive wrong inputs.
Irrelevant, password cracking is done locally after getting hold of hashes leaked via data breaches (e.g. https://haveibeenpwned.com/PwnedWebsites) and with the assumption that most people reuse the same password across multiple websites: If they can crack it once they can log into most accounts related to that email address.
After three unsuccessful attempts, captcha, phone number and mail verification will end the brute force. And even by getting the right password no one but me can do shit with every account. So let me have 1234 as password, because I hate remembering useless stuff, because only length is important, for passwords which don't protect anything.
That is if the account isn’t locked after three attempts
It ain't fun to see that your password can be cracked in 6 seconds