Current Events > So it's accepted that password1 isn't a secure password...

(+) Yeah! (+)

What about password7

Has anyone ever guessed that
---

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered
---

Your password must contain a minimum of 16 characters, 4 numbers, no non consecutive numbers or letters, and can't be similar to one of your previous or anyone else's passwords (we know)
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb
---

Complete_Idi0t topic.
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

That software will always have the easiest passwords loaded onto it already.
---

Rika_Furude posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb

I hate people that come into a fun joke topic and take it seriously.
---

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

Your definition of fun is bizarre
---

1password is safer

chill02 posted...

Your password must contain a minimum of 16 characters, 4 numbers, no non consecutive numbers or letters

Hold on. Is that saying your letters or numbers must be consecutive?
---

Funkdamental posted...

chill02 posted...

Your password must contain a minimum of 16 characters, 4 numbers, no non consecutive numbers or letters

Hold on. Is that saying your letters or numbers must be consecutive?

maybe
---

Rika_Furude posted...

Your definition of fun is bizarre

You saying there's something wrong with deriving fun from low quality joke topics on an Internet forum?
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Let's assume that your password can contain any alphanumeric character on your keyboard plus the symbols - roughly 94 characters. Therefore, each character has 94 possibilities to be.

If you brute forced the password up to the 9 character password that is password1, you would have to brute force through all 1-character, 2-character ... 9-character passwords. So in other words, the maximum number of passwords needed to check would be

94 + 94^2 + 94^3 ... + 94^9 = 579,156,036,661,182,474 passwords.

Now that seems like a lot, doesn't it?

Now, I don't know the standard for this kind of thing, but some quick Googling revealed something about a 25-GPU cluster that can try 350 billion (350,000,000,000) passwords per second. Link - https://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

With our previous number, that is 1,654,731.5 seconds - about 19.2 days nonstop.

But then you can make the program even more efficient. Some passwords have limiting characteristics - for example, you might be required to have a special character (that being ! @ # $ % ^ & * ( ) - _ += [ ] \ ; ' , . / { } | : " < > ? I believe) which itself can chop off a lot because that means "oh, hey, I only have to check passwords that have those characteristics." Same thing for requisites of other types, like length, having certain other characters, etc.

Plus I imagine an average brute forcing program would be the type to check the Top X (however many X is) used passwords, just in case, right off the bat.
---

NeoShadowhen posted...

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Incidentally, "passwordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpassword" is ridiculously secure.

no but password! is
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

No, it's not secure because the following.

1. hackers have "hash dictionaries" with many common passwords pre-hashed which they can literally just ctrl+f (not literally) for things like "password1" salt helps, but the attacker likely has access to the salt as well. Remember they don't try to crack your password by repeatedly logging in, they steal the database that contains your hashed password and crack it at millions of attempts per second locally with no restriction.

2. Even if we were to assume that they were attempting to guess every possible combination of letters/numbers/special characters, it's 9 characters long, even if they started at "0" it wouldn't take more than a few days to crack it.

3. If they have access to a previous password in password change schemes, there is a good chance they can guess it outright. A guy whose password is "password7" probably had the password "password6" a few months ago and "password5" before that.

password restrictions are tricky because humans will behave in predictable patterns and the more restrictions you impose on someone, the more predictable the pattern will be. An unintuitive bad restriction is a very large minimum length. IF you require a password be at least 20 characters long, there is a good chance that most of your passwords will be exactly 20 characters long.
---

Anteaterking posted...

NeoShadowhen posted...

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.

while xkcd is correct in that "correcthorsebatterystaple" is more secure than "tr0b4dour&!", "correcthorsebatterystaple" is still not a secure password.
---

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

no because any good hacker program would take the most common passwords and put a number in the front or end of them

and that means password[0-9][0-9] is the first thing the program would try

on the other hand

p1AsswOr3d would be a strong password

unless alot of people do this and they specifically code to tray all combinations like this which might be the case
---

jenningsnash313 posted...

Rika_Furude posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb

I hate people that come into a fun joke topic and take it seriously.

I hate people who have nothing worthwhile to add to a topic, and attack those who do.
---

Can we just get on with the eyeball sensor thing so I don't have to make up and remember randomness
---

EpicMickeyDrew posted...

jenningsnash313 posted...

Rika_Furude posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb

I hate people that come into a fun joke topic and take it seriously.

I hate people who have nothing worthwhile to add to a topic, and attack those who do.

Hear hear. I like serious posts in joke topics personally
---

Anteaterking posted...

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.

I'm guessing that with any reasonably sized dictionary this would actually be extremely hard to crack still.
---

Password1! is better. Involves capitals, numbers, and special characters. 10 characters long.
---

What about p1a2s3s4w5o6r7d8 ?
---

philsov posted...

Password1! is better. Involves capitals, numbers, and special characters. 10 characters long.

will be one of the first 20 tried combinations
---

My passwords are all very different, long strains of random letters (some capitalized and some not), numbers and symbols.
---

ChromaticAngel posted...

Anteaterking posted...

NeoShadowhen posted...

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.

while xkcd is correct in that "correcthorsebatterystaple" is more secure than "tr0b4dour&!", "correcthorsebatterystaple" is still not a secure password.

On the flip side "correc!horseBattarystap1e" is AMAZINGLY secure
---

fire_bolt posted...

ChromaticAngel posted...

Anteaterking posted...

NeoShadowhen posted...

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.

while xkcd is correct in that "correcthorsebatterystaple" is more secure than "tr0b4dour&!", "correcthorsebatterystaple" is still not a secure password.

On the flip side "correc!horseBattarystap1e" is AMAZINGLY secure

not now that youve posted it here
---

Microwaved_Eggs posted...

fire_bolt posted...

ChromaticAngel posted...

Anteaterking posted...

NeoShadowhen posted...

From what I understand, and please correct me if I'm wrong, the methods used to break past passwords really have more difficulty with large numbers of characters as opposed to using goofy combinations of them or strange symbols and numbers. So, a long sentence like "doyoulikeplayinggames" is more secure than "2$ah%W1".

It all depends on whether someone knows your password scheme. "Do you like playing games" becomes much easier to crack if I'm using a dictionary attack.

while xkcd is correct in that "correcthorsebatterystaple" is more secure than "tr0b4dour&!", "correcthorsebatterystaple" is still not a secure password.

On the flip side "correc!horseBattarystap1e" is AMAZINGLY secure

not now that youve posted it here

That was simply a follow up on Chromatic's proof of concept. The idea is that it defeats most standard hard hacks by using a combination of upper and lower case letters, symbols, numbers, long strings, AND misspelled words. No hash dictionary is prepped hardcore enough to deal with that and brute force is gonna have to go thru the entire ASCII set to get each position.
---

Wait it's not. God dammit brb

don't tell my workplace
---

Axiom posted...

Wait it's not. God dammit brb

are you firebolts alt or something
---

Microwaved_Eggs posted...

Axiom posted...

Wait it's not. God dammit brb

are you firebolts alt or something

Nah, I thinks he's referring to the topic title. My only alts are all variations on the "bolt" theme
---

fire_bolt posted...

Microwaved_Eggs posted...

Axiom posted...

Wait it's not. God dammit brb

are you firebolts alt or something

Nah, I thinks he's referring to the topic title. My only alts are all variations on the "bolt" theme

oh i get the joke now
---

EpicMickeyDrew posted...

I hate people who have nothing worthwhile to add to a topic, and attack those who do.

But you did exactly what I did, so you added nothing worthwhile except attacking me, which is a bad decision since I am notoriously loved by all. I won't accept what you said as fact unless you admit to hating yourself as well.

Checkmate.
---

Wow I had to change my password 10 times because of this topic. How are you guys doing this?
---

jenningsnash313 posted...

Rika_Furude posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb

I hate people that come into a fun joke topic and take it seriously.

This.
---

i used to use the automated passwords 4chan would give you so you could delete your own posts after the fact; i actually still use a few of them.

eight letters long and they mix numbers and letter cases. hope that's good enough?
---

legendarylemur posted...

Wow I had to change my password 10 times because of this topic. How are you guys doing this?

not good enough

I already hacked your account
---

What if you spell it wrong like passwird1?
---

ChromaticAngel posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

No, it's not secure because the following.

1. hackers have "hash dictionaries" with many common passwords pre-hashed which they can literally just ctrl+f (not literally) for things like "password1" salt helps, but the attacker likely has access to the salt as well. Remember they don't try to crack your password by repeatedly logging in, they steal the database that contains your hashed password and crack it at millions of attempts per second locally with no restriction.

2. Even if we were to assume that they were attempting to guess every possible combination of letters/numbers/special characters, it's 9 characters long, even if they started at "0" it wouldn't take more than a few days to crack it.

3. If they have access to a previous password in password change schemes, there is a good chance they can guess it outright. A guy whose password is "password7" probably had the password "password6" a few months ago and "password5" before that.

password restrictions are tricky because humans will behave in predictable patterns and the more restrictions you impose on someone, the more predictable the pattern will be. An unintuitive bad restriction is a very large minimum length. IF you require a password be at least 20 characters long, there is a good chance that most of your passwords will be exactly 20 characters long.

It sounds like you're talking about rainbow tables, where you precalculate hashes and store them so that you don't have to spend time cracking the hashes. But those take a really long time to create and, especially with salts, take up an enormous amount of space. With dictionary attacks, you have a list of possible passwords and you use a program to hash each word in the list and compare it to the hash you're trying to crack.
---

ForestLogic posted...

jenningsnash313 posted...

Rika_Furude posted...

green butter posted...

in theory wouldn't password1 be a fairly secure pw if someone was just running software that was trying to get every combination of numbers and letters? even moreso if capital letters were considered

Nope because 1) its short, 2) its 1 word and 1 number which is trivial to achieve in a dictionary attack and 3) "password7" or any other password like that is dumb dumb dumb

I hate people that come into a fun joke topic and take it seriously.

This.

Rika_Furude posted...

Your definition of fun is bizarre

---

Passw0rd1
---

Do people still try to brute force passwords in the era where every site makes you use multiple captchas the moment you get your password wrong twice.
---

What if it's

420pASSword69

and it's case sensitive?
---

Fun fact: 63% of passwords on the internet are now correcthorsebatterystaple

GiftedACIII posted...

Do people still try to brute force passwords in the era where every site makes you use multiple captchas the moment you get your password wrong twice.

It's assumed that we're talking about an instance where the attacker has the hashes.
---

My passwords are based on memes with some variation depending on the website.

So i have 1 constant set of characters that i use in every single of my password, and 1 variables that are different based on the site's characteristics,,name or other thing.
---