If you invited me to try to crack your password (you know the one: the one you use over and over for nearly every web page you visit), how many guesses would it take before I got it? Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
- Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
- The last 4 digits of your social security number.
- 123 or 1234 or 123456.
- “password”
- Your city, or college, football team name.
- Date of birth – yours, your partner’s or your child’s.
- “god”
- “letmein”
- “money”
- “love”
Statistically speaking, that should cover about 20% of you. But don’t worry: if I didn’t get it yet it will probably only take a few more minutes before I do… Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data, and the main thing standing between your information staying safe and leaking out is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.) One of the simplest ways to gain access to your information is a brute force attack: the hacker uses a specially written piece of software that attempts to log into a site with your username, trying one password guess after another. Insecure.org has a list of the Top 10 FREE Password Crackers right here. So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
- You probably use the same password for lots of stuff right?
- Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
- However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, an e-commerce site you’ve shopped at, or a cryptocurrency wallet might not be as well prepared. So those are the ones I’d work on.
- So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
- Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
- But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
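The chain the list above describes (a flood of guesses against a weakly defended login, then the harvested username/password pairs replayed on sites that matter) leaves a clear trace in the login logs of the site being guessed at. The Python below is an added example, not code from the article or from any product it names: it runs a small detector over a few constructed log lines and flags the three patterns a defender would want to see: many failures for one account from one address, one address working through many usernames, and a success that follows a burst of failures. The log format, IP addresses, usernames and thresholds are all made up for the illustration.

```python
"""Spot brute-force and credential-spraying patterns in login logs.

Added example, not from the article or any product it names. The log
format, addresses, usernames and thresholds below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, client IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
FAIL_THRESHOLD = 5             # failures for one (ip, user) inside the window
SPRAY_THRESHOLD = 4            # distinct usernames failing from one ip inside the window
WINDOW = timedelta(minutes=5)  # assumed sliding window

SAMPLE_LOG = """\
2009-09-01T10:00:01 ip=203.0.113.5 user=alice result=FAIL
2009-09-01T10:00:02 ip=203.0.113.5 user=alice result=FAIL
2009-09-01T10:00:03 ip=203.0.113.5 user=alice result=FAIL
2009-09-01T10:00:04 ip=203.0.113.5 user=alice result=FAIL
2009-09-01T10:00:05 ip=203.0.113.5 user=alice result=FAIL
2009-09-01T10:00:06 ip=203.0.113.5 user=alice result=OK
2009-09-01T10:01:00 ip=198.51.100.7 user=bob result=FAIL
2009-09-01T10:01:01 ip=198.51.100.7 user=carol result=FAIL
2009-09-01T10:01:02 ip=198.51.100.7 user=dave result=FAIL
2009-09-01T10:01:03 ip=198.51.100.7 user=erin result=FAIL
2009-09-01T10:30:00 ip=192.0.2.9 user=frank result=FAIL
2009-09-01T11:30:00 ip=192.0.2.9 user=frank result=FAIL
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, fail_threshold=FAIL_THRESHOLD, spray_threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Walk the log once, in order, and return a list of alert dicts."""
    failures = defaultdict(list)    # (ip, user) -> failure timestamps still inside the window
    seen_users = defaultdict(dict)  # ip -> {user: time of that user's last failure}
    already = set()                 # keys already alerted on, so each fires once
    alerts = []

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, user = event["ts"], event["ip"], event["user"]
        key = (ip, user)
        failures[key] = [t for t in failures[key] if ts - t <= window]

        if event["result"] == "FAIL":
            failures[key].append(ts)
            seen_users[ip][user] = ts
            # Pattern 1: repeated failures for one account from one address.
            if len(failures[key]) >= fail_threshold and ("brute", key) not in already:
                already.add(("brute", key))
                alerts.append({"kind": "brute_force", "ip": ip, "user": user, "at": ts})
            # Pattern 2: one address cycling through many usernames (spraying).
            recent = [u for u, t in seen_users[ip].items() if ts - t <= window]
            if len(recent) >= spray_threshold and ("spray", ip) not in already:
                already.add(("spray", ip))
                alerts.append({"kind": "spray", "ip": ip, "users": len(recent), "at": ts})
        elif len(failures[key]) >= fail_threshold:
            # Pattern 3: a success right after a burst of failures is the one line
            # that says the guessing may have worked; it deserves an analyst's look.
            alerts.append({"kind": "success_after_failures", "ip": ip, "user": user, "at": ts})

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the detector raises a brute-force alert on the fifth failure for alice, a success-after-failures alert on the login that follows it, and a spraying alert once the second address has failed against four different accounts; the two failures an hour apart for frank stay below every threshold. Those thresholds are the whole tuning problem in practice, which is why they are parameters rather than constants buried in the loop.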
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying. Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, digits and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
Password Length | All Characters | Only Lowercase
---|---|---
3 characters | 0.86 seconds | 0.02 seconds
4 characters | 1.36 minutes | .046 seconds
5 characters | 2.15 hours | 11.9 seconds
6 characters | 8.51 days | 5.15 minutes
7 characters | 2.21 years | 2.23 hours
8 characters | 2.10 centuries | 2.42 days
9 characters | 20 millennia | 2.07 months
10 characters | 1,899 millennia | 4.48 years
11 characters | 180,365 millennia | 1.16 centuries
12 characters | 17,184,705 millennia | 3.03 millennia
13 characters | 1,627,797,068 millennia | 78.7 millennia
14 characters | 154,640,721,434 millennia | 2,046 millennia
Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster. Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night? Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it. Here are some password tips:
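The table follows from a single formula: an alphabet of N symbols gives N^L passwords of exactly L characters, and at a fixed guessing rate the worst case is that many guesses. The Python below is an added example, not the article’s own calculator. It assumes 26 lowercase letters, 95 printable ASCII symbols for "all characters", a 365-day year and a rate of 1,000,000 guesses per second; those assumptions reproduce the table’s figures (26^8 guesses take 2.42 days, 95^8 take 2.10 centuries; the same arithmetic puts four lowercase characters at 0.46 seconds). The `guesses_per_second` parameter is there because the rate is the whole story: a login page that throttles to one attempt per second turns the 2.42 days for an 8-character lowercase password into more than six millennia, which is the qualification several commenters below raise about online attacks.

```python
"""Brute-force timing for an alphabet size, password length and guess rate.

Added example, not the article's own calculator. Assumptions: 26 lowercase
letters, 95 printable ASCII symbols for "all characters", a 365-day year and
1,000,000 guesses per second, which together reproduce the article's table.
"""
import string

LOWERCASE = len(string.ascii_lowercase)                                              # 26
ALL_CHARACTERS = len(string.ascii_letters + string.digits + string.punctuation) + 1  # 95, with space
SECONDS_PER_YEAR = 365 * 24 * 3600
UNITS = [  # the table's units, smallest first
    ("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86_400),
    ("months", SECONDS_PER_YEAR / 12), ("years", SECONDS_PER_YEAR),
    ("centuries", 100 * SECONDS_PER_YEAR), ("millennia", 1000 * SECONDS_PER_YEAR),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate of this length is tried before the right one."""
    return keyspace(alphabet_size, length) / guesses_per_second


def humanize(secs: float) -> str:
    """Render a duration in the largest unit that fits, the way the table does."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if secs >= unit_size:
            name, size = unit_name, unit_size
    return f"{secs / size:,.2f} {name}"


def timing_table(min_len: int = 3, max_len: int = 14, guesses_per_second: float = 1_000_000):
    """Rows of (length, all-characters time, lowercase-only time)."""
    return [
        (n,
         humanize(seconds_to_exhaust(ALL_CHARACTERS, n, guesses_per_second)),
         humanize(seconds_to_exhaust(LOWERCASE, n, guesses_per_second)))
        for n in range(min_len, max_len + 1)
    ]


if __name__ == "__main__":
    # Offline-style rate first, then a login page throttled to one attempt per second.
    for rate in (1_000_000, 1):
        print(f"--- {rate:,} guesses per second ---")
        for n, everything, lower in timing_table(guesses_per_second=rate):
            print(f"{n:2d} characters  {everything:>28}  {lower:>20}")
```

Two things the printed table makes obvious that the prose does not: the "all characters" column grows by a factor of 95 per added character against 26 for lowercase, so length and alphabet size trade off against each other (13 lowercase characters already beat 9 from the full set), and every figure scales linearly with the rate, so the defender's levers are the guess rate (throttling, lockout) as much as the user's choice of password.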
- Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. – m0d3ltf0rd… like modelTford)
- Randomly throw in capital letters (e.g. – Mod3lTF0rd)
- Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
- Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
- You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
- Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
- Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
- Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
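A way to put numbers on the tips above, and on the caveat a commenter adds further down that cracking dictionaries already contain the 0-for-o style substitutions: the Python below is an added example, not from the article. It produces no candidate passwords at all; it only counts how many guesses a word-list attack that also tries the usual letter-for-digit substitutions and capitalisation variants would need, and compares that with a genuinely random password of the same length at the same guessing rate the table implies. The substitution map, the 171,000-word list size and the 1,000,000 guesses/second rate are assumptions chosen for the illustration.

```python
"""How much a letter-for-digit substitution actually adds to a password.

Added example, not from the article. It generates no passwords; it only
counts the guesses a word-list attack with substitution and capitalisation
rules would need, and compares that with a random password of the same
length. The substitution map, list size and guess rate are assumptions.
"""
import math

SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$", "t": "7"}
DICTIONARY_WORDS = 171_000        # assumed size of the attacker's word list
GUESSES_PER_SECOND = 1_000_000    # the rate the article's table implies
PRINTABLE_SYMBOLS = 95            # letters, digits, punctuation and space


def substitutable_count(word: str) -> int:
    """Letters in `word` that one of the substitution rules could rewrite."""
    return sum(1 for c in word.lower() if c in SUBSTITUTIONS)


def dictionary_guesses(word: str, random_capitals: bool = False) -> int:
    """Guesses that cover every substitution variant of every list word (each
    substitutable letter doubles the variants) and, if the attacker also
    allows arbitrary capitalisation, every case variant as well (an upper bound,
    since a letter already swapped for a digit has no case)."""
    variants = 2 ** substitutable_count(word)
    if random_capitals:
        variants *= 2 ** sum(1 for c in word if c.isalpha())
    return DICTIONARY_WORDS * variants


def random_guesses(length: int, alphabet_size: int = PRINTABLE_SYMBOLS) -> int:
    """Guesses to exhaust every password of this length over the alphabet."""
    return alphabet_size ** length


def bits(guesses: int) -> float:
    """Search space expressed in bits, the usual strength yardstick."""
    return math.log2(guesses)


def seconds(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to run through that many guesses at the given rate."""
    return guesses / rate


def compare(word: str) -> dict:
    """(bits, worst-case seconds) under the three models for a word of this length."""
    plain = dictionary_guesses(word)
    capped = dictionary_guesses(word, random_capitals=True)
    rnd = random_guesses(len(word))
    return {
        "word_with_substitutions": (round(bits(plain), 1), seconds(plain)),
        "plus_random_capitals": (round(bits(capped), 1), seconds(capped)),
        "random_same_length": (round(bits(rnd), 1), seconds(rnd)),
    }


if __name__ == "__main__":
    # "pa$$w0rd" is one of only 16 substitution variants of "password".
    for label, (b, secs) in compare("password").items():
        print(f"{label:25s} {b:5.1f} bits  {secs:,.0f} s")
```

For "password" the three models come out at roughly 21, 29 and 53 bits: substitutions alone leave the word crackable in seconds, substitutions plus arbitrary capitals in minutes, while eight truly random printable characters take the table's two centuries. That is the quantitative version of the advice to avoid any dictionary word, however it is dressed up.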
By request I also created a short RoboForm Tutorial. Hope it helps…
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!
Now I realize that every day we encounter people who exaggerate points in order to move us to action, but trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned. I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain. Please, be safe. It’s a jungle out there.
EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
Or this ABC World News report:
This is why I have several passwords. One I use specifically for my bank account, one I use specifically for my email, and one I use for all the frivolous sites. Good article, though. I never realized how fast one could crack a password through brute force. I’m going to doubly make sure my passwords are as complex as I can remember.
I’ve tried a few programs (including Roboform) to remember my passwords for me but I always have problems when I’m away from the computer where I have this software installed. I don’t have a laptop, but I do use my GF’s computer when I’m over there and my folks’ computer when I’m at home, and making a bunch of complicated passwords didn’t work well for me. A friend of mine turned me onto this online solution at http://WWW.MITTO.COM that works pretty well. It’s all on the web like my Gmail, so I can use it to log in to my accounts from anywhere. I’ve been using Mitto for a few months now and I like it, but I was wondering if you had tried it or had an opinion on it.
Fantastic article! I would only add one additional solid reason as to why you should have different passwords for different sites: You never know what’s going on behind the scenes. I had an incident where a sales person at a company had full access to my password…and even emailed it to me asking, “is this you?” as we were troubleshooting my account. POOR excuse for security and privacy, I wrote about it here: http://al.bsharah.com/post/2009/09/01/Security-Your-On-Line-Identity-and-ZipRealtys-Poor-Example.aspx
Again, thanks for sharing this! It’s unfortunate how many people don’t realize how insecure their information is.
AL
Thanks for driving the point home Curtis.
I’d also like to point out that passwords are not just for Websites. We use them for corporate logins, PIN codes for phone systems, etc. So what’s at stake here is far more than your online life.
In addition, for people who truly understand the risks we should use multiple login names and passwords so that breaches in one site’s security do not affect you on another site.
John P.
You make a very strong point and you make it very clear that you have a strong point by constantly stating the same point in all capital letters.
The bottom line is, and remains, that if people used stronger passwords, they’d be better protected. If John’s article were to cover every single one of the finer points of a truly secure password, the article would’ve been long enough to be a book and we all know that.
I think the most important thing to glean from his writing here is that putting a little more effort into your password makes you that much safer. Not an article targeted at advanced users, but users with a lack of imagination when it comes to locking down their various user names and accounts across the web.
I say he did a bang up job on the article and he’s earned a bookmark from me.
I’m glad to know it will take 17,184,705 millennia to crack my gmail password, and at least 154,640,721,434 millennia to crack my laptop password (laptop password is 19 characters long)
Well with your uber leet skillz on password hacking I hardly think you’d be cracking even my lowest security passwords.
This is more an article on basic common sense, anyone who doesn’t know better deserves what they get.
By the way you are trying to run way too many scripts on this page for my liking, I mean like 8 different domains like wtf….
You are never 100% secure even if your password is a whole song :). In fact I do know a blogger that is using a whole sentence as a password… which seems kind of crazy.
Some of you might or might not be aware that nowadays it’s much easier to get a remote keylogger on someone’s PC, and thus get their password as they type it, instead of brute forcing it.
Another thing is, with the introduction of CUDA (Compute Unified Device Architecture) and a few top notch gaming cards in SLI mode, all you need is a CD of BackTrack, Pyrit and coWPAtty and you will achieve around 15,000 passphrases per second, which with a better CPU and overclocked cards can go up to 50k.
So suddenly now every enthusiast with spare bucks, a good PC and VGAs can brute force your regular 8 letter password in a few hours.
i love this website!!! super awesome!
I work at an ISP, and recently we started going over the OpenLDAP with password strength requirements. Part of that included an audit, and out of 6000 accounts, only 518 were considered “strong.” Many of the rest were just… just awful. Some things I want to mention:
– Hackers’ dictionaries HAVE the “substitute 0 for o, 1 for I/L, 4 for A” rules, and so on. Making your password “pa$$w0rd” means it will be hacked just as fast. Same with “4/for, %/oo,” and so on. “f%d4a11” is the same as “foodforall” in the dictionary.
– A lot of hacker’s dictionaries don’t have the space character, mostly because most older password forms don’t allow it. But some logins do allow it, so there’s a trick to try.
– DON’T DON’T DON’T make your password the same as your login. Gees! “fwilliam@example.com” should not have the password “fwilliam.” We must have had a thousand of those alone.
– If you blog a lot, talk about your life, sometimes a targeted hack can guess a password that way. “I had a childhood home in Cherry Creek,” and your password is cherrycr33k… easy to figure out. That’s why they also tell you not to use pet names.
– This is important: PEOPLE CAN FIND OUT YOUR MOTHER’S MAIDEN NAME ON GENEALOGY SITES. Or from a Picasa picture of your maternal grandmother’s gravestone. This is important for bank “failsafe” info to reset a password, which uses this by default. So… be careful out there. No one is saying you have to use your REAL mother’s maiden name. One of my friends says “Spiderman,” for instance (and he’s not a comic book fan, so that makes it even harder to crack).
What do you think about awlg.org? -> Associative Word List Generator
This, to me, has always been the greatest hurdle to implementing secure passwords — the sites themselves limiting my choices to only certain characters, certain lengths, etc.
I haven’t seen 4 character passwords, but I have seen sites that prevent you from entering longer than 7 or 8 characters, and prohibit numerics and symbols. Just insane to limit people to weak passwords.
Any kind of limitation significantly shrinks the pool of passwords that the hacker needs to search and makes the site inherently less secure.
I think one of the best bits of advice I read is to get away from thinking of it as a pass-word and come up with pass-phrases.
Dude,
Why not just ask the cops to stay home… Crackers get in because people and software companies are lazy. If it was required that software could not go out the door unless it was bullet proof, things would be a lot better today… If Microsoft were held accountable for all the crap Windows lets by (I am talking prison time for the CEO and Board) you bet you would have one rock solid OS… But now we just blame the Crackers.
BTW perhaps you should grow up and stop using the word Hacker. A hacker is one who creates things.. Crackers are the cyber thieves.
Of course, a keylogger can even defeat a super strong password.
Not a bad argument for stronger passwords, but still does not justify the ridiculous algorithms and silly software people invent to protect their most puny assets all the way to their most important ones.
It’s pretty simple to evaluate each site on their security and use a simple password on the ones that lock out accounts or use other measures to defeat outside brute force attacks. All the other ones can use a second simple password since they cannot have any possible value worth protecting (if they do, then people should not be using them).
There’s a million ways a site can give away your password, NO MATTER HOW STRONG WE MADE IT. Get this, if they send someone clear text who guesses your mother’s maiden name, then it DOESN’T MATTER HOW STRONG WE MADE IT. If the bad guy installed a keystroke sniffer or the connection is cleartext or, or, or, or then IT DOESN’T MATTER HOW STRONG WE MADE THE PASSWORD.
Bottom line is that poor security means IT DOESN’T MATTER HOW STRONG WE MADE OUR PASSWORD because brute force attacks are relatively easy to defeat and only a fraction of the possible ways that a password can be obtained in cleartext with all of its fancy extra characters determined by clever algorithms or local software (especially if that software is poorly written, i.e. deterministic).
OK, thanks for harassing us to use better passwords. Now, could you start harassing those websites (like united.com) that don’t let you use special characters when you enter a password!
Was the “All Characters” calculation based on the keys on a standard US keyboard?
I ask because there are other options than just an @ or * (I know there are many more on a keyboard). Just as an example, hold ALT and press the following combination 1 –> 4. Release the ALT key and you will get ♫. 1 –> 5 will give you ☼.
And yes, I just used a dingbat (couldn’t resist).
Ultimate Cool Characters
Alt Codes
I recommend KeePass (for Windows) or KeePassX for Mac and Linux. They are free, encrypted, authentication organizers that share a common database file. One file can contain all the myriad passwords for all your needs in one easy to use location. You can keep the data on a USB stick or DropBox. Then you just need to remember one password to benefit from using long, randomly generated passwords.
Use the Google to locate the two project websites.
These programs are regularly maintained and widely used. DropBox is also encrypted, so there is one more layer of protection.
A great reminder to us all, thanks John. Not sure if I spotted it in any of the comments but I use 1Password on my macs as a password generator and safe storage of all private data, including passwords for websites. It’s a cracking, (pun intended), bit of software that’s easy-peasy to use. There, that’s my tuppence worth! ;-)
The problem with wanting to include special characters is that MANY, if not Most sites will Not allow special characters in passwords! Some still won’t even let you include the simple dot (.) !
And others won’t let you use long passwords but smack you with a limit of 6-7-8 characters. I’ve seen some who only allow 4 characters! Really bad!
On another note: How safe are smartphones, iPhones, etc. in this regard?
I used to use a normal 8 character password for most things. However, I’ve since come up with a fairly useful scheme for creating long passwords that include numbers, letters, and punctuation. Essentially, it works like this:
[basicpassword]![url].[extension]
So, let’s say be old password was:
4995hype
It’s not, but let’s say it was. To create a password specifically for this site, onemansblog.com, I’d use this password:
4995hype!onemansblog.com
At 24 characters, it will take a long time to brute force. It includes letters, numbers, and ‘.’ and ‘!’.
Just simply adding a number by algorithm with a random number to the start and end is a good idea either way. Thank you.
All I can say now is: Thank you One Man! 8^)
This method should work, so long as the prefix and suffix are sufficiently random. You will be far more secure than anyone around you, so you should be fine. ;-)
John P.
Oh, and in the second point, I assume that the hacker hasn’t deciphered any of the passwords previously. If he knew a couple of passwords, obviously he could deduce the formula and then break the rest, but that’s not what I’m talking about.
Hi, great, great post, you’ve convinced me and now I’m on a mission to protect my data… but I have a couple of noobie questions (I’m sorry for asking, but I think that they’re interesting):
1- If I use a common word (a name or a noun) inside a complex set of characters, would that word be a weak spot? I’m talking about something like:
“lh956J#´q{MOMMY}ouKlm78”
I know I could simply avoid putting mommy in there… but, even when I’m trying to come up with a nonexistent word, I google it and it’s always a real word in the dictionary of some obscure language! XD. (Well, not always, but now I’m just curious about the issue).
2- Let’s say that I use a rule to generate unique passwords for each web or service I register in, with a formula like:
[string A]+[vowels of the web’s name]+[string B]
being the strings ALWAYS the same for EVERY pass I use.
Could a hacker (the evil type, not the “ethical” kind) compare a bunch of passwords and figure out the similarities? I mean: would it be any different if the passwords didn’t have any common fragments?
Maybe both questions are about the same issue, let me rephrase: do the “fragments” of the pass have to be “secure” or do the hackers only see the pass as a whole?. I hope I’m making sense.
Thank you so very much for reading this.
Wow that opens my eyes to lot of my stuff that is pass word protected. thanks for the heads up!!!
It is very easy to get complacent about things like this. I never really thought about people hacking passwords on low security web sites that give you unlimited attempts and then using that to make attempts on information sensitive sites. I just downloaded Roboform from your link. I have so many different password combinations that this will help me keep them in check better and obviously make for much better security. Thanks John!
Brian
I recently changed all of my passwords using a random hexadecimal number generator. I think this is probably the most secure password you can get – but impossible to remember them all!
There are some good pointers here.
Maybe you are trying to use fear to scare people into changing habits, but realistically brute force won’t work on a web site. Even if they didn’t lock an account after a few tries (which they usually do), it still takes seconds per attempt, so that table is a little inaccurate.
I think maybe the point is that hackers could be doing an attack on many sites for many different users in parallel hoping that *one* works. But then you just have to make sure your password is not a dictionary word.
Also, I’ll throw my suggestion out there. supergenpass.com is a pretty good tool for internet passwords. It is a browser bookmarklet that generates you a password for a site using a digest that includes the domain name and a master password. Then you get a very strong unique password for every site and you only have to remember one good one. Plus you don’t need to install anything so its good for libraries, etc.
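Several comments above propose deriving one password per site from a single master secret: by concatenation ([basicpassword]![url].[extension]), by a fixed formula built around the site’s name, or by a digest of the domain and a master password as the bookmarklet just mentioned does. The Python below is an added example, not SuperGenPass’s algorithm nor code from any product named on this page. It shows the concatenation scheme next to a keyed-hash derivation (HMAC-SHA256 over the domain, keyed with the master secret): both give a different password per site, but a single leaked concatenated password hands over the master secret and therefore every other site, whereas a leaked derived password does not. The master secret, domains, output alphabet and length are made up for the example.

```python
"""Per-site passwords: concatenation versus keyed-hash derivation.

Added example, not the code of SuperGenPass or of any product named on the
page. The master secret, domains, output alphabet and length are made up.
"""
import hashlib
import hmac
import string

# Symbols the derived password is drawn from (70 in total, an assumed set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def naive_site_password(master: str, domain: str) -> str:
    """The concatenation scheme from the comments: master, '!', then the domain.
    Unique per site, but the master sits in plain view inside every result."""
    return f"{master}!{domain}"


def derived_site_password(master: str, domain: str, length: int = 20) -> str:
    """HMAC-SHA256 of the lower-cased domain, keyed with the master secret,
    mapped onto ALPHABET. The same master and domain always give the same
    password; a different domain (or master) changes every symbol; and
    recovering the master from an output would mean breaking HMAC."""
    digest = hmac.new(master.encode("utf-8"), domain.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    # Treat the 256-bit digest as one integer and write it out in base 70.
    # 20 symbols consume about 123 bits, far below 256, so the selection bias
    # from the conversion is negligible for this illustration.
    n = int.from_bytes(digest, "big")
    symbols = []
    for _ in range(length):
        n, index = divmod(n, len(ALPHABET))
        symbols.append(ALPHABET[index])
    return "".join(symbols)


def master_is_exposed(master: str, site_password: str) -> bool:
    """True if whoever holds this site's password can read the master out of it."""
    return master in site_password


if __name__ == "__main__":
    MASTER = "4995hype"  # the commenter's made-up "old password"
    for site in ("onemansblog.com", "example.net"):
        print(site)
        print("  concatenated:", naive_site_password(MASTER, site))
        print("  derived:     ", derived_site_password(MASTER, site))
```

The derivation is deterministic, so nothing needs to be stored, which is the property the concatenation scheme was after; what it adds is that the site operator (or anyone who reads that site’s password in cleartext, as two other comments describe) learns nothing about the master. Two practical caveats remain: a site that forbids symbols or caps the length needs a per-site rule, which is where a password manager’s stored, random passwords are simpler; and the master secret still has to be strong, since it is the one thing every derived password depends on.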
I’m one of the ones you mentioned that are learning the hard way. I got lazy and they hacked my facebook and then thru my facebook, hacked my hotmail.com account. I won’t be a slacker any more about passwords. I loved the article. It’s a scary world out there…
Dave
Great article. Just by adding a random number to the end of an easily remembered password isn’t a good idea either. If you run a search in your favourite search engine, you can find a lot of sites that generate passwords.
Lastpass.com GREAT tool. I recently began to be aware of what you are talking about and changed from using the same somewhat complex password on all sites to a different one via lastpass for each site. I’m also working on changing my default settings from Att to Nonbroadcasted SSID, MAC FILTERING, and WPA2. I’m starting to realize even if it happens once in my life, it will be one to many. Accessing my gmail would be the worst! Privacy online is something to be serious about!
By the way, my password is 43 characters long and generated.
Or more simply, use a password generator. It’ll save a lot of time in the end when you figure out you’ve been hacked.
Your information is very beneficial. As I’m a blind person and have a keen interest in computer technology, I also would like you to write something on accessibility. Anyway, I appreciate your great contribution to making people conscious in the computer-security regard.
Thank you, really appreciated this info, this is a topic of my final year project and you have provided me with lots of info.
Thanks again
Well, I know what I am going to do…..go for the 14 character password….only thing now is, what the heck is it going to be?
Good post by the way.
John P., not to be a buzzkill but what you described is a “best case scenario” for hackers. That table you gave with times, where do all those numbers come from? It seems like what would happen if someone had an absolute control over your computer, which in real life is hardly the case. If any hacker attack comes via the Internet most web sites have a built in time delay to prevent such brute attack and thus your timing will greatly increase. So keep that in mind…
I love the examples of passwords though — that’s hilarious. My favorite story though is when I convinced my coworker to create a “good” password for our customer database at work and then she wrote it down on a piece of paper and put it into a desk drawer right next to it… LOL
I think I’m going to change my passwords right now.
@Karen
Its like telling a burglar that the best way into a house is breaking a window. They already know.
Well, the table is really very nice. But, don’t you think this kind of information shall also benefit the hackers?
The better and more innovative your hackers are, the wealthier and safer your community will be…
hey, thanks a lot for the article and the recommendations. Helped my mum and dad a lot. Just showing my appreciation here. *grins*
blotto box..nuff said.
DEAR HACKERS:
Aren’t you sick of being $laves to this destructive system? Please do us all a big favor and do your best to destroy Civilization.
If you want to know why: Read Endgame by Derrick Jensen.
I have data stored on a Lexar Jumpdrive Secure and I forgot my password. I can’t even reformat the drive because it says I need to log in to the secure before I can do it. How can I hack or retrieve my password. I have a hint on it but it seems to be wrong. I’m so frustrated. HELP
LOL, many of the guesses are almost spot on.
This is pretty cool! I always enjoy your posts! This will give me something WAY cool to tell my friends about each day at school! Thank you so much for all of these little “gifts”! Haha thanks :)
Using brute force is old style. Today exploits are the top thing. Of course, if you know how to write one :)
sorry about that first link i mess up here you go
http://www.youtube.com/watch?v=jCkCWxv3kUE&feature=related
normal i dont mind spammers but this one is evil i mean evil how do i
know they are the NEW World Order what is so bad about them, they
wont to shutdown the internet ,one of members that want this done
is US Senator jay rockefeller http://www.youtube.com /watch?v=Ct9xzXUQLuY also look up eugenics scary stuff heres
some good info on this http://www.youtube.com/watch?v=TPOCKf1zUHo
hi guys i need some help with this one guy that keeps spamming this
one site called .infowars. blog and i wonder if you guys could do me
a favor by shutting down this site if you can http://www.alientrend.com/
I have a HUGE problem. I usually chose different passwords for different websites and always make sure to put in at least one digit in. But recently I can’t get into my yahoo account (the password had 14 letters – one capital letter – and 2 digits)-and I’m guessing somebody broke into it, changed my password and the answer to the secret question. So I keep blocking it everyday by trying to log in several times-so that the person who did this will be unable to log in and read my private data. When scanning my computer with AVG I found yeldmanager in the cookie folder as a threat-was that used to hack my mail?
So the question is – is there any way I can permanently block that account, find the person who did this, or retrieve/change my password? I wrote to Yahoo, but I received no reply yet and I’m quite desperate about this.
Looking forward to your reply.
This is so sad! So sad that I know people are using these passwords everyday. I know I am guilty of using these at work, quick access. But i would never dream of having any of those at home.
Wow, how i needed to read this before. My personal blog got hacked hard this last month, and they did a real job on me. Deleted past post, changed links, heck who knows what else. I am dreading the decision to completely wiping out this current install and all other files on my account and start over. Just because i have no way of knowing if there is unwanted code hidden somewhere. I have had this blog for years and had hundreds of post on it. Now with hackers, spammers, and the whole hype on this stage in the Internet’s growth its a total war out there. Instead being able to focus on quality content now you need to worry about all the other BS. Thx John for being so insightful, your blog will forever be in my daily reads. thx/lew
This is one of the best posts on Passwords that I have read. Thank you for the time you took to bring together this great information.
Gordon
If they want in they will get in. What is the value in caps, etc. Choose a solid pass, but don’t be too confident. Caps, special characters, length, done deal! Just do it. Andrew’s revelation is probably not the best being that it defeats the purpose of 12 characters. Mine is 13. LOL
All you need is determination; there is no protection against it. The human mind is inherently sloppy and vulnerable.
Oh yeah and one more thing that cuts it down even more you said numbers and letters… So if you don’t have any special characters then that cuts it down even further O_o just givin you a heads up that you don’t put that kind of information out on the web.
Oh thankyou Andrew Croft now I know exactly how long your password is (your a genius). Now I can skip about 5,062,982,072,492,057,196,544 different combinations while I hack your computer, and destroy your life.
well he probably went into your boot sec i believe then he checked out your security logs. My friend did this to me once, but he wouldn’t show me how I just got to see certain parts of the process. He wouldn’t show me the command prompt paths that he followed. More than likely your fiance is a C++ professional so you can look into that, but the books on that are huge.
I am not bragging or anything but my password is 12 characters long, and contains numbers and letters. Nobody will be cracking mine anytime soon. One tip though: if you use shared computers and Firefox, always remove the private data after. I have come across a few people’s passwords by mistake when they haven’t cleared the data. Yes it is that easy!
Hi, thanks for sharing these useful tips. Actually people are still using weak passwords and falling prey to hackers.
Hackers…
On the note of hacking…why not become a vigilante like in the movies…ultraviolet or batman…and have some fun. You can totally DOS the illegitimate spammers/scammers like wholesaledrugspass.com or onlinepillspro.com company websites…and trash their revenue flow. If you are a hacker just learning, enjoy learning on their systems. They spammers think they are smarter than the world…a good opportunity to f$%k-up a parasite. Its like casual gaming for hackers…
If you are really really good at hacking, find the source, get their info, distribute, hack into the spamming databases and add them, etc…crush the peawods. Or, write a bot, that finds any site advertising with their fake contact numbers (1(210) 888-9089) and brutalize them. Of course to do it right it would need to avoid blogs discussing spammers/scammers.Sooo many options. ;)
There is a time for vigilantes. It looks like hackers are the only ones with the opportunity to be a vigilante.
Below are just a few, likely easy, spammers to take out. Most of them are probably on the same severfarm…take em out with a DOs and you take them all out.
And, when you are done taking them out…sent a notice to news sites and blogs and others about your terror on spammers…would make a great read for many.
****Love you Hackers!*****
SPAMMERS
wholesaledrugspass.com
onlinepillspro.com
amazing-drugs.com
pharmascop.com
ithecanadianmeds.com
supermedswell.com
http://www.spamhaus.org/statistics/spammers.lasso
On what page can I find out how long it would take a hacker to decode my password?
You seem pretty confident in your abilities here… Bet ya couldn’t get through the one password (or two, I guess) that I need…
I think you need to ditch your fiance and move on, if you have these kind of security issues!
The only problem with the whole make sure you use capital letters part is that a lot of websites now are making passwords “non-case sensitive,” for people too stupid to remember if they made their password capital or not, or if they are retarded and accidentally hit caps lock.
Wow, that’s pretty scary! Luckily most sites you register to have minimum standards for passwords with a combo of upper and lowercase, so I’d hope it would be harder than you have said. But still, scary :O
My fiancé hacked my passwords years ago by somehow searching through data on the computer I entered my passwords on; I’m pretty certain he didn’t use key logging programs. My question is, how can I do the same – find out his email password by simply having access to his computer? I do not want to break into his email, hence I will have to reset the password, a huge red flag. I want to gain his password unnoticed and don’t want to use a key logger because I doubt I could download one without him knowing; he’s very computer savvy. Thank you, any help would be appreciated!
That time count doesn’t work if you send a trojan into a highly visited web portal that installs itself for every user who visits. Then it uses brute force, so 1 000 000 000 or even more computers are used to hack one password. My password has 10 chars (all symbols) in it and I think it is big enough, but it will take just 2000*1000*365*24/1 000 000 000 = 17,72 hours. All I wanna say: you cannot protect yourself from professionals.
http://www.istartedsomething.com/20070827/i-work-for-you-youre-paranoid/ Perhaps the biggest security threat?
That’s a great find, Amit; hope John will set it soon.
We have to Create Strong Passwords.
You can know anyone’s password, if you do smart work. Just install Windows Keylogger Software.
I’m guessing you have never done a brute force attack?
If the password has numbers and letters in it, it will take a LOT longer to crack using a brute force attack.
If a hacker is using a leet dictionary with rainbow tables or whatever, it will still take a hell of a lot longer to crack a password that has numbers, capital letters and special characters in it.
You recommend people use a completely random password, which is great, but it should be made clear that this 20-character password (or however long you make it; it’s completely pointless having a pw over 14 chars if your LM hashes are available) should be used for 1 thing and 1 thing only. Creating a long, completely random password for every login is impractical.
I recommend using a sentence or a phrase that will be easily memorable. For example, a password for a banking site might be: OMG 1 wi5h i h4d mor3 PeNNies. This password would be secure and just as easy to remember as a single word.
I have the same password today, as was random generated for my login to Windows 2000 Server beta when I worked for Microsoft.
9 chars, 3 numbers, 2 alt. Random, no sequence.
Try cracking :-)
Wow, that’s making me paranoid. I am about to go change my password now.
The key is having spread. Using different emails for different sites, using different passwords and usernames, etc. This way you’re protected from crackers (brute force, script kiddies, etc.) and phishers (they won’t know your bank username if you haven’t typed it into fakesite.com). The other, likely more important, thing to remember is software security: anti-virus, phishing, spyware, adware, etc. Lastly… don’t tell anyone your password, especially not over the net (you never know who’s grabbing your packets).
At the end of the day; nothing beats random.
Using “rules” like 13375p34k allows for looking for words written by those rules, and TADAA: if you have used such a word it’s found waaaaaaay faster than a random string of the same length.
Now I have to be more careful with my passwords … :)
Thanks for that. I do have a good password, but you’ve made me realise that adding one symbol can make it even more difficult.
Best Regards
Rob
I just use random upper, lower, number, and special character combinations 16 characters in length for everything, and I change it every month or so, and I then have like 12 different passwords which I remember all of. And I change the password to my email and other important accounts with it, but leave stupid accounts the same as what my current password was when I created it.
Long and strong passwords are easy. Just use a simple thing, but enter it using a pattern.
For instance, phone number. Say my phone number is 713 555 0923
Just enter it twice, but use a pattern. Hit every key below the number (e.g. 6y, 5t, 4r, 3e) and do it twice: one time normal, the other time holding the Shift key.
My phone number then becomes this password:
7u1q3e5t5t5t0p9o2w3e&U!Q#E%T%T%T)P(O@W#E
Upper Case, Lower Case, Digits, and Special Characters. Plus it is 40 characters long.
Easy to remember, and I can type it in easy.
There are lots of other patterns you can use, but this is an easy one. Maybe use your birthday instead of a phone number (19720923).
Birthday becomes 1q9o7u2w0p9o2w3e!Q(O&U@W)P(O@W#E
The nice thing is that you can write down the passwords without compromising security.
Bank Password = Birthday
G-Mail Password = Anniversary
Amazon Password = Mom’s Phone Number
At work we have to change passwords every so often… I just use date of the first of the month and then change it every month.
This month (Jan 2009) my work password is
2w0p0p9o0p1q0p1q@W)P)P(O)P!Q)P!Q
I have trouble while trying to change my very long (38 characters) Master Password in the usual fashion. It is all valid, and allows me full access when I enter it when asked for (the initial opening contains the full 38 dots). But when I try to change it to something else by going to Options/change password (and that opening displays only 31 dots, hiding it), then I am informed that my old pass is invalid and the result is void. Should I revoke it by “brute force” with all my accounts?
This is really interesting. It makes me feel unsafe with all of my passwords, and if I were to make a more complicated password myself then I may not remember it. This is really saying that the longer you make your passwords the harder it is to hack them, and the more different types of characters that you use will just make it even harder.
When I sign up on forums just to make 1~2 posts I usually use the “asdasd” pwd.
I don’t think brute force cracking is the main threat these days. In fact, I would bet that practically no one ever uses that technique to crack passwords over the internet. Brute force password cracking is done locally to get into password-encrypted files or volumes on the same computer that is running the cracking program.
Long, complex passwords will protect you from rainbow table cracking but that is only relevant if the attacker can get hold of your hashed password. (The Sysadmin at your work can find out your hashed password but normal users can’t.) Rainbow tables are pretty cool but they are not generally a practical attack technique.
Most passwords are compromised these days through phishing and keyloggers. It doesn’t matter how long or complex your password is if you type it into the wrong website or get infected with a keylogging virus.
What is much more important is that you don’t use the same password for sites that require different levels of security, i.e. your MySpace/Facebook password should be different from your banking password. This is the important bit. You should also treat your email password as the same security level as the highest site that sends password reset requests to it.
Several of my sites got hacked via cPanel because I was using a keyboard pattern password, which I suppose was not all that difficult; however the usernames were all different, so who knows.
Now I use a generator where possible, so it will look like: 1a8akg3. Still, maybe we should switch to md5 hash passwords: not the word but the 15+ character encrypted string :-)
What some of our banks are doing now for internet banking is a 3 field login:
1. username
2. numeric password
3. character based password
-Mark
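A generator of the kind mentioned above, as an added example that is not part of the original post or any comment: it draws from the standard library’s `secrets` CSPRNG, keeps the distribution uniform over all strings that satisfy a site’s character-class policy (the “upper and lowercase” minimum standards other commenters mention), and reports the entropy of the result beside that of a short alphanumeric string like 1a8akg3. The symbol set, class names and function names are constructed for this example.

```python
"""Random password generation with character-class requirements.

Added example, not code from the original post or any commenter. It uses the
standard library's `secrets` module (a CSPRNG) and a constructed symbol set;
adjust SYMBOLS to whatever a given site actually accepts.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # constructed subset of printable symbols
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def has_all_classes(password: str, required=DEFAULT_CLASSES) -> bool:
    """True if at least one character from every required class is present."""
    return all(any(ch in CLASSES[name] for ch in password) for name in required)


def generate_password(length: int = 16, required=DEFAULT_CLASSES) -> str:
    """Uniformly random password over the union of the required classes.

    Rejection sampling (draw, then check the policy) keeps the distribution
    uniform over all policy-compliant strings. Forcing one character of each
    class into fixed positions would skew it and shrink the keyspace.
    """
    if length < len(required):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, required):
            return candidate


def entropy_bits(length: int, required=DEFAULT_CLASSES) -> float:
    """Upper bound on entropy, log2(alphabet_size ** length).

    Rejection discards only a negligible fraction of 16-character strings, so
    for the default policy this bound is tight.
    """
    alphabet_size = sum(len(CLASSES[name]) for name in required)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"{pw}  ({entropy_bits(16):.1f} bits)")
    # For comparison: a 7-character string drawn from a-z and 0-9, like 1a8akg3.
    print(f"7 chars, a-z0-9: {entropy_bits(7, ('lower', 'digit')):.1f} bits")
```

The 16-character default comes out above 100 bits, while a 7-character lowercase-plus-digit string is about 36 bits; the difference is entirely length and alphabet size, not any cleverness in the characters chosen.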
What about webmasters reading the passwords people use while signing up on their websites? …
Usually it’s good to develop a pattern
and then keep your mouth shut once you have made something up. Let’s suppose yunky12 is your password: you add “e23” on .com domains, and domain names shorter than 5 characters get 2 alphanumerics “i1” and longer than 5 get 3 “p0@”, so in this example the password for onemansblog will be “yunky12e23p0@”. Looks weird, but getting used to it makes things look geeky ;)
Thanks
I also use the method of adding onto my password as time passes, that way it changes as well as grows over time.
Actually, adding case-sensitivity (far) more than doubles the potential complexity of the password. A short (6-character) password with all lower-case would be 26^6 possibilities. Adding case-sensitivity and the rest of the capital letters to the possible choices in your permutation (password) will make this 52^6 possibilities.
So:
non case-sensitive = 308,915,776 possible passwords
case sensitive = 19,770,609,664 possible passwords
Assuming that the characters chosen are random, the mixed-case password is going to be about 64 times as complex (for a 6 character password). As password length increases, so does the difference in complexity of the mixed-case password. When you get to a password length of 10 characters, a mixed-case password is about 1,000 times more complex than a single-case password of the same length. Assuming that the characters are chosen at random, a single-case password that would have taken a single day to brute-force will take almost 3 years as mixed case on the same hardware.
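The keyspace arithmetic in this comment, and the pattern-expanded passwords proposed a few comments up (a phone number or birthday typed through a keyboard pattern, or a base word with per-domain suffixes), worked through in Python as an added example that is not part of the original post or any comment. It assumes uniformly random characters and a constructed guess rate, and it goes one step beyond the comment: a password derived from a secret by a fixed rule can have no more candidates than the secret itself, however long the expanded string is, so its effective keyspace is bounded by the secret, not by the string length.

```python
"""Keyspace arithmetic for brute-force resistance.

Added example, not code from the original post or any commenter. It assumes a
fixed guess rate and that every character is chosen uniformly at random, the
same assumption the mixed-case argument above makes. GUESSES_PER_SECOND is a
constructed figure for illustration, not a measurement of any cracker.
"""
import math

LOWER_ONLY = 26                  # a-z
MIXED_CASE = 52                  # a-z plus A-Z
PRINTABLE = 95                   # printable ASCII; assumed to be what a site accepts
GUESSES_PER_SECOND = 1_000_000   # constructed rate


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Bits of entropy when every candidate is equally likely."""
    return math.log2(candidates)


def mixed_case_gain(length: int) -> int:
    """Factor by which mixed case enlarges the keyspace: (52/26)**length == 2**length."""
    return keyspace(MIXED_CASE, length) // keyspace(LOWER_ONLY, length)


def exhaustive_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return keyspace(alphabet_size, length) / rate


def mixed_case_days(single_case_days: float, length: int) -> float:
    """Rescale a single-case crack time to mixed case on the same hardware."""
    return single_case_days * mixed_case_gain(length)


def effective_keyspace(secret_candidates: int, alphabet_size: int, length: int) -> int:
    """Keyspace of a password that is a deterministic function of a secret.

    Expanding a phone number or a date through a keyboard pattern makes the
    string longer but not less guessable: an attacker who knows the pattern
    only has to try the underlying secrets, so the real keyspace is the
    smaller of the secret space and the nominal string space.
    """
    return min(secret_candidates, keyspace(alphabet_size, length))


def compare_pattern_password(secret_candidates: int, expanded_length: int) -> dict:
    """Nominal versus effective strength of a pattern-expanded password."""
    nominal = keyspace(PRINTABLE, expanded_length)
    effective = effective_keyspace(secret_candidates, PRINTABLE, expanded_length)
    return {
        "nominal_bits": entropy_bits(nominal),
        "effective_bits": entropy_bits(effective),
        "effective_candidates": effective,
    }


if __name__ == "__main__":
    # The 6-character figures from the comment above.
    print(f"26^6 = {keyspace(LOWER_ONLY, 6):,}")
    print(f"52^6 = {keyspace(MIXED_CASE, 6):,}  (x{mixed_case_gain(6)})")
    print(f"10 chars: mixed case is x{mixed_case_gain(10)}; "
          f"1 day becomes {mixed_case_days(1, 10) / 365.25:.1f} years")
    # A 10-digit phone number expanded to 40 characters (constructed figures).
    phone = compare_pattern_password(10 ** 10, 40)
    print(f"40-char pattern password: nominal {phone['nominal_bits']:.0f} bits, "
          f"effective {phone['effective_bits']:.1f} bits")
    # A date of birth: roughly 100 years of days, expanded to 32 characters.
    dob = compare_pattern_password(100 * 366, 32)
    print(f"32-char date password: effective {dob['effective_bits']:.1f} bits")
```

The 6-character and 10-character figures reproduce the comment (64x and 1024x, so one day becomes about 2.8 years), while the pattern cases show the other side of the coin: a 40-character string built from a 10-digit number looks like 260-odd bits but offers about 33 bits to anyone who knows the rule, and a date-based one about 15.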
This is called a guess attack :).
And much better than brute force and other stuff..
Wow, I do use “letmein” but only for things that don’t matter! And here I was thinking I was so clever…
A pwd that only takes 210 years might take 3 seconds by some new method you haven’t heard about. Always opt for the maximum security
Woo! My basic password would take 210 years! Awesome! And my “Really Important Stuff” password would take 180,365 millennia. Although I really should start alternating passwords again – I used to, but lately I haven’t.
Hmm, something nice… delete this picture immediately, because I will report you to the police.