That's some password security, man!

HCHTech

Took over a client recently from a larger MSP in our area. In their data dump, there were a ton of insane passwords, over 100 characters. The main M365 admin password was (now changed, of course):

Rbt2bRjgEtHNgk9m!2.4dk7QJDT46d9_9FmcCFNLr@yjGRNGDRsEMFeCc.kt.kXP3x4oc.sYV9qRRu2VL-6DxrHGNh_po@LR!m9o=

I mean, if your only access is from a computer that you can copy & paste from your documentation system, why not, I guess, but my only wish for them is that they have to, on occasion, type those monsters in by hand!

Is this level of nonsense normal on any plane? Really?
 
Hive Systems release an updated graphic annually based on the best available consumer hardware at the time.

Considering your example password meets criteria of the right-hand column... you hit the nail on the head with "nonsense"

Things like AWS, Azure and ChatGPT are possible game changers though. In theory anyone can hire something with the equivalent processing power of 100's or even thousands of RTX 4090's. Would have to be a very, very juicy target for it to be worthwhile though. Nobody's doing this to obtain a small business's Office365 login.


[Attachment: Hive Systems Password Table - 2024 Rectangular.png]
 
According to this chart, my p/w would take 164 million years to break? One would think scripts would be developed to run through each character of a password simultaneously and break it down within minutes.
 
According to this chart, my p/w would take 164 million years to break?

Not a surprise, every additional character adds significantly greater difficulty, and each character class required adds even more.

It takes an awfully long time to brute force try every permutation of 12 characters each of which could be an uppercase letter, lowercase letter, digit, or special character. And depending on what qualifies as the range of special characters, it gets even more complicated.

While I've put MFA on anything "important" I have never, to my knowledge, had a password hacked, and that was long before I started combining UC/LC/Digit/Special in all of them. Length alone, even if all characters, goes a very long way toward making a password "unguessable" if you don't use either a single dictionary word or a phrase that's very easy to guess.

I challenge anyone to guess something like 1951SouthLakesTN! in any reasonable period of time with existing technology. It's people who use passwords like 1234567 or their birth dates or anything else that can be easily researched in relation to them, with no other qualifiers, who are easy to hack. I've been teaching
for years now. My entire world of passwords has slowly been converted to portmanteaus since I decided that was the way to go.
 
Not a surprise, every additional character adds significantly greater difficulty, and each character class required adds even more.

It takes an awfully long time to brute force try every permutation of 12 characters each of which could be an uppercase letter, lowercase letter, digit, or special character. And depending on what qualifies as the range of special characters, it gets even more complicated.

While I've put MFA on anything "important" I have never, to my knowledge, had a password hacked, and that was long before I started combining UC/LC/Digit/Special in all of them. Length alone, even if all characters, goes a very long way toward making a password "unguessable" if you don't use either a single dictionary word or a phrase that's very easy to guess.

I challenge anyone to guess something like 1951SouthLakesTN! in any reasonable period of time with existing technology. It's people who use passwords like 1234567 or their birth dates or anything else that can be easily researched in relation to them, with no other qualifiers, who are easy to hack. I've been teaching
for years now. My entire world of passwords has slowly been converted to portmanteaus since I decided that was the way to go.
Thankfully, none of mine have ever been hacked either.
 
One would think scripts would be developed to run through each character of a password simultaneously and break it down within minutes.

They do exist. That is quite literally how you brute force a password hash by iterating through every possible combination until a matching hash is found.

However, a 9 character password with uppercase, lowercase, numbers and symbols has 572,994,802,228,616,704 possible combinations.
Increase to 12 characters and it's 475,920,314,814,253,376,475,136

Fancy script or not, it's taking a LONG time to try all those combinations.
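As an added worked example (written for this thread, not code posted by any participant), the calculator below reproduces the two combination counts quoted above, using the 94-character printable ASCII alphabet that produces exactly those figures, and then projects worst-case search time at two guess rates. Those rates, the class sizes, and the 7776-word passphrase list are labelled assumptions for illustration; nothing here measures real hardware.

```python
"""Password keyspace and brute-force projection calculator.

Added example for this thread, not code posted by any participant. It
reproduces the combination counts quoted above for a 94-symbol printable
ASCII alphabet and projects worst-case search time at guess rates that are
labelled assumptions, not measurements of any specific hardware or table.
"""
import math

# Character classes the way a password policy counts them. 26+26+10+32 = 94
# printable ASCII characters excluding space, which is the alphabet that
# yields the post's figures (94**9 and 94**12).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")

# Assumed offline guess rates (guesses per second). Constructed round numbers
# for illustration only; the real rate depends on the hash algorithm, its
# work factor, and the hardware. The six orders of magnitude between them are
# the point: the scheme the site used matters more than the GPU generation.
ASSUMED_RATES = {
    "fast unsalted hash (MD5-class)": 1e11,
    "slow adaptive hash (bcrypt-class)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, classes=ALL_CLASSES):
    """Number of strings of exactly `length` characters over the chosen classes."""
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length


def passphrase_keyspace(words, dictionary_size):
    """Number of passphrases of `words` words drawn uniformly from a wordlist."""
    return dictionary_size ** words


def entropy_bits(space):
    """Entropy of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def seconds_to_exhaust(space, rate):
    """Worst case: every candidate tried at `rate` guesses per second."""
    return space / rate


def humanize(seconds):
    """Render a duration on a scale a reader can compare at a glance."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.3g} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.3g} days"
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years:.3g} years"


def projection_table(lengths=(8, 9, 12, 19, 30), rates=ASSUMED_RATES):
    """Worst-case exhaustion time per password length under each assumed rate."""
    return {
        n: {label: humanize(seconds_to_exhaust(keyspace(n), rate))
            for label, rate in rates.items()}
        for n in lengths
    }


if __name__ == "__main__":
    print(f"9 chars  / 94 symbols: {keyspace(9):,} candidates")
    print(f"12 chars / 94 symbols: {keyspace(12):,} candidates")
    # Constructed comparison: random characters vs. a diceware-style wordlist of 7776 words.
    print(f"12 random chars: {entropy_bits(keyspace(12)):.1f} bits; "
          f"4 words from a 7776-word list: {entropy_bits(passphrase_keyspace(4, 7776)):.1f} bits; "
          f"6 words: {entropy_bits(passphrase_keyspace(6, 7776)):.1f} bits")
    for n, row in projection_table().items():
        print(f"length {n:>2}: " + " | ".join(f"{k}: {v}" for k, v in row.items()))
```

Run it and the two lengths the post quotes come out to the same 18- and 24-digit figures; the table also makes the later point about bcrypt versus MD5 visible, since the same 12-character keyspace moves from "years" at the fast assumed rate to far beyond that at the slow one.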
 
Is this level of nonsense normal on any plane? Really?
You know how there are plenty of people who believe that 2 AVs are better than 1? These are probably the same ones who think that a 30 character password with upper, lower, symbol and numerics is perfectly normal.

I can remember when NIST changed their recommendations around 2k or so where they said that making a password with strings of words along with some l33t stuff is more than sufficient to protect.
 
Is this level of nonsense normal on any plane? Really?
Not for your average consumer but I make my passwords as long and complicated as possible. If a website says the password needs to be between 8-60 characters, you bet your ass I'm making a 60 character password. I use a password manager so why not? When LastPass was breached the only thing that protected me was that my master password was a passphrase that was over 240 characters long. That thing isn't going to be brute-forceable anytime soon. By the time it is those accounts will be long dead so it won't matter.
 
That thing isn't going to be brute-forceable anytime soon.

Nor is a 12-character password of mixed characters as shown earlier.

You gain nothing of any practical use with these insanely long passwords. It's fine if you want to use them, but don't kid yourself that after a point they make even a scintilla of difference, because they don't.

Risk assessment is about accuracy in assessment.
 
Nor is a 12-character password of mixed characters as shown earlier.
I've learned not to underestimate how fast technology moves. There's literally no downside to using a long password. I'd hate to get caught with my pants down using some weak 12 character password when quantum computing or AI or some other breakthrough happens, or even when regular computers or GPUs just get fast enough in 5 years or whatever. You don't buy a 6TB hard drive when you've got 5TB of data you need to store. Heck, you shouldn't even buy a 12TB hard drive. Spring for the 18TB. You'll fill it up before you ever thought possible.
 
Not for your average consumer but I make my passwords as long and complicated as possible. If a website says the password needs to be between 8-60 characters, you bet your ass I'm making a 60 character password. I use a password manager so why not? When LastPass was breached the only thing that protected me was that my master password was a passphrase that was over 240 characters long. That thing isn't going to be brute-forceable anytime soon. By the time it is those accounts will be long dead so it won't matter.
Same here apart from me being the "password manager."
I don't trust anyone (and I mean password managers) with my passwords.
 
I use much shorter passwords, but also mandate MFA so... good luck.

And those tables? Every time nVidia pumps out a new GPU DECADES fall off, and sometimes CENTURIES.

I've said it before... the age of the password is OVER. They will NEVER be LONG ENOUGH.
 
I've learned not to underestimate how fast technology moves. There's literally no downside to using a long password. I'd hate to get caught with my pants down using some weak 12 character password when quantum computing or AI or some other breakthrough happens, or even when regular computers or GPUs just get fast enough in 5 years or whatever. You don't buy a 6TB hard drive when you've got 5TB of data you need to store. Heck, you shouldn't even buy a 12TB hard drive. Spring for the 18TB. You'll fill it up before you ever thought possible.
I can guarantee one sure fact! My passwords will never appear on any website list of "cracked" passwords.
If that means I go to extremes that others think are inane then so be it!
 
I've learned not to underestimate how fast technology moves.

And I've learned not to overestimate how fast technology moves.

I suggest anyone look at how long it would take for a 19-character password to be brute forced with today's technology, and ask themselves, "Do I really need more?"

If quantum computing comes to pass, all of current cryptography passes with it.
 
I don't trust anyone (and I mean password managers) with my passwords.
Password managers use zero-knowledge encryption. Unless the master password that you use to protect all your passwords is 12345, you don't have anything to worry about.

My passwords will never appear on any website list of "cracked" passwords.
Those passwords come from websites themselves being compromised, not password managers. There have been instances of password managers being compromised but there's nothing for you to worry about unless you use a weak master password.

If quantum computing comes to pass, all of current cryptography passes with it.
It's not like we're going to wake up one day and all encryption will become useless. As quantum computers become more and more powerful, new cryptographic algorithms will be created to replace the ones that are close to being broken by quantum computers. I'm more concerned about the ability of powerful quantum computers being able to brute-force more and more complicated passwords. First your weak 12 character password will become brute-forceable, then your 19 character password a few weeks/months later. Then in another month a 30 character password will be useless. Having a long password gives you the luxury of time, even in the event of a technological breakthrough like quantum computing. Though it might happen faster than my example. Maybe my 60 character password will only give me a week. But I want that week.
 
I'm coming back to say take the password table with a huge pinch of salt.
It's very specifically tested on passwords hashed with 32 iterations of bcrypt. While this is largely becoming the standard it is absolutely not guaranteed.

If you look at 2023's table below, which uses the same hardware, it has wildly different results due to testing on MD5 instead.

As for quantum - NIST currently have 4x recommended "quantum secure" hashing algorithms. But again no guarantee that your website/service is actually going to use them. Adoption is far from widespread currently.

[Attachment: 1719922134006.png (2023 Hive Systems table, MD5)]
 
I'm confused. Obviously to break a password you will need to try combination after combination of letters/numbers/characters. But, I don't know of a system in use today that won't cut off the password user session after 3 or 5 bad tries. Nothing that I'm aware of will sit and let you try 93 billion times. Passwords today are stolen, not hacked.
 
I'm confused. Obviously to break a password you will need to try combination after combination of letters/numbers/characters. But, I don't know of a system in use today that won't cut off the password user session after 3 or 5 bad tries.
Passwords are generally not cracked with brute force against a web-based login, that's why.
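The two points above (the table changes wildly between MD5 and bcrypt, and login lockouts don't enter into it because cracking happens offline against a leaked hash) can be checked locally. The script below is an added example written for this thread, not code from any participant or from Hive Systems: it builds a stored verifier under four schemes using only the Python standard library (bcrypt is not in the stdlib, so scrypt and PBKDF2 stand in for the adaptive-hash class), then measures how many candidate checks per second one CPU core can do against each. The password, the salt size and the measurement window are constructed choices; the rates it prints are local CPU numbers, not GPU figures.

```python
"""Per-guess cost of password verification for fast vs slow hash schemes.

Added example for this thread, not code from any participant or from Hive
Systems. Login lockouts only govern online guessing; once a hash database
leaks, the attacker's per-guess cost is whatever the stored scheme makes it.
This measures that cost on the local CPU for four schemes using only the
standard library. Rates are local measurements, not GPU numbers.
"""
import hashlib
import hmac
import os
import time

# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
# scrypt parameters: N=2**14, r=8, p=1 uses 16 MiB per evaluation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def make_record(scheme, password, salt=b""):
    """Produce the stored verifier for `password` under `scheme`.

    MD5 here is unsalted, like the legacy databases the 2023 table models;
    every other scheme gets a random 16-byte salt unless one is supplied.
    """
    salt = salt or os.urandom(16)
    if scheme == "md5":
        digest = hashlib.md5(password).digest()
    elif scheme == "sha256":
        digest = hashlib.sha256(salt + password).digest()
    elif scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    elif scheme == "scrypt":
        digest = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "digest": digest}


def verify(record, candidate):
    """Recompute the verifier for `candidate` and compare in constant time."""
    trial = make_record(record["scheme"], candidate, record["salt"])
    return hmac.compare_digest(trial["digest"], record["digest"])


def verifications_per_second(record, candidate=b"not-the-password", min_seconds=0.25):
    """Measure how many candidate checks per second one core manages for this record."""
    count = 0
    start = time.perf_counter()
    while True:
        verify(record, candidate)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def compare_schemes(schemes=("md5", "sha256", "scrypt", "pbkdf2"), password=b"example-password"):
    """Guesses per second for each scheme, plus the slowdown relative to the fastest."""
    rates = {s: verifications_per_second(make_record(s, password)) for s in schemes}
    fastest = max(rates.values())
    return {s: {"per_second": r, "slowdown_vs_fastest": fastest / r} for s, r in rates.items()}


if __name__ == "__main__":
    for scheme, stats in compare_schemes().items():
        print(f"{scheme:>7}: {stats['per_second']:>12,.0f} guesses/s on one core "
              f"({stats['slowdown_vs_fastest']:,.0f}x slower than the fastest scheme)")
    print("A 5-attempt lockout never enters this picture: offline, the scheme is the only brake.")
```

The ratio between the MD5 line and the PBKDF2 or scrypt line is the same lever that turns the 2023 table into the 2024 one; a lockout counter on the web login changes none of these numbers, which is why the defensive controls that matter for a leaked database are the stored scheme's work factor and MFA, not the login page.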
 