The importance of strong passwords...

AnandGupta

Expert
Licensed User
Longtime User
So the length of password is more important, I see.
 

ilan

Expert
Licensed User
Longtime User
I doubt that this table is worth something. The reason is that on almost all websites there is a certain limit on the number of tries you are allowed to enter your password. After that number your account is normally locked and you need to unlock it via email, etc.

Besides, most websites today use 2-way verification like sending SMS to your phone, so this table only shows how powerful PCs are today but not how easy it is to hack your password.
 

Num3

Active Member
Licensed User
Longtime User
A good password system will have a max. number of attempts and an increasing time between authentication requests to counter the brute-force method.
For a single attack, even 4 digit passwords will take time. Considering there are 10.000 possibilities and you can only do 4 before the I.P. gets blacklisted for 15/30/60/120/240/480/etc minutes ....

That is why hacker groups use botnets, they hit a server with a few hundred different I.P.s all farming on different password ranges, this way the odds will favor the attacker.

With this in mind, the times presented on the chart seem correct.

Besides, most websites today use 2-way verification like sending SMS to your phone, so this table only shows how powerful PCs are today but not how easy it is to hack your password.
SMS verification has been considered unsafe since 2005, because phone numbers can be cloned. And that is why in the E.U. banks are ending the use of that method for home banking.
Out of curiosity, a cloned phone number and SMS verification were part of the method used to hack Vodafone Portugal servers and bring the entire mobile network down, last February.
 

AnandGupta

Expert
Licensed User
Longtime User
Sorry I don't think this is correct, as most banks in India insist on 2-step login/fund transfer verification using SMS pin code. I do not know about UK though. But I know GMail also uses SMS as 2-step login verification.

The problem with us programmers is that we always think of a solution to a problem as logical steps.
  1. ask user name and pass
  2. verify
  3. next steps etc.
The hackers do not go to such lengths. Real passwords are available for a dime a dozen on the dark net, hacked from real financial websites.

Still today we read in the newspaper how, by a simple phone call to senior citizens, criminals are siphoning out all their hard-earned money. They put fear in the victims' minds so that they do not get time to think rationally. And when they find out, it is too late.
 

udg

Expert
Licensed User
Longtime User
how, by a simple phone call to senior citizens, criminals are siphoning out all their hard-earned money. They put fear in the victims' minds so that they do not get time to think rationally.
This goes under the "social engineering" topic well described in Mitnick's books.
A couple of recommended titles:
- The art of deception (year 2002)
- The art of intrusion (year 2005)
 

AnandGupta

Expert
Licensed User
Longtime User
This goes under the "social engineering" topic well described in Mitnick's books.
A couple of recommended titles:
- The art of deception (year 2002)
- The art of intrusion (year 2005)
So the 'money stealers' are reading books?
 
Reactions: udg

udg

Expert
Licensed User
Longtime User
Well, a professional (honest or criminal) should always stay ahead of the competition.

When you discover that you have some skills and knowledge, it is up to you how to use them.
I often refer to the "knife example": you could use it to ease food cutting or to kill someone. The knife itself is "neutral".
So are the knowledge and the skills we develop.
 

ilan

Expert
Licensed User
Longtime User
Considering there are 10.000 possibilities and you can only do 4 before the I.P. gets blacklisted for 15/30/60/120/240/480/etc minutes ....
But the username is the same so it will not help much. The username will be blocked. Try to do something like this in google.com

I use 2-way verification in many accounts and in my opinion, it is safe enough. If it were not safe enough, banks, Google, Amazon would not use it.
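
Added example, not part of any post above: a simulation of the throttling discussed in this thread, comparing a lockout keyed only on the source IP (4 tries, then 15/30/60/... minutes) with the same lockout also keyed on the username. The username, the IP labels, the one-guess-per-minute rate and the 60-minute window are constructed assumptions.

```python
from collections import defaultdict

MAX_TRIES = 4        # failures allowed before a lockout (figure from the thread)
BASE_LOCK_MIN = 15   # first lockout; doubles each time: 15/30/60/120/...

class Throttle:
    """Failure counter with a doubling lockout, keyed by IP or by username."""
    def __init__(self):
        self.fails = defaultdict(int)
        self.locked_until = defaultdict(int)   # simulated clock, in minutes

    def allowed(self, key, now):
        return now >= self.locked_until[key]

    def record_failure(self, key, now):
        self.fails[key] += 1
        if self.fails[key] % MAX_TRIES == 0:
            batch = self.fails[key] // MAX_TRIES          # 1, 2, 3, ...
            self.locked_until[key] = now + BASE_LOCK_MIN * 2 ** (batch - 1)

def guesses_checked(n_ips, per_account, minutes=60):
    """Count wrong guesses that reach the password check within the window.

    Constructed scenario: n_ips source addresses each send one wrong guess
    per minute for the same username.
    """
    by_ip, by_user = Throttle(), Throttle()
    user, checked = "alice", 0    # constructed username
    for now in range(minutes):
        for i in range(n_ips):
            ip = f"ip-{i}"        # constructed placeholder, not a real address
            if not by_ip.allowed(ip, now):
                continue
            if per_account and not by_user.allowed(user, now):
                continue
            checked += 1
            by_ip.record_failure(ip, now)
            if per_account:
                by_user.record_failure(user, now)
    return checked

if __name__ == "__main__":
    for n_ips in (1, 200):
        print(n_ips, "IPs | per-IP only:", guesses_checked(n_ips, False),
              "| per-IP + per-account:", guesses_checked(n_ips, True))
```

With per-IP throttling alone the number of guesses checked grows with the number of source addresses; adding the per-username counter holds it at the single-source figure. The trade-off is that a per-username lockout also blocks the legitimate owner while it is in force.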
 

rabbitBUSH

Well-Known Member
Licensed User
This is why I always use 3 numbers > 123 sometimes I follow this with these characters >> easy - why fight the flow - do the unexpected - - - - -
 