How Pathetic is your password??

NicoleRussell · #1 (**permalink**) 01-21-2007, 01:26 PM

How Pathetic Is Your Password?

Tue Apr 4, 2006 1:36PM EDT

Think putting a "1" on the end of "daisy" is going to stymie crackers intent on breaking your password? Turns out that with a reasonably up-to-date computer, a dedicated hacker should be able to break it, by brute force, in about an hour and a half.
Lockdown.co.uk has a handy document that shows just how secure your password really is, based on its length and the type of characters you use in it (all numbers, letters and numbers, uppercase/lowercase, special symbols, etc.).
Think about your most common passwords, then visit the site. You'll be most interested in the results for a "Class D" attack, which represents somone with a single, very fast PC. (Class E and Class F represent multiple PC attacks and aren't as likely to be involved with someone trying to break into your eBay account.)
As an example, the site notes that a password like "darren" would take all of 30 seconds to break. "Land3rz" would take 4 days. And "B33r&Mug" would take 23 whopping years.
Key to great security isn't just length, but adding in non-traditional characters, too: A great password should be eight characters long (or more), and include at least one number, one uppercase letter, and one special character like an ampersand. To make it easy on yourself, try using the same button on the keyboard in both lower- and uppercase versions. For example: "JjKkIi*8" requires you only hit four different keys (plus Shift), and they're all clustered in a tight group.

Sleepy_FF · #2 (**permalink**) 01-21-2007, 01:34 PM

oooooh.

Sleepy_FF · #3 (**permalink**) 01-21-2007, 02:42 PM

hmm... cant seem to view the link

JuliusSqueezer · #4 (**permalink**) 01-21-2007, 03:30 PM

It's probably been hacked

Sleepy_FF · #5 (**permalink**) 01-21-2007, 03:38 PM

hahaha....

JuliusSqueezer · #6 (**permalink**) 01-21-2007, 03:54 PM

In my younger days, I was a brutal little hacker punk and since I don't do that kind of stuff any more, here's how I used to crack passwords and gain access to dial up accounts. I never raided bank accounts or anything. I just never paid for internet access...ever...for YEARS.

Locally it was way too easy back in the windows 3.1 days. All I did was pop into a circuit city or someplace, find the display computer that was hooked to the internet, pretend to be checking it out and write down stuff, flip through the control panel stuff and make notes on a notepad about the bus speed, ram, harddrive space...anything really...didn't much matter as this was just to throw off the employee standing there about what you were really up to. Then in windows 3.1 version of the ISP software, if you open the ini file in ms notepad, the password was logged and not decrypted and I would jot that down too

Then go home and use their account for awhile. Later when win95 came out, they decrypted the password but there was a program called "wrench" that fit neatly on a diskette and all you had to do was pop in the disk when noone was looking and run wrench.exe and a little box would pop up revealing any stored password obscured with ****. This program may even still work for all I know. I quit using such things long before it ever stopped working. The only notable crack I ever pulled off from afar was Maury Povich's AOL account. His password was the same name of his production company that he must have thought very clever. MOPO is not clever Maury

Props to Oprah for not using Harpo for hers. Circuit City's was actually kinda hard to crack even after looking at it and jotting it down because they used uppercase i, lowercase L and the little bar thing that looks like | so their passwords would be something like llIIll||Il| and depending on your font, kinda hard to read.

I'm not bringing this up to brag. I'm bringing it up so you guys can maybe get a clue as to how easy it is and lock your stuff down better. Nobody really hacks internet accounts anymore. Now they want your ebay account, your paypal account, your bank account...your MONEY!

JuliusSqueezer · #7 (**permalink**) 01-21-2007, 04:19 PM

I can't believe I left out the latest and easiest ISP password crack. Depending on the rep you get when you open a Bellsouth account, your startup password will way too often be set at either 1234 or Welcome. It's alarming how many people don't change that! CHANGE your ISP assigned TEMP password!

morti · #8 (**permalink**) 01-21-2007, 05:56 PM

Also: if you get a new router, change it's password as well. A router is a good firewall, but once a hacker gets inside the defenses, they own you.

natas · #9 (**permalink**) 01-22-2007, 05:00 PM

I remember back in the day using war dialers to find modems and then running dictionary programs I wrote to crack passwords. This was all fun and games until I had some police enforcement show up at my house. My dad was mad!!

This was about 14-15 years ago

Back when BBS's where the thing. The internet back then was for science and math geeks (mostly college geeks).

BWSmith · #10 (**permalink**) 01-22-2007, 05:14 PM

Cool. I am at 253 days

toker · #11 (**permalink**) 01-22-2007, 05:19 PM

back in the day I lost a password to some of my zip files, lol, funny thing was I put a password on them to be more secure. oy... any who, I could buy a program to give me the password, but being really cheap I decided to write one based on the BF attack.

Took 26hrs but it found it. This was on a P90

Here at work, they have a network policy that requires passwords to be 8 long with upper and lower, at least one number and at least one special character. No three letters or number can increment (abc or 123). AND If that was not bad enough, passwords are only good for two months and you can not repeat any of your previous passwords.

Got to love security!!

amercnwmn · #12 (**permalink**) 01-22-2007, 05:37 PM

Question, do the firewalls really help?

Some great information for those that do online bill paying, ebay, or pay with cc's or the like.

JuliusSqueezer · #13 (**permalink**) 01-22-2007, 06:02 PM

Back in the BBS days it was super easy. The most common password was "God". People thought they were soooo clever lol. Variations of elite followed. Ereet, Er33t, 3r33t, L33t etc. None of thise would help get you into anything specific but going down a list of addresses would usually yield a few hits.

morti · #14 (**permalink**) 01-22-2007, 06:09 PM

Quote:

Originally Posted by VoodooChile

Question, do the firewalls really help?

Some great information for those that do online bill paying, ebay, or pay with cc's or the like.

Firewalls help with what they are good for: They stop port scanning and port spoofing attacks as well as most remote session takeovers. What they are not good for is preventing your secure information from falling into the wrong hands. A secure password scheme is your best friend there. Like I said in my last post: If you leave your router password at it's default settings, the firewall is STILL not going to do any good.

Slithers · #15 (**permalink**) 01-22-2007, 06:13 PM

i wont go so far as to incriminate myself by revealing my stories of a mispent adolescence...but I agree - Computers are scary...be careful with your information. Also be aware of what you are downloading and what your kids are downloading.

there are PW loggers too that dont decode your pw...they just hide in the background and watch you type. then it automatically emails the password to a preset email account. they conartist then retrieves his email fresh with login and pw info. Back when aol was the norm, I got my PW stolen a million times.

NicoleRussell · #16 (**permalink**) 01-22-2007, 07:02 PM

how do you change your routers PW?

toker · #17 (**permalink**) 01-22-2007, 07:16 PM

After thinking about this for a second, it hit me, this bit of info, be it true to some extent is far from as bad as it seems.

Is it possible for a computer to think of every possible combination of letters numbers and symbols, YES, no doubt, I myself have wrote programs to do just that, but that is where it ends.

You see, even if you have a list of passwords, the only way to know if any of them is YOUR password, is for the same computer or computers to try them. Any web site worth its salt will lock or block an account if the wrong password is entered three or more times.

So lets just ponder this for a second.

Say your password is "ABC" and the computer actually knows your password is only three letters.

To find that password using the brute force method the following passwords would be generated…

AAA
AAB
AAC
ABA
ABB
ABC
ACA
ACB
ACC

Now, granted this list is not complete, but you get the idea. It would be impossible for said computer to break into your account trying all those passwords without locking it out.

Just as an example, there are brute force attacks on my ftp server at home all the time, but after 5 tries, the ip is blocked. So what good is a list of a billion passwords if you can only try 5, lol. And lets not even get started on if the computer actually knows what your user name is, lol

Keep your passwords secret, and not simple, and you will be ok.

toker · #18 (**permalink**) 01-22-2007, 07:18 PM

Quote:

Originally Posted by NicoleRussell

how do you change your routers PW?

Go in though the config of the router, same place you set it to connect to your ISP

Most home networks are http://192.168.1.1 or its what ever your base ip is if you changed it.

Look in the book that came with your router, or if you dont know where that is, check out the web site of who makes it. They will have a copy there.

Advertisement