
Strong password: between 3 and 32 characters




Passwords of length 3 are not strong. Why is the minimum 3?


And why is there a maximum?




3 can be strong enough: yOU,HEr,hiM, (52 ^ 3 = 140,608 that is without the special characters)
32 is more than enough: 52 ^ 32 = 8.1678e+54


Strong enough for what?



To be a good password.
Include the special characters such as -, _, @, %, $, +, (, ), ^, &, etc. and it's becoming even stronger.
Use just 10 of them: 52+10=62 62^3 = 238,328
h_E


To be a good password.



Use just 10 of them: 52+10=62 62^3 = 238,328


h_E




Not at all, I hashed a 4 character password: h_E@
Hash: b77ef9eb5ced73987987fb8846775f24
I then bruteforced it with my GPU using these characters:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~⌂

Starting from [ ] (4 spaces)
Hash type: MD5, Hash: b77ef9eb5ced73987987fb8846775f24
Device #0: [GeForce 9600 GT] 1500.00 Mhz 48 SP
Found password: [h_E@], HEX: 68 5f 45 40
Processed 92 274 688 passwords in 1s.
Thus, 173 775 306 password(s) per second in average.

I know IPB uses salts but if you have access to the hash then you'll almost always know the salt too.


Not at all, I hashed a 4 character password: h_E@


...



Processed 92 274 688 passwords in 1s.


Thus, 173 775 306 password(s) per second in average.



That's nice.
Now is the time to try it on a live board.
In less than 1 second, with good luck in less than one millisecond you should be able to log in.
Without good luck, such as the board has protection against repeated failed login attempts it can take a little longer.
Sending the passwords through the Net, some time for the server to process them could take a few milliseconds as well...


That's nice.


Now is the time to try it on a live board.


In less than 1 second, with good luck in less than one millisecond you should be able to log in.


Without good luck, such as the board has protection against repeated failed login attempts it can take a little longer.


Sending the passwords through the Net, some time for the server to process them could take a few milliseconds as well...




And what if someone got their hand on a dump of the DB? We're back to 1 second.



And what if someone got their hand on a dump of the DB? We're back to 1 second.




Perhaps they can see the content in less than a second because when their hand is on a dumped database they don't need a password.

  • 4 weeks later...

I personally don't see an issue with this that requires "fixing". If you want your password longer than 3 characters, then make it longer. Nobody is forcing you to make it 3 characters. When they say "You should choose a strong password" they're merely suggesting it. I usually don't go beyond 20 characters when I create a password, so 32 seems like a fair amount if I wanted to go beyond 20+ characters IMO. It's not like I'm opening up a bank account or anything that requires me to come up with a password of more than 32 characters.


  • 3 weeks later...

Not really. But that's beside the point. The current limits are just silly and should be fixed.




I've fixed mine myself to this...

Choose a strong password, between 8 and 32 characters. Hint: Including numbers and punctuation in a mixed case password will generally create a more secure password, which would be exponentially harder to recover using a brute force password discovery method.

  • 8 months later...

I've fixed mine myself to this...



Choose a strong password, between 8 and 32 characters. Hint: Including numbers and punctuation in a mixed case password will generally create a more secure password, which would be exponentially harder to recover using a brute force password discovery method.




You've changed the language, but you haven't changed the actual complexity of the password requirement. If a user picked a 3-character password, it would still work. Unless of course you DID change the actual complexity of the password requirement. If that is the case, how did you do it?

Archived

This topic is now archived and is closed to further replies.
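
Added example, not part of the thread: a sizing calculation for the minimum-length question raised above, using the brute-force rate reported in the thread to find the shortest length whose full search takes at least a chosen time. It assumes a 95-character printable-ASCII set and uniformly random passwords; the function names are illustrative.

```python
import math

# Assumption: printable ASCII, space through '~' (close to the set in the thread).
CHARSET_SIZE = 95
# Average MD5 guesses per second reported in the thread (GeForce 9600 GT).
MD5_RATE = 173_775_306
YEAR = 365 * 24 * 3600  # seconds


def keyspace(charset_size, min_len, max_len):
    """Number of candidate passwords with min_len..max_len characters."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(charset_size, length, rate):
    """Worst case: time to try every candidate of 1..length characters."""
    return keyspace(charset_size, 1, length) / rate


def min_length(charset_size, rate, target_seconds, cap=64):
    """Shortest length whose worst-case search lasts at least target_seconds."""
    for length in range(1, cap + 1):
        if exhaust_seconds(charset_size, length, rate) >= target_seconds:
            return length
    raise ValueError("target not reachable within cap")


def entropy_bits(charset_size, length):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # Compare the board's 3-character minimum with longer policies.
    for length in (3, 4, 8, 12):
        secs = exhaust_seconds(CHARSET_SIZE, length, MD5_RATE)
        bits = entropy_bits(CHARSET_SIZE, length)
        print(f"len {length:2d}: {bits:5.1f} bits, {secs:.3g} s to exhaust")
    print("min length, 1 year, full set :", min_length(CHARSET_SIZE, MD5_RATE, YEAR))
    print("min length, 1 year, a-z only :", min_length(26, MD5_RATE, YEAR))
```

At the thread's rate this gives 8 characters for a one-year worst case with the full set and 12 for lowercase only; human-chosen passwords fall faster than the uniform-random figure.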
