Brute force password calculator
Have you ever typed in your password while logging into a page and it has that little password strength bar on it that fills up the more you type? How accurate is it? Can you even trust such a novel multi-colored doo-dad?
Why guess? I went to the trouble of getting together a spreadsheet that can definitively tell you exactly how secure you are using that password of yours. It can even give suggestions as to how to improve your password. Be warned, it’s not always pretty to see the honest truth.
Give it a try by clicking here (http://drop.io/caedishax/asset/bruteforcecalc-xls), then click “Download”
(Updated 6/5/09)
Added extended data validation to prevent accidental entry of erroneous data.
Cleaned up the document to fix some grammatical errors
Added a "Galactic Years" option that gives a better frame of reference for larger passwords.
Additional tweaks and fixes to improve visibility and visual appeal.
(Updated 6/4/09)
I took all the comments and criticism I received and revamped the calculator to use speeds derived from the Nvidia GTX295 to calculate estimated brute force times.
Additionally I added a box at the bottom of the calculator that can be used to quickly and easily copy your score to any forum or blog you want. A solid password really is something to be proud of, show it off!
Here's my good password:
All times relative to Nvidia GTX 295 GPU assuming ~4788000000000 Keys/Sec
Password length of 44
Total Password Entropy of 1.44648363739316E+56
Estimated time to crack:
Days 629,387,547,598,665,000,000,000,000,000,000,000,000,000.00
Years 1,723,205,997,972,500,000,000,000,000,000,000,000,000.00
Centuries 17,232,059,979,725,000,000,000,000,000,000,000,000.00
Galactic Years 7,658,693,324,322,230,000,000,000,000,000.00
BULLETPROOF password
Get this test at http://bruteforce.caedis.net
Additionally, if you want to link to the calculator I have added an entry in my domain name for just such a purpose:
http://bruteforce.caedis.net
Link there if you plan to repost, don't link directly to the file. (as I have been approached by several people already about this)
What is brute force?
Brute force attacks are when your password is guessed by blindly going from one password to the next with little or no regard for what is being tried. Basically doing the following:
a
aa
ab
abc
abc1
abc11
abc12
abc121
abc122
As you can see it’s just adding more onto the guess until it gets it right.
This method is the only remaining method to get passwords in situations where the person hasn’t put any real words or significant dates or numbers into the password.
If the person does put words or significant combinations of numbers (like anniversaries or birthdates) then a dictionary attack is usually tried first as it is exponentially faster.
A dictionary attack checks multiple combinations of common words, or combinations of words and numbers. This is often done first as it can sometimes take SECONDS to crack a password this way. If you have a password such as “myDogSkip” the cracker will just have to combine “my”, “dog” and “Skip” into the right order to get the password. This is especially effective when the person knows even a little about you. Many times this is done by simply asking a friend/co-worker off-hand about some trivial part of your life. Your dog's name? Your wife’s name? Or even more easily by going to your Facebook or Myspace page and getting a few key words off it. Think of all the words you use on your profile pages, then think if ANY of them could be used in any way to get a password of yours. If the answer is anything but a strong “NO” then you probably need to re-evaluate what you have secured with that weak password. Which is worse? Identity theft, or an annoying password that’s hard to type in quickly?
Originally posted on my blog at Caedis.net (http://bruteforce.caedis.net)
nd4spdbh2
06-03-09, 11:49 AM
hmmm ya too lazy to read the whole thing... but this is suspicious. reported
edit... oh ya... definitely reported... promoting your own site cmon man.
VinnyTAMU
06-03-09, 12:10 PM
hmmm ya too lazy to read the whole thing... but this is suspicious. reported
edit... oh ya... definitely reported... promoting your own site cmon man.
He has other legitimate posts and a few stickies on these forums. IMO he is legit.
VinnyTAMU
06-03-09, 12:20 PM
Also here is a formula for calculating password entropy: *info taken from Wikipedia (http://en.wikipedia.org/wiki/Password_strength)*
H = L × log2(N)  (entropy H in bits)
*This formula assumes the use of random characters*
L = Password Length
N = Number of possible printable characters. (see below)
Digits only (0-9) : N = 10
Single characters (a-z) : N = 26
Single characters and Digits (a-z, 0-9) : N = 36
Mixed characters and Digits (a-z, A-Z, 0-9) : N=62
Use of all ASCII printable characters : N = 94
NIST recommends H = 80 bits for the most secure passwords
It would take 13 completely random ASCII printable characters to achieve greater than an 80-bit password strength.
thideras
06-03-09, 12:30 PM
hmmm ya too lazy to read the whole thing... but this is suspicious. reported
edit... oh ya... definitely reported... promoting your own site cmon man.
Give me a break, you didn't even have the decency to read it? :rolleyes:
The guy is legit.
I.M.O.G.
06-03-09, 12:30 PM
For reference and to keep this thread on track... This has been vetted - Caedis is legit.
Also, he's taken the time to migrate other useful high quality articles from his website to make them part of this forum, so linking back to his own domain within those posts is fine.
Adragontattoo
06-03-09, 12:55 PM
Caedis,
Do you still subscribe to the opinion that adding a space in a password is still more secure than typing a password like a 12yr old script kiddie on meth?
i.e. H3rE B t|-|3 passw0rd!
Mostly just wondering because the 12yr old script kiddie description is something I heard from a few different folks I know who do Pen Testing for a living.
hmmm ya too lazy to read the whole thing... but this is suspicious. reported
edit... oh ya... definitely reported... promoting your own site cmon man.
Of course I promote my site. It's common practice, and it's original content so it's not like I made a post saying "Here is my site, go here" and that's it.
For reference and to keep this thread on track... This has been vetted - Caedis is legit.
Also, he's taken the time to migrate other useful high quality articles from his website to make them part of this forum, so linking back to his own domain within those posts is fine.
Thanks for the props I.M.O.G :D
Caedis,
Do you still subscribe to the opinion that adding a space in a password is still more secure than typing a password like a 12yr old script kiddie on meth?
i.e. H3rE B t|-|3 passw0rd!
Mostly just wondering because the 12yr old script kiddie description is something I heard from a few different folks I know who do Pen Testing for a living.
I think when you add so many spaces it reduces the keyspace since it's the same ASCII key over and over; additionally, when you use leet speak in a pass it can be used in dictionary attacks if the leet is too common. So, I don't think my POV on this has changed. A space is just another symbol. If I typed
"asd32d o.gfh"
that would still have the same key strength as
"asd32d&o.gfh"
hmmm ya too lazy to read the whole thing... but this is suspicious. reported
edit... oh ya... definitely reported... promoting your own site cmon man.
Linking to your own site has never been against the rules AFAIK.. just in sigs.
Does using alt+XXXX characters increase the strength (if allowed)?
Adragontattoo
06-03-09, 02:06 PM
So short of using caps, letters, numbers, spaces and symbols along with a password that is long and probably unlikely to be remembered, what is your suggestion for making stronger passwords?
Obviously, not using the same password on everything is the first suggestion.
So short of using caps, letters, numbers, spaces and symbols along with a password that is long and probably unlikely to be remembered, what is your suggestion for making stronger passwords?
Obviously, not using the same password on everything is the first suggestion.
I have a few suggestions; the one I use has become my de facto method for memorizing ludicrous passwords. I memorize a garbled 6-10 digit pseudo-random jumble. It's hard for the first week or 2, but after typing it in many many times I memorize it to muscle memory. Once I have that password perfectly committed to memory, after a few months I add 6-10 more digits of pseudo-random trash. In this way I only have to memorize the password block sequences, not the whole password. So I'll make an example:
I write this down and memorize it by making it my desktop login password:
"wR-oB/"
simple? only 6 chars.
Once that's easy to remember (in a few months) then I just kind of remember it as my "wr" password.
then I just add
"kPY+/#"
to the end.
so now we have "wR-oB/kPY+/#"
Then I'll mix it up and start over with "e-EagY"
after a few months that password becomes trivial to remember.
Then I just combine all 3
"e-EagYwR-oB/kPY+/#"
and when I need to write it down for safe keeping (should I forget this trash) I just write my little password shorthand for each block:
ed - wr - kp
of course the shorthand varies per password but all that matters is that I know what the sequence of block is. And since I have the block memorized to a fault, it's no problem to rattle off the whole thing while typing it in.
Wash, rinse, repeat. I'm up to a 44 character jumbled blob now after 3 years, and I have 24 digits worth of even more garbled password goodness memorized. I'll add that to the 44 digit one and be at 68 digits of pseudo-random ASCII junk that no one in their right mind with a server farm of PS3's running day and night for an eon could decipher.
The second method I like to use adds even more impossibility to the equation, but can be used on not-so-impossible passwords to beef them up.
I use Firefox with the "Password Maker" extension (https://addons.mozilla.org/en-US/firefox/addon/469).
I just enter my "master" password for the extension and it hashes the domain of the page I'm visiting with the pass I gave it (plus some extra salt (http://en.wikipedia.org/wiki/Salt_(cryptography)) that I've manually specified in the options of the extension) to make unique passwords for all the sites I visit. I, of course, back up the resulting pass in a password safe program like KeePass, but I don't have to remember the password for day to day browsing. Each site gets a unique pass and I'm kept bulletproof even on the shadiest of sites, since that pass can only compromise that site. If the site tries to use its knowledge of me to login to the other sites I use, too bad... outta luck.
:D
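As an added illustration of the per-site derivation Caedis describes above (this is not the Password Maker extension's own algorithm): a master password is stretched with a fixed salt, bound to the site's domain with an HMAC, and expanded into printable characters. The PBKDF2 step, HMAC-SHA256 and the 94-character alphabet are my choices.

```python
import hashlib
import hmac
import string

# Assumption: the 94 printable ASCII characters without the space (the thread's N = 94 set).
PRINTABLE = string.digits + string.ascii_letters + string.punctuation
assert len(PRINTABLE) == 94


def derive_site_password(master, domain, salt, length=16, iterations=200_000):
    """Derive a per-site password from a master password, a site domain and a fixed salt.
    The same inputs always give the same password; a different domain gives an unrelated one."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 (one 256-bit digest is expanded below)")
    # Normalise the domain so " Example.COM" and "example.com" map to the same password.
    site = domain.strip().lower().encode()
    # Stretch the master password with the salt first, so a leaked site password
    # cannot be turned back into the master by a fast hash search.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt.encode(), iterations)
    # Bind the stretched key to the site: the HMAC output differs per domain.
    digest = hmac.new(key, site, hashlib.sha256).digest()
    # Expand the 256-bit digest into base-94 characters (32 chars use about 210 bits).
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(PRINTABLE))
        chars.append(PRINTABLE[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs; real use would take the master from the user, never a literal.
    for site in ("example.com", "forum.example.net"):
        print(site, derive_site_password("master passphrase", site, "my fixed salt"))
```

If one site's derived password leaks, the other sites' passwords stay unrelated, and recovering the master from the leak requires repeating the PBKDF2 work for every guess.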
mbentley
06-03-09, 02:30 PM
hmm... interesting
it found that my password that I use for stuff at home is "weak" but it found a 4 word passphrase separated by spaces to be nearly impossible to crack.
hmm... interesting
it found that my password that I use for stuff at home is "weak" but it found a 4 word passphrase separated by spaces to be nearly impossible to crack.
You contradicted yourself in your own sentence. This calculator is for brute force not dictionary attacking. Dictionary attacking is trivial and could only take mere seconds.
Quoted from the top of the spreadsheet in big bold letters:
USE TO ESTIMATE TIME FOR THE SLOWER, MORE DIFFICULT BRUTE FORCE ATTACK ONLY
(Dictionary lookup attacks which are tried usually first take seconds and get an average of 25% of all passwords. See the disclaimer at the bottom of the “How to use this calculator” tab for an explanation.)
Furthermore, on the How to tab it says
DISCLAIMER: Using the bottom (red) method is a more "idealistic" method as the passwords above are NOT purely random, they are standard words/phrases.
When you use family pets, spouses' names, birthdays, credit card numbers, Social Security Numbers, Driver's License Numbers, etc. you SUBSTANTIALLY reduce the power of your passwords, as anyone can obtain at least some of that information with little to no effort on the internet. For instance, using Facebook/Myspace to find out when you were born, your spouse or significant other's name or birthday, your wedding date, even your phone number. And you may think, "Only my friends have access to that info." Well, true, but what about who THEY let on their computers, or even talk to? What if they login to a site with that info at a library and leave for a few minutes and forget to log out? It's not who you trust, it's who they trust. You aren't just relying on your friends to keep personal information safe, you're relying on them to be airtight about it.
Simply put, don’t use trivial words or numbers for your password; try to think up something at least somewhat random looking.
mbentley
06-03-09, 02:45 PM
sorry, didn't read the whole thing. just wasting a few free minutes at work ;)
I.M.O.G.
06-03-09, 02:51 PM
Personally, I find the hard to remember password thing to be a cop out - we all have to enter passwords a bunch of times daily. As a test once, for curiosity's sake, I used a 30 character semi-random password to login to all the major systems I work with. Estimated, I would say this was used for about 10 logins/reauthentications to various resources a day.
At that rate, I used the note I had with the password written down for 2-3 days, and after that the password was committed to memory - not just memory, but really muscle memory. Maybe I couldn't say my password to someone if they asked without having a little trouble, but I could sit in front of a keyboard and enter it without problem. This was the password I was using:
uhos.hjc?,gk)qv~imogIlmb!4232h
When you have a long, difficult password, you could be surprised how quickly you can commit it to memory just by using a note at first (which you obviously must keep secure until you destroy it). It's cumbersome referencing the note, so committing it to memory and making it automatic follows pretty naturally. Give it a few days depending on how often you actually use the password to login, and you'll likely find you soon no longer need the note you started with.
Btw, the password is semi random because the first half alternates between left and right hand on the dvorak keyboard, which made it a little quicker to type and the second half is just other phrases or passwords I've used in the past.
Personally, I find the hard to remember password thing to be a cop out - we all have to enter passwords a bunch of times daily. As a test once, for curiosity's sake, I used a 30 character semi-random password to login to all the major systems I work with. Estimated, I would say this was used for about 10 logins/reauthentications to various resources a day.
At that rate, I used the note I had with the password written down for 2-3 days, and after that the password was committed to memory - not just memory, but really muscle memory. Maybe I couldn't say my password to someone if they asked without having a little trouble, but I could sit in front of a keyboard and enter it without problem. This was the password I was using:
uhos.hjc?,gk)qv~imogIlmb!4232h
When you have a long, difficult password, you could be surprised how quickly you can commit it to memory just by using a note at first (which you obviously must keep secure until you destroy it). It's cumbersome referencing the note, so committing it to memory and making it automatic follows pretty naturally. Give it a few days depending on how often you actually use the password to login, and you'll likely find you soon no longer need the note you started with.
Agreed 100%, that's exactly what I do. Only I just keep adding to the password blob to make it even longer and longer.
uhos.hjc?,gk)qv~imogIlmb!4232h
Btw
Upper Case Letters 1
Lower Case Letters 18
Numbers 4
Special Characters 6
password length in Characters 29
9,980,042,515,629,710,000,000,000,000.00 days
27,324,450,870,642,200,000,000,000.00 years
273,244,508,706,422,000,000,000.00 centuries
Conclusion: You have a BULLETPROOF password, kudos. Now the trick is not to write it down anywhere and memorize it.
/\ My Sheet don't lie ;) /\
Lawls.
nd4spdbh2
06-03-09, 08:31 PM
sorry guys... just seemed fishy to me... never seen him post before... IMOG sent me a pm explaining the situation.
mbentley
06-04-09, 07:29 AM
then again, I suppose the calculator is still correct about a longer passphrase type password being more difficult to crack when it comes to just using brute force. but like you said, dictionary attacks are a whole different animal :)
in one of the security courses I took in college, we basically took the role of "white hat" hackers to test security, and this is an exercise that we did with our passwords to see how secure they really were. we used LCP to audit different passwords that we made up of different complexities to show how long it would take with increased complexity to break using brute force, dictionary or combined methods. it really opens your eyes to how quickly a password can be broken even if you think it might be secure.
I took all the comments and criticism I received and revamped the calculator to use speeds derived from the Nvidia GTX295 to calculate estimated brute force times.
Additionally I added a box at the bottom of the calculator that can be used to quickly and easily copy your score to any forum or blog you want. A solid password really is something to be proud of, show it off!
Additionally if you want to link to the calculator I have added a entry in my domain name for just such a purpose:
http://bruteforce.caedis.net
Link there if you plan to repost, don't link directly to the file. (as I have been approached by several people already about this)
Updated the OP with a new calculator!
Added a new version of the calculator! Enjoy!
Give it a try by clicking here (http://drop.io/caedishax/asset/bruteforcecalc-xls), then click “Download”
(Updated 6/5/09)
Added extended data validation to prevent accidental entry of erroneous data.
Cleaned up the document to fix some grammatical errors
Added a "Galactic Years" option that gives a better frame of reference for larger passwords.
Additional tweaks and fixes to improve visibility and visual appeal.
I use a simple passphrase that includes uppercase, lowercase, numbers and special characters that all make sense (34 characters total). It's a sentence, but it would only make sense to me (it's a proper sentence though). It's very simple for me to remember yet apparently would take 89,227,231,079,342,000,000,000,000,000.00 centuries to crack.
As long as it's not entirely common, I think passphrases are the way to go and I have been trying to convince my manager to let me make them mandatory for our domains at work.
ihrsetrdr
06-07-09, 02:26 PM
I use a simple passphrase that includes uppercase, lowercase, numbers and special characters that all make sense (34 characters total). It's a sentence, but it would only make sense to me (it's a proper sentence though). It's very simple for me to remember yet apparently would take 89,227,231,079,342,000,000,000,000,000.00 centuries to crack.
As long as it's not entirely common, I think passphrases are the way to go and I have been trying to convince my manager to let me make them mandatory for our domains at work.
I like that approach; even though the usual passphrase I use has 10 characters (6 letters & 4 numbers), I've had that creeping feeling that I could do much more to enhance security.
@Caedis, thank you for your helpful, informative postings dealing with security, as well as your posts in the "Alternative" OS section.
Captain Newbie
06-07-09, 03:01 PM
sorry guys... just seemed fishy to me... never seen him post before... IMOG sent me a pm explaining the situation.
Your caution and vigilance are commendable.
Personally, I find the hard to remember password thing to be a cop out - we all have to enter passwords a bunch of times daily. As a test once for curiousities sake, I used a 30 character semi-random password to login to all the major systems I work with. Estimated, I would say this was used for about 10 logins/reauthentications to various resources a day.
...etc.
SSH keys solved the "I'm sick and ****ing tired of typing this password" problem at work and at home...I find them better than oodles of passwords. Revoking them is a pain in the rear if you lose them, but I haven't lost my key yet.
Passwords are a lousy solution, but it's the one we have.
Neuromancer
06-07-09, 03:01 PM
OMFG
OVERKILL!!!!!!
Calculator is a good idea, what it should be used for....instead of trying to type out 68 characters EVERY time you want to login to something (jeez)
Create a nice short password that takes 12 months to crack
Change your password every 90 days
gangaskan
06-07-09, 03:35 PM
You contradicted yourself in your own sentence. This calculator is for brute force not dictionary attacking. Dictionary attacking is trivial and could only take mere seconds.
I don't mean to thread jack if it sounds like it, but isn't dictionary attacking still considered brute force, since you're still trying items out of a wordlist?
in my net security class last year I had to use John the Ripper to brute force salted passwords. it was an eye opener, no less: common passwords, even in a VM, took very little time to crack with the default wordlist.
our teacher also made us come up with a password policy for a fake org too. it was a fun project
Captain Newbie
06-07-09, 06:51 PM
I don't mean to thread jack if it sounds like it, but isn't dictionary attacking still considered brute force, since you're still trying items out of a wordlist?
The distinction lies in that a brute force attack would try a, b...etc., while a dictionary would much more quickly arrive at words like love, sex, secret, password, and...god. :cool:
in my net security class last year I had to use John the Ripper to brute force salted passwords. it was an eye opener, no less: common passwords, even in a VM, took very little time to crack with the default wordlist.
I would imagine you could write a brute-force cracker in under ten lines of Python...all you have to do is generate random strings... It wouldn't be fast, but it would be fast enough.
There's nothing particularly magical about this.
Shiggity
06-07-09, 09:07 PM
I see your GPU based password algorithms and raise you a quantum cryptography communication network.
http://www.sciencedaily.com/releases/2009/04/090430065454.htm
Interesting idea creating a calculator for this :) I know a lot of people are suspicious of opening spreadsheets from unknown sources (macro viruses and all), so I'd suggest making a post down in the Programming Tips and Tricks section to see if anybody is interested in translating it into Javascript. The math isn't particularly difficult, and it wouldn't be hard to whip up some code.
One suggestion I'd make is to add a disclaimer about password strength also being a function of the hash algorithm it's stored in. Windows (if using the stronger NT hash (http://www.thebitmill.com/articles/nt_password.html)), Linux, and many websites use 128-bit hashes. Regardless of how random and long your password is, a 128-bit hash limits you to a keyspace of "only" 1e38. While a longer password will generally be stronger than a shorter one, a 100 character password won't be much stronger than a 50 character password in 90% of the cases, since the hash will have less entropy than the password itself.
JigPu
I found this to be a great read. I would have never thought of putting so much time and effort into breaking it down like this. My password is pretty serious also but I created it just for the hell of it:
7,298,016.49 days
19,981.31 years
199.81 centuries
0.00 Galactic Years
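Added example, not from the thread or the spreadsheet: a small Python model of the entropy formula in VinnyTAMU's post (H = L × log2(N)), the GTX 295 guess rate the calculator quotes, and JigPu's point that a 128-bit hash caps the search space an offline attacker faces. The spreadsheet's own formulas are not on the page, so this does not reproduce its exact figures; the 225-million-year galactic year and the average-case halving are my assumptions.

```python
import math

# Character-set sizes listed in the thread (assumes characters are chosen at random).
CHARSETS = {
    "digits": 10,          # 0-9
    "lower": 26,           # a-z
    "lower+digits": 36,    # a-z, 0-9
    "mixed+digits": 62,    # a-z, A-Z, 0-9
    "printable": 94,       # all printable ASCII
}

# Guess rate the thread quotes for the spreadsheet's GTX 295 figure.
GTX295_KEYS_PER_SEC = 4.788e12

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25
# Assumption: one galactic year taken as 225 million years (the spreadsheet does not state its value).
YEARS_PER_GALACTIC_YEAR = 225e6


def entropy_bits(length, charset_size):
    """H = L * log2(N): bits of entropy for L symbols drawn uniformly from N possibilities."""
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and charset_size >= 2")
    return length * math.log2(charset_size)


def effective_bits(length, charset_size, hash_bits=None):
    """Entropy an offline attacker must search: the password's own entropy,
    capped by the stored hash's output size when that is smaller."""
    bits = entropy_bits(length, charset_size)
    return bits if hash_bits is None else min(bits, hash_bits)


def min_length_for(target_bits, charset_size):
    """Smallest L with L * log2(N) >= target_bits (e.g. the 80-bit NIST figure)."""
    return math.ceil(target_bits / math.log2(charset_size))


def crack_time(bits, keys_per_sec=GTX295_KEYS_PER_SEC, average=True):
    """Time to brute-force a keyspace of 2**bits at keys_per_sec guesses per second.
    average=True gives the expected time (half the keyspace); False gives the worst case."""
    seconds = (2.0 ** bits) / keys_per_sec
    if average:
        seconds /= 2
    days = seconds / SECONDS_PER_DAY
    years = days / DAYS_PER_YEAR
    return {
        "seconds": seconds,
        "days": days,
        "years": years,
        "centuries": years / 100,
        "galactic_years": years / YEARS_PER_GALACTIC_YEAR,
    }


def report(length, charset_name, hash_bits=None):
    """One-line summary in the spirit of the results pasted in the thread."""
    n = CHARSETS[charset_name]
    bits = effective_bits(length, n, hash_bits)
    cap = f" (capped by {hash_bits}-bit hash)" if hash_bits and bits == hash_bits else ""
    t = crack_time(bits)
    return (f"{length} random {charset_name} chars: {bits:.1f} bits{cap}, "
            f"~{t['years']:.3g} years on average at {GTX295_KEYS_PER_SEC:.3e} keys/s")


if __name__ == "__main__":
    print(min_length_for(80, CHARSETS["printable"]), "random printable chars reach 80 bits")
    print(report(8, "digits"))
    print(report(13, "printable"))
    # JigPu's point: behind a 128-bit hash, 50 and 100 random printable chars cost the same to search.
    print(report(50, "printable", hash_bits=128))
    print(report(100, "printable", hash_bits=128))
```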
Captain Newbie
06-10-09, 08:33 PM
I see your GPU based password algorithms and raise you a quantum cryptography communication network.
http://www.sciencedaily.com/releases/2009/04/090430065454.htm
I see your "whatever" and raise you a phishing attack. :beer:
Adragontattoo
06-11-09, 01:17 PM
All times relative to Nvidia GTX 295 GPU assuming ~4788000000000 Keys/Sec
Password length of 20
Total Password Entropy of 2.82594197779251E+27
Estimated time to crack:
Days 12,296,113,451,130.00
Years 33,665,642,943.81
Centuries 336,656,429.44
Galactic Years 149.63
BULLETPROOF password
Get this test at http://bruteforce.caedis.net
Tested using a passphrase I am working with