Posts: 25,580
Threads: 2,060
Joined: Feb 2005
Reputation:
12
Short passwords are vulnerable - and by short, we mean 8-characters
02-16-2019, 10:31 AM
The Register: Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs
Or under 15 seconds if you have applicable rainbow tables and a GPU. (And who doesn't have a GPU nowadays?)
IMHO,
this xkcd strip has a good idea but doesn't implement it correctly. (For one thing, Mr. Munroe implies his password is 25 elements {letters} long when it's actually 4 elements {common dictionary words} long.)
--
Rob Kelk
Sticks and stones can break your bones,
But words can break your heart.
- unknown
Posts: 3,278
Threads: 137
Joined: Sep 2002
Reputation:
2
RE: Short passwords are vulnerable - and by short, we mean 8-characters
02-17-2019, 11:08 AM
Funny, the register's article points out that said password in fact works quite well.; it even refers to it and the strip in question directly
And no, what you are overlooking here is that it doesn't matter if the password is 4 elements, the cracker has no way of knowing anything more than there are 25 charecters there, and therefore must brute force each one. The ease comes in on the human side, where one uses personal memnotics associations to more easily create the long string needed.
Hear that thunder rolling till it seems to rock the sky?
Thats' every ship in Grayson's Navy taking up the cry!
NO QUARTER!
No Quarter by
Echo's Children
Posts: 1,954
Threads: 4
Joined: Sep 2012
Reputation:
0
RE: Short passwords are vulnerable - and by short, we mean 8-characters
02-17-2019, 11:22 AM
Basically, when you are dealing with 'random asshole trying to get access to your account' it matters how long he has to spend cracking your password because he has no specific need for you in particular. In such cases having a long but easily remembered password works fine because he's unlikely to access your personal records and history for hints, he just doesn't care enough. For the time spent cracking you he can have a dozen or more others. When you are dealing with 'somebody wants access to your account specifically' though that goes out the window and a random password generator becomes more reliably difficult to hack. Because he wants access to your account, and if that means some more legwork... he does that legwork, or has it done for him.