Posted

This program allows you to generate RSA key pairs (I think). But the most fun part about it is that it will tell you exactly how long the password you put in the RSA key would last, given an industrial-strength brute force attack on it.

http://www.hammerofgod.com/tgp.aspx

The author makes a few assumptions, but not many - he leaves out dictionary attacks completely because if you use any of the words in a dictionary, you are basically an idiot and your password can be cracked in a fraction of a second.

So the assumed attack does this: First it goes through the dictionary, and if you used any word in there, you are toast. 10,000 words takes a fraction of a second. Then try a few variations with "I" replaced by 1, o by 0 (zero) and s by $, which adds another fraction of a second. These passwords don't count, they are considered trivial.

Then it starts to try all combinations starting with "a" and moving to longer passwords at a rate of 1 Bn/second.

Try the program, it might surprise you. For example I have a "very secure" computer password. It's a random jumble of letters, so impossible to guess. I also have a weak password for non-security-relevant websites.

Well - under brute force my secure password would last all of 16 seconds. The weak one did a little better, with 30 seconds.

My two special extra-long banking/paypal passwords at least scored 1000 and 3000 years. Those should be OK for a while.

But this is a great thing to help you come up with secure passwords. It's not hard - the main thing is to use special characters, and to make it long - more than 9 characters preferably.

Posted

How do we know this program doesn't send your ultra-secret password home and add it to the author's dictionary? ;)

Was wondering that myself so hope nobody is using their bank account passwords to test it. ;)

Would you trust someone using a disclaimer like below with your secrets? :D

IOW, even if your head explodes while using any HoG software, don't come crying to me. But

if you get video of that, it would be cool.

Posted

'M' : Bond, how did you get access to my computer?

007: That was easy ma'am. I simply used this website - http://www.hammerofgod.com/tgp.aspx

'M' : How did you know that I tested my password strength on that website?

007: It's my website. I have all the passwords to many top secret sites...but don't worry. MI6 is safe...for now. BTW, I didn't know that M stood for...

'M' : Utter one more word Bond & I'll have you killed.

Posted

Well - under brute force my secure password would last all of 16 seconds. The weak one did a little better, with 30 seconds.

It's a joke... obviously you cannot calculate this at all.

Most systems do not send the reject/accept message immediately.

Just releasing a calculator for this is just... it's like... how long does it take to guess the recipe of your favorite pizza sauce. Mainly depending on how long it takes to produce it and taste it.... not the complexity of the recipe itself.

Stay with your GPG instead...

Posted

Of course it doesn't - it's a program to generate RSA key pairs. Sending the RSA keys or passwords back would pretty much defeat its purpose. So while I can only go from evidence, the smart bet here would be, no, it's not sending anything back. But you can always get a packet sniffer and find out.

Sure I can calculate how long it takes?! As explained on the site, the only assumption he makes is about the character set used, and only in very broad categories: only alpha; alpha and numbers; alpha, numbers, and the top row special characters; or everything available from the keyboard. I don't think this matters too much. That is, if you have a strong password, then brute force attempts take 1000s of years and you're OK in any case - 1000, or 10,000 doesn't really matter. Likewise, if the attacker didn't know which general set of characters I used, they have to assume the worst case - but for a weak key the difference is measured in seconds.

I know how many keys there are, and how many I can test per second.

BTW as for most systems gating the number of allowed attempts - sure. The program creates RSA key pairs, and tests the strength of the passphrase. The passphrase is something you need when you have obtained the RSA key already (you have the hard disk, basically). Hence it makes sense such a brute force would be possible. For logins into websites, banking limits it to 3 wrong attempts, for example, and even if it weren't limited, the website response time would limit the speed with which you try so much that brute force would be impossible.

Nevertheless - a neat way to find out how your password would hold up in a worst case scenario!
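To make the calculation the first post describes (dictionary first, then leet-speak variants, then exhaustive search from length 1 upwards at 1 Bn guesses/second) and the point made just above about counting keys and the test rate concrete, here is an added worked example. It is not the Hammer of God tool's code; the dictionary is a constructed stand-in for the ~10,000-word list, the four character-set sizes (52, 62, 72, 95) are assumed interpretations of the broad categories named in the thread, and the reversal of "1" to both "i" and "l" is an assumption since the post is ambiguous.

```python
import string

# Constructed word list standing in for the ~10,000-word dictionary the post
# describes; a real checker would load a full list.
DICTIONARY = {"password", "secret", "letmein", "monkey", "dragon", "welcome"}

# The substitutions the post names: I -> 1, o -> 0, s -> $. Since "1" may stand
# for either i or l, both reversals are tried (assumption, not from the tool).
LEET_REVERSALS = [
    str.maketrans({"1": "i", "0": "o", "$": "s"}),
    str.maketrans({"1": "l", "0": "o", "$": "s"}),
]

# Assumed sizes of the four broad character-set categories the thread mentions.
TOP_ROW = "!@#$%^&*()"
CATEGORIES = [
    ("alpha", set(string.ascii_letters)),                                   # 52
    ("alnum", set(string.ascii_letters + string.digits)),                   # 62
    ("alnum_toprow", set(string.ascii_letters + string.digits + TOP_ROW)),  # 72
    ("keyboard", set(string.ascii_letters + string.digits
                     + string.punctuation + " ")),                          # 95
]

OFFLINE_RATE = 1_000_000_000  # 1 Bn guesses/second, the post's assumption


def is_trivial(password):
    """Steps 1 and 2 of the modelled attack: plain dictionary words and their
    leet-speak variants are assumed to fall in a fraction of a second."""
    lowered = password.lower()
    candidates = {lowered} | {lowered.translate(t) for t in LEET_REVERSALS}
    return any(c in DICTIONARY for c in candidates)


def classify(password):
    """Smallest assumed category that contains every character of the password."""
    chars = set(password)
    for name, alphabet in CATEGORIES:
        if chars <= alphabet:
            return name, len(alphabet)
    raise ValueError("password uses characters outside the modelled keyboard set")


def keyspace(charset_size, max_len):
    """Candidates tried by an exhaustive search that starts at length 1 and grows
    to max_len (the post's 'starting with "a" and moving to longer passwords')."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def humanize(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def estimate(password, rate=OFFLINE_RATE):
    """Worst-case time for the modelled attack to reach this password at `rate`
    guesses/second; a low rate models a throttled online login."""
    if is_trivial(password):
        return {"category": "dictionary", "keyspace": 0, "seconds": 0.0,
                "time": "trivial (dictionary / leet variant)"}
    name, size = classify(password)
    space = keyspace(size, len(password))
    seconds = space / rate
    return {"category": name, "keyspace": space, "seconds": seconds,
            "time": humanize(seconds)}


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for sample in ("pa$$w0rd", "qwertyu", "Xk9Qm2Ls", "Correct!Horse#Battery7"):
        offline = estimate(sample)
        online = estimate(sample, rate=10)  # assumed throttled web-login rate
        print(f"{sample:24} {offline['category']:13} "
              f"offline {offline['time']:>16}   online(10/s) {online['time']}")
```

Running it shows why the two numbers in the thread differ so much: a seven-letter jumble sits in a keyspace of about 10^12 and falls in minutes at 10^9 guesses/second, while the same search against a web login answering ten guesses a second (before any lockout) takes thousands of years, which is the point made about passphrases on a stolen disk versus online banking logins.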

Posted

The problem in this case is such exchange of information with providers with no history is a very, very bad idea. In the area of passwords I suspect I would limit myself to Steve Gibson (GRC.COM) as he has a track record of long standing and offers password creation services free of charge and in several formats for download. His site is checked/used by very savvy people and if malicious it would soon be found out.

Posted
For example I have a "very secure" computer password. It's a random jumble of letters, so impossible to guess. I also have a weak password for non-security-relevant websites.

Well - under brute force my secure password would last all of 16 seconds. The weak one did a little better, with 30 seconds.

My two special extra-long banking/paypal passwords at least scored 1000 and 3000 years. Those should be OK for a while.

Sorry should have quoted more...

In this scenario, computer passwords or banking stuff, it is impossible to calculate.

It depends on the evaluation time.

If you have the private key and you know the evaluation time then it will work...

Martin

Posted

The problem in this case is such exchange of information with providers with no history is a very, very bad idea.

What exchange of information are you talking about? You're running a program on your computer. This program does not connect to the internet.

Posted
For example I have a "very secure" computer password. It's a random jumble of letters, so impossible to guess. I also have a weak password for non-security-relevant websites.

Well - under brute force my secure password would last all of 16 seconds. The weak one did a little better, with 30 seconds.

My two special extra-long banking/paypal passwords at least scored 1000 and 3000 years. Those should be OK for a while.

Sorry should have quoted more...

In this scenario, computer passwords or banking stuff, it is impossible to calculate.

It's a bit silly to make this statement without reading the link I provided, where it's explained, in detail, how the calculation works. All the assumptions and prerequisites for the calculation are laid out.

The guy who made this is a security researcher who makes a commercial program that provides public key encryption for your data. I don't know but I think he may know a thing or two about the topic?!

Posted

Most 'programs' have an extension of .exe or .com (& on some occasions, .bat).

As such, they are very vulnerable to virus &/or malware attacks. If such a program is attacked by a virus or malware, information could be passed from the 'infected' program to another computer.

I would NEVER check/test my password strength in this manner, unless I thoroughly deleted the program after carrying out such a test. I would certainly NEVER conduct such a test whilst 'online'.

Posted

It's a bit silly to make this statement without reading the link I provided, where it's explained, in detail, how the calculation works. All the assumptions and prerequisites for the calculation are laid out.

The guy who made this is a security researcher who makes a commercial program that provides public key encryption for your data. I don't know but I think he may know a thing or two about the topic?!

yea right, everybody is silly except you... not one mistake from your side ever... well

It never occurred to you that you brought in that nonsense about computer passwords and bank stuff in the first place, and that after you actually read that cheap page...

Why didn't you give us a link to something useful instead...Would you use that software that this guy put there? Honestly?

I assume not...

Posted

I remember when this forum was quite a friendly place. :(

Well, it has improved a lot since the Linux people got their own forum. :D

Posted

I remember when this forum was quite a friendly place. :(

Well, it has improved a lot since the Linux people got their own forum. :D

Ah-ha! That's where they all went!

Actually, that'll be a good resource once I've finished with XP - in about 4 years' time I guess, when MS stop supporting it.

No way in h*ll will I use 7! :bah:

Linux here I come!

But slowly. :D
