Confused about breaking passwords

Tringa

I think I posted this - https://www.itsecurityguru.org/2023/05/18/time-taken-for-hackers-to-crack-passwords-revealed/ - here before which has a table of how long it would take to break a password.

What I'm confused about is, is it relevant?

On the odd times I've forgotten a password I get, I think at most, three goes and after that I have to ask for it to be reset, usually by way of an email and a code to my phone.

With even the simplest eight character password, which the table suggests can be broken instantly, there are thousands of possible combinations so the chances of a hacker hitting on the correct one in three goes seems vanishingly small.

Am I missing something?

Dave
 
The issue is that people use the same password on multiple sites. For example if the back-end Facebook database gets hacked giving access to the hashed passwords, they can then be cracked offline and used to access other sites. Generally the hackers don't care whose account they have, just one that works.

We have seen that on here.
 
The issue is that people use the same password on multiple sites.
I agree.

You should use a different password for each site and beware of falling into the trap of using a skeleton like "{clever password}name of site", which happens all too often. Once a cracker has that "clever password", your data is theirs.
 
The issue is that people use the same password on multiple sites. For example if the back-end Facebook database gets hacked giving access to the hashed passwords, they can then be cracked offline and used to access other sites. Generally the hackers don't care whose account they have, just one that works.

We have seen that on here.
Thanks, I think I understand now. I'd thought a hacker breaking a password would get thousands of possible combinations and have to try each one in an attempt to access data (which would not work), but I see now if they do manage to hack the passwords stored on a website they will get the actual password.

Therefore, having a long password with a combination of letters, numbers and symbols, makes the time needed to hack it impossibly long.

Cheers

Dave
 
I'll add that even with your password they have to find a site of interest for which they have the correct username or email. Hackers generally don't want to impersonate you on some general information site, they can't make money from that. Typically what they have is a username/password combination, they search the web for the username and then impersonate you on sites where they can make money. So having different usernames, particularly for financially significant sites, as well as passwords can prevent exploitation.
 
just use google to generate complex passwords for each site and let google manage them for you
 
Just don't do anything "valuable" on the web.
 
everything is now on the web though
Exactly.

For most people, advice like "Just don't do anything "valuable" on the web" is much the same as "don't go out after dark" - both boil down to "let the criminals rule your life".
 
Exactly.

For most people, advice like "Just don't do anything "valuable" on the web" is much the same as "don't go out after dark" - both boil down to "let the criminals rule your life".

one of the things I raised a while ago is protecting access to your phone with SIM lock
most crims will compromise stuff using your phone number as this is often the way to reset your password with a text code to your phone
 
everything is now on the web though
I have 2x Cash ISAs that are actually web only.

No, it's not. ALL my banking is done in person and my dealings with my stockbroker are done face to face, including the ISA.
 
No, it's not. ALL my banking is done in person and my dealings with my stockbroker are done face to face, including the ISA.

but that is your choice though
the world has moved on, a lot of services are online only, like the best banks
I now bank with Revolut
 
I think I posted this - https://www.itsecurityguru.org/2023/05/18/time-taken-for-hackers-to-crack-passwords-revealed/ - here before which has a table of how long it would take to break a password.

What I'm confused about is, is it relevant?

On the odd times I've forgotten a password I get, I think at most, three goes and after that I have to ask for it to be reset, usually by way of an email and a code to my phone.

With even the simplest eight character password, which the table suggests can be broken instantly, there are thousands of possible combinations so the chances of a hacker hitting on the correct one in three goes seems vanishingly small.

Am I missing something?

Dave
These tables start from the premise that the hacker already has an MD5 hash of the password by compromising the site and taking its data, and tell you how long it will then take to find the password that hashes to that value (and assume there is no salt in use, or the hacker knows it).
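
To make the distinction in this thread concrete, here is an added example (not part of any poster's reply) contrasting the unsalted MD5 storage the tables assume with a salted, slow hash, and showing how small the odds are for three guesses at a login form. The sample password and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000  # assumed work factor for this demo; tune to your hardware

def md5_unsalted(password):
    """The storage scheme the cracking-time tables assume: fast and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash; returns (salt, iterations, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    return hmac.compare_digest(pbkdf2_record(password, salt, iterations)[2], digest)

def seconds_per_hash(fn, rounds):
    """Measure the cost of one hash on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        fn("candidate%d" % i)
    return (time.perf_counter() - start) / rounds

def keyspace(alphabet_size, length):
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length

def online_hit_chance(attempts, alphabet_size, length):
    """Chance of guessing a random password before the login form locks out."""
    return attempts / keyspace(alphabet_size, length)

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = "sunshine", "sunshine"
    print("MD5 identical:   ", md5_unsalted(alice) == md5_unsalted(bob))
    print("PBKDF2 identical:", pbkdf2_record(alice)[2] == pbkdf2_record(bob)[2])
    print("8 lowercase letters:", keyspace(26, 8), "combinations")
    print("3 online guesses hit with p =", online_hit_chance(3, 26, 8))
    fast = seconds_per_hash(md5_unsalted, 20_000)
    slow = seconds_per_hash(pbkdf2_record, 3)
    print("one PBKDF2 check costs about %.0fx one MD5" % (slow / fast))
```

The lockout only protects the login form; once a database of unsalted fast hashes is copied, the per-guess cost measured here is the only thing slowing an offline search, which is why the storage scheme and password length matter.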
 
but that is your choice though
the world has moved on, a lot of services are online only, like the best banks
I now bank with Revolut


Yes but YOUR assertion was that "EVERYTHING is now on the web". It's not, as I showed.
 
Yes but YOUR assertion was that "EVERYTHING is now on the web". It's not, as I showed.
You didn't show anything you just declared you went to see a man in a smelly suit in a dimly lit office because you choose to.
Every service the normal person needs is now online from banks, savings investments, gas, leccy mobile phone.

Tell me a service out there you cannot access online?
 
What when your google account gets compromised?
I trust the technology more than I trust remembering or writing down or what?
 
You didn't show anything you just declared you went to see a man in a smelly suit in a dimly lit office because you choose to.
Every service the normal person needs is now online from banks, savings investments, gas, leccy mobile phone.

Tell me a service out there you cannot access online?


Your bank might have smelly suits and dark offices - mine don't.

I can't access any services online because I have opted out of it. Never had my details compromised.
 
You didn't show anything you just declared you went to see a man in a smelly suit in a dimly lit office because you choose to.
Every service the normal person needs is now online from banks, savings investments, gas, leccy mobile phone.

Tell me a service out there you cannot access online?

You can really be a most snarky person at times, when someone points out that you are not correct. Just climb down off that high horse.
 