Welcome and bye bye {- forum password length}



  • @herosrest said in Welcome and bye bye {- forum password length}:

    my way of protecting passwords is excellent

    No, it's not. Any 8 character password can be cracked in around 2 hours and that's considering you're using special characters and it's truly random. Given that you most likely have a very shallow password so you can remember it, it's pretty certain your passwords could be cracked much faster. Get yourself a password manager and forget about remembering passwords. Personally I only have about 4 or 5 passwords in my head, but they're all over 20 characters. Vivaldi isn't one of them. If anything, 12 characters is far too short, should be double that length.



  • Hi, my mobile is 4 digit and my bank account is 5 digit passwords limited from the bank.
    Try to crack it, no way.
    I think these "I can crack an 8 digit password in n amount of time" have nothing to do with the real world.
    Even my router kicks you after 3 wrong passwords, how to crack?

    Cheers, mib


  • Ambassador

    @mib2berlin, my bank, apart from a password, uses the value of a custom coordinate card they gave me.


  • Vivaldi Translator

    @mib2berlin said in Welcome and bye bye {- forum password length}:

    Hi, my mobile is 4 digit and my bank account is 5 digit passwords limited from the bank.
    Try to crack it, no way.
    I think these "I can crack an 8 digit password in n amount of time" have nothing to do with the real world.
    Even my router kicks you after 3 wrong passwords, how to crack?

    Cheers, mib

    Your statement that fast cracking of 8-digit passwords has nothing to do with the real world is plain wrong.

    While it does happen that passwords are cracked by repeatedly testing to log in to a site with random passwords, that's not really what you should be worried about. Most websites and other services have systems to prevent this (rate limiting, locking accounts after X tries, etc.).

    This is not how most hackers work. Instead, they hack into servers and steal databases with user account information. The stolen information typically includes the usernames and password hashes from thousands of users. Now that the hacker has access to the hash from your password, all they have to do is run a program on their own PC which hashes random passwords until they find a match.

    And if the database they stole had millions of user records in it? Then they can compare every hash from their "random password hasher" program to each of those password hashes. If there are weak passwords in that list, they will find those.

    Now that they have the usernames and passwords for a bunch of accounts, they will try those on hundreds of different sites (including the likes of Amazon, bank sites, etc.) in case people are re-using passwords.

    Database thefts like this are not rare, either. Take a look at https://haveibeenpwned.com/. They have records of over 9 billion accounts (typically usernames, emails and password hashes) stolen from many, many different sites. And haveibeenpwned has collected this information by finding it available online, so it's not just that someone steals the database and tries to hack accounts, but they also sell these databases (or release for free) to give even more hackers and others the ability to crack them.



  • @Komposten
    Hehe, for this you need the encryption password for the server files. 😉
    OK, this really happens too often, criminal elements get their hands on user data.
    I hadn't thought of that, thanks for the hint.

    Cheers, mib


  • Moderator

    @Komposten is quite correct. This is a huge problem. Even to this day, we still see news of breaches where a site stores passwords as plain text, or as a simple hash that can then either be cracked offline by brute-force or searched against rainbow tables for simple passwords. Even databases with salted passwords are vulnerable to targeted cracking as compute power gets more plentiful and cheaper. We all need to use longer, stronger passwords and/or better 2-factor authentication, and ideally not SMS-based schemes that can be compromised by those who gain access to SS7 or through a phone number port-out.
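
Added example, not part of any forum post: a Python sketch of the storage difference discussed in the two posts above (offline guessing against stolen hashes, and simple hashes versus salted ones). The account names, passwords and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption for this example: PBKDF2-HMAC-SHA256 with a high iteration count.
PBKDF2_ITERATIONS = 600_000

def unsalted_hash(password):
    """The 'simple hash' case: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_slow_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_slow_hash(password, salt)[1], digest)

def users_sharing_a_stored_value(table):
    """Groups of users with an identical stored value.

    In a leaked table, each group falls to a single successful guess or a
    single precomputed-table lookup."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; alice and bob picked the same password.
ACCOUNTS = {"alice": "Summer2020", "bob": "Summer2020", "carol": "tr0ub4dor&3x"}

UNSALTED_TABLE = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
SALTED_TABLE = {u: salted_slow_hash(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted, shared values:", users_sharing_a_stored_value(UNSALTED_TABLE))
    print("salted, shared values:  ", users_sharing_a_stored_value(SALTED_TABLE))
    salt, digest = SALTED_TABLE["alice"]
    print("alice correct password:", verify("Summer2020", salt, digest))
    print("alice wrong password:  ", verify("Summer2021", salt, digest))
```

With the unsalted table, alice and bob are visibly the same entry; with per-user salts every record has to be worked on separately, and each guess costs the full iteration count.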


  • Ambassador

    @xyzzy, I consider 2FA with SMS more an added risk than extra security, due to the poor security that mobile phones have compared to a PC. I think it is better to use a second email if you want 2FA, or a security question. Or use another system, like my bank does, with a custom coordinate card (after entering the password, they ask me to enter the 4 characters at coordinate E7 on this card, for example).



  • @herosrest said in Welcome and bye bye {- forum password length}:

    12 character

    Hi herosrest,
    please, do use a password manager (lastpass, keepass, ...) to access your sites: just choose one and stick to it, password managers are WONDERFUL.

    What you'll then need to remember is just one password, 12, or 15+ long, and that will be the last password you'll ever have to remember.

    I personally remember only three passwords:

    • my lastpass password (which opens the vault of the other 188 passwords I use (20+ long))
    • my online banking access password
    • my online banking orders code

    The password I use to access my notebook is the same password I use with LastPass, so it's a password I type every day and that I can't forget.

    Move without any hesitation to a password manager, whatsoever, and you'll see how much more secure you'll be.

    Give it a try: they're incredibly simple to use and your online life will change forever 🙂


  • Ambassador

    I checked my passwords on haveibeenpwned.com.

    Ironically, my least secure password of 9 characters has not been pwned while my second strongest password of 21 characters has been.


  • Ambassador

    @Pesala, none of mine


  • Moderator

    @greybeard said in Welcome and bye bye {- forum password length}:

    the same for almost 15 years

    Preferably in an odd number range. The forum does not display the dd-mm-yy of the last passwd change, nor does it send the "your pw expired, enter a new one that was not used for the last 13 months" notice. @kahukura can confirm it since our jobs are similar.


  • Moderator

    @xyzzy Even the IBM displays the pw in plain between your logon procedure and auth. It would not be mindful to post which software.

