Password Cracking Made Easy Thanks to the GPU

mwb1100:
LOL. He's thinking too highly of users. An ongoing discussion we're having in another forum about the recent imposition of better passwords is showing that most people there are dumb and don't care about their security.
-Lashiec (October 25, 2007, 07:27 PM)
--- End quote ---

But then again, the password you use for a forum probably isn't particularly sensitive.  While I wouldn't particularly want anyone to know my DC password, I'm not losing any sleep worrying about it, even though DC has the credits which have something to do with money - with most forums all a password gets you is the ability to post.  I haven't looked at the code for any forum software, but I'd be willing to bet that in most cases the password is stored in some recoverable fashion (probably even in plaintext) in the database - potentially a much bigger security risk than allowing weak passwords.

In my quick sample of 3 forums I have accounts on, I found that when I log on:

* one sends my password in plaintext
* one sends an MD5 hash of my password.  More secure, but a rainbow table dictionary lookup will have no problem getting pretty much any password less than 14 characters long
* one sent a SHA1 hash of the password combined with the userID and sessionID.  That's not too bad.

Am I worried? No.

On the other hand, my passwords for work and banking are something I take a bit more seriously.  And when I access them over the Internet, I ensure that SSL is used.

f0dder:
If something sends a hash of passphrase+whatever, it means your passphrase is stored in plaintext (or at least automatically recoverable) form somewhere server-side... If just a hash is sent, it could be that just the hash is stored serverside, but then of course the hash is just as good as your passphrase.
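
The trade-off between the MD5 and SHA1 login schemes discussed above, as an added example that is not part of the original thread: it shows what a server must keep on file to verify each token and whether a token captured in one session is accepted in the next. The concatenation order, sample values and function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample values; the concatenation order is an assumption.
USER_ID = "1001"
PASSWORD = "correct horse"

def md5_login_token(password):
    """Scheme 2 from the thread: the client sends MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest()

def sha1_session_token(password, user_id, session_id):
    """Scheme 3: the client sends SHA1(password + userID + sessionID)."""
    return hashlib.sha1((password + user_id + session_id).encode()).hexdigest()

def verify_md5(stored_md5, received):
    # The server only needs the MD5 on file, so whatever arrives on the wire
    # is compared directly: the hash itself is the credential.
    return hmac.compare_digest(stored_md5, received)

def verify_sha1_session(stored_secret, user_id, session_id, received):
    # To recompute the token the server needs the password itself, so it has
    # to keep it in plaintext or some recoverable form.
    expected = sha1_session_token(stored_secret, user_id, session_id)
    return hmac.compare_digest(expected, received)

def replay_results():
    """Replay a token captured in one session against a later session."""
    captured_md5 = md5_login_token(PASSWORD)
    captured_sha1 = sha1_session_token(PASSWORD, USER_ID, "session-A")
    return {
        # Same bytes every login: the captured value logs in again.
        "md5_replay_accepted": verify_md5(md5_login_token(PASSWORD), captured_md5),
        # Bound to session-A: rejected once the server issues session-B.
        "sha1_replay_accepted": verify_sha1_session(
            PASSWORD, USER_ID, "session-B", captured_sha1),
        # A server storing only SHA1(password) cannot rebuild the token.
        "verifiable_from_stored_hash": verify_sha1_session(
            hashlib.sha1(PASSWORD.encode()).hexdigest(), USER_ID, "session-A",
            captured_sha1),
    }

if __name__ == "__main__":
    for name, value in replay_results().items():
        print(f"{name}: {value}")
```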

mrainey:
I know next to nothing about this subject and have a question.  How secure would a well-designed twelve-character password be if it had to be used in combination with a specific user name?

tinjaw:
I know next to nothing about this subject and have a question.  How secure would a well-designed twelve-character password be if it had to be used in combination with a specific user name?
-mrainey (October 26, 2007, 12:16 PM)
--- End quote ---

Could you provide an example? There are several ways to interpret your question.

mrainey:
I guess I was thinking of a situation where a dialog requested a user name and a password as separate entries.  This is the way I protect certain pages of my website (using .htaccess and .htpasswd files).

As you can readily see, I don't have much of a handle on how all this works.   ;D
