How to truly test password security?

So I am sitting here inserting a password I made up out of special characters, numbers, letters, in alternating case, and everything that comes up gives me a full green bar. However, how do I really know that it's that secure?

Is there a user side benchmark for passwords? Do I just run aircrack against it and see when the machine explodes?

I found this link on L1T. I don't know if it answers your question though, I'm a total newbie.


Publish it on the internet and see if you get hacked!!

vywTb4doY@C4a558QiiJG~8NlfOk&o~CbsA$2eTv come at me bro!

I generally don’t trust the sites where you have to enter your password and they evaluate it. Some of the sites are client side or can be run as stand alone on your machine. You can use those sites to get a sense of security, just don’t use your actual passwords.

I tend to go for longer, random passwords and don’t get too hung up on the size of the keyspace or if there are at least 3 different kinds of symbols or no more than 3 capital letters in a row, but at least 4 non-numeric, non-symbol, non-lowercase characters in a row.

I think 100+ to 250 bits of entropy is secure for our lifetime, depending on the content that the password is protecting. I also use a password manager so that I don’t have to remember 20+ random characters for each password that I use.


I don’t have a good enough ROT with my devices being in flux all the time LOL

To know if your password is secure you have to know what hackers do to crack them.

What kind of password is best?
Upper/lower case, numeric and special chars with 10 or more characters is currently too long to crack in any reasonable time, if the hacker is using brute force.
That's not too long to crack, but will take days or weeks even, on a 3090 Ti or equivalent.
Basically, the longer the better.

If your password hash has been leaked then it's a case of whether the hash is crackable (psst, most are).
Then it's a simple case of running a Python script to brute-force the hash and reveal its secrets.
This is way quicker as the GPU is just making hashes from a wordlist and comparing them to your leaked hash. If it's the same, they print the word that creates that hash.
Password cracked. :confused:

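To make the wordlist-on-a-leaked-hash picture above concrete, here is an added example written for this thread (not the poster's code and not any particular cracker's): a pure-Python dictionary attack against one leaked, unsalted MD5 hash, with a few hashcat-style mangling rules layered on top of each word, and a helper that puts a number on "too long to brute-force" for a given alphabet, length and hash rate. The wordlist, the "leaked" hash and the 1e11 hashes/second rate in the demo are constructed assumptions; a real run streams rockyou.txt and uses the attacker's measured rate for the target algorithm.

```python
import hashlib

# Constructed stand-in for a few lines of rockyou.txt (assumption: a real
# run would stream the 14-million-line file instead of a list literal).
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty", "monkey"]


def hash_candidate(candidate: str, algo: str = "md5") -> str:
    """Hash one guess the way the leaked site did. Unsalted MD5 is assumed
    here because it is the fast, worst-case storage the post describes."""
    return hashlib.new(algo, candidate.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield rule-based variants of a base word, in the spirit of hashcat
    or John rules: as-is, capitalised, two trailing digits, one trailing
    symbol. One dictionary word becomes 210 guesses, which is still vastly
    cheaper than exhausting the whole character set."""
    for base in (word, word.capitalize()):
        yield base
        for n in range(100):
            yield f"{base}{n:02d}"
        for sym in "!@#$":
            yield f"{base}{sym}"


def crack(leaked_hash: str, wordlist, algo: str = "md5"):
    """Dictionary-plus-rules attack on a single leaked hash.

    Returns (plaintext, guesses_tried) on success or (None, guesses_tried)
    when the wordlist is exhausted. A plain string compare is fine here:
    the attacker holds no secret that timing could leak."""
    target = leaked_hash.lower()
    tried = 0
    for word in wordlist:
        for guess in mangle(word):
            tried += 1
            if hash_candidate(guess, algo) == target:
                return guess, tried
    return None, tried


def brute_force_seconds(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust every string of exactly `length`
    characters over `alphabet_size` symbols at a given hash rate. The rate
    is whatever the attacker's hardware does for the target algorithm;
    treat it as an input, not a constant."""
    return alphabet_size ** length / hashes_per_second


if __name__ == "__main__":
    leaked = hash_candidate("Sunshine99")            # constructed "leaked" hash
    print(crack(leaked, WORDLIST))                    # found in a few hundred guesses
    random_pw = "vywTb4doY@C4a558QiiJG~8NlfOk&o~CbsA$2eTv"
    print(crack(hash_candidate(random_pw), WORDLIST))  # (None, ...) - not in any wordlist
    years = brute_force_seconds(94, 10, 1e11) / (365 * 86400)
    print(f"94^10 at 1e11 H/s: {years:.1f} years")  # assumed rate, for scale only
```

Two things the numbers show: a "complex" password built from a dictionary word plus a suffix falls in a few hundred guesses, while the 40-character random string is only reachable by exhaustive search, and even 10 random printable characters take on the order of decades at the assumed rate. Salting would not stop the single-hash attack above, but it does stop one hash computation from being compared against every leaked record at once.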

And to boot, there are ways to narrow down the search space, based on common patterns, such as a word followed by 2 numbers or two words with a symbol in the middle. It turns out that, as a species, we are terrible at picking secure passwords.

I used to run min 100 letters, capitalized letters, numbers, symbols and ASCII special characters. Even a few dedicated data centers will take some time cracking it with brute force. Then my browser had a glitch and copy paste was broken so it required a way to type it manually. :neutral_face: So I downgraded it to something more reasonable. 50 letters, capitalized letters, numbers, and symbols.

And then, I encountered using passwords in a machine that isn’t mine and without a password manager installed so from there, I switched to a passphrase salted with a few numbers and symbols and kept it on a more reasonable word length, plus a vernacular word that isn’t likely to be used in a dictionary attack. On my next round of password replacement, it will be for all.

Also, mind you, the classic XKCD comic:

[image: XKCD comic on password strength]

Works for the government, private organization, criminals, mafia, drug lords, etc…


XKCD is always correct!

HaveIBeenPwned has their password hashes available for download:

If you’re unaware of HIBP, when there’s a data leak online HIBP collects the passwords and puts them in their collection, so you can at least protect against credential stuffing / password reuse.

Couple that with something like this: (I’ve not used this exact software, so I cannot vouch for the safety of it) and you can check passwords offline.

For maximum paranoia, put it in a VM with no network. If they’re in the hash, they’re “known” and probably going to end up in a credential stuffing attack at some point.

more XKCD:

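As an added, fully offline worked example of the HIBP check described above (not the poster's code and not any particular tool's), here is the lookup done two ways against constructed data in the layout HIBP publishes: the full Pwned Passwords download, one `SHA1HEX:COUNT` per line sorted by hash, and a range-API style reply where only the first five hex characters of the SHA-1 ever leave the machine. The two hashes are the real SHA-1 values of "password" and "123456"; every count and the extra suffix are made up for the example.

```python
import hashlib
from bisect import bisect_left

# Constructed excerpt in the layout of the HIBP Pwned Passwords download:
# "SHA1HEX:COUNT" per line, upper-case hex, file ordered by hash.
# The hashes are SHA-1("password") and SHA-1("123456"); counts are made up.
SAMPLE_DOWNLOAD = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
"""

# Constructed reply in the layout of the HIBP range API for prefix 5BAA6:
# every 35-char suffix sharing that prefix, with its count. The second
# suffix is invented filler so the match is not the only line.
RANGE_CACHE = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
1F4C0FCE0C5B6FA0E46F46DE7F0A1E0D9C1:2
""",
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_download(text: str):
    """Parse the download into parallel hash/count lists for binary search."""
    hashes, counts = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        h, c = line.split(":")
        hashes.append(h)
        counts.append(int(c))
    if hashes != sorted(hashes):
        raise ValueError("download must be the hash-ordered variant")
    return hashes, counts


def breach_count_offline(password: str, hashes, counts) -> int:
    """Times the password appeared in breaches, 0 if never seen.
    bisect keeps this O(log n) even against the full multi-GB list."""
    h = sha1_upper(password)
    i = bisect_left(hashes, h)
    if i < len(hashes) and hashes[i] == h:
        return counts[i]
    return 0


def lookup_sample(password: str) -> int:
    hashes, counts = load_download(SAMPLE_DOWNLOAD)
    return breach_count_offline(password, hashes, counts)


def split_for_range(password: str):
    """k-anonymity split: the 5-char prefix is all a server would see;
    the 35-char suffix stays local and is matched client-side."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Match the local suffix against a range reply (served from cache here)."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        s, c = line.split(":")
        if s == suffix:
            return int(c)
    return 0


def range_lookup_sample(password: str):
    """Returns the count, or None when the prefix is not in the local cache
    (a live client would fetch that range; this example never goes online)."""
    prefix, suffix = split_for_range(password)
    body = RANGE_CACHE.get(prefix)
    if body is None:
        return None
    return breach_count_from_range(suffix, body)
```

The point of the split is that even the range API never learns the password or its full hash, so the "put it in a VM with no network" advice is only needed for the tools you cannot audit, not for the protocol itself. A count of zero means "not in this list", which is not the same as "strong"; a count above zero means the password is already in attacker wordlists and should be treated as burned.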

Run Hydra against it with Rockyou dictionary. That’s a good start at least. Make sure to use GPU to speed things up.


There we go, a real fine answer.

ty

I only know about rainbow tables and it's been a hot minute since I grabbed the full list. Last I recall it was roughly 1.23TB.


Like I said, not in any reasonable time.
Hydra is good for about 6-8 letters and numbers in an hour or 3, with a GPU and using rockyou.

9 letters, you're looking at a day at least.
10 letters, up to a week.
More than 10 letters, good luck with your electricity usage.
And that isn't even with adding special chars to the words in rockyou.


BTW, if you happen to think about designing your own password storage while in the middle of some random project because you learned a bit of crypto and found some handy APIs … don’t.

Either use bcrypt or use pufferfish2 if you’re feeling fancy.

If you need to use a password to derive a key (as opposed to using random material as a key, which you could store securely), don't just hash something once, use a KDF (key derivation function like argon2id).


These all combine multiple rounds of SHA (or BLAKE) to make it expensive time wise to brute force stuff. … and/or make it both memory expensive as well, in order to resist being able to parallelize cheaply. (e.g. computing on GPUs or on custom ASICs).

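Added example for the "don't design your own password storage" point above (this is not the poster's code): the naive single-hash record next to a salted, iterated, self-describing record. It uses PBKDF2-HMAC-SHA256 from the Python standard library only so the snippet runs without third-party packages; argon2id (argon2-cffi) or bcrypt are the right choices in production, as the post says, and plug into the same make/verify/rehash shape. The record layout, the cost constant and the `$`-separated format are this example's own conventions.

```python
import base64
import hashlib
import hmac
import os

# Cost for PBKDF2-HMAC-SHA256. 600,000 is the current OWASP figure for this
# algorithm; in real code prefer argon2id, which is also memory-hard.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def naive_store(password: str) -> str:
    """The thing not to do: one fast, unsalted hash. Every user with the same
    password gets the same record, and a GPU tests billions per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm, cost, per-user salt, derived key.
    Storing the cost lets you raise it later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time so
    a mismatch in the first byte takes as long as a mismatch in the last."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy.
    Call right after a successful verify(), then store make_record() afresh,
    since that is the only moment the plaintext is available."""
    _, iters, _, _ = record.split("$")
    return int(iters) < iterations


if __name__ == "__main__":
    print(naive_store("hunter2") == naive_store("hunter2"))  # True: identical records
    rec = make_record("hunter2")
    print(rec)
    print(verify("hunter2", rec), verify("hunter3", rec))    # True False
```

Note what the derived-key route gives the KDF case in the post as well: the same `pbkdf2_hmac` call with the salt stored beside the ciphertext yields the encryption key, and the cost parameter is exactly what makes offline guessing expensive.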

Dude my life RN needs to be more calm and relaxed than an album by Owen. I don’t really have the energy for that right now.


A password is as secure as the protocols that communicate the password. Those are to be tested, not really a password with random characters in it. Those usually have enough entropy to be unguessable.

If you want to generate a password with as much entropy as possible just use dice to generate it. Diceware if you want a password that a human can remember, just assigning random characters to a number if you want to go for pure chaos.
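Added example for the dice suggestion above (not the poster's code): rolling dice into either a Diceware-style passphrase or a per-character "pure chaos" password without modulo bias, plus the entropy arithmetic behind the "100 to 250 bits" figure earlier in the thread. The 36-word list is constructed so that two dice pick a word exactly; a real Diceware list has 7776 words and uses five dice, which the same functions handle unchanged. `secrets` stands in for physical dice here.

```python
import math
import secrets

# Constructed 36-word list so two dice (36 outcomes) pick a word with no
# rejection. A real Diceware list has 7776 words and uses five dice.
WORDS = """apple brick cloud dance eagle flute grape house ivory jelly knife lemon
mango night ocean piano queen river stone tiger umbra voice water xenon yacht
zebra amber bison cider delta ember frost glade heron inlet joust""".split()

SIDES = 6
ALPHABET = "".join(chr(c) for c in range(33, 127))  # 94 printable ASCII, no space


def roll_die() -> int:
    """One fair die. secrets stands in for a physical die; replace this
    with input() if you really are rolling on a table."""
    return secrets.randbelow(SIDES) + 1


def dice_needed(n: int) -> int:
    """Smallest number of dice whose outcome space 6**k covers n items."""
    k = 1
    while SIDES ** k < n:
        k += 1
    return k


def dice_to_index(rolls, n: int):
    """Map a roll sequence to an index in [0, n) without modulo bias.
    Outcomes are numbered 0..6**k-1; anything at or above the largest
    multiple of n is rejected (None) so every index is equally likely.
    For Diceware, 6**5 == 7776 exactly and nothing is ever rejected."""
    space = SIDES ** len(rolls)
    value = 0
    for r in rolls:
        value = value * SIDES + (r - 1)
    limit = (space // n) * n
    if value >= limit:
        return None
    return value % n


def pick(items):
    """Roll until an un-rejected index comes up, then return that item."""
    k = dice_needed(len(items))
    while True:
        idx = dice_to_index([roll_die() for _ in range(k)], len(items))
        if idx is not None:
            return items[idx]


def diceware_passphrase(n_words: int, words=WORDS) -> str:
    return " ".join(pick(words) for _ in range(n_words))


def dice_password(length: int, alphabet: str = ALPHABET) -> str:
    """'Pure chaos' mode: every character chosen by dice over the alphabet."""
    return "".join(pick(alphabet) for _ in range(length))


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(symbols).
    Only valid when each symbol was chosen uniformly, which the dice
    guarantee and a human-picked password does not."""
    return length * math.log2(symbols)


if __name__ == "__main__":
    print(diceware_passphrase(6), entropy_bits(len(WORDS), 6))
    print(dice_password(20), entropy_bits(len(ALPHABET), 20))
    print("real Diceware, 6 words:", entropy_bits(7776, 6))
```

The rejection step is the part people skip: taking `value % n` straight off the dice favours the low indexes whenever 6**k is not a multiple of n, and that bias is exactly what a cracker's probability-ordered wordlist exploits. Six words from a 7776-word list is about 77.5 bits; 40 characters drawn uniformly from the 94 printable ASCII characters is about 262 bits, which is where the 250-bit figure earlier in the thread comes from.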