next »

[Hijpo]

http://thehackernews.com/2011/10/gpu-cracks-6-character-password-in-4.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Daily+Cyber+News+Updates%29&m=1

Thas nuts

[Wooster]

Aye, they've been doing that for a while now with quad setups and such, but 4 seconds on an old card ain't bad.


...then again, maybe it is bad...for us all.

[Hijpo]

It doesnt say what method it used to crack them or what kind of password it was, random characters or dictionary words 

[corroded]

Yeah it does, it says 6 character strong passwords, which implies alpha numeric, punctuation and capitalisation.

It's not quite that simple. That'd simply be a hashed password, with no salting, probably some md5 or sha1 based hash. It'll be decent at cracking people who don't know how to set up any security (and probably exposing password upon password to another site, as people always use the same combination). Salting adding in that unknown factor adds a large factor of randomness to the hash..

I'm personally thinking of switching my passwords over to a system based on Diceware

[Wooster]

I had reason to bitch about some password policies recently.

It's a client site that requires a Username/PIN + RSA/Password.

Problem is, they request a monthly change on the Password, but it's a portal to a Telnet app I use (Citrix) that also requires a monthly change of password.. and they use different criteria when it comes to stuff like Caps/Non caps/Letters + Numbers etc.
Not only that, they have another site I use that has an entirely different set of criteria for logging in, and the password change request can occur monthly, quarterly or bi-annually.

My point was that making it so awkward, forces people to write things down.

.It isn't going to make any difference though, since their Admins will be following the standard Windows Server xxxx methodology, so it's going to be like it always was.
...turn over the keyboard, look in the top drawer...and somewhere, among the clutter, will be a bit of paper with all the details you need to know.  

[corroded]

I only have two passwords... one that leads to a drive, and one that leads to many others. And that is a fifteen digit long alpha numeric, punctuated beast that I've memorised.

[Hijpo]

What about ASCII symbols? Can they be used?

[corroded]

They can be... depends on the system supporting it I guess. Still not as good as a Diceware list though.

http://en.wikipedia.org/wiki/Password_strength