Short passwords are vulnerable - and by short, we mean 8-characters
#1
The Register: Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Or under 15 seconds if you have applicable rainbow tables and a GPU. (And who doesn't have a GPU nowadays?)


IMHO, this xkcd strip has a good idea but doesn't implement it correctly. (For one thing, Mr. Munroe implies his password is 25 elements {letters} long when it's actually 4 elements {common dictionary words} long.)
--
Rob Kelk

Sticks and stones can break your bones,
But words can break your heart.
- unknown
Reply
RE: Short passwords are vulnerable - and by short, we mean 8-characters
#2
Funny, The Register's article points out that said password in fact works quite well; it even refers to it and the strip in question directly.

And no, what you are overlooking here is that it doesn't matter if the password is 4 elements; the cracker has no way of knowing anything more than there are 25 characters there, and therefore must brute force each one. The ease comes in on the human side, where one uses personal mnemonic associations to more easily create the long string needed.
Hear that thunder rolling till it seems to rock the sky?
That's every ship in Grayson's Navy taking up the cry!
NO QUARTER!

No Quarter by Echo's Children
Reply
RE: Short passwords are vulnerable - and by short, we mean 8-characters
#3
Basically, when you are dealing with 'random asshole trying to get access to your account', it matters how long he has to spend cracking your password, because he has no specific need for you in particular. In such cases having a long but easily remembered password works fine, because he's unlikely to access your personal records and history for hints; he just doesn't care enough. For the time spent cracking you he can have a dozen or more others. When you are dealing with 'somebody wants access to your account specifically', though, that goes out the window and a random password generator becomes more reliably difficult to hack. Because he wants access to your account, and if that means some more legwork... he does that legwork, or has it done for him.
Reply
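An added example, not part of any post above: posts #1 and #2 count the same passphrase in different units (4 words versus 25 characters), and this sketch computes the search space under both models. The guess rate is derived from the 2.5-hour figure in the quoted headline; the word list, its assumed size of 2048 and the two sample passwords are constructed for illustration.

```python
import math

# Rate implied by the headline quoted in post #1: every 8-character password
# over the 95 printable ASCII characters in 2.5 hours (about 7.4e11 guesses/s).
RATE = 95 ** 8 / (2.5 * 3600)

# Constructed sample word list. LIST_SIZE is an assumption: the size of the
# list the words are presumed to be drawn from (2048 words = 11 bits per word).
WORDS = {"correct", "horse", "battery", "staple", "bat", "at", "or", "table"}
LIST_SIZE = 2048


def charset_size(pw):
    """Alphabet a per-character brute force must cover for this password."""
    size = 26 * any(c.islower() for c in pw)
    size += 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += 33 * any(not c.isalnum() for c in pw)  # printable ASCII symbols
    return size


def min_words(pw, words):
    """Fewest list words that concatenate to pw, or None if it does not split."""
    best = [0] + [None] * len(pw)
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]


def guess_bits(pw, words=WORDS, list_size=LIST_SIZE):
    """(per-character bits, word-level bits or None) for a non-empty password."""
    char_bits = len(pw) * math.log2(charset_size(pw))
    n = min_words(pw.lower(), words)
    return char_bits, (n * math.log2(list_size) if n else None)


def hours_to_exhaust(bits, rate=RATE):
    """Hours to try every candidate in a 2**bits search space at the given rate."""
    return 2 ** bits / rate / 3600


if __name__ == "__main__":
    for pw in ("k7#Qz!p2", "correcthorsebatterystaple"):  # constructed samples
        c, w = guess_bits(pw)
        print(pw, f"char={c:.1f} bits ({hours_to_exhaust(c):.3g} h)",
              "word=n/a" if w is None else f"word={w:.1f} bits ({hours_to_exhaust(w):.3g} h)")
```

Which of the two figures applies depends on whether the guesser enumerates single characters or whole words from a list.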

