View Full Version : Password Strength



OBIII
06-28-2014, 01:15 AM
With all of the concern about ID protection, Steve Gibson of Gibson Research Corp. has come up with a neat way for anyone to check the strength of the passwords that they tend to choose. This is not a password generator, or password cracker, but rather a means to examine the types of passwords that you would normally choose, for everyday use. It gives a better understanding of what it takes to generate a really secure password. Hope it is of use to some of you.


https://www.grc.com/haystack.htm

OB

Catshooter
06-28-2014, 02:11 AM
Interesting. My passwords seem to pass the test. Thanks.


Cat

doc1876
06-28-2014, 09:26 AM
This is cool, I just tried to have this conversation last night. Now I have "Ammunition"

RED333
06-28-2014, 09:58 AM
So you type in your passwords and just give them to a site you don't know?
I don't think so.

imashooter2
06-28-2014, 10:10 AM
Do what you want, but Gibson Research is a well known and respected company that has been working in computer and internet security for a long time.

Cornbread
06-28-2014, 10:22 AM
Looks like the fastest one would take 3.4 centuries to crack any of mine. I use very strong passwords.

Blammer
06-28-2014, 10:40 AM
I just made up a few new ones to try, didn't type any of my "real" ones in. Just in case... :)

Pretty good ideas.

bangerjim
06-28-2014, 11:01 AM
Gee........I guess my luggage code 1-2-3-4 is not as good as I thought!


HA.......ha!

banger

waksupi
06-28-2014, 11:11 AM
1.21 centuries for mine. I don't think I'll worry too much!

Hickory
06-28-2014, 11:20 AM
This is how mine turned out.




Enter and edit your test passwords in the field above while viewing the analysis below.
Brute Force Search Space Analysis:


Search Space Depth (Alphabet):
26+10 = 36


Search Space Length (Characters):
11 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
135,382,323,952,046,196


Search Space Size (as a power of 10):
1.35 x 10^17


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
43.05 thousand centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
2.24 weeks


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
22.56 minutes

OBIII
06-28-2014, 04:52 PM
So you type in your passwords and just give them to a site you don't know?
I don't think so.

From my original post: "but rather a means to examine the types of passwords that you would normally choose"

I checked mine, but I trust GRC. Say you were thinking of a new password. That is the purpose. If you have easy passwords and choose to stay with the same types, you increase your chances of being compromised. It's only a tool.

OB

Cornbread
06-28-2014, 07:17 PM
Do you want strong passwords you can remember? Just type in a sentence you can remember that is 14 characters long or greater, capitalize every nth letter of each word and leave no spaces. Easy for you to remember, just about impossible to crack e.g.
ILoveMyWifeAndKids!

It is 19 characters and would take 1.47 trillion centuries to crack.

or

ILoveMyBlueHouse!

It is 17 characters long and would take 2.03 billion centuries to crack.

Passwords don't have to be hard to remember stuff like 1Blue@lph!6. What you need to know is that the length of the password matters much more than the complexity of its readability to humans. It has to do with the nature of cracking passwords being a problem that falls into a class of problems called NP problems. So every letter you add makes it exponentially harder to crack. Computers see those characters as zeros and ones, the letter "A" is no harder for a computer to guess than the symbol "@". It makes no difference, data is data to a computer. What really matters is how many permutations it has to try to come up with the right answer. The longer your password, the harder it will be to crack. 14 characters or longer and no system known to man can crack it. So do yourselves a favor, make your passwords phrases that you can remember that are 14 characters or longer. You'll make your life easier and make your passwords impossible to crack.

462
06-28-2014, 07:21 PM
One I'm considering:

Brute Force Search Space Analysis:


Search Space Depth (Alphabet):
26+33 = 59


Search Space Length (Characters):
29 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
2,302,143,312,315,097,670,688,384,719,958,037,783,979,712,069,444,899


Search Space Size (as a power of 10):
2.30 x 10^51


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
7.32 hundred trillion trillion trillion centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
7.32 million trillion trillion centuries


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
7.32 thousand trillion trillion centuries



Since Obama has already cracked the current one (.029 seconds) seems like it would be prudent to change.

dragon813gt
06-28-2014, 07:42 PM
Of course I had to be childish. Here are the results for password; Iloveboobies4Life.

Search Space Depth (Alphabet):
26+26+10 = 62

Search Space Length (Characters):
17 characters

Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
3,004,142,822,311,961,681,685,446,617,322

Search Space Size (as a power of 10):
3.00 x 10^30

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:
(Assuming one thousand guesses per second)
9.55 hundred thousand trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
9.55 billion centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
9.55 million centuries


Stringing together three or four random words makes for a very secure password. Just make sure they aren't the names of family members for obvious reasons. I need to change quite a few of mine even though they were generated w/ a program and contain everything possible.

Catshooter
06-29-2014, 01:46 AM
Of course one wouldn't put in one's actual passwords. They are a highly respected and reputable company. So is Microsoft. And who could be more trustworthy than the NSA? :)

I just typed in passwords of the same style and length as mine.


Cat

Elkins45
06-29-2014, 01:40 PM
That's a very interesting website and it makes me think. I had never thought about the difference between length and randomness and how length is more important in a brute force attack.

dbosman
07-05-2014, 09:33 PM
This week.
The folks that care keep improving.


Looks like the fastest one would take 3.4 centuries to crack any of mine. I use very strong passwords.

HollandNut
07-05-2014, 10:00 PM
interesting

I entered an eight digit password that I used in the past, three letters followed by five digits

with the letters all lower case it's 92.27 years

make one letter upper case and it is 70.56 centuries

kungfustyle
07-05-2014, 10:58 PM
Cool stuff.

fatelk
07-06-2014, 02:50 AM
I use a lot of passwords at work, for several different systems, and the varying requirements are frustrating. One requires 8 to 12 characters, with at least one capital, one number, and one special character, while another won't allow special characters, etc.

Of course they're all supposed to be different so if one gets hacked they can't get them all, but I know most people either try to make them the same or at least close, or keep them all written down somewhere, defeating the purpose. Then on top of that most of them are required to be changed periodically.

gsdelong
07-06-2014, 08:21 AM
It does not appear to look at dictionary attacks. By the way the above site looks like a great way to build a huge dictionary of passwords. Also evaluate P@$$w0rd probably in the first 50 guesses of any 15 year old with IT knowledge.

medalguy
07-09-2014, 01:47 AM
I'm impressed. Mine came in as:
GRC's Interactive Brute Force Password “Search Space” Calculator
(NOTHING you do here ever leaves your browser. What happens here, stays here.)






3 Uppercase
6 Lowercase
2 Digits
1 Symbol
12 Characters

Enter and edit your test passwords in the field above while viewing the analysis below.
Brute Force Search Space Analysis:


Search Space Depth (Alphabet):

26+26+10+33 = 95



Search Space Length (Characters):

12 characters



Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)

546,108,599,233,516,079,517,120



Search Space Size (as a power of 10):

5.46 x 10^23



Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)

1.74 hundred billion centuries



Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)

1.74 thousand centuries



Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)

1.74 centuries



Note that typical attacks will be online password guessing
limited to, at most, a few hundred guesses per second.

Brithunter
07-09-2014, 04:55 AM
Hmmm seems a few of mine were a bit weak, easy to crack, so have just updated them. I typed in similar types of passwords and not ones in use then used the information to strengthen mine. Ones for important places are longer for obvious reasons.

Here is the result:-

Brute Force Search Space Analysis:


Search Space Depth (Alphabet):
26+26+10+33 = 95


Search Space Length (Characters):
19 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
38,136,800,256,227,897,272,064,940,472,866,626,495


Search Space Size (as a power of 10):
3.81 x 10^37


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
12.13 trillion trillion centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
1.21 hundred thousand trillion centuries


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
1.21 hundred trillion centuries






Hmmm that should about do methinks :razz:

Cornbread
07-09-2014, 08:39 AM
It does not appear to look at dictionary attacks. By the way the above site looks like a great way to build a huge dictionary of passwords. Also evaluate P@$$w0rd probably in the first 50 guesses of any 15 year old with IT knowledge.

Using a simple sentence that is 14 characters or longer like I suggested will defeat dictionary attacks as well so long as you don't use something like "ThisIsMyPassword".

alamogunr
07-09-2014, 10:54 AM
I just found this thread. Very interesting. While I don't choose easy passwords, I do use the same one for any site that is of no consequence if hacked. Such as Cast Boolits. I try to use unique passwords for critical sites (bank accounts, credit card accounts, brokerage accounts, etc.) and change them occasionally.

I haven't gone to the referenced site yet but will and will probably change many of my passwords.

I am curious if anyone has a comment about my passwords for sites that have no financial consequences.

dragon813gt
07-09-2014, 11:10 AM
I am curious if anyone has a comment about my passwords for sites that have no financial consequences.
I do the same. They all aren't the same but I do use a few of them repeatedly. This is one of the few forums where my password is unique due to how and when I signed up.

alamogunr
07-09-2014, 12:27 PM
I just changed the passwords on several sites that would have financial impact if hacked. One of them limited the length to 12 characters. Another was not case sensitive. The first had no impact on security and the second (comparison below) appeared to me to be significant.



Search Space Depth (Alphabet):
26+10+33 = 69


Search Space Length (Characters):
10 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
2,482,167,502,723,212,150


Search Space Size (as a power of 10):
2.48 x 10^18


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
7.89 hundred thousand centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
9.47 months


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
6.89 hours






Search Space Depth (Alphabet):
26+26+10+33 = 95


Search Space Length (Characters):
10 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
60,510,648,114,517,017,120


Search Space Size (as a power of 10):
6.05 x 10^19


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
19.24 million centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
19.24 years


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
1.00 weeks




On the site that didn't recognize alpha case differences, I didn't change the password. I probably will at some later time. Also my passwords are not memorable. I have to write them down. It is somewhat inconvenient if I need a password while away from home, but I accept that. An intruder might possibly find my list but he would have to stay in the house much longer than would be comfortable.

Blacksmith
07-09-2014, 06:38 PM
I like this one:

Tea42AndILoveYou!

Brute Force Search Space Analysis:


Search Space Depth (Alphabet):
26+26+10+33 = 95


Search Space Length (Characters):
17 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
4,225,684,238,917,218,534,300,824,429,126,495


Search Space Size (as a power of 10):
4.23 x 10^33


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
1.34 billion trillion centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
13.44 trillion centuries


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
13.44 billion centuries

fastfire
07-09-2014, 07:49 PM
I should be in purdy fair shape.

Brute Force Search Space Analysis:


Search Space Depth (Alphabet):
26+10+33 = 69


Search Space Length (Characters):
11 characters


Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)
171,269,557,687,901,638,419


Search Space Size (as a power of 10):
1.71 x 10^20


Time Required to Exhaustively Search this Password's Space:


Online Attack Scenario:
(Assuming one thousand guesses per second)
54.46 million centuries


Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
54.46 years


Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
2.83 weeks

chuckbuster
07-10-2014, 07:05 AM
Seven Characters and a Capital works for me

DocSleepyGrumpyBashfulHappyDopeySneezyLansing

:)
Kevin

alamogunr
07-10-2014, 08:59 AM
I would hope that no one is posting actual passwords that they intend to use.

attrapereves
07-16-2014, 06:54 PM
For those who have a lot of passwords, I recommend LastPass. It keeps track of all of your passwords. I don't even know my passwords as they are randomly generated by LastPass. The Chrome extension auto fills the passwords. There is also an app for iOS and Android.

By default it generates passwords that are 12 characters and contain uppercase, lowercase, and numbers. It says that a randomly generated password would take 1.04bil centuries to crack using the online fast method. Good enough for me.

I keep a backup encrypted spreadsheet just in case something ever happens to LastPass.

wabashman
07-16-2014, 11:46 PM
For those who have a lot of passwords, I recommend LastPass. It keeps track of all of your passwords. I don't even know my passwords as they are randomly generated by LastPass. The Chrome extension auto fills the passwords. There is also an app for iOS and Android.

By default it generates passwords that are 12 characters and contain uppercase, lowercase, and numbers. It says that a randomly generated password would take 1.04bil centuries to crack using the online fast method. Good enough for me.

I keep a backup encrypted spreadsheet just in case something ever happens to LastPass.

I love this app. Makes work so much easier where the sites require a 9 character password.

David2011
07-17-2014, 11:04 PM
As the website says, there are two types of password strength. One is the complexity and the other is the dictionary strength. By using a string of characters that is not a word you increase the dictionary strength considerably. The string need not be very long. Something like zpKx or a letter from the name of some family members with a mix of upper and lower case would seriously increase the dictionary strength.

You can test your password on the OP's link by entering a different combination of characters that has the same quantity of upper case, lower case, punctuation and numeric characters as your actual password. The results will be the same in the test.

David