security of passwords

MrYoop
Registered User
Posts: 99
Joined: Sat Dec 27, 2003 1:02 pm
Location: Wisconsin, USA

Post by MrYoop »

:lol: :wink:
MrYoop
I Yoop ... So You Don't Have To!
Novice Supporter Not Provided over PM!
Always Backup & Save!!!
<!-- News: Use Of Support Template Speeds Up Support!! --!>
Gud
Former Team Member
Posts: 597
Joined: Fri Sep 07, 2001 11:02 am

Post by Gud »

Outofmymindyo wrote:
Saubloed wrote: If you have a password with only 4 or 5 characters it will take only some seconds to bruteforce it.


Actually, brute force of a 3-letter password (no numbers or special characters) would take anywhere from a few weeks to a few months to crack. I've done the research, simply because I needed to get a password out of my FTP program that I couldn't remember. Brute forcing takes a VERY long time because of the amount of combinations it checks, therefore is basically useless to the everyday hacker/cracker.



Uhm, you could bruteforce a three-letter password MANUALLY within an hour. ;)
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany

Post by Saubloed »

MrYoop wrote: Actually no.

According to that chart you supplied
A 6 character password would take up to 3 Months.


As I wrote above, an Athlon 1.53 GHz can do the bruteforce 50 times faster than in the chart.
Due to the fact that phpBB uses all printable characters for passwords.


phpBB only uses what you choose as password. And you can NOT enter non-printable signs AFAIK (even if you can, how do you remember them?).
Also as a side note: I personally do not have one password that is less than 16 characters. They all use every type of printable character, and also do not even hint at forming any word/phrase.

And that is what I suggest to everyone who is worried about their passwords to do.


But only if you use a safe browser (not Microsoft Internet Explorer or based on them) and a safe e-mail program and so on. :D
DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am

Post by DanielT »

hmmm,

I was attempting to make an MD5 list of the following characters:

abcdefghijklmnopqrstuvwxyz(and in caps),./;'#[]0987654321\`<>?:@~{}+_)(*&^%$£"!=


in every combination possible. I got up to about ===== (as a test) in about two hours, using a simple PHP script (on a 1.8 GHz, 256 MB machine, run through command line, not through a web browser)

(I have the 18GB output file if you want it ^_^)

so outty, I think your 'weeks' estimation was slightly wrong :P
SLSTEK
Registered User
Posts: 36
Joined: Sat Aug 17, 2002 1:45 pm
Location: 1001001000001100

Post by SLSTEK »

well -- you cheated using php, because he was going to type them all in by hand :)
Help, at least do no harm.
DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am

Post by DanielT »

SLSTEK wrote: well -- you cheated using php, because he was going to type them all in by hand :)


Outofmymindyo never said she was going to write them by hand :)
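
Added example, not part of any post in this thread: the posts above disagree about how password length and character set affect exhaustive-search time, so this sketch computes the worst-case search time and the minimum length a password policy would need. The guess rates and the names used (ASSUMED_RATES, min_length and so on) are assumptions chosen for illustration, not measurements from the thread.

```python
# Added example: exhaustive-search cost as a function of alphabet and length.
# The guess rates below are assumptions, not figures taken from the thread.

LETTERS = 26      # lowercase letters only ("no numbers or special characters")
PRINTABLE = 95    # printable ASCII, space included

ASSUMED_RATES = {  # guesses per second (assumed)
    "throttled online login": 10,
    "offline, fast unsalted hash": 1_000_000_000,
}

def keyspace(alphabet, max_len):
    """Candidates tried when every length from 1 to max_len is searched."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def worst_case_seconds(alphabet, max_len, rate):
    """Time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet, max_len) / rate

def min_length(alphabet, rate, target_seconds):
    """Shortest length whose full search lasts at least target_seconds."""
    n = 1
    while worst_case_seconds(alphabet, n, rate) < target_seconds:
        n += 1
    return n

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"

def report(lengths=(3, 6, 8, 12, 16)):
    """One row per (rate, alphabet, length) with the worst-case search time."""
    rows = []
    for label, rate in ASSUMED_RATES.items():
        for alphabet in (LETTERS, PRINTABLE):
            for n in lengths:
                rows.append((label, alphabet, n, human(worst_case_seconds(alphabet, n, rate))))
    return rows

if __name__ == "__main__":
    for row in report():
        print("{:<28} alphabet={:<3} length<={:<3} {}".format(*row))
    century = 100 * 31_536_000
    print("printable ASCII, offline rate, 100 years: length", min_length(PRINTABLE, 1e9, century))
```

Each extra character multiplies the search by the alphabet size, which is why the minimum length moves only a few characters even when the assumed guess rate changes by orders of magnitude.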