
# What is a strong password?

2 replies to this topic

### #1 smak451


• Members
• 59 posts

Posted 28 September 2010 - 05:01 PM

So my girlfriend and I were putting pen to paper trying to get our arms around this question after a recent unpleasant experience and watching a few YouTube videos on hacking (not that we expected to see the Masters at work there) and reading a few academic papers on the subject and we focused on the "brute force" method -- maybe this would provide some food for thought.

Most alarming was an exposé on the helpful "lost password retriever program" marketed as the Lightning Hash Cracker, which claims to process 608,000,000 passwords/sec using graphics acceleration (they might have been talking about hashes but I'll assume they amount to the same thing since we're real newbies at this stuff -- and claims to be the most technologically advanced on the mkt today). So the math went something like this (she posted this in another forum but I thought it was fun and hopefully helpful here too).

The way we began to get our arms around that is to say there are (looking now) about 93 or so characters we can use on my keyboard right now, including the ~ thing and others like it. So, the formula for possible total # of permutations where order doesn't matter and repetition is allowed is simply N^x, where N is the pool to draw from and x is the number of characters in your pswrd. On average you would divide the result by 2 (he has on average to get through 1/2 of the combinations before hitting paydirt), but let's say luck is on his side and he gets it in the first 25% of all tries, so let's divide by 4 instead. Then let's say he's part of a well-funded organized crime group and strings together 100 computers, so the 608 MM/second becomes 60.8 B/sec (I think that's right so far). A 6 character password under this scenario would take 3 seconds to crack. Unless this napkin is wrong, a 12 character password would take... anyone, anyone, Bueller, Bueller? -- 546 centuries! I'm probably overlooking something, but exponents can be pretty powerful, so please correct me if I'm wrong, especially on the hash business.

Incidentally, does anyone know of a reference of what registry keys are commonly targeted by hackers and should be protected? Also looking for a guide on configuring Comodo to configure outgoing communications to trap the trojan from calling home if anyone has one anywhere (think I'm doing okay on incomings). Cheers -- S
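The napkin math in the post above, written out as an added example (not code from the original thread): it computes N^x, scales by the "luck" fraction and the guess rate, and also contrasts the offline hash-cracking rate with an online login that is rate-limited by an account lockout. The 93-character pool, the 608 M/s and 60.8 B/s rates and the 25% luck figure come from the post; the lockout policy (5 attempts per 30 minutes) is a constructed assumption.

```python
"""Brute-force time estimates for the scenario discussed in the thread."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(pool_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols drawn from `pool_size` (N^x)."""
    return pool_size ** length


def crack_time_seconds(pool_size: int, length: int,
                       guesses_per_sec: float, luck_fraction: float = 0.5) -> float:
    """Seconds until the password is hit, if it turns up after `luck_fraction`
    of the keyspace has been tried (0.5 is the average case, 0.25 the post's
    'lucky' attacker)."""
    return keyspace(pool_size, length) * luck_fraction / guesses_per_sec


def online_guess_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Best sustained guesses/sec against a live login that locks the account
    for `lockout_seconds` after `attempts_before_lockout` failures. This limit
    does NOT apply to offline cracking of a stolen password hash."""
    return attempts_before_lockout / lockout_seconds


def humanize(seconds: float) -> str:
    """Rough human-readable duration, matching the units used in the thread."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 3600:.1f} hours"
    if years < 100:
        return f"{years:.1f} years"
    return f"{years / 100:,.0f} centuries"


if __name__ == "__main__":
    POOL = 93                      # printable keyboard characters, per the post
    OFFLINE_RATE = 608e6 * 100     # 608 M/s per box x 100 boxes = 60.8 B/s
    # Constructed lockout policy (assumption): 5 failures, then a 30-minute lockout.
    ONLINE_RATE = online_guess_rate(5, 30 * 60)
    print(f"{'len':>3} {'offline (lucky, 25%)':>22} {'online w/ lockout (avg)':>24}")
    for length in (6, 8, 10, 12):
        off = crack_time_seconds(POOL, length, OFFLINE_RATE, 0.25)
        on = crack_time_seconds(POOL, length, ONLINE_RATE, 0.5)
        print(f"{length:>3} {humanize(off):>22} {humanize(on):>24}")
```

Running it reproduces the post's figures (about 3 seconds for 6 characters, about 546 centuries for 12 at the lucky 25% mark) and shows why a lockout only helps against guesses made through the live login.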

### #2 quietman7


Bleepin' Janitor

• Global Moderator
• 51,773 posts
• Gender:Male
• Location:Virginia, USA

Posted 28 September 2010 - 08:58 PM

The Simplest Security: A Guide To Better Password Practices

You can use an online Password Generator to create a random password. Note: Be careful where you store the passwords and do not write down or leave records of them anywhere that you would not leave the information that they are designed to protect.

Another option is to use a third party Password Manager like KeePass Password Safe or Password Safe.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


### #3 smak451

• Topic Starter

• Members
• 59 posts

Posted 29 September 2010 - 02:47 AM

Quietman7 -- The man who brought me back from the depths of despair! I hope you are well. I was just curious, but I've learned how to limit # failed logon attempts and lockout duration using cmd (which I've done naturally) -- but will that also defeat this hash matching thing? My guess is not.

You're right about the bad guys not needing a warrant -- that's why we need a few online Dexters around -- great series on Showtime if you haven't caught it! Cheers, -- S
