Hackers crack 16-character passwords in less than an HOUR
 

This is pretty disturbing

During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331'

A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.

The article
http://www.dailymail.co.uk/sciencete...ords-hour.html

350 billion guesses per second... :helpme

I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

example: take-fish-dirt-reed
example: sdfk-fjsd-weij-akji

Wow that's a lot of GPU power.

damn they're coming along nicely

most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.

Pass phrases were all the rage for a bit, but I think even those would be crackable, unless they are very long. Pretty soon we'll have to use a USB drive with a megabyte size password or something.

but this will work to unpack and unprotect files, to access your NET accounts, he can't do it via bruteforce, server and program will just take it down...

I doubt that would take much working out.

1. You have x4 dictionary words
2. Just putting 4 dashes in aint gonna fool no-one.

I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.

Actualy it's better to have password like "iliketurtlesandsausegeswithcream12345"which is long enough yet still easy to remember.

Beside as longest you have some sort of bruteforce protection things like this dont mean much.

Include numbers, special characters and uppercase/lowercase. Like this:

71#Testpassword

surrentlysober is pretty safe with Icunta4rdapassw0rd

great server if it allows you 3.5 billion tries a second.

I could do with it for my sites

:1orglaugh:1orglaugh

md5 hashing... this problem is not new

Likely, the crackers had the hashes available, and were cracking against the hashes, versus against a live server.

I use passwords like this: `#LG\`yf8tyLkx5([Rd9RA ....the only issue is some sites won't allow special characters...

I don't use a password, just leave it blank they can guess all they want they'll never solve it!!

Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.

Because only retards use md5. If it was SHA512 we'd never see this article ;)

:1orglaugh

if your system is open to brute force then you pretty much deserve what happens...

That is awesome :thumbsup

Please read carefully. Whey did that on password hashes.

Against a hash .. which is an unlikely scenario in most cases. Against a weak remote web service, at 1,000/hr, I'm comfortable with 550 years of security versus 3 days.

I've started using password as my password, I figure it's so common nobody would code a cracker to waste testing it.

ok thanx 4 the stress :)

I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong

You should change it to incorrect, I hear it's the new thing :pimp

:1orglaugh:1orglaugh:1orglaugh:1orglaugh

You did not really say this...

Anyway, md5 is so 1990, not even sure who hashes with md5 anymore.

Just buy a cheap server. A billion request will crash the motherfucker.

:1orglaugh