• This topic has 24 replies, 15 voices, and was last updated 10 years ago by poly.
  • Twitter account hacked. How?!
  • user-removed
    Free Member

    Account hacked and various dodgy emails, PMs and images sent out to loads of people.

    How on earth do they do this? My password was pretty bombproof and I hadn’t logged in / out for over a year (never use it). It is linked to my Facebook business page, so there are tweets from my posts on FB – could it have been compromised this way?

    Password now changed to something even more bombproof so I’ll forget it in a week…

    poly
    Free Member

    Do you use the same password for any other accounts?
    How sure are you it is bombproof: https://howsecureismypassword.net

    dannybgoode
    Full Member

    I use Oplop to generate passwords – https://oplop.appspot.com/

    Basically you put in a keyword in the top field – say singletrackworld, amazon, facebook – whatever you want to call the site you want to generate a password for. In the second box you use a master key.

    Then click create password and it generates a string based on an MD5 Hash of 8 characters (as most websites will be happy with that).

    Whilst the password is reasonably secure, because the password is pretty random, you can easily get a reminder by filling in the details again.

    The idea being that you use a unique website name and the same master key to generate each password and only have to remember one long, difficult to guess password.

    A tip in this respect – use symbols in place of some letters, e.g.:

    th1$ismyp@ssword4S1ngletr@ckworld (it’s not, of course, but you get the idea).

    You can also use something like keepass to store all your passwords. Again – this is locked using a single but very secure password like the one above.
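
    Added example, not dannybgoode’s code and not Oplop’s own implementation: an Oplop-style generator that derives one 8-character password per site from a master secret, as the post describes (MD5 of nickname + master, base64, cut to 8). The digit rule is an assumption based on how I recall Oplop’s published algorithm; the master secret and site names are constructed.

```python
import base64
import hashlib
import re


# Oplop-style derivation: one master secret plus a per-site nickname,
# MD5-hashed, base64-encoded and cut to 8 characters.
# Assumption: the digit rule below is Oplop's published behaviour as I
# recall it; this is illustrative code, not Oplop's own implementation.
def oplop_style_password(nickname: str, master: str) -> str:
    digest = hashlib.md5((nickname + master).encode("utf-8")).digest()
    encoded = base64.urlsafe_b64encode(digest).decode("ascii")
    # Many sites demand at least one digit: if the first 8 characters have
    # none, prepend the first run of digits found anywhere, or "1" if none.
    if not re.search(r"\d", encoded[:8]):
        run = re.search(r"\d+", encoded)
        encoded = (run.group(0) if run else "1") + encoded
    return encoded[:8]


def site_passwords(master: str, nicknames) -> dict:
    """Derive one password per site from a single master secret."""
    return {name: oplop_style_password(name, master) for name in nicknames}


def all_unique(passwords: dict) -> bool:
    """Per-site uniqueness is the whole point: a leak at one site must not
    hand an attacker the password used at another."""
    return len(set(passwords.values())) == len(passwords)


if __name__ == "__main__":
    # Constructed master secret and site nicknames, for demonstration only.
    pws = site_passwords("th1$ismyp@ssword", ["singletrackworld", "amazon", "facebook"])
    for site, pw in pws.items():
        print(f"{site:18} {pw}")
    print("all unique:", all_unique(pws))
```

The whole scheme rests on the master secret: the per-site passwords are only 8 characters of a fast MD5, so the master is the thing that has to be long and never reused.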

    euain
    Full Member

    I liked xkcd’s take on it: linky

    user-removed
    Free Member

    poly – I stuck in a similar password to my own on that site and it reckoned 15 hours to crack 😮

    danny – cheers for the link – off for a look.

    PrinceJohn
    Full Member

    Not sure how accurate the how secure my password site is – apparently if my password was ‘popularpassword’ it’d take 13,000 years to crack. I’ve always tried to use symbols & numbers to make them more secure.

    poly
    Free Member

    PrinceJohn – the howsecureismypassword site uses a brute force attack calculation. If you look at the details it does warn that dictionary attacks may be quicker for real words. e.g. it suggests singletrackworld would take 345 thousand years – but clearly that would be worth a guess on this site early on!
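
    Added example, not poly’s code: a small estimator that puts poly’s point into numbers, comparing the pure brute-force keyspace a checker like howsecureismypassword counts against what a dictionary attack with letter-for-symbol rules actually needs. The guess rates and the four-word wordlist are constructed assumptions.

```python
# Constructed guess rates (assumptions): a rate-limited online login form
# versus an offline attack on a leaked fast hash using GPU hardware.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10_000_000_000

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "popularpassword", "singletrackworld", "letmein"}

# Letter-for-symbol swaps that cracking rules undo for free.
LEET = str.maketrans("@$013", "asoie")


def charset_size(pw: str) -> int:
    """Alphabet a pure brute-force attacker must assume for this password."""
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),
    ]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def brute_force_guesses(pw: str) -> int:
    """Worst-case keyspace: what a brute-force-only checker counts."""
    return charset_size(pw) ** len(pw)


def realistic_guesses(pw: str, wordlist=WORDLIST) -> int:
    """Dictionary attacks try the wordlist (with leet/case rules) first, so a
    word is found in about len(wordlist) tries whatever its keyspace says."""
    if pw.lower().translate(LEET) in wordlist:
        return len(wordlist)
    return brute_force_guesses(pw)


def years_to_crack(guesses: int, rate: int) -> float:
    return guesses / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["singletrackworld", "p@$$w0rd", "Zq7!x"]:
        bf, real = brute_force_guesses(pw), realistic_guesses(pw)
        print(f"{pw:18} brute-force {years_to_crack(bf, OFFLINE_GUESSES_PER_SEC):.3g} y"
              f"  realistic {years_to_crack(real, OFFLINE_GUESSES_PER_SEC):.3g} y")
```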

    aracer
    Free Member

    I liked xkcd’s take on it: linky

    I worked somewhere which required you to use computer generated passwords which got changed every month. They had a format which meant they were only semi-gibberish, but everybody I knew wrote the password down somewhere. As somebody with better than average memory for these sorts of things, I found that a good way to predict when it was about to require a new password was when I’d finally managed to memorize the current one. Complete failure to understand the weak points in computer security – the irony being that I was working on computer security systems at a far higher level than our corporate systems (I wasn’t even cleared to a high enough level to know who our customers were), yet corporate wouldn’t take the advice of those people who knew better in our department.

    I’ve always tried to use symbols & numbers to make them more secure..

    See above.

    pocketrocket
    Free Member

    It would seem the most secure password I have is my computer login, which would take 9 million years to crack; tbh it’s the easiest one I have to remember, nothing complicated about it at all.

    user-removed
    Free Member

    My computer login for the ‘Big Machine’ upstairs is one keystroke

    😳

    hazza123
    Free Member

    My password on here would take 63 million years to crack apparently. 😛

    aracer
    Free Member

    You folks revealing how long it would take to crack your password – you do realise that by doing so you’re making it easier to crack?

    user-removed
    Free Member

    Which is why I put in a similar password, rather than the real deal. We (the Human Race) are not as stupid as you like to think we are.

    You twit.

    aracer
    Free Member

    We (the Human Race) are not as stupid as you like to think we are.

    Most of you are more stupid – though I’ll allow that you’re the exception.

    samuri
    Free Member

    length, length, length.

    By making passwords incredibly complex but restricting the length, we merely make them difficult for humans to remember and easier for computers to guess.

    But as above, it’s actually unlikely that anyone has brute forced it, what a waste of time that would be. They’ll have taken some alternative route as the hacker highlighted appears to have done.

    chvck
    Free Member

    I use lastpass for my password needs and it’s pretty good – so long as you trust a third party with all of your passwords. It generates unique passwords for each site for you (complexity as you define) and stores them, does auto-login etc… Them being stored in this way does also mean that you can get at all of your passwords from any device with a browser. Granted, if anyone gets your master password you’re pretty screwed.

    fourbanger
    Free Member

    poly – Member
    Do you use the same password for any other accounts?
    How sure are you it is bombproof: https://howsecureismypassword.net

    This site appears to be based on how many letters you type in. If you keep typing “b”, it goes from cracked instantly to 19 years. I think it’s just stealing passwords.

    samuri
    Free Member

    This site appears to be based on how many letters you type in. If you keep typing “b”, it goes from cracked instantly to 19 years.

    yup, that’s what I said.

    br
    Free Member

    I select a password’s strength based on how important the data stored within the system/site is to me. Therefore for STW it’s ‘unimportant’ and therefore the password is easily remembered for me.

    For the bank I use 2FA, while Paypal and the like is strong, but rememberable (sic).

    purpleyeti
    Free Member

    But as above, it’s actually unlikely that anyone has brute forced it, what a waste of time that would be. They’ll have taken some alternative route as the hacker highlighted appears to have done.

    So not true, but hey, it’s nice to think that. I compromised an entire network the other day with a very simple password brute force.

    Although in this instance I would say the chances are either password reuse, with the Twitter email/password being used on another site that got compromised, or a password reset being forced through a compromised email account. AFAIK there haven’t been any XSS issues in Twitter recently.

    gofasterstripes
    Free Member

    There is also the issue of Rainbow Tables – lookups of encrypted passwords. It may take 1,000 hours [on what system I wonder] to crack a password, but that don’t mean nuffink if someone’s already saved the answer in a rainbow table – it’s just a lookup.

    And there’s the issue of GPUs turning a 1,000 password into a 10 minute one 🙁

    purpleyeti
    Free Member

    Rainbow tables are only any use once you have the hash though. The time to crack a password hash isn’t just dependent on the password strength; it’s also highly dependent on the hashing algorithm used too. Things like unixcrypt(des) and lanman are case insensitive, so cracking them is much quicker than, say, a linux sha512. Also most rainbow tables can be defeated by salting password hashes.
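
    Added example, not purpleyeti’s code: a four-entry precomputed lookup table (the idea behind a rainbow table, minus the chain compression) recovering an unsalted MD5 instantly, next to a per-user salted and stretched hash that the same table cannot touch. The candidate list is constructed; the iteration count is an assumption chosen to keep the demo quick.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracking wordlist.
CANDIDATES = ["password", "singletrackworld", "letmein", "qwerty123"]
ITERATIONS = 100_000  # assumption: kept low so the demo runs quickly


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: the kind a precomputed table defeats outright."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext once and reuse it against every stolen
    hash. This is the essence of a rainbow/lookup table."""
    return {unsalted_md5(p): p for p in candidates}


def salted_hash(password: str, salt=None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA512). The salt
    makes any precomputed table useless; the iteration count makes each
    guess cost real work. Stored as 'salthex$dkhex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_hit(table: dict, stored: str):
    """What the table recovers from a stolen hash value, or None."""
    return table.get(stored.split("$")[-1])


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted md5 of 'letmein' ->", table_hit(table, unsalted_md5("letmein")))
    stored = salted_hash("letmein")
    print("salted+stretched 'letmein' ->", table_hit(table, stored))
    # Two users with the same password get different stored values.
    print("same password, same stored value?", stored == salted_hash("letmein"))
    print("verify:", verify_salted("letmein", stored), verify_salted("wrong", stored))
```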

    samuri
    Free Member

    And it gets even more complicated when you’re trying to crack something which uses a unique identifier to formulate the hash, for example wireless encryption. Then you can only build the rainbow tables (which takes a long time), once you have the access point SSID.

    For the bank I use 2FA, while Paypal and the like is strong, but rememberable (sic).

    You can use 2FA with Paypal now as well.

    poly
    Free Member

    I think what you’ve all missed – is yes howsecureismypassword takes a very simplistic view of how secure a password is or isn’t – but the OP’s “bombproof” password could be hacked by bruteforce in 15 hrs.


The topic ‘Twitter account hacked. How?!’ is closed to new replies.