Only if an attacker is dumb enough to attempt to brute force a password.

Any decent cracking tool appends/prepends common words, like Password (and 
combinations thereof), numbers, usernames etc.
https://www.schneier.com/blog/archives/2007/01/choosing_secure.html
http://arstechnica.com/security/2012/08/passwords-under-assault/
http://blog.erratasec.com/2012/06/linkedin-vs-password-cracking.html#.U-lV502KCUk
etc.

I'm sure there's been a few articles posted to this list that have shown how 
some hackers attack an offline db. Pass phrases, by themselves, wouldn't be 
much more secure than randomly generated passwords (characters vs. words), and 
by examining things like the RockWiz dump, and all subsequently cracked DBs (PS 
network etc.), attackers don't need to try and guess what dictionary words to 
use.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On 
Behalf Of James Button
Sent: Tuesday, 12 August 2014 12:34 AM
To: [email protected]
Subject: RE: [NTSysADM] Re: Something to share with your users, so they can see 
how passwords matter

Agreed, it adds massively to the decoding workload just to add your name 
before, or after, what you consider the actual password.
Or even just add the text prefix "Password", which takes a 4-digit PIN to a 12-
character entry with caps, lowercase, and numerics.

JimB

From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus
Sent: Monday, August 11, 2014 1:56 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Re: Something to share with your users, so they can see 
how passwords matter

And in any password strength calculator I've ever used, that would be a good 
password.  I just don't understand why people are so resistant to longer 
passwords.  If you can type more than 30 wpm it really doesn't make any 
appreciable difference in the time it takes you to do anything.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Friday, August 08, 2014 11:10 PM
To: ntsysadm
Subject: Re: [NTSysADM] Re: Something to share with your users, so they can see 
how passwords matter

Hmm.  Not bad...

Brute Force Search Space Analysis:
Search Space Depth (Alphabet):

26+26+33 = 85

Search Space Length (Characters):

31 characters

Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)

656,336,167,528,024,399,498,994,877,218,488,129,122,193,814,033,553,713,843,935

Search Space Size (as a power of 10):

6.56 x 10^59

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)

2.09 hundred billion trillion trillion trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)

2.09 thousand trillion trillion trillion centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)

2.09 trillion trillion trillion centuries

Note that typical attacks will be online password guessing
limited to, at most, a few hundred guesses per second.


... the password was "Steve Gibson can suck mah balls".

--
Espi
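
Added example (my own code, not from this thread, GRC or any tool the thread links): it reproduces the "haystack" arithmetic quoted above (85-symbol alphabet, 31 characters, the three guess rates) and sets it beside the far smaller space a cracker searches when, as Ken points out, it guesses a phrase word by word from a list. The dictionary sizes, the two-capitalisation rule and the 365-day year are my assumptions.

```python
# Constructed inputs taken from the quoted haystack output: 26 + 26 + 33 = 85
# symbols, 31 characters; the passphrase is 6 words. Everything else is assumed.
SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60   # assumption: 365-day years


def haystack_count(alphabet: int, length: int) -> int:
    """Count of all strings over `alphabet` symbols of length 1..`length`,
    i.e. "all possible passwords ... up to this password's length"."""
    return sum(alphabet ** i for i in range(1, length + 1))


def centuries_to_exhaust(count: int, guesses_per_second: int) -> float:
    """Wall-clock centuries needed to try every candidate at a fixed rate."""
    return count / guesses_per_second / SECONDS_PER_CENTURY


def wordlist_count(dictionary_size: int, words: int, case_variants: int = 2) -> int:
    """Candidates a word-based cracker must try if the phrase is `words`
    dictionary words, each in one of `case_variants` capitalisations
    (assumed rule: lowercase or Capitalised). This is the space a rule-based
    cracker actually searches, not the character haystack."""
    return (dictionary_size * case_variants) ** words


ALPHABET, LENGTH, WORDS = 85, 31, 6
# Guess rates as labelled in the quoted output.
RATES = {"online": 10**3, "offline fast": 10**11, "massive array": 10**14}

if __name__ == "__main__":
    hay = haystack_count(ALPHABET, LENGTH)
    print(f"haystack count: {hay:,}  (~{hay:.2e})")
    for name, rate in RATES.items():
        print(f"  {name:14s}: {centuries_to_exhaust(hay, rate):.2e} centuries")
    # Constructed dictionary sizes: a short common-word list and a large one.
    for dict_size in (5_000, 100_000):
        wl = wordlist_count(dict_size, WORDS)
        c = centuries_to_exhaust(wl, RATES["massive array"])
        print(f"{dict_size:,}-word list, {WORDS} words: {wl:.2e} candidates, "
              f"massive array: {c:.2e} centuries")
```

The haystack figure comes out at 6.56 x 10^59 as quoted, while six words drawn from a 5,000-word list give only 10^24 candidates, about three centuries for the "massive array" rate rather than trillions of trillions.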


On Fri, Aug 8, 2014 at 5:21 PM, Angus Scott-Fleming 
<[email protected]> wrote:
I know some people here don't like GRC, but:

Password Haystacks: How Well Hidden is Your Needle?
https://www.grc.com/haystack.htm

On 7 Aug 2014 at 14:29, Micheal Espinola Jr wrote:

> http://i.imgur.com/XuMUU0b.gif
>
> I saw it on reddit - I don't have a source for it. Seems to be from Intel, but 
> can't match the image to any websites.
> --
> Espi



