We should all know the requirements for security password setup: Use a complex long password; use a mix of numbers, uppercase and lowercase letters, and special characters as much as possible; the same password should not be reused; different websites use different passwords. But is short passwords really dangerous?
Let's take a look at a user's question about the password: Should I receive a warning about the password being too short?
- When I use TrueCrypt, a warning window is often displayed when I define a new password: "The password is too short and vulnerable to brute force cracking ".
- I have been using an 8-character password, usually a combination of uppercase and lowercase letters and numbers. Such a password is not based on a dictionary.
- For example, the password sDvE98f1
- How easy is it to crack such a password? How long does it take?
- I know that the cracking speed depends largely on the hardware. You can give an answer based on the hardware configuration.
- Brute-force password cracking not only loops through all combinations, but also attempts to decrypt each guess combination. This takes time.
- In addition, is there any brute-force cracking tool for TrueCrypt software? I want to use brute-force cracking to find out how long it takes and whether it is really "easy "!
- Is it dangerous to use a short password with random characters?
Let's take a look at what brute-force cracking requires?
- If attackers can access hash files with passwords, brute-force cracking is very easy, because it takes only a certain amount of time for the attacker to perform hash matching.
- The hash "strength" depends on the password storage method. The generation time of MD5 hash is obviously shorter than that of SHA-512 hash.
- In Windows, passwords are stored in LM hash format. The passwords are converted to uppercase characters, divided into two groups of 7 characters, and then hashed. If your password is 15 characters long, it does not matter because it only stores the first 14 characters. This type of password can be easily cracked, because the brute-force cracking is not a 14-character password, but a two-group 7-character password.
- If you think it is necessary, you can download The program for testing. The testing software can use John The Ripper or Cain & Abel.
- I remember that LM hashes can generate 0.2 million hashes per second. Brute-force cracking on TrueCrypt software passwords. If you can roll back the hash from the lock, the cracking time depends on the storage mode of the hash.
- Brute-force cracking attacks are generally suitable for attackers who have a large number of hashes to perform checks. If a common dictionary attack cannot be cracked, the attack is cracked by a combination of characters. For example, a password of less than 10 digits, letters and numbers, letters and symbols, letters and numbers, and special characters. The attack success rate depends on the target. Generally, a specific account is not the target of an attack.
Further explanation
- The effects of brute-force attacks are not very good. If an attacker knows nothing about the user's password, he may not be able to crack the password by 2020. Of course, as hardware advances, the future success rate may increase.
- If you want your account to be super secure, you can insert an extended ASCII character in your password (Press and hold the Alt key and enter a number greater than 255 on the keyboard ). This approach ensures that violent attacks are ineffective.
- TrueCrypt users should consider the potential defects of Software encryption algorithms. Through the defects of encryption algorithms, attackers can easily obtain users' passwords. Of course, if your machine has been attacked, it is useless even if you use the world's most complex password.
Original article: www.howtogeek.com/165#/are-short-passwords-really-that-insecure/
