
is a password with only four totally random characters safe?

 
 
Thu 21 Nov, 2013 10:23 am
This is a question related to another question I posted a few hours back.
Now, generally IT folks say a password should be 8, 12 or even more characters. They say a "4 character password" can be hacked easily if a large number of login attempts are made... but I doubt websites like gmail, yahoomail, and other reputed sites will allow that many login attempts within a short span of time (let's say 7 or 10 days). If I choose 4 characters in a totally random way, then each character has 73 possible values in total (26 small alphabets + 26 capital alphabets + 11 special symbols + 10 numerals). So, 73 multiplied by 73 multiplied by 73 multiplied by 73 means 2,83,98,241 combinations in total... that's nearly 30 million combinations. I seriously doubt gmail or yahoomail or facebook are so naive that they are going to allow such kind of login attempts... or do they? I don't know. As far as I am aware, gmail or yahoomail will lock the account after a few failed login attempts; for example, in yahoomail's case the account may get locked after 10 to 14 login attempts. If the user has his cell phone number connected to his account, then they even send an alert of "unusual login activity" so that the user can reset the password. That way, don't 4 characters chosen in a totally random manner (including numerals and alphabets) make it safe enough? Please can any IT Guru enlighten me on this?
 
DrewDad
 
  3  
Thu 21 Nov, 2013 10:28 am
@pgmfordownloads,
Assuming the method used to hash the password is known, then the answer is "no."

There are methods to mitigate brute-force attacks like you're describing, but the reason for strong passwords is to protect against those times when the password file itself has been compromised.

Any admin has full access to the password file/password database. They can dump the file and attempt to crack the passwords against the offline version.
 
BillRM
 
  0  
Thu 21 Nov, 2013 11:00 am
@pgmfordownloads,
You are only looking at one mode of attack, as whole databases of hashed passwords from very major websites have been downloaded for offline attacks by hackers who are able to do many, many billions of guesses a second.

One more thing: just padding any password with simple repeating characters will greatly increase the time from milliseconds to trillions of years.

[four random characters] + @@@@@@@@@@ @ as an example of this.

From milliseconds to the end of the universe time frame.
 
BillRM
 
  1  
Thu 21 Nov, 2013 08:51 pm
You know, the author of this thread and one other thread has posted in both threads promoting very, very, very weak passwords.

Passwords that could not stand up to any brute force attack of any kind for even a millisecond.

Do we have a hacker trying to make his life easier perhaps?


pgmfordownloads
 
  1  
Fri 22 Nov, 2013 03:06 am
@BillRM,
Are gmail, yahoomail, facebook so naive that they are going to allow multiple failed login attempts (with 30 million possible random values) without giving an alert to the account owner and without locking down the account? Please answer this point.
BillRM
 
  1  
Fri 22 Nov, 2013 06:01 am
@pgmfordownloads,
I have no idea offhand how many online guesses against any one account Google or the other services will allow; however, that is hardly the main danger to account security.

Once more, fool or hacker online brute force attacks are not the only or the main danger that strong passwords guard against.

Hackers getting to the hashed password databases and then running offline attacks on the whole database of passwords is the main risk.

Adobe, for example, just (repeat, just) had at least 38 million of its customers' password hashes taken for offline attacks, where many billions of guesses a second brute force attacks can be and are being done to them.

If you had used a four character random number password on the Adobe sites, your password would have been cracked in a millisecond or so at most.

There is no reason to think that Google or Yahoo or any of the others will not have, or even have not had, their password files hacked in the same manner as other major websites have had over the years, and those are only the cases we know about.
pgmfordownloads
 
  1  
Fri 22 Nov, 2013 08:41 am
@BillRM,
Ok, thank you... now I understand much better, now I agree that any type of password with only 4 characters is not safe... it is better to use much longer passwords than that :-)
DrewDad
 
  1  
Fri 22 Nov, 2013 02:19 pm
@pgmfordownloads,
The consensus among the security people I work with is that password length is by far the most important factor in how secure a password is.
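
The online versus offline difference discussed in this thread, worked through in numbers (an added example, not written by any poster). It uses the question's 73-symbol alphabet; the one-hour lockout window, the 1e9 guesses-per-second offline rate and the PBKDF2 settings are assumptions chosen for illustration.

```python
import hashlib
import time

ALPHABET = 73                  # alphabet size used in the question
ONLINE_RATE = 10 / 3600        # assumption: 10 tries, then a one-hour lockout
OFFLINE_RATE = 1e9             # assumption: low end of "billions of guesses a second"
YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of equally likely passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second

def fast_hash(guess):
    """One unsalted SHA-256 pass: cheap for the site, cheap for a cracker."""
    return hashlib.sha256(guess).digest()

def slow_hash(guess, salt=b"constructed-salt", rounds=100_000):
    """Salted PBKDF2: each guess costs `rounds` HMAC-SHA256 iterations."""
    return hashlib.pbkdf2_hmac("sha256", guess, salt, rounds)

def measure_rate(hash_fn, samples):
    """Guesses per second this machine manages with hash_fn on one core."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(b"guess-%d" % i)
    return samples / (time.perf_counter() - start)

def compare(length):
    """Worst-case exhaust time in seconds, online versus offline."""
    n = keyspace(ALPHABET, length)
    return {"online": seconds_to_exhaust(n, ONLINE_RATE),
            "offline": seconds_to_exhaust(n, OFFLINE_RATE)}

if __name__ == "__main__":
    for length in (4, 8, 12):
        t = compare(length)
        print(f"{length:2d} chars: online {t['online'] / YEAR:.3g} years, "
              f"offline {t['offline']:.3g} s ({t['offline'] / YEAR:.3g} years)")
    four = keyspace(ALPHABET, 4)
    for name, fn, samples in (("sha256", fast_hash, 20_000), ("pbkdf2", slow_hash, 5)):
        rate = measure_rate(fn, samples)
        print(f"{name}: {rate:,.0f} guesses/s here, "
              f"4 chars exhausted in {seconds_to_exhaust(four, rate):,.1f} s")
```

The second loop measures this machine's own single-core rate, so the printed figures vary by hardware; the gap between the fast digest and the salted, iterated one is the part that carries over.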