#214663 - 01/10/11 11:39 AM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
It can be done much more quickly, though, through the use of rainbow tables, so it doesn't require those thousands of guesses per second to crack.
#214669 - 01/10/11 12:51 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Old Hand
Registered: 03/03/09
Posts: 745
Loc: NC
Being an IT type in a past life, and having had several classes on security and hacking --
I've found that in most cases, I can either find or guess a password in under 2 minutes, if I know the person. One friend was flabbergasted when I guessed his password, then totally freaked when I guessed his second one on the first try (hint: his son was in Cub Scouts - the passwords were webelos and tuocs, not really toughies, as he had some scout stuff in his office).
I can't stress enough having characters in your password. Even just two numbers in there will take the probability of guessing from maybe to no way José.
#214670 - 01/10/11 01:43 PM
Re: Things you need to know about passwords.
[Re: speedemon]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
While I don't really use it at the moment, my degree was in CompSci, and I still stay up to date with things. Even with the advance in computers, you can't check that many passwords a second, and almost all systems have limits. There are at least 96 different characters you can type (lowercase, caps, numbers, symbols, and punctuation). So at 6 characters long, you're at 782,757,789,696 combinations. Even trying to brute-force at 1,000,000 passwords a second (completely infeasible on pretty much every system out there), you're looking at days of time to crack it. Government agencies might be able to, depending on the system. If you're talking about data encryption, with reasonable key-length this is more than enough for a password (the math involved to check keys, or even to compute a key from a given password, takes time). If you're really paranoid, bump it up to 8 characters long (you're up to hundreds of years at 1,000,000 a second). Just make sure it's random. I know it's hard to memorize, but just take some extra time. (I would also tend to disagree with his conclusion to use combinations of words). I am a network security consultant. I don't crack passwords except in the course of a security assessment, which always includes written authorization from the customer. My desktop PC has a quad-core 2.8 GHz processor. I can typically crack 95% or more of a 500-user Active Directory domain's passwords in one day or less. Frequently the first 80% or more are cracked in the first few minutes. Password complexity has a significant impact on the time it takes and the success rate.
#214671 - 01/10/11 01:48 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Journeyman
Registered: 04/13/10
Posts: 98
Rainbow tables are only useful in certain circumstances, namely when the password to something is hashed and stored somewhere that is accessible to the person wishing to find your password. Proper security measures prevent anyone from gaining access to the hashed password. If they have the access needed to gain the hash of the password, why would they really need to crack it? They already have access to the data.
For encrypted data, they would be useless, as proper encryption software wouldn't need to store a password. For web passwords, if they don't have access to the server where the passwords are stored, rainbow tables would again be useless.
Just to add something: nearly all real-life methods of gaining a person's password revolve around some workaround, mainly because trying every single password is so time consuming. IMO, bringing things up like that in a discussion of password complexity tends to be counter-productive because it makes people think there is no point in a complex password if it can still be cracked so quickly.
Edited by speedemon (01/10/11 02:50 PM)
#214682 - 01/10/11 05:15 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
I should have said, for example, rainbow tables; that's just one method. My point is that it doesn't take forever to crack passwords now. Yes, a longer or more complex password will make it take longer to some extent, but don't rely on it to make that much of a difference.
Interesting to add that there is now 4-factor authentication: 1. Something you know - password, PIN; 2. Something you have - smartcard, token; 3. Something you are - biometrics; 4. Somewhere you are - location based.
#214685 - 01/10/11 05:44 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Crazy Canuck
Carpal Tunnel
Registered: 02/03/07
Posts: 3240
Loc: Alberta, Canada
Interesting thread! A somewhat related article that may be of interest: "Amazon servers can help hack WiFi networks: expert A security researcher says he has figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com Inc." http://www.theglobeandmail.com/news/tech...article1861706/
#214686 - 01/10/11 05:57 PM
Re: Things you need to know about passwords.
[Re: Am_Fear_Liath_Mor]
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
The easiest way to get a password is just to ask for it. A lot of data breaches are related to "social engineering" like just asking for passwords, as AFLM points out. It's a point Kevin Mitnick often made about how he penetrated so many networks. Or how many times do you walk down the hall of some office and see an unattended PC that hasn't been logged off or locked in some way? The human element will likely always be the weakest link in computer security. Are cracking passwords even that necessary anymore? How many secret, zero-day (i.e. not yet publicly known) vulnerabilities are out there in actual software right now, like in the operating system or applications? You don't even need to log in to burrow into a network. You have a lot of highly educated computer science folks from Russia, Ukraine, China, Brazil, etc. who are hired to work on penetrating just about anything on behalf of governments and criminals alike. The trend for computer services, even for corporations, out into "the cloud" is worrying to me from a security/privacy standpoint. I've personally learned to assume that computer networks will be hacked and have tried to adjust my expectations accordingly for my personal online activities. Like storing important computer files in external hard drives or thumb drives, unconnected to the Internet, when they aren't needed. Not keeping highly sensitive information in my webmail account for long. I try to use those one-time disposable credit card numbers for online purchases so that when--not if--someone steals a million credit cards from an online merchant or credit card processor, it won't do anyone else any good. I'm not paranoid. It's not like I put tinfoil on my windows and sweep for listening devices every morning. I'm just accepting the situation and reducing my exposure to risk. I have no pretense that I'm somehow invulnerable to having my webmail or credit card account hacked or that my PC might become part of some spam network someday. 
It happens. As far as picking passwords goes, I have been a longtime fan of Diceware--using dice plus a word or symbol list to create random, secure passwords that aren't just gobbledygook, like Rx5KL+q. I think most IT folks are realizing that from a real world perspective, those kind of gobbledygook passwords just aren't practical because they are difficult to remember, especially when our lives often have so many different resources that require a password. And the use of dice avoids the second most common method of getting your password--guessing based on knowing something about you.
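An added example, not written by any poster in this thread, that puts numbers on two of the claims above: it reproduces the 96-symbol keyspace and the 1,000,000-guesses-per-second timings from the earlier CompSci reply, and compares that with the entropy of a Diceware passphrase. The word list is a constructed stand-in for illustration; a real Diceware list has 7776 entries.

```python
import math
import secrets

# Figures quoted in the thread: 96 typeable symbols, 1,000,000 guesses per second.
SYMBOLS = 96
GUESS_RATE = 1_000_000
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per roll of five dice


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy when every symbol (or word) is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(alphabet_size: int, length: int, rate: float = GUESS_RATE) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def dice_to_index(rolls) -> int:
    """Diceware lookup: five rolls of 1..6 read as a base-6 number give 0..7775."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"bad die value {r}")
        idx = idx * 6 + (r - 1)
    return idx


def diceware_passphrase(wordlist, words: int = 6) -> str:
    """Pick `words` uniformly using the OS CSPRNG (secrets, never random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Constructed stand-in word list; a real Diceware list has 7776 words.
SAMPLE_WORDS = ["anvil", "cobalt", "dune", "ember", "fjord", "glyph", "hinge", "ivory"]

if __name__ == "__main__":
    print(f"96^6 = {keyspace(SYMBOLS, 6):,} combinations")
    print(f"6 chars at 1M/s: {exhaust_seconds(SYMBOLS, 6) / 86400:.1f} days")
    print(f"8 chars at 1M/s: {exhaust_seconds(SYMBOLS, 8) / (365.25 * 86400):.0f} years")
    print(f"8 random chars: {entropy_bits(SYMBOLS, 8):.1f} bits")
    print(f"6 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS))
```

Six Diceware words carry more entropy than eight random characters from the 96-symbol set, which is the memorability trade-off the post is describing.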
#214687 - 01/10/11 06:02 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Old Hand
Registered: 09/12/01
Posts: 960
Loc: Saskatchewan, Canada
Our IT guys have written a script that checks for password security and awards points based on the complexity. My passwords are usually based on the quantity of characters, gibberish, upper/lower case, numbers and symbols and get high marks on this "system". The downside - I need to write down the passwords so I can refer to them the first half dozen times. After that it becomes more and more automatic to enter. Then the *^$D@%!s at IT force me to change the password every 60 days and it can't be the same as my previous 6 passwords. The computers time out after 15 minutes of non-usage. Not only that but all the data on the machine is encrypted! All this makes for a royal pain in the touché considering that there is no data stored locally (except in the memory cache) and everything is on the network! Compare this to an online site like Amazon and they will allow passwords that are simple, easy and short. They do billions of dollars of business a day and yet private/public firms which are much less likely to be attacked have the most wicked security! This all makes as much sense as parking on a driveway and driving on a parkway!
#214702 - 01/10/11 08:06 PM
Re: Things you need to know about passwords.
[Re: Eugene]
Journeyman
Registered: 04/13/10
Posts: 98
I should have said, for example, rainbow tables; that's just one method. My point is that it doesn't take forever to crack passwords now. Yes, a longer or more complex password will make it take longer to some extent, but don't rely on it to make that much of a difference.
Interesting to add that there is now 4-factor authentication: 1. Something you know - password, PIN; 2. Something you have - smartcard, token; 3. Something you are - biometrics; 4. Somewhere you are - location based. I guess I could have clarified myself better. Assuming we are talking only about strength of password (as the OP was) and ignoring the specific system, then my examples are sound. You aren't going to brute force a random 6 character password; there are simply too many combinations. Depending on the system that is using this password, there is quite possibly some way to recover that password. We could go on all day talking about different techniques for cracking different systems, and most of them will be successful regardless of strength of password. Unless you are encrypting your data, it isn't truly secure. Physical access to the machine renders pretty much all authentication pointless. For those systems you don't control, there isn't much point worrying about all the what-ifs of how it could be compromised. The only thing you can do is use a secure password, which goes back to the original topic.
#214717 - 01/10/11 09:59 PM
Re: Things you need to know about passwords.
[Re: speedemon]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
You aren't going to brute force a random 6 character password, there are simply too many combinations. I have myself successfully brute-forced thousands of six character and longer passwords, using John the Ripper on a multicore PC. One 6 character password typically takes under a minute. I'd be surprised if a completely random 6 character password with all four character types would take an hour. Feel free to post the Unix or Windows hash of a 6 character random password, and I'll be glad to take a (forgive me) crack at it. Six character passwords are too short. It's worth stating again that I only crack passwords with written authorization from my customers.