This is how the LastPass leaked data would be cracked, for example.
Lastpass security breach reddit password#
This is assuming that a hacker has your password hash and understands the hashing algorithm and is (offline) trying to brute force match the hash. For people talking about websites blocking retries: this is not referring to that kind of attack. Most modern sites use AES 256 at a minimum, much slower to crack, sometimes by a lot, depending on how the hash is generated.Ģ. This “study” is based on MD5, a hashing algorithm that is known to be easily compromised with brute forcing. This article is bold clickbait, and totally irresponsible.ġ. all password less than 8 chars and those that do not have mixtures of number, letters and symbols). In short, it is pure bunkum to measure security by password length, a more appropriate way is to disable it after a number of tries, add in incremental delays (such as what Apple and Samsung did by adding time penalty for wrong password), as well as having 2FA.īlindly adopting password length and complexity requirements would make it less secured, and as a hacker, this actually helped me to remove list of passwords that I do not need to try (e.g. The other common 'expert' advice to create long and secure password is to use initial characters of your favourite phase, so Starwars fan's password would all likely be Mt4bwu.
A proper system would NEVER allow consecutive wrong attempts!!!Īnother point to note is that when password is too complex and long, what happened is that people have no choice but to write it down somewhere, or use a password with long length and has a certain pattern. Why? Because if you make 3 wrong attempts, the card is disabled!Īssessing security by the complexity of password is simply too childish. My ATM Pin has only 6 characters and it can only be numbers.
0 kommentar(er)
