Link to check password strength

Can anyone suggest some links to check password strength?? I've tried a couple & they were fine. But I would like to get some suggestions from some really great security gurus.

Thanks!!
SOLUTION
redseatechnologies
siddhant3s

Try Gmail signup.
If you need an invitation then tell me.

Google's Gmail is safe, secure and perfect.

Siddhant Sanyam
Like your windows login or something like a hotmail/msn login?
Password strength is relative to the hash and security used to secure that password. Windows login passwords are weak for the following reasons:
case insensitivity, passwords cut into two seven-character halves, and the same hash used on each half. The password qwerty12345678 is actually two separate passwords, qwerty1 and 2345678.
There are rainbow tables for the LM hash, basically all possible passwords already written down; all one has to do is search for the password. There are other hashes that can be rainbow-tabled as well.

Passwords should, as indicated above, be as long as possible, and use pass-phrasing, and I recommend misspellings and wrong-context passwords as well, like: "Iamknow1'sfewl" (I am no one's fool)
789tinelevendy (seven eight nine ten elevendy). Things of that nature; cases should be varied. Substitution is good too, 3=E and i=1 or i=!, L=| or L=1, and naturally o=0.

If you want to test the pass against a bruteforcer, give "john the ripper" a try. Here is a good article by the author of jtr http://www.securityfocus.com/columnists/388
These are all good reads too: http://www.google.com/search?sourceid=navclient-ff&ie=UTF-8&rls=GGGL,GGGL:2005-09,GGGL:en&q=site%3Aschneier.com+password+strength
-rich
Good points richrumble,

Windows passwords have a maximum length of 127 characters - and there is a very good reason for that.

The password/passphrase "This is my password, it is long and complicated.  Let's see someone guess this" is good in that it has 3 of 4 complexity requirements (no numbers) but it is still only 68 characters long (I think, I counted quickly).

To REALLY harden that, you could add the key points made by richrumble - typos and substitution - I also like to throw in some German words (because I am learning it at the moment).

The problem then becomes, how are you going to remember all of that?  You probably won't :)

My day to day password is 9 characters long, but fulfills all 4 complexity requirements, is spelt wrong and includes substitution.

But my admin account passwords are 25 digits long (it is an old Windows 95 registration code, which I have memorised for some reason). To make that harder, I hold down shift for every other 3 characters.

So s8d0sdks097j would become s8d)SDks0(&J without making it any harder for me to remember.  The same should be possible for a simple phrase.  "this is a hard password" = "thiS Is a HARd pASSworD"  Throw in some substitution numbers and you are done.

Way back in the old days, I coupled my 25-digit 95 code with another 25-digit 2000 code and a 20-digit F-Secure code. Plus my shift trick, and it was mighty hard, and yet still rememberable (if that is a word!)

-red
LM hashes (the default hash since NT 3.1) and NTLM are what is sent by default when you log in, connect to a Windows share, etc. LM is case insensitive, and NTLM is case sensitive. LM is also the one that uses two seven-character halves with a 14-char limit, and NTLM is all one hash, maximum 127 chars. If you have an LM password over 14 chars, the hash is turned to null, and NTLM is relied upon. 0182BD0BD4444BF8 is a null hash
https://www.experts-exchange.com/questions/21282957/Increasing-Minimum-Password-Length.html

Still, I think we'd need some clarification on what password you're trying to test the strength of... a password of 1234567812345678 is "stronger" when encrypted using AES or MD5 as opposed to NTLM, because it takes longer for MD5 or AES to "crack" than it would for NTLM... That password is really insecure overall, but it is stronger under one hash than another... again, passphrases are likely to be stronger than passwords... although fundamentally they aren't that different from one another.
-rich
ASKER
Gee, you guys are amazing!! This is absolutely the most intense info I've gotten on this site. All of it is great!!

But what I was looking for was some links I could use to test the strength of some of my clients passwords. So I could demonstrate just how weak they are & convince them to crank them up a notch or 2. I've found a couple. One was a MS site, which I don't know if it's any good or not. I've never thought that MS had anyone that could do security.

I DO have to thank you for the above, as it is really useful & appreciated!!
ASKER CERTIFIED SOLUTION
ASKER
Thanks, Rich! You mentioned JtR before & I had downloaded it. The installation instructions don't seem to coincide with what files are included. There are files missing that are mentioned in the installation instructions, so I've been sort of lost on how to install & use it. Is there a "novice" JtR site where I can get a better idea of what is supposed to be done to get JtR up & running??

Thanks again for your help!!
There are guides out there that can help you; basically you dump the passwords, open john from the cmd line and run it against those passwords...
http://xinn.org/john-the-ripper.html
There is no real install per se, merely unzipping and cd'ing to that folder inside john and running the exe. John runs much faster on Linux than Win32, still faster than LC5 nonetheless. Cain & Abel is a good tool to have also.
-rich
If you want simple password cracking, get Cain and Abel from oxid.it...
in my opinion it is much simpler than JtR.
Cain and Abel also has quite a few other fun tools built in...

I love the sniffing feature... just be careful with the ARP poisoning feature... It really hoses my switches.
One of my passwords that I like to use is 17 chars, and if you're talking about a password for online access to something, a lot of sites oddly enough won't let you have that many chars.

One of the things I did (I have a crazy password for admins, online access etc.), but once you get past that, you also need passwords for everything: messenger accounts, email, EE, everything, and a lot won't let you have long passwords, but you still want them to be as secure as possible.

A couple of general recommendations I have: some people, once they come up with a secure password for online things, use it for everything.  You don't want that, especially since online passwords are easier to break.  But some things I would group under the same password (though it depends).

It's very difficult to remember a large number of SECURE passwords.  I have journal accounts that I rarely use, so those all have the same password, but I also set my settings to email me if something changes, including if I change my settings.  I haven't used the accounts in two years, but they're set to active email addresses, and I don't have to worry.

Also, if you're trying to figure out how to remember your password, try to choose something repetitive sounding, not repetitive.  I was once given a temporary password (you know how sites email you temporary passwords to make sure the email is yours) and it was very secure: uppercase and lowercase letters, as many chars as the site let you have, numbers, and ASCII chars as well, some random #* thrown in.  But if you read it out loud, it was repetitive and easy to remember, almost like a nursery rhyme; it followed a sing-songy pattern.  Since then, I've tried to make my passwords do that.  It doesn't make them any less secure (especially if you test them) but it sure makes them easier to remember.
The way I remember my main strong password is that I used it so many times - at one stage I had it written on the wall.

And that is the key right there - write your password down.  There is a far greater chance of your password being cracked than of someone stealing or social engineering it off you - good personal security will protect an otherwise meaningless string of characters.

When I want to remember a new strong password, I write it down and carry it with me.  But, I do not write down the username, or what site/client/whatever it is for - and, I obscure the password a bit by adding 4 random characters to the start and to the end - there is little or no chance of someone a) getting it off me in the first place and b) knowing what to do with it.

After about 10 uses, I know it off by heart and that is it!

-red
There are also password keepers, which are relatively secure.  If you have a REALLY secure password for your computer and your password keeper, that is, and don't keep anything of vital importance like bank records in there.

Of course my dad got this great one, which you got to try for a long time.  I didn't take it from him, because, well, my dad (you'll see why), but my sister did, and then, well, they liked it, and decided to buy it but forgot to, and then one day my sister comes into the living room and says "can we buy that program? all of my passwords are in there and I can't get them out now!"

Yah.  So while there's a fair bit of technology and knowing how passwords work involved in being secure, and having secure passwords, there's a fair amount of just plain old common sense, which shockingly enough, most people need to be taught, so you can buy dozens of books on it.

Once you know the tech stuff though, just keep your head on your shoulders.  Which sounds relatively simple, but you'd be surprised.

As my dad said, "we haven't paid for that?"

Cheers,
lovewithnoface
ASKER

>if you have a REALLY secure password for your computer and your password keeper

I use Roboform to keep passwords for all of my computers. It is really good & supposed to be secure. Here is a link to its features:
http://www.roboform.com/features.html

What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong. I have clients that I would like to go to a link, enter their password & show them how weak it is. If they see this on a site that looks like a professional security site, maybe they will do a better job of choosing passwords. Most don't even know how to create a strong password. They think that if they have one that has at least 4 letters & a number that it is very secure.

Thanks!!
Again, it's all relative... if their password is 14 chars or less, and used for Windows login, consider it weak, due to rainbow table programs like OphCrack and RainbowCrack, let alone the numerous other tools that can use those tables. John the Ripper and LC5, Cain & Abel and hundreds more can brute force passwords in a week or less on modern hardware.  http://www.rainbowcrack.com/ https://www.isc2.org/cgi-bin/content.cgi?page=738
There are rainbow tables for a dozen other hashes now as well... but they take much, much longer to complete. If the password is the password to "open" a document in M$ Office, that is the strongest password in any M$ Office product, but if someone has a dozen computers at their disposal, the password, regardless of length, can be found in a matter of hours, as the work can be distributed via Elcomsoft's program.

You can make a simple script that checks for varied cases, symbols and numbers and factors in how long the password is... again, you could have the most secure password there is, but if it's stored in a weak hash or substitution cipher, the password complexity means nothing.
buyA!!Cc0Un+$TH15passis53cur3 (by all accounts, this pass is secure)
ohlN!!nPp0Ha+$GU15cnffvf53phe3 (rot-13 version of the pass,  A=n B=o C=p) http://www.retards.org/projects/rot13/

-rich
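As an added example (not code from the thread or any tool it names), here is the simple checker Rich describes, extended to show the LM halving he explained earlier: it scores case variety, digits, symbols and length, and reports how much of that search space survives when the same password is stored as an LM hash. The alphabet sizes and the weak/medium/strong thresholds are my own assumptions.

```python
import math

# Constructed example. Alphabet sizes (printable ASCII) and rating thresholds
# are assumptions for illustration, not any standard.
LM_LIMIT = 14  # Windows keeps an LM hash only for passwords of 14 chars or fewer
LM_HALF = 7    # LM uppercases the password and hashes two 7-char halves separately
ALPHABET = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def char_classes(pw):
    """Set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def entropy_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet size).
    Treats every character as random, so dictionary words score too high."""
    if not pw:
        return 0.0
    alphabet = sum(ALPHABET[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)

def lm_effective_bits(pw):
    """Bits left to search when the same password is stored as an LM hash.
    Case is lost and each 7-char half is attacked on its own, so only the
    larger half counts. Returns None above 14 chars, where no LM hash exists."""
    if len(pw) > LM_LIMIT:
        return None
    upper = pw.upper()
    return max(entropy_bits(h) for h in (upper[:LM_HALF], upper[LM_HALF:]))

def rate(pw, windows_login=False):
    """Coarse rating: weak / medium / strong. For a Windows login anything that
    still gets an LM hash (14 chars or fewer) is rated weak, per the post."""
    if windows_login and len(pw) <= LM_LIMIT:
        return "weak"
    n_classes = len(char_classes(pw))
    if len(pw) >= 15 and n_classes >= 3 and entropy_bits(pw) >= 80:
        return "strong"
    if len(pw) >= 10 and n_classes >= 3:
        return "medium"
    return "weak"
```

Running it on the thread's own samples: qwerty12345678 drops from about 72 bits to about 36 under LM (only the QWERTY1 half matters), while s8d)SDks0(&J rates medium in general but weak as a Windows login because it is short enough to get an LM hash.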
>> What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong.

I already posted links on that in my first post, as I am sure others have

-red
ASKER
Thanks for all of the help!! I really learned alot!!

Rich, posted alot of info & good reading for security issues & passwords. Thanks!!

Red, thanks for the links to the online checkers. These will work great for my clients!! With this info, I can now get my clients to create better passwords. Thanks!!

The only way I got my clients to do that was by enforcing it with password policies.

Some people get terribly fond of 3 digit passwords - or worse yet "password"

Good luck!

-red
I had "password" as a password for one stupid site that insisted I sign in, and I couldn't figure out why I needed a username and password to begin with, as I don't even think they made me fill in my email address, or that I did anything on the site (no posting comments). I think it was a power trip, and it annoyed me.

Man, what website was that?

I hope they can spell password properly...
ASKER
There are only a few of my clients that I would like to use these sites for. And they have been very good at following my suggestions. I feel like some others that work with them need me to "prove officially" that their passwords are weak. But thanks for the input!!
That's what an "Audit" is for ;) Having them give you written permission to dump their passwords and see how long it takes to crack, those are the true tests, or at least a better indicator. You can use Cain & Abel's password calculator to output a plain-text password in a variety of hashes and see how long they'd take to crack using brute force, forgetting that you know the value beforehand.
-rich
ASKER
Thanks again, Rich! I downloaded & installed C&A & am trying to figure it out. I am reading through the link you posted for John the Ripper as well.