
How safe is your password?

Discussion in 'Lethal Chat' started by Zano0, May 22, 2015.

  1. Zano0

    Zano0 Registered

    My new password is quite secure but I wonder if websites (for example LZ) allow passwords that long.
    An average computer does about 15 billion calculations per second.
    You don't need to tell anything about your password if you don't want to but I'd recommend you do a password strength test here:


    - http://www.passwordmeter.com/
    or
    - https://howsecureismypassword.net/


    My old Master Password: 10 characters = 7 years to crack.
    My Email Password: 64 characters = 293 duovigintillion years to crack
    My new Master Password: 74 characters = 808 quadrillion quadragintillion years to crack.

    Yes, I remember my new Master Password completely.
    The best part is that your computer would have to do:

    150,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 calculations per second, in order to hack my password, in 80 years.


    But keep in mind that hackers can use up to 10,000 computers to hack a password, thanks to the internet.
    I think I'm pretty secured :confused:
     
  2. Yolbe

    Yolbe Registered

    I am pretty paranoid and I change my Steam password like every week or when I think I clicked on a "bad" website.

    "It would take a desktop PC about 2 septillion years to crack your password" = 1000000000000000000000000 years
     
  3. NuMetaller

    NuMetaller Registered

    The hacker still has to type everything in the login fields and solve the captchas at some point.
    Sure he can use bots and stuff but it's almost impossible to hack that way - at least Steam accounts.

    Here are my results from the website:
    Just 3000000000000000000000000 years for my password and 0.015116544 seconds for the steam guard code which is just 5 chars. If you take this time.. have fun with my unusuals. :D
     
  4. NuMetaller

    NuMetaller Registered

    Not if you typed your real password and somebody used a sniffing tool because http://www.passwordmeter.com isn't https actually. ;)
     
  5. Zano0

    Zano0 Registered

    What's the difference between http and https?
    Besides, I didn't type my password, I only typed 74 random letters.
     
  6. Yolbe

    Yolbe Registered

    The "S" in HTTPS stands for Secure
     
  7. DataStorm

    DataStorm Registered

    The length of the password is only as secure as the depth of the encryption. What do I mean with that?

    For that, you have to dive into how encryption of the password works that is sent to the other side. For example, if the site uses MD5 to hash your password before sending it from your browser to the site, the hash is only a 16 byte string ( 3,4028236692093846346337460743177e+38 ), no matter the length of your password. The hacker only needs to use a password that results in that specific hash. And there are lists about with hashes and their passwords.

    There are a lot of ways to hash passwords. MD5 is just one of them.

    The only way to ensure that the EXACT password is used to login to a site, is by the site using 2 significantly DIFFERENT hashed high bitcount hashes, that BOTH have to be correct. It's near impossible to have 2 different passwords lead to 2 exactly the same hashes in 2 different hash algorithms. The number of passwords that that would work with is probably less than 10, and probably means using passwords longer than what is considered within the algorithm.

    That's another point: Beyond a certain length, a hash algorithm doesn't use the rest of the password string. If I remember correctly, Windows for example doesn't use more than 64 characters. Your password can be longer, but the 65th and later characters in the password are simply not used to generate the hash used by Windows. (can be changed now, this was regarding Windows 2003 Server I think).

    It's then also up to the site to "salt" the stored hashes in their database(s). Salting is using an additional key PER stored hash to "encrypt" the hash. This is to slow hackers down. Salting is NOT a full deterrent to prevent hackers from hacking through passwords. Salting gives you time to send emails to the users telling them they need to change their passwords, make it a requirement to change password, send out emails with new passwords, etc. The different hashes should be in separate databases, only once the first hash is correct, the second checked etc.
    But this is beside the point.

    So, now you are informed on how passwords are working, there is another issue. The characters used:
    - numbers (0-9)
    - upper and lower case letters (a-z / A-Z)
    - special characters: ~`!@#$%^&*()-_=+[{]}\|;:'",<.> /?€ƒ etc etc

    The larger the set of characters used per position, the stronger the password.
    A tip is then to use alt-code, like: press alt, and type 159 in the keypad of your keyboard. "ƒ" is the old Dutch "florin" sign. There are many available there. Each character is a 2 byte code, by the spacing with this, 9 bits of these 2 bytes are near always the same, by using alt-codes you can access such characters that are outside the possible typed characters on your keyboard in a password.

    The last point, on length of password, is closely related with the above point: the less random the password is, the easier it is to "guess" the long password. Passwords with only letters, but as long as 64 characters are way easier to guess. For the sake of argument:
    - Password is 10 characters long, just upper and lower case
    - 10 characters of 52 possibilities means therefore 20 bytes with each 2nd byte a variation of only 52 characters used of the 256.

    But that's 52 possibilities out of 256 per character and I can assure you 520! is a lot LESS than 2^80.

    Remembering the password... that is a point of using software to handle that for you. So you only need to have a main password.

    And then is the last point: site security.
    I'll leave a video the word
    stupidity still reigns. Even among makers of sites/apps.
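
Added example, not part of the original thread: a Python sketch of the salting discussed in the post above, contrasting a bare 16-byte MD5 digest with a random per-account salt fed into PBKDF2-HMAC-SHA256. The account names, passwords, helper names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts: two users who picked the same password.
USERS = {"alice": "hunter2-hunter2", "bob": "hunter2-hunter2", "carol": "Tr0ub4dor&3"}
ITERATIONS = 200_000  # illustrative work factor (assumption, tune per hardware)


def md5_unsalted(password):
    """Bare MD5: always 16 bytes, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).digest()


def hash_password(password, salt=None):
    """Random per-account salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def accounts_sharing_a_hash(stored):
    """Count accounts whose stored hash also appears on another account."""
    counts = Counter(stored.values())
    return sum(1 for value in stored.values() if counts[value] > 1)


def build_tables(users):
    """Return (unsalted MD5 table, salted table of (salt, digest) pairs)."""
    unsalted = {name: md5_unsalted(pw) for name, pw in users.items()}
    salted = {name: hash_password(pw) for name, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables(USERS)
    digests = {name: digest for name, (_, digest) in salted.items()}
    print("accounts sharing an unsalted hash:", accounts_sharing_a_hash(unsalted))
    print("accounts sharing a salted hash:  ", accounts_sharing_a_hash(digests))
    salt, digest = salted["alice"]
    print("alice verifies:", verify_password(USERS["alice"], salt, digest))
```

With unsalted hashes, one precomputed lookup hit exposes every account that shares the password; with per-account salts each stored value has to be attacked separately.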
     
  8. Snelvuur

    Snelvuur King of Sand

    I actually just have a random password for every new site.. pretty long and can't remember it (1password for the win) on that one has a long password and I actually use 2 factor authentication which I need to use my phone to get the random digits and type them in. (Google, 1Password, Apple etc)
     
  9. DataStorm

    DataStorm Registered

    I generated long ago on a bunch of different sites long password lists. Every time I need a new one, I take from each of those 6 lists a piece of a password, and mix that together, every time in a different way, and I remove the parts I used from these lists so I won't re-use them.

    Even if those sites were corrupt, they can't guess my password, for they don't know what part I used and where, and what the other parts were.
     
  10. Panromir

    Panromir "10/10 amazing guy"

    2-Phase-Authentication ftw.
     
  11. DataStorm

    DataStorm Registered

    Good, you get a message on your PC to log into your phone? :cool: