
Undecryptable password?


Piu


Well, as you know, most of the sites you see on the internet are vulnerable to all sorts of database breaches. Although they use several encryption systems (most commonly MD5 with two salts; Tip.It uses that), they can be bruteforced with several wordlists, most commonly the rainbow table.

 

I'm just wondering, what sort of passwords would be more difficult to decrypt using said tables? A mix of words like horsecowman? Or mix of random letters and numbers like a3j1mdc?

 

Thanks.


"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

Link to comment
Share on other sites

As far as I'm concerned, a mixture of letters and numbers like 08kjy18piuwtgy6138hiot, as long as you can bear to remember, is the best. Just open Notepad and bang your head on the keyboard. I use that type of password with all my accounts of importance.

Hexiled Razz. Player since March 8th, 2005.

Link to comment
Share on other sites

A mixture of letters, numbers and punctuation (where allowed) is the hardest to crack especially if no "real" words are used. Anything that is a known word, be it from literature or the dictionary or a name, will be on a list somewhere to be used for cracking. For example I personally use a lot of character names from my fantasy manuscripts (split up and jumbled a bit of course) as passwords as they are essentially made up and do not occur elsewhere*; but if/when I get published I'll be ditching those passwords asap (assuming any are still using that).

 

*I specifically use the weirder names, and all my fantasy names (mostly) are entirely made up and quickly ditched if I find them elsewhere.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue

Link to comment
Share on other sites

No passwords are "undecryptable", especially with MD5. Your best bet would just be to help increase the amount of time it takes.

 

Honestly, the best thing to do would be to make a unique password for Tip.it (or for any other site you visit). That should be your first option no matter what type of password you use. This is because if someone gains access to it via a database, it won't matter whether or not they have it because they can't do anything with it (since most likely the site would've been taken down in time due to what happened).

 

In cases such as email, there are other security features such as two-step verification for Gmail.

 

A good rule of thumb is to make them as complicated as you can make them without making them difficult to remember, making use of punctuation (like star suggested), mixed case, numbers, letters and symbols.


Link to comment
Share on other sites

That's incorrect. MD5 by definition cannot be decrypted. When you're talking about matching hashes with a rainbow table, that's one thing, but it's not decrypting.

 

At any rate, using passwords as long as possible with the biggest character variety (numbers, letters and symbols) is generally the safest.

"It's not a rest for me, it's a rest for the weights." - Dom Mazzetti

Link to comment
Share on other sites

Length is a big issue - even if you have a mixture of symbols, special characters, letters (upper and lower case), and numbers, if the password is under ~15 characters then anyone who really wants to get in will just bruteforce it within a reasonable amount of time. If you're super-concerned about people getting access, choose a password above 20 or so characters, although I doubt people care enough to get into your TIF account. Make sure not to use any words, even a mixture of them. Also no birthdays or names of people who you know which could easily be guessed, eg name of SO.

RIP TET

 


 

"That which does not kill us makes us stronger." - Friedrich Nietzsche

Link to comment
Share on other sites

Length is a big issue - even if you have a mixture of symbols, special characters, letters (upper and lower case), and numbers, if the password is under ~15 characters then anyone who really wants to get in will just bruteforce it within a reasonable amount of time. If you're super-concerned about people getting access, choose a password above 20 or so characters, although I doubt people care enough to get into your TIF account. Make sure not to use any words, even a mixture of them. Also no birthdays or names of people who you know which could easily be guessed, eg name of SO.

 

Those numbers sound excessively high; if you take a basic 62 character set (A-Z, a-z and 0-9), even a five character password means there are 916,132,832 possible combinations to attempt to brute force it. Which is really more than enough to block out the majority of basic brute forcers.

Heck, factoring punctuation into our previous numbers gives at least 100 characters in the set, and that zooms five characters up to 10,000,000,000 combinations.

 

Sure, more characters are better, but still 5 or 6 upwards is more than enough for most things; and any brute force attacker who really wants to can manage any length, there are a finite number of combinations after all.

 

15 characters (on the 62 set) would give 7.68909705 × 10^26 combinations (768,909,705,000,000,000,000,000,000)

Just had to do the math out of curiosity lol.


Link to comment
Share on other sites

 

Sure, more characters are better, but still 5 or 6 upwards is more than enough for most things; and any brute force attacker who really wants to can manage any length, there are a finite number of combinations after all.

 

 

The key length of characters is 8. At least that's what I learned in college. Lower than 8 characters is apparently easy to crack whatever the case.

Link to comment
Share on other sites

Thanks for the answers, guys. :D


Link to comment
Share on other sites

It uses a single iteration of MD5? Really?

"The more persistence a game tries to have; the longer it is set up to last; the greater number (and broader variety) of people it tries to attract; and in general the more immersive a game/world it set out to be--then the more breadth and depth of human experience it needs to support to be successful for more than say, 12-24 months. If you try to create a deeply immersive, broadly appealing, long-lasting world that does not adequately provide for human tendencies such as violence, acquisition, justice, family, community, exploration, etc (and I would contend we are nowhere close to doing this), you will see two results: first, individuals in the population will begin to display a wide range of fairly predictable socially pathological behaviors (including general malaise, complaining, excessive bullying and/or PKing, harassment, territoriality, inappropriate aggression, and open rebellion against those who run the game); and second, people will eventually vote with their feet--but only after having passionately cast 'a pox on both your houses.' In essence, if you set people up for an experience they deeply crave (and mostly cannot find in real life) and then don't deliver, they will become like spurned lovers--some become sullen and aggressive or neurotic, and eventually almost all leave."

Mike Sellers' Hypothesis

Link to comment
Share on other sites

Of course not. Personally, I know the encryption method they use for their passwords, but I would assume they won't want it publicly known.


Link to comment
Share on other sites

There seems to be some confusion over what Rainbow Tables actually are. Rainbow tables don't have a "chance" of cracking the hash. If the Rainbow Table has been made for 8 characters in length and the character set a-zA-Z0-9 then it will crack any alphanumeric password of 8 characters or less. Rainbow tables are often used by malicious people to decrypt easier passwords, but they consume vast amounts of storage space once they start getting big and they're very costly to generate as well since it requires pretty much doing the equivalent of a brute force for every password in your selected character set and length.

Link to comment
Share on other sites
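
The point above about table coverage, together with the thread's mention of salts, as an added example that is not part of any post here. A plain hash-to-password dictionary stands in for a rainbow table (which stores hash chains to save space but covers the same fixed space); the tiny lowercase space, the sample passwords and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import itertools
import os
import string


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(charset: str, max_len: int) -> dict:
    """Precompute md5 -> password for every string of 1..max_len chars.

    Stand-in for a rainbow table: same coverage, no chain compression.
    """
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            table[md5_hex(candidate.encode())] = candidate
    return table


def store_slow(password: str, iterations: int = 100_000) -> tuple:
    """Defender side: per-user random salt plus an iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_slow(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def demo() -> dict:
    # Constructed toy space: lowercase, up to 3 characters (18,278 entries).
    table = build_lookup_table(string.ascii_lowercase, 3)
    salt = os.urandom(16)  # per-user salt, stored next to the hash
    return {
        "entries": len(table),
        "unsalted_inside": table.get(md5_hex(b"cow")),           # in the covered space
        "unsalted_outside": table.get(md5_hex(b"horsecowman")),  # longer than the table covers
        "salted_inside": table.get(md5_hex(salt + b"cow")),      # same password, salted
    }
```

A salt only invalidates the precomputed table; a short password can still be guessed one account at a time, which is what the iterated KDF in `store_slow` makes expensive.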

I was just asking what type of passwords would be more difficult to decrypt/unhash?


Link to comment
Share on other sites

Long ones including uppercase, lowercase and symbols. A good idea is to use an actual sentence which you can easily remember, for example:

Do I like chocolate?

Contains uppercase, lowercase, spaces, symbols and is a decent length, making it unfeasible to crack.

Link to comment
Share on other sites

Sadly RuneScape doesn't allow you to use capitals or special characters in your password :(


Mercifull <3 Suzi


Link to comment
Share on other sites

Sadly RuneScape doesn't allow you to use capitals or special characters in your password :(

That must be pretty new since I do have a capital letter and some punctuation in my Rs password.

Link to comment
Share on other sites

That must be pretty new since I do have a capital letter and some punctuation in my Rs password.

 

Special characters =/= punctuation in all contexts.

Special character generally refers to the ones you get via alt codes and such opposed to the ones on the keyboard anyway.

 

Also you can type capitals into rs passwords, but it doesn't matter as they are not case sensitive.

Eg

Bob

BOB

bob

bOb

etc.

Are all the same password.


Link to comment
Share on other sites
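
The combination counts worked out earlier in the thread and the case-insensitivity described in the post above, put together as an added example that is not part of any post here. The guess rate of 10^9 per second and the one-year target are assumptions chosen for illustration, not measurements of any site or tool.

```python
import string

ALNUM = string.ascii_letters + string.digits  # the thread's 62-character set
ASSUMED_RATE = 10**9        # assumption: offline guesses per second on a fast hash
YEAR = 365 * 24 * 3600      # seconds


def effective_size(charset: str, case_sensitive: bool = True) -> int:
    """Number of symbols the password check can actually tell apart."""
    chars = charset if case_sensitive else charset.lower()
    return len(set(chars))


def keyspace(size: int, length: int) -> int:
    """Passwords of exactly `length` symbols drawn from `size` symbols."""
    return size ** length


def seconds_to_exhaust(size: int, length: int, rate: int = ASSUMED_RATE) -> float:
    """Worst-case time to try every password of that length."""
    return keyspace(size, length) / rate


def min_length(size: int, target_seconds: int, rate: int = ASSUMED_RATE) -> int:
    """Shortest length whose full keyspace takes at least target_seconds."""
    needed = rate * target_seconds
    length = 1
    while keyspace(size, length) < needed:
        length += 1
    return length


def report() -> list:
    """(label, symbols, 5-char keyspace, min length for one year) per policy."""
    rows = []
    for label, sensitive in (("case-sensitive", True), ("case-folded", False)):
        size = effective_size(ALNUM, sensitive)
        rows.append((label, size, keyspace(size, 5), min_length(size, YEAR)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Folding case shrinks the alphanumeric set from 62 to 36 symbols, so the same policy needs a longer password to reach the same work factor.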

So I guess I know why so many people are getting their passwords stolen in Rs. Passwords aren't secure. Only way to have a good password would seem to be to add numbers.

Link to comment
Share on other sites


Special characters =/= punctuation in all contexts.

Special character generally refers to the ones you get via alt codes and such opposed to the ones on the keyboard anyway.

 

Also you can type capitals into rs passwords, but it doesn't matter as they are not case sensitive.

Eg

Bob

BOB

bob

bOb

etc.

Are all the same password.

Wait, what? That's just.. that's just stupid.


Link to comment
Share on other sites


Wait, what? That's just.. that's just stupid.

 

I personally thought that was a well known fact about RuneScape. Apparently not lol.

Link to comment
Share on other sites


I personally thought that was a well known fact about RuneScape. Apparently not lol.

 

So did I, doesn't it even say on all the password changing and sign up screens right by the password box 'Not case sensitive'?


Link to comment
Share on other sites

I personally thought that was a well known fact about RuneScape. Apparently not lol.

 

So did I, doesn't it even say on all the password changing and sign up screens right by the password box 'Not case sensitive'?

I haven't properly played RS for a while now, so I haven't seen those pages for a loooong time.


Link to comment
Share on other sites
