Account Password Security

there seems to be missing the all important:

users are as dumb as posts. Scams, i.e.:

"hey WOW! this chat actually hides my password watch"

account: Blah blah blah password: ********

"see how cool is that? try it you'll see"

"while you're at it, type in your credit card number; it comes up as *'s too"
"
sYkoDe4d wrote:
No option for an Authenticator App like Battle.net has?
With the Authenticator the users will trust the Game more and will maybe use the Cash Shop more.
But yes, I would pay 10-20$ for an Authenticator.


A free of charge mobile app would be sweet. ;)
"Adversity is the first path to truth." - Byron
"
Myrmi wrote:
-do not register in strange sites
-Keep your antivirus software up to date
-and again... use a unique password.

"
The most common passwords are as follows. Is yours among them?

123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty


SHIT... my password was princess.
Very interesting topic.
"
zeto wrote:
The much simpler Ilikethis1! would take a couple years to a couple thousand years.


Those figures are meaningless. You cannot comment on how long it takes to crack a password unless you also take into account the attack method (on-line password guessing or cracking the password hash). Even then, the hash type and its implementation will dramatically affect how long it takes to crack. Then you have man-in-the-middle attacks that mean you could get the password in clear text. Far, far too many variables in play to start quoting numbers at people and instil false confidence.
"
Seonid wrote:
"
zeto wrote:
The much simpler Ilikethis1! would take a couple years to a couple thousand years.


Those figures are meaningless. You cannot comment on how long it takes to crack a password unless you also take into account the attack method (on-line password guessing or cracking the password hash). Even then, the hash type and its implementation will dramatically affect how long it takes to crack. Then you have man-in-the-middle attacks that mean you could get the password in clear text. Far, far too many variables in play to start quoting numbers at people and instil false confidence.


All these numbers assume an offline massive array attack. For the duration of this thread, the (I think) haystack calculator was used.

When one is talking about password strength, you must assume it's an offline attack scenario against a hashed password. All other scenarios either are too slow to matter or bypass the requirement to guess a password at all. Storage in clear text is then moot, and MITM are almost never feasible, but if either situation is true, then password strength means nothing.

So certain assumptions must be made in order to talk about password strength at all. The numbers provided are valid for almost all scenarios.
If you have account problems please [url="http://www.pathofexile.com/support"]Email Support[/url]
"
zeto wrote:
When one is talking about password strength, you must assume it's an offline attack scenario against a hashed password.


That's not the case in practice though. Regardless, I can promise you that an off-line rainbow table attack against a lanman hash takes significantly less time than against bcrypt, regardless of what characters your password uses or how long it is. Plaintext storage of passwords died in the late 80s and in some cases it is a regulatory requirement that you do not do so. Anyway, digressing a bit more than I planned, choose a good password and don't reuse it anywhere else is always sound advice as many others have said.
"
Seonid wrote:
"
zeto wrote:
When one is talking about password strength, you must assume it's an offline attack scenario against a hashed password.


That's not the case in practice though. Regardless, I can promise you that an off-line rainbow table attack against a lanman hash takes significantly less time than against bcrypt, regardless of what characters your password uses or how long it is. Plaintext storage of passwords died in the late 80s and in some cases it is a regulatory requirement that you do not do so. Anyway, digressing a bit more than I planned, choose a good password and don't reuse it anywhere else is always sound advice as many others have said.


Seonid Traighan? lol
"
Seonid wrote:
"
zeto wrote:
When one is talking about password strength, you must assume it's an offline attack scenario against a hashed password.


That's not the case in practice though. Regardless, I can promise you that an off-line rainbow table attack against a lanman hash takes significantly less time than against bcrypt, regardless of what characters your password uses or how long it is. Plaintext storage of passwords died in the late 80s and in some cases it is a regulatory requirement that you do not do so. Anyway, digressing a bit more than I planned, choose a good password and don't reuse it anywhere else is always sound advice as many others have said.


To sum up what does happen in practice: There are two common scenarios and one rare one.

The most common scenario is an online attack; this type of attack is EXTREMELY slow and almost not even worth considering. It includes people manually guessing and programs trying to guess until they are blocked. If your password is guessed by an online attack, it was really, really weak, or the attacker had a priori knowledge, or had access to the next tier of cracking, or performed an extremely rare MITM attack negating your password entirely.

The next most common is a hash dump, more than likely via an SQL injection or other method that is crossed with a rainbow table for the expected algorithm. However, the feasibility of rainbow tables quickly degrades with password size and almost any form of salt or any algorithm that isn't super popular (since rainbow tables for popular algorithms are HUGE). MD5 and Lanman are classic examples of rainbow weak, but have been replaced with more robust systems in most applications.

Last is brute force offline massive array against the hash list, which enthusiasts, cracking groups, and governments might use. These are the only real viable scenarios for passwords that are long or salted.

So again, given this, when considering password strength, the only consideration is that of an offline massive array brute force scenario. In all other scenarios the strength of your password is nearly meaningless. In other words, if one encounters a scenario where you can use a rainbow table, man in the middle, or other a priori knowledge, then your password is easily cracked (weak pass) OR is easily bypassed (strong pass).
If you have account problems please [url="http://www.pathofexile.com/support"]Email Support[/url]
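The two exchanges above (the "couple years to a couple thousand years" figure, and the three attack scenarios) come down to one piece of arithmetic: the haystack-style search space (alphabet size to the power of length) divided by the guess rate of whatever scenario you assume. The script below is an added example written for this thread, not code from the forum, the calculator the thread refers to, or the game's developers. The guess rates in `GUESS_RATES` and the 33-symbol class size are constructed assumptions for illustration, chosen only to show how the same password gives wildly different "years" depending on the scenario:

```python
# Constructed, illustrative guess rates (guesses per second) for the three
# scenarios the thread distinguishes. They are orders of magnitude chosen for
# the example, not measurements of any real service or cracking hardware.
GUESS_RATES = {
    "online login form with lockout/rate limiting": 10.0,
    "offline, fast unsalted hash (LM/MD5 class)": 1e10,
    "offline, slow adaptive hash (bcrypt class)": 1e4,
}

# Character-class sizes used by haystack-style estimates (assumed values).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33  # 33 = printable ASCII punctuation + space


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search of that alphabet and length must cover.

    This is an upper bound only: a password that sits in a wordlist (like the
    common ones listed earlier in the thread) is found on the first pass of a
    dictionary attack, long before the space is exhausted.
    """
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to cover the full space at a given guess rate, in years."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def scenario_table(password: str) -> dict:
    """Exhaustion time for each assumed scenario, keyed by scenario name."""
    return {name: years_to_exhaust(password, rate) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for pw in ("princess", "Ilikethis1!"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} length={len(pw)} "
              f"space={search_space(pw):.3e}")
        for name, years in scenario_table(pw).items():
            print(f"  {name}: {years:.3e} years")
```

Running it shows the point both posters circle around: `princess` (26^8 candidates) is exhausted in seconds against a fast unsalted hash and is in every wordlist anyway, while `Ilikethis1!` (95^11) moves from thousands of years to billions of years purely because the assumed hash is slow. The number is a property of the scenario as much as of the password.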
"
Chris wrote:
Various services such as Linkedin and League of Legends have supposedly had their password databases compromised recently. Please make sure that your Path of Exile password is not the same as the password that you use for other services!

Edit: If you're interested, we store passwords securely as a salted hash. We do not store credit card information ourselves.


I hope you're not using some simple salt/md5. Should really go with like SHA 512/Salt(Randomised)..... That combo makes life hell lol.
www.tachi203.com : For live streams, gameplay, news of me +(.

It is better to be violent, if there is violence in our hearts, than to put on the cloak of nonviolence to cover impotence. - Mohandas Gandhi
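To make concrete what "a salted hash" (Chris) and "SHA 512/Salt(Randomised)" (the reply) buy you over plain MD5, here is an added example; it is not the game's code and says nothing about how Path of Exile actually stores passwords. It assumes PBKDF2-HMAC-SHA512 from the standard library as the slow, salted scheme (bcrypt, mentioned earlier in the thread, would serve the same purpose), a per-account 16-byte random salt, and a record format of my own invention:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed work factor for the example. In practice tune it so one
# verification costs tens of milliseconds on the server.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The weak scheme the reply warns against: every user with the same
    password gets the same digest, so one precomputed (rainbow) table answers
    for an entire dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha512$<iters>$<salt hex>$<digest hex>.

    A fresh random salt per account means identical passwords produce
    different records, and a precomputed table for unsalted SHA-512 is useless.
    The iteration count makes each guess expensive for an offline attacker.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """True when two accounts sharing a password still store different values."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # "princess" is one of the common passwords listed in the thread.
    print("unsalted md5, user A:", unsalted_md5("princess"))
    print("unsalted md5, user B:", unsalted_md5("princess"))  # identical
    rec_a, rec_b = hash_password("princess"), hash_password("princess")
    print("salted record, user A:", rec_a)
    print("salted record, user B:", rec_b)                     # differs
    print("login with correct password:", verify_password("princess", rec_a))
    print("login with wrong password:  ", verify_password("Princess", rec_a))
```

The salt defeats the rainbow-table scenario Seonid describes, and the iteration count is what turns the "offline massive array" scenario from seconds into years; neither helps a password that is simply in the wordlist, which is why the thread's advice about unique, non-trivial passwords still stands.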
