
How many passwords do you use online?

  • 1: 0 votes (0.0%)
  • 2-3: 0 votes (0.0%)
  • 3-5: 0 votes (0.0%)
  • 6-8: 1 vote (11.1%)
  • 9-12: 0 votes (0.0%)
  • 13-17: 1 vote (11.1%)
  • 18-23: 0 votes (0.0%)
  • 24+: 1 vote (11.1%)
  • To Infinity and Beyond!: 6 votes (66.7%)

  • Total voters: 9

Ghost

Platinum Coder
I wrote an article today that explains how pretty much any webmaster can steal your passwords online. It can be done with established software such as WordPress, XenForo, etc. Pretty much any site that takes your login information can store it without encrypting it to then access other online accounts you have, get into your email potentially, and mess with your life.

So, my question is - How many passwords do you have memorized / do you use?

I have 4 "base passwords" and each one has 2-3 alterations, so I have around 10-12 unique passwords - but that's just for critical things like email, banks, etc. For forum, blog, and other sign-ups (on sites not owned by massive organizations) I use a separate 1-2 passwords with a couple of alterations, so that adds a few more.
Alteration means that "ghost" could be a password, and an alteration would be "ghost#32" and another would be "ghost55!". Obviously that is not my base password, but that's an example :)

Feel free to answer the question in the poll & tell us what you do to protect your data, finances, and other online holdings!
 
So I use a separate 30-digit password for each website, and this includes uppercase, lowercase, numbers and special characters.
All are stored in a password safe which is also secured with a 30-digit password.
Therefore I will not participate in the survey because it theoretically goes into infinity.
 
That's very safe of you. Good job. You should be proud - A lot of people stick to 10-12 character passwords, use the same ones, and when they write them down they either do it on paper in their desk or on a file stored in their PC desktop...usually not encrypted either.
I added a new poll option for you! "To Infinity and Beyond!"
 
Thanks
I even go so far as to use my own email address for most websites. This will also make it harder if the password becomes known.

Have you ever heard of the idea that longer is better? In the sense that "hello this is my password today" is more secure than "h3@!#F-x" because of the character length...
What do you think of that?
 
Perfect example of social engineering :) giving out too much information about password structure

Perfect example of social engineering.. giving out too much information about password storage and storage password length ;)
 
You can have as much information as you want when the passwords are generated by a program. The information has no advantage at all.
 
However, many password managers are affected by this problem, and it is also mentioned in combination with Windows, which I do not use.
But the danger is also very limited.
Still better than entrusting your passwords to an external service.
 
Sir, are you aware of this beauty right here? lol

The article is moot.
If "I accidentally installed evil stuff on my PC" is your attack vector, then you're screwed either way.
Instead of digging around in RAM, that software could just log what keys you pressed and which programs were focused while you pressed them.

Password managers protect you from losing a bunch of accounts when a hashed (or cleartext) password of one account is leaked.
They don't (and can't) protect you from infecting your PC with shady software.

Security by obscurity never works.
If the password is long and complex enough you gain nothing from knowing the parameters.
For example: Knowing that my CodeForum password is 56 characters of upper/lower letters, numbers, and special chars, doesn't get you one iota closer to "cracking" it.
Simply because there are way too many combinations to try them all in a reasonable amount of time.

If you want some numbers:
My password has around 350 bits of entropy.
Entropy tells you the average cost of randomly hitting the right password while brute-forcing it.
An entropy of n means that, on average, you will need 2^(n-1) guesses before you hit a match.
In my case that means doing 2^349 guesses (that's a number with 106 digits).

If CodeForum is badly configured and uses a fast hash like SHA-1,
and if you happen to have 8 modern GPUs laying around that can (together) reach around 8-10 billion SHA-1 guesses per second,
you'd have to wait around 4x10^87 years until you find a match.

Renting a datacenter with 4096 GPUs would drop you down to 8x10^84 years.

Enslaving some countries to crack my password with one trillion GPUs (10^18) would still need 2x10^60 years.

So either way the universe should reach its heat death before you get there.
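As an added worked example (not code from any poster in this thread), the Python below reproduces the arithmetic of the post above: entropy from alphabet size and length, the expected 2^(n-1) guesses, and cracking time at the post's stated SHA-1 guess rate scaled to its three GPU counts. It also puts numbers on the earlier "longer is better" question by comparing an 8-character random password with a 6-word passphrase under the attack model that fits each; the 1e10 guesses/s per 8 GPUs, the 95-symbol printable alphabet and the 7776-word list are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols, each chosen uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Brute force over 2^bits candidates succeeds, on average, after
    half of them: 2^(bits-1) guesses."""
    return 2.0 ** (bits - 1)


def expected_guesses_digits(bits: int) -> int:
    """Decimal digits of 2^(bits-1), computed exactly with integers."""
    return len(str(2 ** (bits - 1)))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time at a fixed guess rate, in years."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def years_for_gpus(bits: float, gpus: int, rate_per_8_gpus: float = 1e10) -> float:
    """Scale the assumed rate (8 GPUs ~ 1e10 SHA-1 guesses/s, taken from
    the post) linearly to `gpus` devices."""
    return years_to_crack(bits, rate_per_8_gpus * gpus / 8)


def compare_short_vs_passphrase(short_len: int = 8, words: int = 6) -> dict:
    """Entropy depends on the generation process the attacker can assume.
    Assumed alphabets: 95 printable ASCII characters; a 7776-word list;
    27 symbols (a-z plus space) if the attacker does not know it is words."""
    return {
        "random_chars": entropy_bits(short_len, 95),
        "random_words": entropy_bits(words, 7776),
        "words_as_chars": entropy_bits(words * 5, 27),
    }


if __name__ == "__main__":
    bits = 350  # the entropy stated in the post
    print(f"2^{bits - 1} has {expected_guesses_digits(bits)} digits")
    for gpus in (8, 4096, 10 ** 18):
        print(f"{gpus:>20} GPUs: {years_for_gpus(bits, gpus):.1e} years")
    print(compare_short_vs_passphrase())
```

With the post's own rate, the 10^18-GPU case comes out near 3x10^70 years rather than 2x10^60; the conclusion that brute force is hopeless at this entropy is unchanged.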
 
Thank you Dr. Captain Obvious ;)
 
What do you mean?
You were spreading blatant misinformation and didn't mark it as sarcasm or joke in any way.
 
You do realize that there are such things as rainbow tables and lists of already hacked, usually most common, passwords that you can run any password up against right? Also, why would you use SHA-1... SHA256/SHA512 are better.

How is the article "misinformation"?

And as far as my comment is concerned, "no duh" that a key logger could be installed in order to track your input. But again, the focus of the "misinformation" I was "spreading", according to you, was in regard to vulnerabilities found in password managers. But again, what do I know, right? :)
 