Guide | How To How secure is your password?

[DoxThis]

Also please note guys that site is trash, not trying to be rude but an average desktop pc is not that good.
When you talk about cracking hashes obtained from a web server, lets be honeste you are not messing with your grandma's pc when cracking hashes, you are going to either
1. Use an online hash cracker that uses server grade hardware OR
2. Buy 4 R9 290X's overclock them and use them with a hashcracking program and a nice password list like the one from Cain and Abel

 

[viktik]

How about using cryptographic HEX hash value as password

Even if the users can remember word "cat" , he will be using SHA-3 (512bit) hash value "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360" as password.

user just need to remember easy word "cat' and the hash function SHA-3 (512bit).

the HEX hash value is 128 character long. Anyone trying to crack this will fail.

This 128 character password is very difficult to crack.
Even if todays supercomputer gets 1 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion times better ( which in reality it cannot ), it will take 52.64 million trillion centuries to crack it.

 

[WinXPert]

you can generate random passwords, but how will you remember it.

https://addons.mozilla.org/en-us/firefox/addon/password-hasher/

make sure you enable Use a master password in Firefox

@DoxThis Yup!

 

[DoxThis]

How about using cryptographic HEX hash value as password

Even if the users can remember word "cat" , he will be using SHA-3 (512bit) hash value "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360" as password.

user just need to remember easy word "cat' and the hash function SHA-3 (512bit).

the HEX hash value is 128 character long. Anyone trying to crack this will fail.

View attachment 57082

This 128 character password is very difficult to crack.
Even if todays supercomputer gets 1 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion times better ( which in reality it cannot ), it will take 52.64 million trillion centuries to crack it.

View attachment 57083

View attachment 57085

Personally, I would not recommend using a hash for a password because there are databases that store hashes that result in a very small password such as that...
EG www.crackstation.net
CrackStation uses massive pre-computed lookup tables to crack password hashes.

 

[DoxThis]

Like I said before its not a very good idea regardless UNLESS you are using SHA-3 Because the hash is so freaking large

 

[DoxThis]

Also, how would that password work on 99% of sites that have a limitation on the characters/ Require special characters etc.



If only every webserver in the world used extremely hard to crack salting on hashes as well, we would never have breakins of accounts except from MITM attacks

 

[viktik]

Personally, I would not recommend using a hash for a password because there are databases that store hashes that result in a very small password such as that...
EG www.crackstation.net
CrackStation uses massive pre-computed lookup tables to crack password hashes.

They keep hash database of passwords. Still they are not using SHA-3 (512bit).

Even if they have SHA-3 (512bit) hash database it won't work.
If i used "cat" as password then it would be very easy to crack. But i am using the hash value "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360" as password. So normally they will be searching for hash value of this password, which will be "F1650CB4543DCC9E4B855541054295F43DE0CADAB9071D96187119855E136E743CE855E143258ED05348682416231CB7178A554D577B25600463DA21AEFA10EF" if SHA-3 (512bit) is used . They will never find the match.


How about doing multiple hash?
hashing "cat" gets "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360"


hashing "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360"
gets
"F1650CB4543DCC9E4B855541054295F43DE0CADAB9071D96187119855E136E743CE855E143258ED05348682416231CB7178A554D577B25600463DA21AEFA10EF"

hashing "F1650CB4543DCC9E4B855541054295F43DE0CADAB9071D96187119855E136E743CE855E143258ED05348682416231CB7178A554D577B25600463DA21AEFA10EF"
gets

"AE7F5C8C097A0F2C217BDF86F1992070D419C3E3DC6A90BA8A0C517716E9C3C1AB23D7E50FF248D2C78F4309B1C5F63A34FC5355F60B7BBD3EDFE4B330419684"

this final hash value will be used as password.

user needs to remember three things

• Easy word "cat"
• The hash function SHA-3 (512bit)
• Number of times hash was done : 3

Anyone trying to crack it using general method will fail, unless he knows all the three thing mentioned above

what if i concatenate all three hashes to get even more lenghty password : "B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360F1650CB4543DCC9E4B855541054295F43DE0CADAB9071D96187119855E136E743CE855E143258ED05348682416231CB7178A554D577B25600463DA21AEFA10EFAE7F5C8C097A0F2C217BDF86F1992070D419C3E3DC6A90BA8A0C517716E9C3C1AB23D7E50FF248D2C78F4309B1C5F63A34FC5355F60B7BBD3EDFE4B330419684"

this is 384 character password. it cannot be found in any database. Obviously it cannot be cracked.


hashing "cat" ten times using SHA-3(512 bit) we get hashes

cat

1. B2FAF80C85BD36029DC3F804CBF439888FD1CA195AB0E3DECB872F8AA9EF767E4866186EBB8B5ECFA1237147A94775F8302648BE0FD0AE3A6EBBDF931F423360
2. F1650CB4543DCC9E4B855541054295F43DE0CADAB9071D96187119855E136E743CE855E143258ED05348682416231CB7178A554D577B25600463DA21AEFA10EF
3. AE7F5C8C097A0F2C217BDF86F1992070D419C3E3DC6A90BA8A0C517716E9C3C1AB23D7E50FF248D2C78F4309B1C5F63A34FC5355F60B7BBD3EDFE4B330419684
4. CBBA91B52162FE79666609C0178C3AD043837EA95FBF30D5834D30B7FC4A7C5CC85B040B7DCDEAAAB24EB4DA030A22EC9C3E40B5377C99C1DEAA894970934D09
5. 208385B1E83A6879D10B274B8A42ADF9E54D515D9B14FB8FC939A39B0A38B1BE61DDEEBDA31845EACAE3BD094ABD75E272A97D68E22D25A275D6D0F84ECEB10E
6. 8D95E1F68C0E10E1100F55858D78926BA7602CEA9417B358511346E2DE34A3F01DB89DE196E8A76F39660C6A0A28E0E93BF2796DF2040EAFFA549BB8D842EAEF
7. 02E57A7DA1F486CDB62AD399123B5857969117CA79A9630B21C1C45913B4FBE4055AF1221E01FD748975DD64622556F187516131DCB5E4EC5CCD40B117C489D7
8. 80E323CDB602CFF4C42005850F278C9A2CE05DB0035EB1EC75F837A57CEA9B2B0022050CA0623D56EABCF74E2FC2522F340103C94B175D83B4D5196C9150D6FB
9. EC0DFCFF56DD2C611F59E934FB3C3100E8AF474FEED754131E68CA76713D1797A7374F007BC610B625FBE2917941B6DE3E28F8E1751F51E2C3B4CEE7E0523406
10. 6CE9EBE1C3BD3E85F5BE7695F8580EA842F66780343CFF578400D4D73AC3D23FF2BE6749481ED471A7CD97304CC6C16FC7EED959A7B56BEF7D3BB8AA5935B5F8

What if we concatenate hashes from 6 to 10 to get password
8D95E1F68C0E10E1100F55858D78926BA7602CEA9417B358511346E2DE34A3F01DB89DE196E8A76F39660C6A0A28E0E93BF2796DF2040EAFFA549BB8D842EAEF02E57A7DA1F486CDB62AD399123B5857969117CA79A9630B21C1C45913B4FBE4055AF1221E01FD748975DD64622556F187516131DCB5E4EC5CCD40B117C489D780E323CDB602CFF4C42005850F278C9A2CE05DB0035EB1EC75F837A57CEA9B2B0022050CA0623D56EABCF74E2FC2522F340103C94B175D83B4D5196C9150D6FBEC0DFCFF56DD2C611F59E934FB3C3100E8AF474FEED754131E68CA76713D1797A7374F007BC610B625FBE2917941B6DE3E28F8E1751F51E2C3B4CEE7E05234066CE9EBE1C3BD3E85F5BE7695F8580EA842F66780343CFF578400D4D73AC3D23FF2BE6749481ED471A7CD97304CC6C16FC7EED959A7B56BEF7D3BB8AA5935B5F8

This becomes 640 character password. Very hard to guess and obviously impossible to crack

 

[jamescv7]

My password which uses majority in here (MT), and Yahoo: 377 Billion Years
Email add like Hotmail: 68 Million Years

The combination of my password is a little bit related on my personal information but it doesn't mean I'm vulnerable; because on some instances a typical user cannot make any brute force attack even a weak one; he/she need a lot of research and tools and try to know the password; In these days; login based is protected which makes the account locked due to incorrect passwords and easily access by answering the verification details.

 

[yigido]

Why should I write my password on this site ? This guys can use your password lol This sounds a bit weird but it is possible, I know my password is uncrackable

Spoiler: Screenshot

 

[comfortablynumb15]

I..didn't even know that was a word

 

[Atlas147]

Wondering if the password cracker the site is based off on uses dictionary to try to hack the password, it might significantly decrease the timing for it to be hacked if it does