how long is your Password??

ZiNC · **Joined:** Aug 2007 **Posts:** 457

Cruor wrote:

Cracking passwords:

Code:

Pass Length.....All Characters..............Only Lowercase

characters....0.86 seconds................0.02 seconds
characters....1.36 minutes................0.046 seconds
characters....2.15 hours..................11.9 seconds
characters....8.51 days...................5.15 minutes
characters....2.21 years..................2.23 hours
characters....2.10 centuries..............2.42 days
characters....20 millennia................2.07 months
characters...1,899 millennia.............4.48 years
characters...180,365 millennia...........1.16 centuries
characters...17,184,705 millennia........3.03 millennia
characters...1,627,797,068 millennia.....78.7 millennia
characters...154,640,721,434 millennia...2,046 millennia

These times are for an average computer, attempting to brute force your password, meaning it assumes you have a completely random password; passwords with any form of words in them are far easier to crack, and using 1337-speak in attempt to hide it won't help you any.

The first column is what you could expect if Joymax let you use all ASCII characters, including uppercase and symbols.

We are all in the second column, because only a-z, 0-9 are allowed. It's best to at least change your password at least once within the time period it could be cracked in, however it's even better to change it on a daily or weekly basis.

it is shorter than that if the hacker is experienced and the victim is an dumbass.

PB_and_J · **Posted:** Sat Sep 22, 2007 9:13 pm

3.03 millennia woot woot

yoko · **Joined:** Jan 2007 **Posts:** 77 **Location:**

ZiNC wrote:

it is shorter than that if the hacker is experienced and the victim is an dumbass.

And significantly longer than that if the victim is reasonable clever and Joymax has not exposed their encrypted password list.

A reasonable advanced password, given 200 milliseconds latency and 10 minutes for extra for each 3 attempts, quickly becomes unwieldy to brute force fast enough.

I was however very annoyed when they reduced the characters you could use for your password. Suddenly I could not login to the web-site any longer since my password contained quite a few special characters. Logging in to the game still worked - so I did not notice until I planned to buy silk.

XemnasXD · **Posted:** Sat Sep 22, 2007 9:16 pm

Cruor wrote:

Cracking passwords:

Code:

Pass Length.....All Characters..............Only Lowercase

characters....0.86 seconds................0.02 seconds
characters....1.36 minutes................0.046 seconds
characters....2.15 hours..................11.9 seconds
characters....8.51 days...................5.15 minutes
characters....2.21 years..................2.23 hours
characters....2.10 centuries..............2.42 days
characters....20 millennia................2.07 months
characters...1,899 millennia.............4.48 years
characters...180,365 millennia...........1.16 centuries
characters...17,184,705 millennia........3.03 millennia
characters...1,627,797,068 millennia.....78.7 millennia
characters...154,640,721,434 millennia...2,046 millennia

These times are for an average computer, attempting to brute force your password, meaning it assumes you have a completely random password; passwords with any form of words in them are far easier to crack, and using 1337-speak in attempt to hide it won't help you any.

The first column is what you could expect if Joymax let you use all ASCII characters, including uppercase and symbols.

We are all in the second column, because only a-z, 0-9 are allowed. It's best to at least change your password at least once within the time period it could be cracked in, however it's even better to change it on a daily or weekly basis.

im so f*cked if someone wants to brute my pass....where do you find this stuff cruor, never cease to amaze me.

Cruor · **Joined:** Apr 2006 **Posts:** 1999 **Location:**

yoko wrote:

And significantly longer than that if the victim is reasonable clever and Joymax has not exposed their encrypted password list.

A reasonable advanced password, given 200 milliseconds latency and 10 minutes for extra for each 3 attempts, quickly becomes unwieldy to brute force fast enough.

I was however very annoyed when they reduced the characters you could use for your password. Suddenly I could not login to the web-site any longer since my password contained quite a few special characters. Logging in to the game still worked - so I did not notice until I planned to buy silk.

Yes, such speeds likely aren't attainable should the hacker merely try to brute force it through SRO, however if the user reused his password elsewhere and the hacker has access to that database, it could potentially be brute forced. Regardless, it does show you how much we are screwed over with our limited passwords and how much extra characters can help you out.

The weak point in the current system seems to be the secret question page, because all a hacker needs to change your password is your email and some research about you for the secret answer. A long, random password will probably keep you safe but if you aren't willing to remember one or type it in every time you want to log in, at least lock up your secret question. Because the secret question requires the hacker to have your email, you can basically make your email into a second password. Just go to Gmail or something and register an email account with a nice random name then change your SRO account's email to that and never use it for anything else. That will effectively protect your account from being outright stolen.

yoko · **Joined:** Jan 2007 **Posts:** 77 **Location:**

Cruor wrote:

Yes, such speeds likely aren't attainable should the hacker merely try to brute force it through SRO, however if the user reused his password elsewhere and the hacker has access to that database, it could potentially be brute forced. Regardless, it does show you how much we are screwed over with our limited passwords and how much extra characters can help you out.

Re-using passwords are not a good idea. It is easy to fall into the trap of doing so. I would personally recommend Password Safe for storing and generating your passwords. Most websites you can easily paste your very complex password in - for Silkroad, just practice it until your hands know how to type it and you be fine. I type my password very very quickly.

Cruor wrote:

The weak point in the current system seems to be the secret question page, because all a hacker needs to change your password is your email and some research about you for the secret answer. A long, random password will probably keep you safe but if you aren't willing to remember one or type it in every time you want to log in, at least lock up your secret question. Because the secret question requires the hacker to have your email, you can basically make your email into a second password. Just go to Gmail or something and register an email account with a nice random name then change your SRO account's email to that and never use it for anything else. That will effectively protect your account from being outright stolen.

The secret question (and the e-mail) is by far the most exposed details for Silkroad. Become friendly, ask for MSN (most people will have same MSN address as their Silkroad e-mail), then just ask innocent questions of favourite colour, where they are born, what film they like the most etc. etc. etc. Bingo - you got their account.

So, do as Cruor says, make an e-mail address just for the purpose of the game. Have a long password and learn it well. Do not use the password for any other place.

XemnasXD · **Posted:** Sat Sep 22, 2007 9:48 pm

i was going to make a new character anyway....this time i'll start it on a new account

MonstaH · **Joined:** Jun 2006 **Posts:** 1550 **Location:**

I'd have liked the ability of at least using lower and uppercase letters in your PWs ... and the fact that your first 3 characters have to be letters also limits the extra-protection it might give.

Nice footage btw Cruor ... you smartass

Barotix · **Joined:** Jul 2007 **Posts:** 9250 **Location:** Sand

MonstaH wrote:

I'd have liked the ability of at least using lower and uppercase letters in your PWs ... and the fact that your first 3 characters have to be letters also limits the extra-protection it might give.

Nice footage btw Cruor ... you smartass

the first 3 letter dont have 2 b numbers
>.>
<.<

TemJiN · **Posted:** Sat Sep 22, 2007 11:14 pm

Belgarath wrote:

My password is "This thread should be locked."

LMAO yea be afraid BE VERY AFRAID of me wanting to h4xur3d all of you. i think by the time i h4xur some one i'll be 17,184,705 millennia +9 yrs old

Rizla · **Posted:** Sat Sep 22, 2007 11:16 pm

Was using 12 when I was playing.

MiKe 51-50 · **Joined:** Dec 2006 **Posts:** 1284 **Location:**

Matrixman__ wrote:

i dont even know, havent typed it in such a long time, i use my G15 keyboard macro to enter username, password and hit enter for me all with only 1 button

I've heard ppl wrote their info in town by accident with that method.

EvilDiablo · **Joined:** Nov 2006 **Posts:** 361 **Location:**

lol my secret question was where i was born....the good thing on my part, is that the answer is a 15 digit # and letter string that i dont use anywhere else, good luck xD, cuz my pass is even harder than that, and i use a gmail address just like cruor said......security ftw!

Sylhana · **Joined:** Mar 2007 **Posts:** 3467 **Location:**

Long enough for it to be secure, short enough for me to remember

With practice, you could type any password quick enough.

Cloverleaf · **Joined:** Jun 2007 **Posts:** 488 **Location:**

My secret answer has nothing to do with the question

123noob · **Joined:** Jun 2007 **Posts:** 666 **Location:**

lol @ millennia.. haven't heard that word for quite some time

TemJiN · **Posted:** Sun Sep 23, 2007 5:09 am

G-mail?

whats that?

Sylhana · **Joined:** Mar 2007 **Posts:** 3467 **Location:**

TemJiN wrote:

G-mail?

whats that?

mail.google.com

XemnasXD · **Posted:** Sun Sep 23, 2007 5:27 am

Sylhana wrote:

TemJiN wrote:

G-mail?

whats that?

mail.google.com

do you have to be invited or can you just make one when you want

Itonami · **Joined:** Mar 2007 **Posts:** 3182 **Location:**

I change mine every inspection so it varies.

Sylhana · **Joined:** Mar 2007 **Posts:** 3467 **Location:**

XemnasXD wrote:

Sylhana wrote:

TemJiN wrote:

G-mail?

whats that?

mail.google.com

do you have to be invited or can you just make one when you want

EDIT: Before they require you to have an invite. I think you can just sign up now w/o one.

ZiNC · **Joined:** Aug 2007 **Posts:** 457

Sylhana wrote:

XemnasXD wrote:

Sylhana wrote:

TemJiN wrote:

G-mail?

whats that?

mail.google.com

do you have to be invited or can you just make one when you want

EDIT: Before they require you to have an invite. I think you can just sign up now w/o one.

ya now its like hotmail you just go and sigh up.

xzaz · **Joined:** Sep 2006 **Posts:** 1574 **Location:**

12 here, brute forcing takes time if its MD5 (lol @MD5 i still use that in my PHP >.>)

sheeplol6 · **Joined:** Sep 2007 **Posts:** 720 **Location:**

Twist wrote:

Belgarath wrote:

My password is "This thread should be locked."

Wow,mine too

shit thats mine! im gonna be hacked again! :o

Luoma · **Posted:** Sun Sep 23, 2007 3:14 pm

lol at "17,184,705 millennia"

good luck?

Twist · **Posted:** Sun Sep 23, 2007 3:15 pm

Lol,thats just bruteforce dont forget u can be keylogged,so 150 char pass will be taken in 3 seconds lol.

Burningwolf · **Joined:** Jun 2007 **Posts:** 2583 **Location:** :|

Cruor wrote:

Cracking passwords:

Code:

Pass Length.....All Characters..............Only Lowercase

characters....0.86 seconds................0.02 seconds
characters....1.36 minutes................0.046 seconds
characters....2.15 hours..................11.9 seconds
characters....8.51 days...................5.15 minutes
characters....2.21 years..................2.23 hours
characters....2.10 centuries..............2.42 days
characters....20 millennia................2.07 months
characters...1,899 millennia.............4.48 years
characters...180,365 millennia...........1.16 centuries
characters...17,184,705 millennia........3.03 millennia
characters...1,627,797,068 millennia.....78.7 millennia
characters...154,640,721,434 millennia...2,046 millennia

These times are for an average computer, attempting to brute force your password, meaning it assumes you have a completely random password; passwords with any form of words in them are far easier to crack, and using 1337-speak in attempt to hide it won't help you any.

The first column is what you could expect if Joymax let you use all ASCII characters, including uppercase and symbols.

We are all in the second column, because only a-z, 0-9 are allowed. It's best to at least change your password at least once within the time period it could be cracked in, however it's even better to change it on a daily or weekly basis.

FCK
they hack mine in 11 seconds ><

Silkroad Online Forums

how long is your Password??

Who is online