• ArtVandelay@lemmy.world
    link
    fedilink
    English
    arrow-up
    26
    arrow-down
    1
    ·
    9 months ago

    It’s a good thing not just everybody can afford a raspberry pi zero that would be necessary to crack an MD5 in seconds

    • viking@infosec.pub
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      4
      ·
      edit-2
      9 months ago

      That really depends on the password complexity. Sure, you can crack a password of 6-8 characters in below 30 minutes, but anything more complex than that will take days and longer.

      My default password is 22 characters long and includes a unique identifier for each service plus a checksum. Say as an example (similar enough to my actual use case) for Adobe I’ll have “Ae” (first and last letter of the service) and “41” in a specific position (A = 41 in Hex).

      That way even if I repeat the other 18 characters (including symbols, upper and lower case characters) it will take years or even decades on a consumer grade system to crack my password, and the hash is unique for each service/website, so there won’t be any collateral damage either, even if some service I used got breached and my password somehow fully exposed.

      • ReginaPhalange@lemmy.world
        link
        fedilink
        English
        arrow-up
        26
        arrow-down
        2
        ·
        9 months ago

        Why do people humble brag about their password strength, but then tell the whole world how to construct rainbow tables designed to crack their passwords?

        • InnerScientist@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          9 months ago

          Iirc rainbow tables are currently useless due to good seasoning salt.

          Though password crackers can take a known pattern to drastically increase speed it would still have to do the whole calculation for every password.

        • viking@infosec.pub
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          9 months ago

          Like I mentioned, I’m using a related pattern, nothing as simple as the one I sketched out here.

          • LostXOR@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            As long as the other 18 characters are randomly generated that seems secure enough, and a decent way to keep track of which passwords are associated with which accounts.

            • LordKitsuna@lemmy.world
              link
              fedilink
              English
              arrow-up
              8
              ·
              9 months ago

              Feels like just a roundabout an exceptionally more difficult way to achieve a strong password versus just a password manager. Where you can do ridiculous things like have a 100 character long password

              Only to discover that the website will accept 100 characters in the box but actually truncate it to like 40 without telling you

      • noodlejetski@lemm.ee
        link
        fedilink
        English
        arrow-up
        19
        ·
        9 months ago

        I think I’ll stick with a password manager and its randomly generated passwords instead of doing an algebra problem every time I want to check my email