Submitted via IRC for TheMightyBuzzard
CynoSure Prime, a "password research collective", has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.
Their effort, pulled off with the help of two other researchers, revealed many things:
- Interesting statistics regarding these real world passwords exposed in data breaches,
- The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and
- Some bugs in the Hashcat password recovery tool.
"The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less," the collective shared.
"Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters."
Source: https://www.helpnetsecurity.com/2017/09/05/researchers-reverse-320-million-hashed-passwords/
(Score: 2) by FatPhil on Wednesday September 06 2017, @02:58AM
It's less than a 9-digit PIN
It's less than all word-word-digit passwords
If you're using one of the 320000000 most likely passwords, as measured by a statistical model, then you're screwed anyway, as that many hash calculations is almost instant nowadays.
Any attack which focuses on attacking low-hanging (easy to manage in human memory) passwords will now dominate humans abilities to memorise passwords. Your only options are:
1) pray the attacker's view on what's low-hanging mis-models your brain; or
2) don't memorise them
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves