ZDoom

[boris]

and testing your password's strength against known cracking algorithms with this tester

Entering your password on some random website that "tests" your password is a bad idea. They could as well store it in a dictionary.

[4thcharacter]

I think this is the time where the "Add foe" function works well. Report the trolls, then add them as foes.

[scalliano]

Just changed my password, logged out, and THEN got the "too many login attempts" message as I tried logging in again. Is it time to panic?

[Slax]

WELP. Time to upgrade the forums.

[wildweasel]

WELP. Time to upgrade the forums.

I'm not sure that this would help anything, considering our troll has been getting in by random brute forcing.

[Slax]

Well, an IP ban on too many login attempts would be good. Proxy or not, it should help soothe the issue.
I dunno. It's something at least.

[NeuralStunner]

Is it time to panic?

Nope. Just shows that someone was trying to guess your password from a different system.

Numbers and capital letters are highly overrated.

From a technical standpoint, 62^len is less breakable than 26^len.

Aside from some random sequence of characters, the best password is still some phrase that only has meaning to you.

This is why I suggested a hybrid of the two.

Entering your password on some random website that "tests" your password is a bad idea. They could as well store it in a dictionary.

I've seen this particular site recommended by the folks at Windows Secrets (who I've always seen on the ball about security-related things).

[Gothic]

Entering your password on some random website that "tests" your password is a bad idea. They could as well store it in a dictionary.

But you don't click anything on that site, you just type and the result appears, like Google Translator.

[DoomRater]

You do that on Google.com as well and that data is sent to Google...

[demo_the_man]

I didn't even realize this happened. I thought i was banned the whole time,then i realized that the captcha need a space

[Graf Zahl]

Numbers and capital letters are highly overrated.

From a technical standpoint, 62^len is less breakable than 26^len.

But that's not how password cracking works. A random combination of small letters is still more secure than a real word where some characters have been capitalized or where 'o's have been replaced with '0's.

[boris]

Entering your password on some random website that "tests" your password is a bad idea. They could as well store it in a dictionary.

But you don't click anything on that site, you just type and the result appears, like Google Translator.

The days where you had to press a button to send data to a server have been gone for a long time. Each time you type something into the Google translator this data is sent to Google, and the Google servers reply with the translation. This technique is called AJAX and very common nowadays.

[NeuralStunner]

But that's not how password cracking works. A random combination of small letters is still more secure than a real word where some characters have been capitalized or where 'o's have been replaced with '0's.

If we're talking about using a personal phrase, that's still real words. For most people, the phrase is still going to be somehow related to the site it's used on (unless they're reusing it across sites), and even one bizarre substitution (I.E. not something as obvious as o->0) is going to be unpredictable.

I admit I might be biased on the "but is it worth it" front since I can use an obtuse password and still remember it. (Through repeated use, if nothing else.)

[Caligari87]

Our current woes are probably related to the slew of recent password dumps, as noted in this Reddit admin announcement. From that post, here's a decent write-up on modern password cracking, which I believe is what Graf's getting at. "H0r53" bay contain more entropy than "horse", but dictionary cracking is wise to leet-speak replacements, so it's liable to be higher on the list than a brute-force attack (which are really outdated).

As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously.

They guess intelligently. They don't run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That's 200bn possible passwords, most of them very unlikely. They try the most common password first: "password1". (Don't laugh; the most common password used to be "password".)

A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One guesser I studied starts with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tests them each with about 100 common suffix appendages: "1", "4u", "69", "abc", "!" and so on. It recovers about 24% of all passwords with just these 100,000 combinations.

Basically, at this point you need to be using completely passwords like D9#%Rf9@pA* to be even close to secure.

[Accensus]

Some of my passwords are long and complicated enough that I need to do some air keyboarding to remember exactly how it goes. That moment when muscle memory > actual memory. I know the phrases, but, beat me with a stick, I can't type them on my phone. I forget how far I've typed halfway there.