Xeryon Posted November 6, 2007
So my primary job for the last year and a half has been selling computer parts on eBay. Turns out my PayPal password was not strong enough and my business PayPal account was hacked this last weekend. No, the info wasn't phished. I've been at this sh!t for 9 years now, I know all the normal tricks. Too bad I forgot about the most obvious one: brute forcing a password. Ultimately the person that broke in received nothing since I caught the error within a few minutes, but the resulting ripple effect of this will hurt my business for a while. My account is under special review and all transactions, incoming and outgoing, are locked. So my items are for sale on eBay, but I cannot accept payments for them. I am already getting complaints from angry customers. Ultimately this is going to hurt my paycheck pretty bad. This is my little rant to make sure all you guys/girls that buy, sell and bank online have sufficiently strong passwords. Remember: a 6 character alphanumeric password using only lowercase and numbers can be brute forced in as little as a couple of weeks using a handful of decent computers. An 8 character one can be done in about a year or two worst case. A 12 character password using alphanumerics, at least one capital and one special character would require 150+ years using every available computer in the world to generate your password. Make sure your passwords are way more than adequate for your financial internet usage.
Ben. Posted November 6, 2007
Sounds like someone had it out for you.
TS John Posted November 6, 2007
Sucks, man. I feel like brute forcing should be even faster than that. I mean, computers are pretty fast nowadays. Where do you get that data, out of curiosity?
Xeryon (Author) Posted November 6, 2007
If you do a little Google searching on system security you should be able to find the specifics. Internet security scientists have the numbers all calculated per megaflop and gigaflop of CPU. With a little cross referencing you can find out the number of flops a common home computer can run and then do the rest of the math. I rattled those numbers off the top of my head. I am sure I remember them incorrectly, but the bit about the 12 character being 150+ is pretty close. Think about this: 12 char alphanumeric: 10 digits, 26 letters, 26 capital letters, 30 (or so) common special characters means you have about 92 characters per slot. Any pass generator has to start, for a 6 char password, with 92^6. Which is about 606 billion combinations right there. Not too much for a couple of decent computers to generate and try to submit. Internet transit time slows down the brute forcing or it would actually be a little faster. And for each additional char you add you have to grow the number exponentially, so your password ends up being 92^X where X is the number of characters in your password. A 12 char is ~36^22, or 367666387654882241806336 combinations.
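The keyspace arithmetic in the two Xeryon posts above (92 symbols per position, 92^X candidates for an X-character password, with the guess rate deciding the wall-clock time) worked through as an added Python example; this is not code from the thread. The two guess rates, the 30-symbol special-character count and the 100-year budget are constructed assumptions for illustration, not measured figures.

```python
"""Keyspace and brute-force time estimator (added example, not from the thread)."""
from __future__ import annotations

SECONDS_PER_YEAR = 31_557_600  # 365.25 days

# Per-position symbol counts as the post counts them: 10 digits, 26 lowercase,
# 26 uppercase and roughly 30 printable special characters (assumed value).
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "special": 30}


def alphabet_size(*classes: str) -> int:
    """Distinct symbols available per position for the chosen character classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace_size(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols (alphabet ** length)."""
    if alphabet < 1 or length < 1:
        raise ValueError("alphabet and length must be positive")
    return alphabet ** length


def years_to_exhaust(keyspace: int, guesses_per_second: int) -> float:
    """Worst case: years needed to try every candidate at a constant guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def minimum_length(alphabet: int, guesses_per_second: int, target_years: int) -> int:
    """Smallest length whose full keyspace takes at least `target_years` to exhaust."""
    budget = guesses_per_second * target_years * SECONDS_PER_YEAR  # exact integer
    length = 1
    while keyspace_size(alphabet, length) < budget:
        length += 1
    return length


# Constructed guess rates for illustration (assumptions, not measurements):
#   a login form that is rate limited to a handful of attempts per second, versus
#   guessing against a leaked hash database where nothing throttles the attacker.
RATES = {"online, rate limited": 10, "offline hash cracking": 1_000_000_000}


def report(lengths=(6, 8, 12)) -> dict[tuple[str, int], float]:
    """Years to exhaust each (rate, length) pair for the full 92-symbol alphabet."""
    alphabet = alphabet_size("digits", "lower", "upper", "special")
    return {(name, n): years_to_exhaust(keyspace_size(alphabet, n), rate)
            for name, rate in RATES.items() for n in lengths}


if __name__ == "__main__":
    full = alphabet_size("digits", "lower", "upper", "special")
    print(f"alphabet: {full} symbols; 6-char keyspace: {keyspace_size(full, 6):,}")
    for (name, n), years in report().items():
        print(f"{name:>22} | {n:2d} chars | {years:>12.3g} years worst case")
    for rate_name, rate in RATES.items():
        print(f"{rate_name}: need {minimum_length(full, rate, 100)} chars for a 100-year budget")
```

The two rates are the point for a defender: the online rate is what account lockouts and rate limiting control (the "internet transit time" the post mentions is a weak version of the same throttle), while the offline rate applies the moment a password hash database leaks, and only password length and a slow hash protect the account there.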
Ben. Posted November 6, 2007
Okay, way too f*cking much math going on in here. LOL.
TS John Posted November 6, 2007
Ah. I hadn't considered the special characters, nor the internet transit time. That makes more sense then.