The Dirt On Password Cracking

 Where to start?  I read an open topic where the author stated that by making their password longer they made it un-crackable. (In our lifetimes) Now in a perfect world, this is true. However, Cryptography is not perfect. I'll give you a brief rundown on how this works most the time.Server (or Program) asks for a password. You give your password. Application on server turns your password into a confusing amalgam of numbers and letters. ie. (85E6990264C86E55C412B7BFE2CFEA91)(MD5) Now, it saves this file. This is called a hash.You go to facebook, put in your user/pass. Facebook, will hash your password and, using that hash file, the Server will check to see if your password's hash matches the hash it has on file. If the hashes match, it grants you access. Now, if someone steals this file, they can run a brute force program that will hash an outrageous amount of passwords trying to find yours. (Which is why "password" and simple words like "egg" are bad) But now there are Collision attacks. (We'll get there in a second) There are also other more complicated and more effective ways to crack your password, but we won't get into those now.Alright, so let's assume that every single possible password produces a unique hash. Yay. Cryptography is perfect, no more need for security experts. Unfortunately, this is not possible. When two passwords create the same hash a collision occurs.  If my password is, "E*d&ve%odc(/ou@3hecDe8532." I might assume it is un-crackable. I'd probably be right unless there was a simple word that produced the same hash. (Such as "egg")"But Cyber", you say, "What are the chances of that?" to which I reply, It really depends on the hashing function your Server/Site/Application uses and whether or not any of the sites you have ever visited have ever had their password files dumped.(Stolen) Crackers (Black Hats) will often times upload their hash dumps (Your Username and Password Hash) to the internet and give them to whoever as a form of bragging. Then twenty other Crackers (More Bad guys) will download them and start trying to crack them with either a collision attack or brute forcing. Brute forcing usually comes first, because after 16 hours it will have 90% of the passwords (Because some people still use Password or shark 15 as their password.) Then they can sell this list of decrypted passwords/usernames to anyone willing to buy them.The only reason this is effective and profitable is because people use the same password for different sites. So as a recap: Use different passwords for different sites (Safe). Use more complicated passwords (Safer). Finally, just because you have the most complicated password in history (Safest)... DO NOT assume you are protected for eternity(Not Safe).  A good security posture is to change your password(s) every three months.(Yes for every site) But if you don't really care about how secure your Myspace Page is, leave it. The password on that site is now different from all the others, and you aren't doomed to financial ruin(Or mockery on Facebook) in the event you get cracked. I also highly recommend you get a password manager, and or write these passwords down. (Please do NOT let your browser manage your password either.) Hopefully, this is helpful and entertaining,CyberSync.