Has my password been compromised?

4

I just tried to register an account at www.mysonicwall.com (irrelevant) and got this error message:

This password is publicly available in hacking/security forums and can be easily compromised. Please use a different password.

My password is a collection of randomized letters including capitals, a symbol, and a number. It will pass any password requirements, so this is solely an issue of exposure.

Does anyone know what hacking/security forums they check my password against? Can I search well-known password lists for my password? Most importantly, where should I go from here? Should I start resetting all my passwords?

EDIT: I've contacted customer support for the site and as it turns out, they're having an issue evaluating the strength of passwords. The whole experience has been a wake-up call for my password lifestyle, however, as I've been tweaking the same base password since the 3rd grade (I'm 26 now). I'll be employing KeePass from here on out and will leave the question open for others to learn from my scare. I'll mark the rainbow tables as an answer for now, and will mark another as the answer if it is more comprehensive or demonstrates a safe way to check if your password is floating around the net.

Wutnaut

Posted 2014-06-12T15:54:46.800

Reputation: 724

Is that a Windows or web site message? – CharlieRB – 2014-06-12T15:56:25.280

"I just tried to register an account at www.mysonicwall.com" – Wutnaut – 2014-06-12T15:57:49.127

" "I just tried to register an account at www.mysonicwall.com" – Wutnaut" – Digital Chris – 2014-06-12T16:01:37.120

@DigitalChris that impression is spot on. – Wutnaut – 2014-06-12T16:15:55.717

1You say 'my password' - do you use the same password for multiple sites? If so, that's possibly your biggest security problem right there. – Randy Orrison – 2014-06-12T16:16:21.033

@RandyOrrison Yes, it's an issue, I just don't think I have the mental capacity to have a different password for every account. I don't trust password vaults either. – Wutnaut – 2014-06-12T16:20:19.947

1

@Wutnaut you don't need to use an online password vault, you can use something with strong encryption like KeePass. If you've been using the same password on many sites for many years then yes, it's probably in the wild.

– Digital Chris – 2014-06-12T16:31:06.673

@DigitalChris Thanks for the suggestion... I was hesitant at first but after reading up on KeePass, I feel this is the way to proceed. For those still visiting the question, I'd still like to know if there's a way to hunt my own password down in the wild. – Wutnaut – 2014-06-12T16:46:27.657

Answers

2

Most likely they check the password against publicly known rainbow tables. If the password appears in one of them, they will not let you use it.

From Wikipedia:

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.

In short, a rainbow table is a database of common and uncommon passwords, converted into various hashes. By having the end result of a password hash, you don't have to use brute force to hack it.

It's likely your password, as random as you think it may be, is in one of the known rainbow tables. Check this website to see actual rainbow tables.

Keltari

Posted 2014-06-12T15:54:46.800

Reputation: 57 019

freerainbowtables.com is amazing, but the rainbow table is over 9000 gigs. Is there a more convenient way to check if my password is floating around the internet? – Wutnaut – 2014-06-12T16:14:51.913

You could always use https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html to check the strength of your password and see if it gives you the reason why it's supposedly insecure

– Lawrence – 2014-06-12T16:19:58.833

As per zxcvbn: entropy: 41.171; crack time (seconds): 123804950; crack time (display): 5 years; score from 0 to 4: 4; calculation time (ms): 3 – Wutnaut – 2014-06-12T16:30:32.740

zxcvbn is interesting, but it leaves out common practices, like not using your (user)name, birthdate, etc. – Keltari – 2014-06-12T18:55:15.497
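The thread never got the "safe way to check" the asker wanted, so here is one as an added example (it is not code from the original thread or from any participant). The approach is a k-anonymity range lookup: hash the password locally with SHA-1, send only the first five hex characters of the digest to the lookup service, and compare the returned hash suffixes on your own machine, so neither the password nor its full hash ever leaves your computer. The endpoint URL is the Have I Been Pwned "Pwned Passwords" range API, which did not exist when this thread was written; the User-Agent string is an assumption, and the sample responses in the block are constructed for an offline run, not real breach counts.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Have I Been Pwned "Pwned Passwords" range endpoint (k-anonymity API).
# Only the first five hex characters of the SHA-1 digest are ever sent to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the service's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    over the wire and the 35-char suffix that is compared locally."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Tolerates blank lines,
    CRLF endings, lower-case hex and malformed lines (which are skipped)."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # no ':' separator; ignore rather than crash
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for one 5-char prefix. This is the only network
    call; the offline demo below never invokes it."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus behind the
    range service (0 = not found). Only the prefix leaves this machine."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# --- Constructed sample data for an offline run (NOT real service output) ---
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 -> prefix 5BAA6
# SHA-1("abc")      = A9993E364706816ABA3E25717850C26C9CD0D89D -> prefix A9993
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FE0:1\r\n",
    # A range that lacks the suffix for "abc", so the lookup reports 0.
    "A9993": "0123456789ABCDEF0123456789ABCDEF012:12\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed ranges above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = check_password(pw, fetch=offline_fetch)
        verdict = f"seen {n} times in the sample data, change it" if n else "not in the sample data"
        print(f"{pw!r}: {verdict}")
```

To run it against the live service, call `check_password("your password")` with the default `fetch`; a non-zero count means the exact string is in a public breach corpus and should be retired everywhere it was used. The point of the design is that a prefix of five hex characters matches hundreds of hashes, so the server learns almost nothing about which password you are checking, which is the property a password field on a random website (or a paste into a "check my password" form) cannot give you.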