Overclockers Australia Forums

Old 30th December 2016, 9:09 PM   #1
Funkman Thread Starter
New Member
Join Date: Oct 2016
Posts: 27
How hard is it for someone to crack a google password?

I just got some notifications on the 20th December that someone in Wollongong had signed into my gmail accounts. I briefly lived in Wollongong in late 2013 for 3 months, and I had a falling out with my flatmates, that's why I left. I suspect it must be them, they are obviously very vindictive that they are trying to crack my password and presumably take my personal information.

The password was 8 characters long with a capital and a number in it.

How hard is it to crack a password like that? Is there some dark net software people can buy that will do it?

I have changed all my passwords to new ones unrelated to the old ones.

I am just worried they might do it again.

Is this a valid fear?

Old 30th December 2016, 9:21 PM   #2
clonex
Member
Join Date: Jun 2001
Location: north pole
Posts: 15,873

Doesn't it tell you what device was used to sign in? Not an old device of yours maybe?
Old 30th December 2016, 9:25 PM   #3
Funkman Thread Starter
New Member
Join Date: Oct 2016
Posts: 27

No, I only got the notification on my tablet, not on my PC for some reason. It didn't say what device, and no, the only device I had at the time I was living in Wollongong was a PC which is here in my room with me.
Old 30th December 2016, 9:26 PM   #4
clonex
Member
Join Date: Jun 2001
Location: north pole
Posts: 15,873

Is your password something silly like mother's maiden name or dog etc?
Old 30th December 2016, 9:28 PM   #5
elvis
Old school old fool
Join Date: Jun 2001
Location: Brisbane
Posts: 28,504

Google lets you review devices and activity history:

https://myaccount.google.com/security#activity

Do that, and check everything is sane. If not, use the security tools to log out all devices, and change your password.

Google have A LOT of customers, many of them large companies. Hacking into an account is not some sort of script-kiddie affair, assuming you didn't do something silly like use a dictionary word as a password.

If in doubt, download the Google authenticator app, and set up dual-factor authentication:

https://support.google.com/accounts/.../1066447?hl=en

You can set it up so every device is remembered for 30 days, so that's a nice balance between security and ease of use (needing to enter a password and code every single time is tedious, even if it is more secure).

That will ensure even if they have your password, they're not able to log in without your phone as well.

BE CAREFUL - lose your phone, and you can lock yourself out of your account. Ensure you take the necessary steps to set up a secondary method of contact (alternate phone number for SMS, or a printed sheet of one-time passwords for emergency access). Again, tedious, but worth the effort to keep your account safe.
Old 30th December 2016, 9:30 PM   #6
ipv6ready
Member
Join Date: Feb 2014
Location: North Sydney
Posts: 620

Could the notification be fake?

See if this helps

https://support.google.com/accounts/answer/162744?hl=en
Old 30th December 2016, 9:48 PM   #7
Funkman Thread Starter
New Member
Join Date: Oct 2016
Posts: 27

Perhaps the notification appeared on my tablet in error?

When I review my account history the login history does not show Wollongong.

And no my password was not something silly, it was something quite hard to guess.
Old 30th December 2016, 11:16 PM   #8
James086
Member
Join Date: Mar 2010
Location: Perth
Posts: 2,229

Assuming it was a genuine compromise of your account, the vulnerability isn't with Google, they guessed it.

The best passwords come from a password manager. I use Lastpass and highly recommend it but you pay for the advanced features. Keepass is a free alternative that I haven't used but have heard good things about.

If you change it to something that can't be guessed, not an obscure memorable word, but a truly random string that you commit to memory then it should keep them out.


As for hackers:

A hash is a one-way jumble of the password as in you can't unjumble it, you can't tell what the password was from the hashed string. For example password becomes 5f4dcc3b5aa765d61d8327deb882cf99 using the md5 hash.

So when you create your account it hashes the password and stores just the hashed version. Then each time you log in, it hashes the password and compares it to the hashed one it has stored, if they match, then your password was correct and it lets you log in. That way nobody can download the list of passwords, they can only download the list of hashes.

When you use password cracking software, it tries to guess every combination possible. It calculates the hashes for everything until it finds a match. You can also download "rainbow tables" which contain already calculated passwords and the hash so you can just look it up.

They can't even start that without a dump of the hashes however, and that's not going to be easy to get from a giant like Google. It also assumes they aren't salting the passwords which Google will be.

tl;dr:

They guessed your password.
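As an added illustration of the hash-then-compare flow described in the post above (my own code, not the poster's): unsalted MD5 reproduces the digest quoted for the word "password", while the salted, iterated form shows why two users with the same password end up with different stored values, so a precomputed table keyed on the bare hash has nothing to match. The function names, the PBKDF2 choice and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for the slow KDF; kept modest so the example runs quickly.
# Real deployments should use a much higher, current-guidance value.
ITERATIONS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the post: the same password always yields the same
    digest, which is exactly what lets a precomputed table look it up."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Account-creation step: draw a fresh random salt per user, derive the
    hash with PBKDF2-HMAC-SHA256, and keep only salt + hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Login step: re-derive with the stored salt and compare in constant time
    so response timing does not leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def salting_defeats_lookup(password: str) -> bool:
    """True when two independent records for the same password differ while both
    still verify: a table keyed on hash(password) alone matches neither of them."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    print(md5_hex("password"))                 # 5f4dcc3b5aa765d61d8327deb882cf99
    print(salting_defeats_lookup("password"))  # True
```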
Old 31st December 2016, 12:18 AM   #9
Funkman Thread Starter
New Member
Join Date: Oct 2016
Posts: 27

Quote:
Originally Posted by James086
Assuming it was a genuine compromise of your account, the vulnerability isn't with Google, they guessed it.

[...]

tl;dr:

They guessed your password.

Interesting, thanks.
Old 31st December 2016, 12:37 AM   #10
death
Member
Join Date: Dec 2002
Location: Melbourne Australia
Posts: 1,530

There is a way to log out of all devices logged in. You should do that, then turn on two factor authentication.

http://time.com/4177486/gmail-remotely-sign-out/
https://support.google.com/accounts/answer/185839?hl=en
Old 31st December 2016, 12:40 PM   #11
Aetherone
Member
Join Date: Jan 2002
Location: Adelaide, SA
Posts: 8,372

Quote:
Originally Posted by Funkman
The password was 8 characters long with a capital and a number in it.

Quote:
Originally Posted by Funkman
How hard is it to crack a password like that?
The rainbow tables (every possible combination already hashed for quick & easy searching) for 8 characters are smaller to download than many complete HD TV series.

Short passwords are a computational triviality in the modern world. IT has spent 20 years training everyone to use short trivial passwords
Old 31st December 2016, 1:34 PM   #12
evilasdeath
Member
Join Date: Jul 2004
Posts: 4,570

Quote:
Originally Posted by Aetherone
The rainbow tables (every possible combination already hashed for quick & easy searching) for 8 characters are smaller to download than many complete HD TV series.

Short passwords are a computational triviality in the modern world. IT has spent 20 years training everyone to use short trivial passwords
Rainbow tables are only helpful if you have a hash of the file and the stupid site owner was stupid enough not to use salted hashes.

I would dare say if someone had access to google hashes they wouldn't be cracking some randoms account that lived with that person.

I would also doubt that google has unsalted hashes. The day google does get hacked is coming, it's not impossible, but I also think they have enough engineers trying to stay ahead of the ballgame, I would think.

As for your google, if you're worried just turn on two-factor.

The likelihood of anyone brute forcing a password these days is very remote unless they can get the database and do the cracking offline. Online is way too slow, and will get detected fairly quickly. It's far easier/faster to social engineer your way into an account anyway.
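To put numbers on the "8 characters with a capital and a number" policy from the opening post and on the offline-versus-online distinction drawn in the reply above, here is an added calculation that is not from any poster. The keyspace count is exact (inclusion-exclusion over a 62-symbol alphabet); the two guess rates are assumptions of mine, labelled as such in the code.

```python
# Added example: keyspace of the policy described in this thread, and how long
# exhausting it takes at an assumed offline rate versus a throttled online login.
LOWER, UPPER, DIGITS = 26, 26, 10
ALPHABET = LOWER + UPPER + DIGITS  # 62 symbols; the policy mentions no punctuation

# Constructed, assumption-only guess rates (guesses per second).
OFFLINE_RATE = 1e10  # fast unsalted hash on commodity hardware, order of magnitude only
ONLINE_RATE = 10.0   # a login endpoint with throttling/lockout, deliberately generous


def policy_keyspace(length: int) -> int:
    """Strings of `length` over the 62-symbol alphabet with at least one
    uppercase letter AND at least one digit, by inclusion-exclusion:
    all strings, minus those lacking uppercase, minus those lacking a digit,
    plus those lacking both (removed twice above, so added back once)."""
    total = ALPHABET ** length
    no_upper = (LOWER + DIGITS) ** length
    no_digit = (LOWER + UPPER) ** length
    neither = LOWER ** length
    return total - no_upper - no_digit + neither


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def online_vs_offline_ratio(length: int) -> float:
    """How many times slower the throttled online path is than the offline one."""
    space = policy_keyspace(length)
    return seconds_to_exhaust(space, ONLINE_RATE) / seconds_to_exhaust(space, OFFLINE_RATE)


if __name__ == "__main__":
    space = policy_keyspace(8)
    print(f"keyspace: {space:,}")
    print(f"offline:  {seconds_to_exhaust(space, OFFLINE_RATE) / 3600:.1f} hours")
    print(f"online:   {seconds_to_exhaust(space, ONLINE_RATE) / 3.15e7:,.0f} years")
```

The same function generalises to other lengths and is why a long passphrase, as suggested further down the thread, moves the offline figure from hours to far beyond any useful horizon.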
Old 31st December 2016, 2:24 PM   #13
Sphinx2000
Member
Join Date: Sep 2001
Location: Brisbane
Posts: 4,650

Quote:
Originally Posted by Aetherone
Short passwords are a computational triviality in the modern world. IT has spent 20 years training everyone to use short trivial passwords
If only 90% of the systems out there (that you don't control yourself) actually let you use long phrases without numbers and symbols.
Old 31st December 2016, 2:41 PM   #14
Bold Eagle
Member
Join Date: Jun 2008
Location: Brisbane
Posts: 5,593

My gmail account was hacked once and google sent the IP Address of the source of the hack.

They locked the account and informed me via my other account.

A reverse lookup of the IP of the source of the hack was from mainland China - some military complex.

I have since changed my password to the first line from a favorite song and the password is around 40-50 characters long now.

Last edited by Bold Eagle; 31st December 2016 at 2:44 PM.
Old 31st December 2016, 2:57 PM   #15
evilasdeath
Member
Join Date: Jul 2004
Posts: 4,570

what sort of music do you like Bold Eagle?

Last edited by evilasdeath; 31st December 2016 at 3:17 PM.
All times are GMT +10. The time now is 7:31 PM.