How hard is it for someone to crack a google password?

Discussion in 'Networking, Telephony & Internet' started by Funkman, Dec 30, 2016.

  1. Funkman

    Funkman New Member

    Joined:
    Oct 29, 2016
    Messages:
    27
    I just got some notifications on the 20th of December that someone in Wollongong had signed into my gmail accounts. I briefly lived in Wollongong in late 2013 for 3 months, and I had a falling out with my flatmates; that's why I left. I suspect it must be them, they are obviously so vindictive that they are trying to crack my password and presumably take my personal information.

    The password was 8 characters long with a capital and a number in it.

    How hard is it to crack a password like that? Is there some dark net software people can buy that will do it?

    I have changed all my passwords to new ones unrelated to the old ones.

    I am just worried they might do it again.

    Is this a valid fear?
     
  2. clonex

    clonex Member

    Joined:
    Jun 30, 2001
    Messages:
    17,428
    Location:
    north pole
    Doesn't it tell you what device was used to sign in? Not an old device of yours maybe?
     
  3. OP
    OP
    Funkman

    Funkman New Member

    Joined:
    Oct 29, 2016
    Messages:
    27
    No, I only got the notification on my tablet, not on my PC for some reason. It didn't say what device, and no, the only device I had at the time I was living in Wollongong was a PC which is here in my room with me.
     
  4. clonex

    clonex Member

    Joined:
    Jun 30, 2001
    Messages:
    17,428
    Location:
    north pole
    Is your password something silly like your mother's maiden name or your dog, etc.?
     
  5. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    30,846
    Location:
    Brisbane
    Google let you review devices and activity history:

    https://myaccount.google.com/security#activity

    Do that, and check everything is sane. If not, use the security tools to log out all devices, and change your password.

    Google have A LOT of customers, many of them large companies. Hacking into an account is not some sort of script-kiddie affair, assuming you didn't do something silly like use a dictionary word as a password.

    If in doubt, download the Google authenticator app, and set up dual-factor authentication:

    https://support.google.com/accounts/answer/1066447?hl=en

    You can set it up so every device is remembered for 30 days, so that's a nice balance between security and ease of use (needing to enter a password and code every single time is tedious, even if it is more secure).

    That will ensure even if they have your password, they're not able to log in without your phone as well.

    BE CAREFUL - lose your phone, and you can lock yourself out of your account. Ensure you take the necessary steps to set up a secondary method of contact (alternate phone number for SMS, or a printed sheet of one-time passwords for emergency access). Again, tedious, but worth the effort to keep your account safe.
     
  6. ipv6ready

    ipv6ready Member

    Joined:
    Feb 10, 2014
    Messages:
    1,470
    Location:
    North Sydney
  7. OP
    OP
    Funkman

    Funkman New Member

    Joined:
    Oct 29, 2016
    Messages:
    27
    Perhaps the notification appeared on my tablet in error?

    When I review my account history the login history does not show Wollongong.

    And no my password was not something silly, it was something quite hard to guess.
     
  8. James086

    James086 Member

    Joined:
    Mar 25, 2010
    Messages:
    2,271
    Location:
    Perth
    Assuming it was a genuine compromise of your account, the vulnerability isn't with Google, they guessed it.

    The best passwords come from a password manager. I use Lastpass and highly recommend it but you pay for the advanced features. Keepass is a free alternative that I haven't used but have heard good things about.

    If you change it to something that can't be guessed, not an obscure memorable word but a truly random string that you commit to memory, then it should keep them out.


    As for hackers:

    A hash is a one-way jumble of the password, as in you can't unjumble it: you can't tell what the password was from the hashed string. For example, password becomes 5f4dcc3b5aa765d61d8327deb882cf99 using the md5 hash.

    So when you create your account it hashes the password and stores just the hashed version. Then each time you log in, it hashes the password and compares it to the hashed one it has stored, if they match, then your password was correct and it lets you log in. That way nobody can download the list of passwords, they can only download the list of hashes.

    When you use password cracking software, it tries to guess every combination possible. It calculates the hashes for everything until it finds a match. You can also download "rainbow tables" which contain already calculated passwords and the hash so you can just look it up.

    They can't even start that without a dump of the hashes however, and that's not going to be easy to get from a giant like Google. It also assumes they aren't salting the passwords which Google will be.

    tl;dr:

    They guessed your password.
     
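The hash-store-crack-salt story in the post above, and the opening post's question of how much work an 8-character password actually represents, as an added worked example. This is not code from the thread or from any poster in it; only the md5 test vector for "password" comes from the post. The guess rates used at the bottom (10 guesses/second for an online login endpoint with lockouts, 10 billion/second for an offline GPU against MD5) are assumptions for illustration, and the "rainbow table" here is the naive fully materialised lookup, not the chain-compressed structure real tables use.

```python
# Added example, not from the thread. Standard library only.
import hashlib
import hmac
import itertools
import os
import string


def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the post's example; never use this for real storage."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(charset: str, length: int) -> dict:
    """Precompute hash -> plaintext for every string of `length` over `charset`.

    Naive, fully materialised form of a rainbow table (real tables compress
    this with hash chains). The work is done once, before any target hash is
    known, and then reused against every unsalted dump: that is the threat.
    """
    return {md5_hex("".join(chars)): "".join(chars)
            for chars in itertools.product(charset, repeat=length)}


def crack_unsalted(target_hex: str, table: dict):
    """A dictionary lookup, not a computation: why unsalted hashes fall fast."""
    return table.get(target_hex)


def dictionary_crack(target_hex: str, wordlist):
    """Guess-and-compare: hash each candidate until one matches."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


# Salted, deliberately slow storage: what the post expects a large provider to do.
# PBKDF2 is used because it is in the standard library; memory-hard functions
# (scrypt, Argon2) are the better choice where available.
ITERATIONS = 200_000


def store_salted(password: str, iterations: int = ITERATIONS) -> tuple:
    salt = os.urandom(16)  # fresh random salt per user; stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)  # constant-time compare


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search over this policy must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    print(md5_hex("password"))  # the post's example digest

    # Precomputed table cracks an unsalted 4-digit PIN hash with one lookup.
    table = build_lookup_table(string.digits, 4)
    print(crack_unsalted(md5_hex("4271"), table))

    # The same table is useless against salted records: the digest depends on
    # a salt the table never saw, and two users with the same password differ.
    rec_a, rec_b = store_salted("4271"), store_salted("4271")
    print(rec_a[2] != rec_b[2], crack_unsalted(rec_a[2].hex(), table))
    print(verify_salted("4271", rec_a), verify_salted("4272", rec_a))

    # The OP's policy: 8 chars drawn from upper + lower + digit (62 symbols).
    space = keyspace(len(string.ascii_letters + string.digits), 8)
    for label, rate in (("online (assumed 10/s)", 10),
                        ("offline GPU vs MD5 (assumed 1e10/s)", 1e10)):
        print(label, round(seconds_to_exhaust(space, rate) / 3600, 1), "hours")
```

The two rates at the bottom are the whole argument of the thread in numbers: the same keyspace is hopeless to exhaust through a rate-limited login form and trivial offline against a fast unsalted hash, which is why the attacker needs a dump (and an unsalted one) before any of this matters.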
  9. OP
    OP
    Funkman

    Funkman New Member

    Joined:
    Oct 29, 2016
    Messages:
    27

    Interesting, thanks.
     
  10. death

    death Member

    Joined:
    Dec 8, 2002
    Messages:
    1,536
    Location:
    Melbourne Australia
  11. Aetherone

    Aetherone Member

    Joined:
    Jan 15, 2002
    Messages:
    8,459
    Location:
    Adelaide, SA

    The rainbow tables (every possible combination already hashed for quick & easy searching) for 8 characters are smaller to download than many complete HD TV series.

    Short passwords are a computational triviality in the modern world. IT has spent 20 years training everyone to use short trivial passwords :mad:
     
  12. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
    Rainbow tables are only helpful if you have a hash of the file and the stupid site owner was stupid enough not to use salted hashes.

    I would dare say if someone had access to Google hashes they wouldn't be cracking some random's account that lived with that person.

    I would also doubt that Google has unsalted hashes. The day Google does get hacked is coming, it's not impossible, but I also think they have enough engineers trying to stay ahead of the ballgame, I would think.

    As for your Google, if you're worried just turn on two-factor.

    The likelihood of anyone brute forcing a password these days is very remote unless they can get the database and do the cracking offline; online is way too slow, and will get detected fairly quickly. It's far easier/faster to social engineer your way into an account anyway.
     
  13. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    5,343
    Location:
    Brisbane
    If only 90% of the systems out there (that you don't control yourself) actually let you use long phrases without numbers and symbols. :rolleyes:
     
  14. Bold Eagle

    Bold Eagle Member

    Joined:
    Jun 28, 2008
    Messages:
    6,732
    Location:
    Brisbane
    My gmail account was hacked once and google sent the IP Address of the source of the hack.

    They locked the account and informed me via my other account.

    A reverse lookup of the IP of the source of the hack was from mainland China - some military complex.

    I have since changed my password to the first line from a favorite song and the password is around 40-50 characters long now.
     
    Last edited: Dec 31, 2016
  15. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
    what sort of music do you like Bold Eagle?
     
    Last edited: Dec 31, 2016
  16. Bold Eagle

    Bold Eagle Member

    Joined:
    Jun 28, 2008
    Messages:
    6,732
    Location:
    Brisbane
    Abba - especially Money.............
     
  17. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,677
    Told you social engineering was faster than brute force!
     
  18. James086

    James086 Member

    Joined:
    Mar 25, 2010
    Messages:
    2,271
    Location:
    Perth
  19. Aetherone

    Aetherone Member

    Joined:
    Jan 15, 2002
    Messages:
    8,459
    Location:
    Adelaide, SA
    The performance of these crackers is only getting better and better...
    223,000 pwd/sec = 19,214,594,300 passwords per day... on old slow graphics cards :wired: what could you do with four titans and a 24 core / 48 thread E7-8890 v4?
     
  20. Bold Eagle

    Bold Eagle Member

    Joined:
    Jun 28, 2008
    Messages:
    6,732
    Location:
    Brisbane
    Looks like it's time to start seriously considering biometrics for my domestic security, especially as fingerprint scanners can be bought for as little as $15.

    For example:
    A world without passwords: Windows Hello in Microsoft Edge
     
    Last edited: Jan 5, 2017
