# Gmail "Critical security alert" message, hacking attempt blocked (long post)



## mwilke43 (Apr 7, 2018)

Hey, guys. Let me apologize in advance for this being a long post, but since this has never happened to me before, I just want to make sure I give you all the details, to find out how this happened and to help secure my account even more.



http://imgur.com/minU1zS


Recently I've received this message informing me that my account had a sign-in attempt blocked. Of course, this wasn't me, since I've gotten this message both on my phone and in my Gmail at 05:00 AM while I was sleeping, so it leads me to believe that there was some hacking attempt and not some auto-login mistake by some website or device I use.

I live in Europe and the sign-in attempt was from the United States as seen in the picture below:



http://imgur.com/ClGJCcl


Now I have gone through all the Security Checkup steps from the link provided by Google in the first picture (assuming <no-reply@accounts.google.com> was from Google and not some phishing attempt), and I have also scanned my computer for any malware using both Microsoft Security Essentials and Malwarebytes Anti-Malware (separately, not at the same time), and nothing was found, so I assume I'm safe.

I never give my passwords of any account to anyone and I'm extremely careful about what sites I use and where I log in with my Gmail account, so I honestly don't know how this happened. Any files I download I either download from a trustworthy source (Java, Microsoft, Google, etc...) or scan immediately with my antivirus programs to make sure it's safe to open.

I only have one suspicion as to what might cause this, and that is the recent Meltdown/Spectre vulnerability.

I have an Intel i5 2500K (2nd-Gen, Sandy Bridge) and Windows 7 Ultimate x64 with the vulnerability patches/updates disabled. Now I know that I shouldn't have done that and that I'm exposing my PC to the vulnerability; the reason I did that is because those updates cause severe performance issues in video games, which is what I spend the majority of my time on my PC doing.

Last question before closing:

When someone tries to access your account like this, do they actually get blocked and become unable to change the password and use the account for any means? I'm asking this because my account is connected to my bank account, PayPal and other contact emails, so I'm wondering if those accounts are in jeopardy as well.

I've also removed account access from unnecessary apps and websites in Manage Apps.

This will be all, I hope someone will be able to help me figure this out. Once again I apologize for the long post.

Thanks in advance.


----------



## jboydgolfer (Apr 7, 2018)

If someone tries to log into your account, you should get a verification code on the phone number you have set as a backup (if they forgot the password, etc.). Did you get that verification code? Unless they have full access, it could possibly be an app, etc. I'd suggest you switch your password and ensure all security measures are in place.


----------



## RejZoR (Apr 7, 2018)

I recommend you start using 2FA (2-Factor Authentication). It's nearly impossible to bypass that. Or it is way too much effort for casual script kiddies to bother with.


----------



## FordGT90Concept (Apr 7, 2018)

Is the Check Activity link legitimate (goes to https://*.google.com)?  If yes, change your password.  If you haven't enabled two-step verification, do so.  Should be all.



mwilke43 said:


> When someone tries to access your account like this, do they actually get blocked and become unable to change the password and use the account for any means?


Yes.


----------



## jboydgolfer (Apr 7, 2018)

If you haven't already, choose to "sign out all instances of your account".


----------



## mwilke43 (Apr 7, 2018)

jboydgolfer said:


> If someone tries to log into your account, you should get a verification code on the phone number you have set as a backup (if they forgot the password, etc.). Did you get that verification code? Unless they have full access, it could possibly be an app, etc. I'd suggest you switch your password and ensure all security measures are in place.





RejZoR said:


> I recommend you start using 2FA (2-Factor Authentication). It's nearly impossible to bypass that. Or it is way too much effort for casual script kiddies to bother with.





FordGT90Concept said:


> Is the Check Activity link legitimate (goes to https://*.google.com)?  If yes, change your password.  If you haven't enabled two-step verification, do so.  Should be all.



Thanks for the replies guys.

Anyway, yeah, I forgot to mention that I did enable 2FA after changing my password (it wasn't enabled before). Also, yeah, the link seems genuine; the full link is:



> https://accounts.google.com/Account...=5&rfnc=1&eid=1580538925598487199&et=0&asae=2


----------



## jboydgolfer (Apr 7, 2018)

mwilke43 said:


> Thanks for the replies guys.
> 
> Anyway, yeah, I forgot to mention that I did enable 2FA after changing my password (it wasn't enabled before). Also, yeah, the link seems genuine; the full link is:



Well, you've done all you really can; I'd just suggest (as I mentioned above) that you sign out all instances, then keep an eye out.


----------



## mwilke43 (Apr 7, 2018)

jboydgolfer said:


> Well, you've done all you really can; I'd just suggest (as I mentioned above) that you sign out all instances, then keep an eye out.



Got it, but there's still the problem of finding the source of this.

I genuinely have no idea how they managed to find out the password to my account, as I know for a fact that I don't sign in anywhere else except my PC and phone, and that I never log in to websites using the "Login through your Google account" option.


----------



## jboydgolfer (Apr 7, 2018)

mwilke43 said:


> there's still a problem of finding the source of this.



You're likely not going to, so just deal with your end, and that's about it. Google doesn't log failed login attempts, so there is no record of it other than the message. Its security worked; just take the steps and you're done.


----------



## mwilke43 (Apr 7, 2018)

jboydgolfer said:


> You're likely not going to, so just deal with your end, and that's about it. Google doesn't log failed login attempts, so there is no record of it other than the message. Its security worked; just take the steps and you're done.



Ok, one more thing, as I'm not 100% sure about this: is it okay to leave the system without the Meltdown/Spectre patches like this? Have there been any traces of these vulnerabilities being exploited/weaponized by malware creators, and can this bypass AV programs? The whole reason I did this is because of the performance loss people have reported on their Sandy Bridge and Ivy Bridge CPUs with Windows 7.


----------



## jboydgolfer (Apr 7, 2018)

mwilke43 said:


> Ok, one more thing, as I'm not 100% sure about this: is it okay to leave the system without the Meltdown/Spectre patches like this? Have there been any traces of these vulnerabilities being exploited/weaponized by malware creators, and can this bypass AV programs? The whole reason I did this is because of the performance loss people have reported on their Sandy Bridge and Ivy Bridge CPUs with Windows 7.



I wouldn't lose any sleep over it, but if it's really bothering you, do the update for your BIOS. What motherboard do you have?

*Intel says:*
Intel confirmed that the performance loss will be dependent on workload, and "should not be significant" for average home computer users.

*Regarding gaming, sources say:*
Phoronix tested _Dota 2_, _Counter-Strike: Global Offensive_, _Deus Ex: Mankind Divided_, _Dawn of War III_, _F1 2017_ and _The Talos Principle_ on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error range.

Hardware Unboxed tested a handful of DirectX-based Windows games in the video linked above. *With DirectX hooking so deeply into Windows, gamers were worried about a potential performance degradation there. Fortunately, Hardware Unboxed observed virtually no frame rate loss in Ashes of the Singularity, Assassin's Creed: Origins, or Battlefield 1.* Phew.


----------



## Toothless (Apr 7, 2018)

I get these all the time. As long as you have a really beefy password and they didn't get access you're good.


----------



## mwilke43 (Apr 7, 2018)

jboydgolfer said:


> I wouldn't lose any sleep over it, but if it's really bothering you, do the update for your BIOS. What motherboard do you have?
> 
> *Intel says:*
> Intel confirmed that the performance loss will be dependent on workload, and "should not be significant" for average home computer users.
> ...



The problem with these tests is that they were mostly conducted on the latest-gen CPUs, so for someone who has a quite old CPU, an i5 2500K (with an ASRock Z77 Extreme4 motherboard, which won't be getting any BIOS updates), it's different: Microsoft stated that the performance impact will be noticeable on older-gen CPUs, even more so on OSes below Windows 10.


----------



## jboydgolfer (Apr 7, 2018)

mwilke43 said:


> The problem with these tests is that they were mostly conducted on the latest-gen CPUs, so for someone who has a quite old CPU, an i5 2500K (with an ASRock Z77 Extreme4 motherboard, which won't be getting any BIOS updates), it's different: Microsoft stated that the performance impact will be noticeable on older-gen CPUs, even more so on OSes below Windows 10.



Yeah, they touched on older CPUs as well; gaming didn't show terribly massive impacts, apparently. One of my kids is running an Ivy Bridge CPU; he hasn't seen any massive losses (Win7 Pro, i5 3570).

You're faced with a decision: do the patch, or don't do the patch; only you can make that choice. Unfortunately, here we can't do anything about the situation; it is what it is, and everyone needs to make their own decision. I personally wouldn't even bother if it was my personal PC, but I don't mind wiping and starting all over, as I keep backups handy and have nothing on this PC that is "sensitive"; but I wouldn't expect anyone to hack my PC either, nor would I sweat it. I hope it works out for you. Good luck.


----------



## newtekie1 (Apr 7, 2018)

mwilke43 said:


> Ok, one more thing, as I'm not 100% sure about this: is it okay to leave the system without the Meltdown/Spectre patches like this? Have there been any traces of these vulnerabilities being exploited/weaponized by malware creators, and can this bypass AV programs? The whole reason I did this is because of the performance loss people have reported on their Sandy Bridge and Ivy Bridge CPUs with Windows 7.



Here is the thing with Meltdown/Spectre, and the other vulnerabilities they are finding: they can't just be exploited remotely. To exploit them, the malicious program has to already have administrator access to your computer. You have to run the program with the virus in it, and give it administrator-level access, before it can do anything. At that point, it is easier to just install a keylogger than it is to try to use Meltdown/Spectre to get your personal info.


----------



## RejZoR (Apr 7, 2018)

It's possible that Google blocked the login attempt straight away and nothing was compromised. They can track login trends. If you've been logging into an account for several years from one location and all of a sudden there is an attempt from another continent, that's an alarm by itself. Or if you logged in the same day in Europe and just an hour later it's done from America, you know it can't be a legit login.

Which gave me an idea for ProtonMail on how to enhance their security... Nice
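The login-trend check RejZoR describes (a sign-in from another continent shortly after one from the usual location) is what security teams usually call an impossible-travel detection. The following is an added example, not code from this thread or from Google: it runs that check over a constructed sign-in log, computing the great-circle distance between consecutive sign-ins and flagging any pair whose implied travel speed exceeds an assumed ceiling of 1,000 km/h. The events, the city coordinates and the speed ceiling are all assumptions made for this example.

```python
"""Impossible-travel check over a constructed sign-in log.
Added example; the events, coordinates and speed ceiling are assumptions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (UTC timestamp, label, latitude, longitude).
# Coordinates are approximate city centres; none of this is real account data.
SAMPLE_LOGINS = [
    ("2018-04-06T20:15:00", "Ljubljana", 46.05, 14.51),
    ("2018-04-07T03:00:00", "Seattle", 47.61, -122.33),   # overnight attempt from another continent
    ("2018-04-07T07:30:00", "Ljubljana", 46.05, 14.51),
]

MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (spherical Earth, R = 6371 km)."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Sort events by time and return one record per consecutive pair whose implied
    travel speed exceeds max_kmh: (from_label, to_label, km, hours, kmh)."""
    events = sorted(logins, key=lambda e: e[0])
    flagged = []
    for (t0, l0, la0, lo0), (t1, l1, la1, lo1) in zip(events, events[1:]):
        hours = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds() / 3600
        km = haversine_km(la0, lo0, la1, lo1)
        if km == 0:
            continue                      # same place: there is no travel to explain
        # Two sign-ins at the same instant from different places is the limiting case.
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            speed_field = round(kmh) if kmh != float("inf") else kmh
            flagged.append((l0, l1, round(km), round(hours, 2), speed_field))
    return flagged


if __name__ == "__main__":
    for rec in flag_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel: %s -> %s, %d km in %.2f h (%s km/h)" % rec)
```

On the constructed log both transitions are flagged (about 8,800 km in 6.75 h and again in 4.5 h), while a Ljubljana-to-Vienna pair four hours apart is not. A real implementation would geolocate the source IP of each event and would also want a tolerance for VPN exits and mobile carriers, which is exactly the false-positive source DRDNA raises later in the thread.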


----------



## Assimilator (Apr 7, 2018)

You're ignoring the far more likely scenarios:

- your previous password was insufficiently complex, allowing the attacker to guess or brute-force it
- you used your previous password on website(s) other than Gmail, and one of those website(s) was breached

Set a strong password, *always enable two-factor authentication*, and you will never have problems.



newtekie1 said:


> Here is the thing with Meltdown/Spectre, and the other vulnerabilities they are finding: they can't just be exploited remotely. To exploit them, the malicious program has to already have administrator access to your computer.



Incorrect.


----------



## mwilke43 (Apr 7, 2018)

jboydgolfer said:


> Yeah, they touched on older CPUs as well; gaming didn't show terribly massive impacts, apparently. One of my kids is running an Ivy Bridge CPU; he hasn't seen any massive losses (Win7 Pro, i5 3570).
> 
> You're faced with a decision: do the patch, or don't do the patch; only you can make that choice. Unfortunately, here we can't do anything about the situation; it is what it is, and everyone needs to make their own decision. I personally wouldn't even bother if it was my personal PC, but I don't mind wiping and starting all over, as I keep backups handy and have nothing on this PC that is "sensitive"; but I wouldn't expect anyone to hack my PC either, nor would I sweat it. I hope it works out for you. Good luck.



How much performance impact did your kid's Ivy system suffer? Some users report up to 30%, and that isn't something I could sneeze at. Nonetheless, thanks for everything, guys. Normally I don't bother creating threads like this, because I don't care about any of my accounts being hacked, since I only register on some gaming forums and help others out with walkthroughs and whatnot; I can simply change the password if it ever gets hacked and forget about it. This was troublesome for me because this was my primary email address, which is connected to bank accounts and PayPal, etc.


----------



## Assimilator (Apr 7, 2018)

Just to note, only Meltdown can be patched via Windows Update. Spectre requires a microcode update, which is either part of the BIOS or has to be loaded before Windows via a third-party (VMware) driver. Considering most motherboard manufacturers don't seem interested in offering updated BIOSes for anything older than Z170/X99, your only options to be protected against Spectre are to use the VMware driver or patch your BIOS yourself.


----------



## mwilke43 (Apr 7, 2018)

Assimilator said:


> Just to note, only Meltdown can be patched via Windows Update. Spectre requires a microcode update, which is either part of the BIOS or has to be loaded before Windows via a third-party (VMware) driver. Considering most motherboard manufacturers don't seem interested in offering updated BIOSes for anything older than Z170/X99, your only options to be protected against Spectre are to use the VMware driver or patch your BIOS yourself.



I'm not sure whether I will fiddle with that. I think I'll just wait until fall 2018 to mid-2019, as I was planning to upgrade then, seeing as how my i5 2500K is already starting to show its age by bottlenecking the 1080 Ti.

Thanks for everything guys.


----------



## jboydgolfer (Apr 7, 2018)

mwilke43 said:


> How much performance impact did your kid's Ivy system suffer?



None that he has mentioned; he's big on CS:GO and a lot of other games (much like many 17-year-olds). No losses.


mwilke43 said:


> I'm not sure whether I will fiddle with that. I think I'll just wait until fall 2018 to mid-2019, as I was planning to upgrade then, seeing as how my i5 2500K is already starting to show its age by bottlenecking the 1080 Ti.


Sometimes I wonder if these "vulnerabilities" are M$'s "reasons" for upgrading.


----------



## eidairaman1 (Apr 7, 2018)

jboydgolfer said:


> If you haven't already, choose to "sign out all instances of your account".



Just change his password to something complex.


----------



## jboydgolfer (Apr 7, 2018)

eidairaman1 said:


> Just change his password to something complex.



Yup..... something like Password123 (the hackers never expect it to be SO simple), or your social security # + your DOB.

I usually spell numbers and combine them with actual numbers; it's pretty secure that way.

@mwilke43 *use this tool to test your password strength against brute force.*

Mine scored in the quadrillions of years to crack.


----------



## Solaris17 (Apr 7, 2018)

mwilke43 said:


> Got it, but there's still a problem of finding the source of this.



That won't happen. Most likely someone has a list of email addresses and is just putting them through a password table. Just make sure you don't have anything unnecessary using your Gmail (apps that let you "log in with your Google account"), in case one of them got compromised.



newtekie1 said:


> Here is the thing with Meltdown/Spectre, and the other vulnerabilities they are finding: they can't just be exploited remotely. To exploit them, the malicious program has to already have administrator access to your computer. You have to run the program with the virus in it, and give it administrator-level access, before it can do anything. At that point, it is easier to just install a keylogger than it is to try to use Meltdown/Spectre to get your personal info.



Seriously. This just goes to show how seriously lacking security understanding is. Now every damn toolbar is going to be the product of Meltdown or Spectre. The reality is you will probably never even be vulnerable to this. The level of sophistication of the infection (which only even reads from running active memory, and only a few BITS at that) is complex and not worth "wasting" on the common man. I know, I know, you have "important" stuff on your PC, but the reality is no one writes machine-level exploits to get your FB password. There are far more interesting people on the planet. A+ for actually getting it. You restored my faith in security-aware critical thinking skills.


----------



## RejZoR (Apr 7, 2018)

Just one special character turns 3000 years into 3 million years.

Or, by going mad:
14,619,215,938,327,783 nonagintillion years


----------



## Bill_Bright (Apr 7, 2018)

I've had this happen a couple of times over the years. As long as they didn't get in, there is nothing to worry about. And if they had gotten in, they most likely would have changed the password, and then you would not have gotten in. So again, nothing to worry about.

But still, if you use this same password on other accounts, it would be a good idea to change it to a unique password. 

And btw, as a reminder, fancy, hard-to-remember passwords with upper and lower case, numbers and special characters are NO LONGER the recommended approach. For example, *ò0æ34yìøB&* is no longer considered a very strong password. Why? Because it is only 10 characters long. It takes a password-hacking tool just as long to hack ò as it does to hack B or 3.

A better password would be: *The mark on Fluffy's nose looks like a heart*. Now the bad guy would have to crack a 44-character password. That is much, much harder to crack (even if the bad guy knows your dog's name is Fluff) and would take way too long for them to fuss over. Plus, this one is easier to remember.


----------



## RejZoR (Apr 7, 2018)

That's incorrect. It doesn't take the same time to brute-force a password with ò compared to one without it. There are usually around 25 letters in the alphabet and 10 numbers for each digit. That means just a limited number of combinations, but if you introduce a special character, it means you need to check the entire ASCII character set. Do the math on how many characters are in there. That expands the number of combinations dramatically.


----------



## Bill_Bright (Apr 7, 2018)

RejZoR said:


> That's incorrect.


It is correct. Come on! Think about it for just half a second before trying to argue, okay?

You're not even thinking - you are just arguing, huh?

First, you tell me to do the math, and yet you ignore the fact that upper and lower case letters automatically means 50 (52 in English) characters.
Second, I never said you cannot use numbers or special characters in that 44-character-long password! In fact, there is already an apostrophe and several spaces too.
Third, the bad guys don't know if each character is upper case, lower case, a number or a special character. So they have to check for all, and there are 256 of them in the standard and extended ASCII character sets.
Fourth, my point was clearly that short and "hard to remember" passwords are no longer the recommended approach.

So you do the math. 256^44 is MANY, MANY TIMES a bigger number than 256^10.

256^10 = 1208925819614629174706176
256^44 = 9.1739944639602860464432835812083e+105

Clearly I was indeed correct, and it will take MUCH LONGER to crack a 44-character password than a 10-character one.


----------



## DRDNA (Apr 7, 2018)

If you are using a VPN every once in a while (changing your area/location or your IP address), that could also be the issue. I'm not saying it is, but it would cause this same kind of issue.


----------



## RejZoR (Apr 7, 2018)

Bill_Bright said:


> It is correct. Come on! Think about it for just a half a second before trying to argue, okay?
> 
> You're not even thinking - you are just arguing, huh?
> 
> ...



You literally didn't read what I posted. I was arguing against your logic that a weird O with a wink and one without it means the same brute-force time, which IS incorrect. I never mentioned the number of password characters, because they weren't relevant to the discussion.

You also don't seem to understand the point of using weird characters. If the attacker is aware that you can only use letters and numbers in the password, they can skip 8/10ths of the entire brute-force character set and be done with the brute-forcing in a matter of minutes, even for very long passwords, because they'll just cycle through standard letters and numbers and that's it. But as soon as you introduce just 1 special character at any position, it means they need to check every position for ALL possible characters, because they cannot know where it is placed. That is the whole point of complex passwords.

I don't know how you managed to write like 10 lines of text and in the end bang on your chest about how right you were about a topic I didn't even comment on. I was talking about complexity per single password position; you were arguing about the password length. Heh...


----------



## Bill_Bright (Apr 7, 2018)

Gee whiz. There you go with more IF statements. Why can't you just say "I goofed"?

What you call a weird O with a wink (ó - ASCII code 162) as seen here is a very common letter (NOT a special character) in Spanish, *the 2nd most spoken language in the world and in the United States!!!! *

It is only weird to you because you don't use it in your language. And yes, it does take the same brute force. Do you seriously think the Chinese or Russian or North Korean or Iranian hacker knows what language your password (or passphrase) is written in?



RejZoR said:


> But as soon as you introduce just 1 special character at any position, it means they need to check every position for ALL possible characters because they cannot know where it is placed.


Exactly!!!! Now you get it! This is exactly why it does take the same brute force: because they don't know what is in that space.



> I never mentioned the number of password characters because they weren't relevant to the discussion.


OMG! Of course they are relevant! They are totally relevant because the whole point was _"that *short* and 'hard to remember' passwords are no longer the recommended approach"._

So you are just totally wrong. It does take the same brute force to crack the upper case letter A (ASCII code 65) as it does to crack the lower case letter ö (ASCII 148) as it does to crack the special character, the English pound symbol £ (ASCII 156). And it takes a lot more force to break a 44 character "passphrase" than it does to crack a 10 character "password".


----------



## Devon68 (Apr 7, 2018)

Once google asked me if I signed in from Brasil. I was like wth. Changed the password right away.


----------



## RejZoR (Apr 7, 2018)

a) I didn't "goof" anything; you're reading into things that aren't even there and were never even mentioned, because they are not relevant to my point

b) stop banging your chest, you look like a retard

c) context and understanding of written words: you don't seem to understand either


----------



## Bill_Bright (Apr 7, 2018)

RejZoR said:


> you're reading into things that aren't even there


You said in #27 that I was incorrect. That is not true. Perhaps you need to understand what your own words mean. 

You said, "it doesn't take the same time to brute force password with ò compared to one without it." 
Sure it does. Why? Because AS YOU ALSO SAID, the bad guy does not know what you put there. And again, that is a very common character throughout the Spanish speaking world. 

I'm done here.


----------



## RejZoR (Apr 8, 2018)

Just because some weird letter is used in one language, it doesn't mean it's widely used for passwords (because it most certainly isn't, when 80% of passwords are still "password" and "12345678"). Especially because the majority of services, not that long ago, only supported lower and upper case letters, numbers and only basic characters like - and _, and some were even stupid enough to limit the upper limit of characters to 8 or 12 characters. You were physically unable to use that weird O or 44 total characters...

And you're just automatically assuming a brute forcer will always use the full character set to do the brute forcing. That's not how things are done in practice... If you want to guarantee finding a password, sure, but if you want to even find one in a reasonable time, you adjust the parameters to optimize the process. In which case, your assumption doesn't apply. I see you only know the theory of brute forcing, not the actual practical application of it. I know the practical application... I don't give a shit about the numbers you so gloriously post if you don't seem to understand the practical application of it.

And this is where my explanation comes in of how that winked O changes the search time of a password compared to a regular O within the password. If it's the regular one and the password only uses lower and upper case letters and numbers, you will most likely be able to break it in a few hours with adjusted brute-force parameters. You may not find the password if it's not using just simple ENGLISH letters and numbers only, but you'll at least know that in a few hours. If you do a full character set brute force, it could take forever, in which case it's pointless to even do it. It all comes from the assumption that the majority of users still use weak passwords despite all warnings.

If the user inserts just one weird character outside of the usual ENGLISH (happy?) lower and upper case characters and numbers into the password, you cannot know which one, and that changes the PRACTICAL brute-forcing time from short to insanely long. Do you NOW get how there is a difference in password finding using brute force between a normal O and the winked O? This is what I've been talking about the entire time. Practical application of the brute-force process. It's why there are also dictionary attacks and a bunch of other methods meant to optimize the process of otherwise pointless brute forcing.

You only do a full-set test when you know for a fact that the password is very short but complex. You ALWAYS adjust parameters when you know passwords are long. Because otherwise it's pointless to even try doing brute force. But with adjusted parameters, you have a shot; maybe you don't guarantee results, but you might at least get them in your lifetime. Or today/this week.

How do I know this? I ran a distributed brute-forcing event several years ago on our local tech forum, where some user created an encrypted ZIP archive with a message encrypted in it, and we did a distributed brute force on it. The person who found the password had to post the message inside it. We divided search sequences between users so we brute-forced the sequences in parallel, but each user got a different sequence, which sped things up dramatically (yeah, we did it by hand, without a tool that would distribute sequences automatically between participants like Folding apps do, for example). For example, user1 got "a to aaaaaaaaaa", user2 got "b to bbbbbbbbbb", user3 got "c to cccccccccc" and so on. What we later found is that there was a bug in the ZIP format where we found a password that successfully decrypted the ZIP, but wasn't the correct one, because the message inside was gibberish XD It was a fun experiment that ended in a funny way because of a ZIP bug lol. So, yeah, I know a thing or two about practical usage of shit and not just theory.


----------



## FordGT90Concept (Apr 8, 2018)

Brute-force difficulty is [possible characters]^[password length]. Possible characters is dictated by the rules. These passwords are close to equal in difficulty:

- [0-9] and 9 characters long: 10^9 = 1,000,000,000
- [0-9, a-z, A-Z] and 5 characters long: 62^5 = 916,132,832

The former is stronger than the latter, but not by much.

If the server has no rules beyond character set, then the [possible characters] skyrockets. The first example above uses decimal (base 10); the second is base 62. UTF-7 is base 128, UTF-8 is base 256, UTF-16 (aka "Unicode") is base 65,536, and UTF-32 (pretty rare) is base 4,294,967,296. Simply by not being restrictive with the character set, you exponentially increase password strength.

That said, even UTF-32 can still accept bad passwords like "password". Can't fix PEBKAC. Additionally, even if the backend supports such flexibility, that doesn't mean users can easily input those characters, meaning the added flexibility serves no practical purpose.
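To make the search-space arithmetic in this thread concrete (FordGT90Concept's 10^9 versus 62^5 just above, Bill_Bright's 256^10 versus 256^44 earlier, and RejZoR's point that an attacker who searches a smaller alphabet never reaches a password containing a character outside it), here is an added example that is not code from any poster. It classifies a password by the smallest common attacker alphabet that contains all of its characters, and turns that into a keyspace, an entropy figure in bits and an exhaustive-search time at an assumed rate of 10^10 guesses per second. The alphabet sizes (10, 36, 62, 95, 256 and 1,114,112 Unicode scalar values) and the guess rate are this example's own assumptions, not figures from the thread.

```python
"""Brute-force search-space estimates for the password examples in this thread.
Added example; alphabet sizes and the guess rate are assumptions, not thread data."""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate, for illustration only

DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
SYMBOLS = set(string.punctuation) | {" "}
ASCII_PRINTABLE = DIGITS | LOWER | UPPER | SYMBOLS   # 95 characters

# Attacker alphabets from most to least restrictive: (label, membership test, size).
ALPHABETS = [
    ("digits",           lambda cs: cs <= DIGITS,                  10),
    ("lowercase+digits", lambda cs: cs <= LOWER | DIGITS,          36),
    ("alphanumeric",     lambda cs: cs <= LOWER | UPPER | DIGITS,  62),
    ("printable ASCII",  lambda cs: cs <= ASCII_PRINTABLE,         95),
    ("extended ASCII",   lambda cs: all(ord(c) < 256 for c in cs), 256),
    ("unicode",          lambda cs: True,                          0x110000),
]


def keyspace(alphabet_size, length):
    """Number of candidate strings of exactly `length` symbols from an alphabet of that size."""
    return alphabet_size ** length


def smallest_alphabet(password):
    """Smallest listed alphabet that contains every character of `password`.
    An attacker who searches a smaller alphabet than this never reaches the password
    at all, which is the 'adjusted parameters' effect described in the thread."""
    chars = set(password)
    for label, contains, size in ALPHABETS:
        if contains(chars):
            return label, size
    raise AssertionError("unreachable: the 'unicode' alphabet accepts everything")


def entropy_bits(password):
    """log2 of the keyspace, assuming the attacker knows the alphabet and the length."""
    _, size = smallest_alphabet(password)
    return len(password) * math.log2(size)


def years_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every string in the password's keyspace at `rate` guesses per second."""
    _, size = smallest_alphabet(password)
    return keyspace(size, len(password)) / rate / SECONDS_PER_YEAR


def report(password):
    """Summary dict used by the demo below."""
    label, size = smallest_alphabet(password)
    return {"length": len(password), "alphabet": label, "alphabet_size": size,
            "bits": round(entropy_bits(password), 1),
            "years_to_exhaust": years_to_exhaust(password)}


if __name__ == "__main__":
    # The two passwords compared in the thread, plus the thread's 10^9 vs 62^5 pair.
    for pw in ("ò0æ34yìøB&", "The mark on Fluffy's nose looks like a heart"):
        print(repr(pw), report(pw))
    print("10^9 =", keyspace(10, 9), " 62^5 =", keyspace(62, 5))
```

Run stand-alone, the 10-character string lands in the 256-symbol "extended ASCII" alphabet (80 bits), while the 44-character phrase needs only printable ASCII yet comes out near 289 bits: length dominates, which is Bill_Bright's point. At the same time an attacker who assumes an alphanumeric-only alphabet can never find either string, because each contains a character outside it; that is RejZoR's point, and both are true at once. These figures are an upper bound on search effort for a truly random password; a dictionary or pattern attack against a guessable phrase can be far cheaper, so the entropy number should not be read as a guarantee.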


----------



## Vayra86 (Apr 8, 2018)

jboydgolfer said:


> If someone tries to log into your account, you should get a verification code on the phone number you have set as a backup (if they forgot the password, etc.). Did you get that verification code? Unless they have full access, it could possibly be an app, etc. I'd suggest you switch your password and ensure all security measures are in place.



This is not true; it depends on how and when you used 2FA. I never get security tokens from Google; I just get an email notification asking if it was me, with a button to click, and only if the IP / device used is not in the registered devices list on the account.

That said, if you get these kinds of messages, it means someone knows your password and you need to change that on ALL accounts you have, not just Google.


----------



## Bill_Bright (Apr 8, 2018)

RejZoR said:


> Just because some weird letter


This is really just ignorance - if not insulting to Spanish-speaking people - or it is your refusal to accept reality. It is NOT a "weird" letter. The mark over the o is an "accent mark", and it is used in many common words in the 2nd most widely used language in the world! And other languages too.

To say that is weird would be like saying the word ĉe is weird simply because it is not something English-speaking people normally see (for others reading, it means "if" in Slovenian, a pretty common word RejZoR likes to use).



RejZoR said:


> And you're just automatically assuming brute forcer will always use full character set to do the brute forcing.


I'm not assuming anything. You, on the other hand, are assuming folks are going to only use "25 letters ... and 10 numbers" to create their passwords. You even ignore the 32 special characters (`~!@#$%^&*(){}><_-+= and a bunch more) on the typical American-English keyboard.


> That's not how things are done in practice...


I didn't know you were a world-renowned expert on hacking.

I do agree that, sadly, "password", "12345678", "qwerty" and others are often used. But this discussion is about how to avoid getting hacked, not how to get hacked. For the record, I have accounts at 3 banks, 3 credit unions, my broker, insurance companies, Social Security, DFAS and other important (to me) sites. Not one of those sites would allow those 3 passwords. Instead, they must be at least 8 characters, use both UPPER and lower case, and include at least 1 number and at least one special character.

I stand by what I said. *The mark on Fluffy's nose looks like a heart* is harder to crack than *ò0æ34yìøB&*. If you don't believe it, you're the experienced expert here and know all about how it is done, so try it yourself.

EnCt2337f10af92562d97f75a88a9d1c6250cf25d3a13337f10af92562d97f75a88a9AX+Q1QxlCwEzHw4eyloDlq/ytv8BZQRR4JBj5NC22e4ymbSy2Ns3iZ1V5R6gImTeErFTmW+GloWh9w==IwEmS
EnCt264266f933a58c9c29b3c0368c23d4a4b3ad88aa564266f933a58c9c29b3c0368I3DRbwhLTQKHeTcfylobfuOG1vNPEEpkIwEmS

There are two encrypted samples. Crack them. We'll wait. I'll even give some clues.

One is a phrase created on a standard US-layout keyboard, using any key, with and without the shift key. The other is a randomly generated string of characters created by my password manager. I am not saying how long or how many words are in the phrase. But the string of characters is 10 characters long. The encryption tool used is open source.

For the record, I know for a fact I am not clever enough to hack those passwords without the encryption key. But if you can, then I will eat my words and apologize profusely.


----------



## RejZoR (Apr 8, 2018)

Oh my god, it's like talking to an autistic brick. I'm done.

And if you want to be a smartass, it's "če". And for the record, the majority of online services refuse to accept a character like "č" for use in a password. They'll blatantly demand that you use English characters and special signs also used in English.

Also, here is my rant from 2013 on this matter:
https://rejzor.wordpress.com/2013/11/01/why-the-hell-limit-the-upper-passwords-length/

I don't think things have improved much since then...


----------



## Bill_Bright (Apr 8, 2018)

RejZoR said:


> And if you want to be a smartass, it's "če".


My apologies to your countrymen then.


----------



## FordGT90Concept (Apr 9, 2018)

RejZoR said:


> I don't think things have improved much since then...


Some sites have. I know Amazon and Steam accept uber passwords. The vast majority of websites don't, though.

At bare minimum, global websites _should_ not only allow regional characters, they should encourage their use. Someone trying to brute-force an English password will likely have no success against a Slovenian password, for example. It inherently increases difficulty.


----------



## bogmali (Apr 9, 2018)

Reply bans issued. If you want to argue, either do it via PMs, start your own thread, or go to the lounge and stroke your egos there. My last warning to the usual culprits.


----------

