
I just tried to register an account at www.mysonicwall.com (irrelevant) and got this error message:

This password is publicly available in hacking/security forums and can be easily compromised. Please use a different password.

My password is a collection of randomized letters including capitals, a symbol, and a number. It will pass any password requirements, so this is solely an issue of exposure.

Does anyone know what hacking/security forums they check my password against? Can I search well-known password lists for my password? Most importantly, where should I go from here? Should I start resetting all my passwords?

EDIT: I've contacted customer support for the site and as it turns out, they're having an issue evaluating the strength of passwords. The whole experience has been a wake-up call for my password lifestyle, however, as I've been tweaking the same base password since the 3rd grade (I'm 26 now). I'll be employing KeePass from here on out and will leave the question open for others to learn from my scare. I'll mark the rainbow tables as an answer for now, and will mark another as the answer if it is more comprehensive or demonstrates a safe way to check if your password is floating around the net.

  • Is that a Windows or web site message?
    – CharlieRB
    Commented Jun 12, 2014 at 15:56
  • "I just tried to register an account at www.mysonicwall.com"
    – Wutnaut
    Commented Jun 12, 2014 at 15:57
  • You say 'my password' - do you use the same password for multiple sites? If so, that's possibly your biggest security problem right there.
    Commented Jun 12, 2014 at 16:16
  • @Wutnaut you don't need to use an online password vault, you can use something with strong encryption like KeePass. If you've been using the same password on many sites for many years then yes, it's probably in the wild.
    Commented Jun 12, 2014 at 16:31

1 Answer


Most likely they check the password against publicly known rainbow tables. If the password appears in one of them, they will not let you use it.

From Wikipedia:

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.

In short, a rainbow table is a database of common and uncommon passwords, converted into various hashes. By having the end result of a password hash, you don't have to use brute force to hack it.

It's likely your password, as random as you think it may be, is in one of the known rainbow tables. Check this website to see actual rainbow tables.

  • freerainbowtables.com is amazing, but the rainbow table is over 9000 gigs. Is there a more convenient way to check if my password is floating around the internet?
    – Wutnaut
    Commented Jun 12, 2014 at 16:14
  • You could always use dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html to check the strength of your password and see if it gives you the reason why it's supposedly insecure
    – Lawrence
    Commented Jun 12, 2014 at 16:19
  • as per zxcvbn: entropy: 41.171 crack time (seconds): 123804950 crack time (display): 5 years score from 0 to 4: 4 calculation time (ms): 3
    – Wutnaut
    Commented Jun 12, 2014 at 16:30
  • zxcvbn is interesting, but it leaves out common practices, like not using your (user)name, birthdate, etc.
    – Keltari
    Commented Jun 12, 2014 at 18:55
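As an added example (not code from the answer, from SonicWall, or from zxcvbn), the Python below sketches the three ideas this thread circles around: the site-side "is this password on a known list" check, why the salted key derivation mentioned in the Wikipedia quote makes a precomputed hash table useless, and a hash-prefix lookup that lets someone test a password against a list without sending the password itself anywhere. The leaked-password list and the server/client functions are constructed for the demo, not a real service.

```python
import hashlib
import secrets

# Constructed stand-in for a publicly circulated password list (not real breach data).
LEAKED_PASSWORDS = ["password", "qwerty123", "Summer2014!", "letmein", "Tr0ub4dor&3"]


def sha1_hex(text: str) -> str:
    """Hex digest of an unsalted SHA-1, the kind of hash a precomputed table is keyed on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Precomputed lookup: hash -> plaintext. This is what lets a check cost one hash, not a brute force.
LEAKED_TABLE = {sha1_hex(p): p for p in LEAKED_PASSWORDS}


def is_compromised(password: str) -> bool:
    """Site-side check: hash the candidate once and look it up in the known-password table."""
    return sha1_hex(password) in LEAKED_TABLE


def salted_hash_matches_table(password: str, salt: bytes) -> bool:
    """Same lookup after a per-user salt: the table was built without the salt, so it misses."""
    salted = hashlib.sha1(salt + password.encode("utf-8")).hexdigest().upper()
    return salted in LEAKED_TABLE


# --- Hypothetical prefix (k-anonymity) lookup, constructed for this example -------------
def server_range_query(prefix: str) -> list:
    """Server learns only the first 5 hex chars and returns every suffix in that bucket."""
    return [h[5:] for h in LEAKED_TABLE if h.startswith(prefix)]


def check_password_privately(password: str) -> bool:
    """Client hashes locally, sends the prefix only, and compares suffixes on its own side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in server_range_query(prefix)


if __name__ == "__main__":
    for pw in ["Summer2014!", "correct horse battery staple"]:
        print(f"{pw!r}: on list={is_compromised(pw)}, private check={check_password_privately(pw)}")
    # A fresh random salt per user defeats the precomputed table even for a listed password.
    print("salted 'password' found in table:", salted_hash_matches_table("password", secrets.token_bytes(16)))
```

The private check leaks only a 5-hex-character prefix, so the responder cannot tell which of the bucket's passwords the client holds; the plain `is_compromised` check is what a registration form can run on its own side.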
