Just awful!

[Guest]

Look at me continue to quad post,

anyways

there are

62 * 62 * 62 * 62 possible 4 character alphanumeric case sensitive passwords, and I'm pretty sure those are considered weak.

[Zephyrus]

Ten people have the hash, or access to it. Any of those ten could mess up my account just as easily without the password. I guard only a secret which cannot be deduced from access to the account, and chances are, the admins already know it. I may as well use a sequence I've memorized.

[Veranor]

Ten people have the hash, or access to it. Any of those ten could mess up my account just as easily without the password. I guard only a secret which cannot be deduced from access to the account, and chances are, the admins already know it. I may as well use a sequence I've memorized.

Yes but in other places those 10 admins can gain access to things that you may not like.

[The Beatles]

Nitpick: The details of the H-Bomb are not a secret. The making of it is merely a matter of resources, I believe.

[Devari]

IF it's in the dictionary, it is quite possible that you could get it in 3 seconds from http://www.tydal.nu/se/security/md5.php , if you had the hash. I know my insecure password I used for years would crack open in an instant, and and alpha-numeric password under 6 characters is probably easily cracked with md5crack in a matter of minutes. And that is on my slow computer!

But I've only ever cracked my own password. So you don't need to worry.

[The Unregistered Beatles]

Then again if you have the hash, it might be all you need. Many sites require the password when logging in, but when a session has been established, need no more than the md5. So you could in theory 1. just send the hashed version pretending you are in the middle of a session (like in RWL) or 2. create a session in your name, then change it to the person you are trying to impesonate (like InvisionBoard)

[Devari]

Right. I forgot about the fact that cookies tend to have the password in hashed form... At least with promisance.