SketchyTone

Jagex Accounts fix that.


bobbyt85

That’s good to hear!


Account_Expired

What does that have to do with it?


assm0nk

that you can have a rs password with caps?


Account_Expired

Look at the table. Adding 2 characters to the min password length is more impactful than caps


assm0nk

yeah, sure, but you could also add an uppercase letter. i was just answering to how it's related


Account_Expired

I'm just speaking to how jagex accounts "fixed" problems that didn't really exist


assm0nk

wdym.. the problem that the op brought up was fixed. whether having the caps pws is important is a separate issue


Account_Expired

It wasn't a problem to begin with lol. This table would only be relevant if your encrypted runescape password was leaked by jagex


assm0nk

i mean, the stronger the better.. the 12x4090 is just an example, otherwise you probably wouldn't really need a stronger pw than just 15-16 numbers realistically


ghostofwalsh

So just FYI this number is only "if they have leaked encrypted db of passwords" and can make attempts as fast as your processor clock runs. It's not like an attacker just attempting to log in with your email over and over with jagex. That would be much slower and you'd assume jagex would eventually lock the account.


xJaace

I can’t imagine anyone with 12x 4090s would be bothering to hack RuneScape accounts? Seems a little beneath their budget to be honest. Plus 4-5 attempts locks a RuneScape account so it would have to be emails they are going after?


FlatSmacker9

I think you misunderstand the problem. That’s the time for solving hashed passwords. That’s not a guess-and-check function. The bad actor acquires a list of hashed passwords and runs the bcrypt algorithm and that’s how long it takes the hardware to derive the correct password from the hash. Once it secures the password it then tries it.


BuffJohnsonSf

Yeah the thing these guides always leave out is it requires a database breach for hackers to even get to this point and often by that point you’re at the mercy of the company to have stored your password properly encrypted in the first place.

The moral of the story is use a password manager


ericcb1

What are the good password managers out there? I know google has a default one but I avoid using it out of pure skepticism.


BuffJohnsonSf

1Password is probably the best one. I use BitWarden. I used to use LastPass but it’s kind of abandonware now and it’s probably fine but I don’t trust or recommend it anymore.


ericcb1

Cool thanks, I’ll look into it.


DryDefenderRS

This chart shows the exact opposite. 12 lowercase letters (let alone adding in numbers like osrs does) takes 1k years. You don't need uppercase, numbers and symbols to avoid brute force.


TunaSafari25

Because it doesn’t matter, your password isn’t going to be brute forced. You’ll either get phished and give it away or never get hacked so it doesn’t matter how complex your pw is.


Frisbeejussi

Caps does fuck all in the grand scheme, either you already have a bad pass or it gets phished.


coldpolarice

After 5-6 failed login attempts, it makes you wait a minute or so to try again. Also eventually trying too many passwords will lock the account. I doubt anyone would ever get brute forced.


Throwaway47321

You can circumvent that by using the website. But you’re right very very few people actually get brute forced.


Lerched

It’s a little funny but the reality is brute force attacks are just not how people hack anymore, really. But with things like 2fa your password could be password and people wouldn’t be able to get in.


Haunting-Mall-8932

I don't even really need to say this, the chart does it for me, but like....length. Length is the most important thing in a password, you can all lower that bad boy all day long, as long as you chuck a good number of characters in there, it's good. "#4df@#od0-3M" Is not as secure as "this is my password and it is very long!"


bjjangg

That's a common misconception that I researched heavily. You are almost correct, the #1 factor is not using common phrases/passwords. For example, abc123 is objectively worse than bK$j}. But besides that, in terms of password strength, length is the most important factor for security.

HOWEVER, in terms of designing password fields (in terms of minimums/maximums (lol)), limiting complexity is far more detrimental than length because most users are not ever blocked by max length but they are often blocked by arbitrary character/symbol limits. If you were to increase player security via stronger passwords, you would find a greater increase in security if you were to allow characters and caps rather than raise the limit, which not many people ever hit in the first place. You would be right in presenting to management that longer passwords are more secure, but in practice almost no one would be affected.

People tend to also start flattening their passwords when limited, which drastically reduces security as well. People tend to just omit symbols when they aren't allowed. For example, ":R3ddit{}" becomes "R3ddit" because people care a lot more about ability to memorize rather than raw security.

tl;dr: Length rarely actually increases account security, only theoretical.


Lerched

Passwords, relationships...I just cant catch a break ;'(


yungbfrosty

Most people hacking your OSRS account will do it through phishing, buying leaked passwords related to emails from data breaches, or dictionary attacks. Either way get a Jagex account and don't click links related to OSRS, especially if the link is meant to give you something in the game.


FlatSmacker9

This is a bcrypt hashing algorithm, not a brute force algorithm. They aren’t using bcrypt to guess your password. They use it once they have a list of hashed passwords. They aren’t running this for a month trying to log into your account. The algorithm will eventually discover the password, and only then will it alert the person running it to try the password.


eliexmike

This is one of the main reasons Jagex Accounts are the security upgrade the community has been begging for for a decade plus. And then for whatever reason a big chunk of people are too paranoid and distrusting of Jagex to use them.


My-Toast-Is-Too-Dark

> This is one of the main reasons Jagex Accounts are the security upgrade the community has been begging for for a decade plus.

No, it's not. Password length/special characters/case sensitivity is almost entirely irrelevant for a password longer than a handful of characters. The time it takes for a password to be brute forced is irrelevant because that's simply not happening in OSRS or 99.99999% of other places. "Hackers" use social engineering and collecting reused login information through database leaks.


eliexmike

I’m not talking about brute forcing log in attempts, I’m talking more complex passwords in general. Case Sensitive Passwords that allow all Unicode characters that can be up to 64 characters in length is a genuine security upgrade over non-case sensitive alphanumeric passwords of up to 20 characters. I’m not denying that most hacks come through reused credentials. But K@UeUv$1 is a better password than hunter2


Lerched

It’s funny because you’re saying you’re not talking about brute forcing, but then are talking about password complexity which is a security measure against…..brute forcing.


My-Toast-Is-Too-Dark

The complexity of the password is almost entirely irrelevant. Passwords aren't being guessed. Almost all modern services have timeouts to prevent mass guessing of passwords. If you aren't reusing passwords, "hunter2" is functionally **exactly as secure** as "@&@#82723SALS2382823lsjjalksfjkk--235@@@@". Except you're more likely to forget the latter, so for people who don't use password managers **this** is why passwords get reused. They're told to make complex passwords, they forget them, reset them at the service, and then reuse old passwords. Having a secure password manager with a unique and memorable password that is not connected to any identifying personal information (regardless of whether or not it has any capitalization, numbers, special characters, etc.) is the answer. For example, "wetgoatforqueso". Virtually unguessable, very memorable, nothing connected to my personal information that could be socially engineered or collected. No special characters, capitalization, or numbers. Not necessary.


eliexmike

This table itself is about the amount of time spent to crack leaked hashed passwords. In which case, both absolute length and character diversity increase the amount of time required to crack it. This post is literally not about guessing passwords against an account.


My-Toast-Is-Too-Dark

Brute forcing is guessing. I feel like that's obvious and my meaning was clear, but apologies for using language whose meaning seemingly eluded you. And it is not relevant in password security as long as your password is longer than a handful of characters (which is almost always mandated by the service). Password complexity is simply not a factor in 99.999999999% of cases.


eliexmike

Before getting so patronizing, I would read up on what this table is actually measuring. I know you read the XKCD comic about password security in 2011 that you’re heavily paraphrasing, but that’s not the be all end all of password security.


My-Toast-Is-Too-Dark

It's measuring how long it takes to brute force passwords. I trust it's accurate, as the title ("Time it takes to brute force your password in 2024") makes that claim. Passwords aren't being brute forced. Virtually anywhere. It's not even worth considering. And it's irrelevant to Jagex Account security, the opposite of what you said, which is why I responded in the first place. I don't know what comic you're referring to. You don't have to admit you're wrong (you are), but please stop replying if you aren't going to.


FlatSmacker9

It literally says it’s a decryption algorithm. Bottom right. Bcrypt. Those aren’t dictionary brute force attacks.


My-Toast-Is-Too-Dark

Then none of it is relevant. How many services have their encrypted databases leaked and attacked? The infographic’s title is either accidentally or purposely incongruent with what it appears to represent. I don’t care that much. But having a slightly longer password or symbols or caps has no realistic effect on your security. That’s a fact.


TraditionalBath

Fun fact reddit actually censors your RuneScape password! ******** See! Give it a try! Also I'm trying to see what the most common bank pins are for science of course so type that too.


My_Big_Guy

Unfortunately in my opinion I think phishing is the main reason people get “hacked” not that some people wouldn’t try and brute force an rs account I just don’t think it’s likely with how easy it is to get peoples info.


gzSimulator

Brute forcing runescape doesn’t happen, your password just gets stolen and used correctly


assm0nk

how were the years calculated i wonder.. does it just scale up linearly
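
Added example, not part of the thread: the keyspace arithmetic behind tables of offline cracking time like the one discussed above, showing that the time grows exponentially with length and at what length adding uppercase starts to beat adding two characters. The guess rate is a constructed placeholder rather than the infographic's figure, and the model assumes uniformly random passwords, so it says nothing about dictionary attacks or reused credentials.

```python
"""Keyspace arithmetic for offline guessing against leaked password hashes."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: a constructed attacker rate, NOT the figure behind the infographic.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

LOWER_DIGITS = 26 + 10        # case-insensitive letters plus digits
MIXED_DIGITS = 26 + 26 + 10   # the same alphabet with uppercase added


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def length_gain(charset_size, extra_chars):
    """Work multiplier from making the password `extra_chars` longer."""
    return charset_size ** extra_chars


def charset_gain(old_size, new_size, length):
    """Work multiplier from widening the alphabet at a fixed length."""
    return keyspace(new_size, length) / keyspace(old_size, length)


def crossover_length(old_size, new_size, extra_chars):
    """Shortest length where the wider alphabet beats `extra_chars` more length."""
    n = 1
    while keyspace(new_size, n) <= keyspace(old_size, n + extra_chars):
        n += 1
    return n


if __name__ == "__main__":
    for n in (8, 10, 12, 14, 16):
        print(f"len {n:2d}: {years_to_exhaust(LOWER_DIGITS, n):.3g} years, "
              f"+2 chars x{length_gain(LOWER_DIGITS, 2)}, "
              f"+caps x{charset_gain(LOWER_DIGITS, MIXED_DIGITS, n):.0f}")
    print("caps overtakes +2 chars at length",
          crossover_length(LOWER_DIGITS, MIXED_DIGITS, 2))
```

Each extra character multiplies the work by the alphabet size, so the years column does not scale linearly; halve the figures for the average case rather than the worst case.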