What is the next number set in the sequence?

[kb1]

3 hours ago, bzzrak said:

Sir, you are a goddamn genius. Genius, I tell you.

That's very nice of you, thank you! But I can't take the credit - I'm sure I read it somewhere :)

 

For passwords, size really does matter. Each additional character makes the brute-force method between 36 times (letters and numbers) and 96 times (case-sensitive letters, numbers, and symbols) more difficult. So, adding just 5 characters multiplies the brute-force time by 60-million to 8-billion times! The shortest sentence I typed above requires an average of 1E+53 ("1" and 53 other digits) tries for the brute-force method. The fastest PC might be able to try 20 million per second per thread. For that sentence, I calculate that it would take, on average, 16456471089407229008473500735 years to hit the proper password, with 1 billion PCs running 16 threads, each with 20 million tries per second. In other words, the sentence "I was born on August 14th!." is sufficiently secure.

 

( I love calculations like these :)

 

Another idea: You could print up a thread like this one, pin it to a wall, and use sentences from it for your weekly password sentences. If you're careful, no one would know what that printout was for. Might have to try that. Just don't use this thread, hee hee.

 

 

[GuyMcBrofist]

While you can use a big long password to make a massive search space for an attacker, you should probably take into account that most passwords these days are stored as hash-values rather than plain text, so the hash function being used is generally what comes under fire.

[kb1]

On 2/21/2018 at 8:25 PM, GuyMcBrofist said:

While you can use a big long password to make a massive search space for an attacker, you should probably take into account that most passwords these days are stored as hash-values rather than plain text, so the hash function being used is generally what comes under fire.

Big bump...

 

If you have access to the database then, yes, you're in. Using a good password is the best a user can do to protect their stuff, and it virtually prevents a stockpile of direct attacks. I guess I'm not sure what you are suggesting. Yes, my suggestion assumes that the passwords are being stored in a secure way. They may not be, but, again, it's the best a user can do, and it's up to the programmer(s) to maintain proper security.

[GuyMcBrofist]

I guess I was just trying to curb the enthusiasm over password length when there are other attack vectors against password security. Reading over it now, my post doesn't make much sense.

[Gez]

https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/

 

[Taw Tu'lki]

100

[kb1]

On 3/29/2018 at 12:57 PM, Gez said:

https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/

 

I can't really get behind some of the author's conclusions. For one thing, password managers are very nice to have, but that provides a single point of entry to all your passwords, which is kinda scary.

 

I mean, sure, if the hacker has the db, or is on the server somehow, all bets are off. But, from a user's perspective, the longer the password, the harder it is to crack using brute force. It's the only thing the user can do to be more safe. And, a sentence is easier to remember. Even adding "hubba-bubba" to the end or middle of that sentence makes it massively harder to brute force. Each character makes it exponentially harder to brute force.

 

Now, I do agree with the author's idea that the password should prove to be unique by searching against all other passwords in the db, and possibly also searching from known password lists - there's a lot of them out there. Also, disallowing passwords containing the name of the service makes sense. It's a tricky mess.