kb1 Posted February 22, 2018

3 hours ago, bzzrak said: Sir, you are a goddamn genius. Genius, I tell you.

That's very nice of you, thank you! But I can't take the credit - I'm sure I read it somewhere :)

For passwords, size really does matter. Each additional character makes the brute-force method between 36 times (letters and numbers) and 96 times (case-sensitive letters, numbers, and symbols) more difficult. So, adding just 5 characters multiplies the brute-force time by 60 million to 8 billion times! The shortest sentence I typed above requires an average of 1E+53 ("1" and 53 other digits) tries for the brute-force method. The fastest PC might be able to try 20 million per second per thread. For that sentence, I calculate that it would take, on average, 16456471089407229008473500735 years to hit the proper password, with 1 billion PCs running 16 threads, each with 20 million tries per second. In other words, the sentence "I was born on August 14th!." is sufficiently secure. (I love calculations like these :)

Another idea: You could print up a thread like this one, pin it to a wall, and use sentences from it for your weekly password sentences. If you're careful, no one would know what that printout was for. Might have to try that. Just don't use this thread, hee hee.
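The arithmetic behind the post above, as an added example (not code from the thread or its author): it reproduces the 36x/96x per-character factors, the 60-million-to-8-billion figure for five extra characters, and the years-to-crack estimate for a 27-character sentence against the stated fleet of 1 billion PCs x 16 threads x 20 million guesses per second. It also goes one step further than the post and answers the reverse question a practitioner usually has: how many characters are needed to survive a given guess rate for a given number of years. The charset sizes are the post's own numbers; the 365.25-day year is an assumption.

```python
"""Brute-force cost estimator for the password-length argument above.

Added example for this thread; the character-set sizes come from the post,
everything else (year length, fleet size helper) is an assumption made here.
"""

# Character-set sizes exactly as the post uses them.
CHARSET_SIZES = {
    "letters+digits": 36,              # single-case letters and numbers
    "mixed-case+digits": 62,           # not in the post, included for comparison
    "mixed-case+digits+symbols": 96,   # the post's "96" case
}

# Assumption: a Julian year. The post's own figure looks like it used 365 days,
# which is why the result below differs from it in the third significant digit.
SECONDS_PER_YEAR = 365.25 * 86_400


def search_space(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def expected_guesses(length: int, charset_size: int) -> int:
    """Average guesses before a hit: halfway through the space."""
    return search_space(length, charset_size) // 2


def extra_work_factor(extra_chars: int, charset_size: int) -> int:
    """How much harder the search gets when `extra_chars` are appended."""
    return charset_size ** extra_chars


def fleet_rate(machines: int, threads_per_machine: int, guesses_per_thread_per_second: int) -> int:
    """Aggregate guess rate of a cracking fleet (post's model: PCs x threads x rate)."""
    return machines * threads_per_machine * guesses_per_thread_per_second


def years_to_crack(length: int, charset_size: int, guesses_per_second: int) -> float:
    """Expected wall-clock years for a pure brute-force search at the given rate."""
    seconds = expected_guesses(length, charset_size) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def minimum_length(target_years: float, charset_size: int, guesses_per_second: int) -> int:
    """Smallest length whose expected brute-force time reaches `target_years`.

    Done with an integer loop rather than logarithms so the boundary is exact.
    """
    target_guesses = target_years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while expected_guesses(length, charset_size) < target_guesses:
        length += 1
    return length


if __name__ == "__main__":
    sentence = "I was born on August 14th!."        # 27 characters, from the post
    full = CHARSET_SIZES["mixed-case+digits+symbols"]
    rate = fleet_rate(1_000_000_000, 16, 20_000_000)  # the post's fleet

    print("5 extra chars, letters+digits: x", extra_work_factor(5, CHARSET_SIZES["letters+digits"]))
    print("5 extra chars, full set:       x", extra_work_factor(5, full))
    print("expected guesses for sentence:  ", f"{expected_guesses(len(sentence), full):.3e}")
    print("years at the post's fleet rate: ", f"{years_to_crack(len(sentence), full, rate):.4e}")
    print("chars needed for 100 years:     ", minimum_length(100, full, rate))
```

The estimator models only exhaustive search over a character set, which is what the post is arguing about; it says nothing about dictionary or pattern attacks, and the guess rate is whatever the stored hash allows an attacker to achieve, so `years_to_crack` is only as meaningful as the rate you feed it.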
GuyMcBrofist Posted February 22, 2018 (edited)

While you can use a big long password to make a massive search space for an attacker, you should probably take into account that most passwords these days are stored as hash values rather than plain text, so the hash function being used is generally what comes under fire.
kb1 Posted March 29, 2018

On 2/21/2018 at 8:25 PM, GuyMcBrofist said: While you can use a big long password to make a massive search space for an attacker, you should probably take into account that most passwords these days are stored as hash values rather than plain text, so the hash function being used is generally what comes under fire.

Big bump... If you have access to the database then, yes, you're in. Using a good password is the best a user can do to protect their stuff, and it virtually prevents a stockpile of direct attacks. I guess I'm not sure what you are suggesting. Yes, my suggestion assumes that the passwords are being stored in a secure way. They may not be, but, again, it's the best a user can do, and it's up to the programmer(s) to maintain proper security.
GuyMcBrofist Posted March 29, 2018

I guess I was just trying to curb the enthusiasm over password length when there are other attack vectors against password security. Reading over it now, my post doesn't make much sense.
Gez Posted March 29, 2018

https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/
kb1 Posted April 5, 2018

On 3/29/2018 at 12:57 PM, Gez said: https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/

I can't really get behind some of the author's conclusions. For one thing, password managers are very nice to have, but that provides a single point of entry to all your passwords, which is kinda scary. I mean, sure, if the hacker has the db, or is on the server somehow, all bets are off. But, from a user's perspective, the longer the password, the harder it is to crack using brute force. It's the only thing the user can do to be more safe. And, a sentence is easier to remember. Even adding "hubba-bubba" to the end or middle of that sentence makes it massively harder to brute force. Each character makes it exponentially harder to brute force.

Now, I do agree with the author's idea that the password should prove to be unique by searching against all other passwords in the db, and possibly also searching from known password lists - there's a lot of them out there. Also, disallowing passwords containing the name of the service makes sense. It's a tricky mess.
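Two of the server-side checks the post above agrees with, the known-password-list lookup and the service-name rule, as an added example (not code from the thread, its author, or the linked article). The breached-list sample is constructed inline and stored as uppercase SHA-1 hex, the format the widely distributed Pwned Passwords corpus uses, indexed by a 5-character hash prefix so the same lookup shape works whether the list is local or queried remotely by prefix; the service name, minimum length, and the sample list contents are assumptions. The post's third check, uniqueness against every other password in the database, is not shown here because with per-user salted hashes there is no cheap way to do it, and that design question is beyond this thread.

```python
"""Candidate-password checks: breached-list membership and service-name reuse.

Added example for this thread. The breached-list entries below are a
constructed sample, not a real corpus; the service name is a placeholder.
"""
import hashlib
import re

MIN_LENGTH = 12                 # assumption; the thread argues for long passwords
SERVICE_NAME = "examplesite"    # placeholder service name, an assumption


def _sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex, the key format used by the Pwned Passwords corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breached_index(plaintexts: list[str]) -> dict[str, set[str]]:
    """Index breached passwords as {5-char hash prefix: {35-char suffixes}}.

    Splitting on the first five hex characters mirrors the k-anonymity
    range lookup: a caller only ever needs to reveal the prefix.
    """
    index: dict[str, set[str]] = {}
    for pw in plaintexts:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed sample list; a real deployment loads the full corpus instead.
BREACHED_INDEX = build_breached_index(
    ["password", "123456", "iloveyou", "letmein", "correcthorsebatterystaple"]
)


def in_breached_list(candidate: str, index: dict[str, set[str]] = BREACHED_INDEX) -> bool:
    """True if the candidate's SHA-1 appears in the indexed breached list."""
    digest = _sha1_hex(candidate)
    return digest[5:] in index.get(digest[:5], set())


def _squash(text: str) -> str:
    """Casefold and drop separators so 'Example Site' matches 'examplesite'."""
    return re.sub(r"[^0-9a-z]", "", text.casefold())


def contains_service_name(candidate: str, service_name: str = SERVICE_NAME) -> bool:
    """True if the service name appears in the candidate, ignoring case/separators."""
    return _squash(service_name) in _squash(candidate)


def check_password(candidate: str, service_name: str = SERVICE_NAME,
                   index: dict[str, set[str]] = BREACHED_INDEX) -> list[str]:
    """Return the list of reasons to reject `candidate`; empty means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if contains_service_name(candidate, service_name):
        reasons.append("contains the service name")
    if in_breached_list(candidate, index):
        reasons.append("appears in a known breached-password list")
    return reasons


if __name__ == "__main__":
    for pw in ["password", "My-Example Site-2018!", "I was born on August 14th!."]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Comparing the candidate against the list in hashed form means the plaintext never has to sit alongside the list on disk or go over the wire in full; when the list lives on a remote service, only `digest[:5]` is sent and the suffix comparison happens locally, which is the property the prefix index is built for.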