@stevefoerster "aaa" is not on the chart because it's too secure

@stevefoerster oh good, I have something just above 7 quadrillion years. I hope giving that away doesn't significantly reduce the guess time.

@stevefoerster
I guess one English word is about equal to a combination of two upper/lower/number characters

@stevefoerster Seems to be missing the line "is in the list of commonly used passwords gleaned from password leaks"

That chart _sort of_ suggests ji32k7au4a83 would be in the 300 year range.

It's in the "Oh, you're from Taiwan, let's see if ... yep I'm in" range.

@stevefoerster alphanumeric with symbols, and at least 23 characters, I ought to be good for now

@stevefoerster What would be nice would be to include the version with high entropy that humans have been demonstrated to actually be able to remember: diceware style passwords (multiple words, eg like xkcd.com/936/ except you want more like 6-7 words these days)

@cwebber @stevefoerster this chart suggests XKCD is right. Even a 3 word passphrase takes like 10 times as long to crack as a gibberish password of 9 or 10 characters.

@cwebber @stevefoerster that is of course as long as you are human. Users on dolphin.town might have trouble generating enough entropy with a passphrase in their native language...

Eeee eeeee ee eeeeeee!

@msh @cwebber @stevefoerster Only if the attacker brute-forces character by character instead of word by word.

@Creideiki true, but it's still better to use passphrases.

4-word, English, all lowercase passphrase with single space word separators: 8.5 * 10^20 combinations of words. That is more than all the possible combinations of 10 printable ASCII characters (6.6 * 10^19), except easier to remember.

Factor in uppercase characters, punctuation (which dictionary attacks cannot find) and other languages and it's even better.

@msh @cwebber @stevefoerster

I don't believe this is correct.

If enough people use 3-4 word phrases, brute force attackers will specifically adapt to this.

Assuming a lexicon of 20,000 words (average native speaker) you get 20,000 ^ 4 permutations or 1.6e+17

Assuming 68 alphanumeric characters (lower, upper, digits, 10 symbols) you only need 10 characters to surpass this (68^10 or 2.1e+18)

@msh @cwebber @stevefoerster That's from brute-forcing characters. Brute-forcing 3 words via an English word dictionary would take considerably less time.

@stevefoerster nice graph, but it doesn't go to 99 on the vertical axis :(

@stevefoerster this is a cool chart! what assumptions is it making about crack speed, though? is this for online passwords where attackers need to send a request to the server on each attempt, or for situations where the attacker already has a hash or a ciphertext and can brute-force it on their own hardware? resources-wise, are we assuming a random script kiddie or the NSA?
@stevefoerster looks like the site assumes 4e10 attempts per second, with no explanation of where that number comes from

I'm also really not thrilled with "type your password into our site, it's only evaluated client-side and we never see it" and then loading in a bunch of mystery javascript from Google Analytics that can do whatever it likes with your inputs
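A worked version of the arithmetic traded in the posts above (20,000^4 words versus 68^10 characters, the 8.5e20 four-word figure, and the 4e10 guesses/second rate mentioned here), added as an example and not written by anyone in the thread; the lexicon sizes, average word length, 26-letter alphabet and the worst-case "exhaust the whole space" timing are my assumptions.

```python
import math

# Assumptions chosen to reproduce the figures quoted in the thread.
GUESS_RATE = 4e10                       # guesses/second the site is said to assume
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size, length):
    """Candidates when guessing `length` symbols from an alphabet.

    A "symbol" is one character for a gibberish password and one whole
    word for a passphrase attacked with a word list.
    """
    return alphabet_size ** length


def bits(space):
    """Entropy of a uniformly chosen candidate, in bits."""
    return math.log2(space)


def years_to_exhaust(space, rate=GUESS_RATE):
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return space / rate / SECONDS_PER_YEAR


def passphrase_effective_space(words, avg_word_len, lexicon_size, letters=26):
    """A passphrase only gets credit for whichever attack is cheaper:
    guessing whole words from the lexicon, or guessing its letters one
    at a time. Returns the smaller (effective) space."""
    by_word = search_space(lexicon_size, words)
    by_char = search_space(letters, words * avg_word_len)
    return min(by_word, by_char)


def comparison():
    """The competing claims from the thread, side by side (years are worst-case)."""
    rows = {
        "4 words, 20k-word active vocabulary": search_space(20_000, 4),   # ~1.6e17
        "4 words, 171k-word dictionary":       search_space(171_000, 4),  # ~8.5e20
        "10 chars, 68-symbol alphabet":        search_space(68, 10),      # ~2.1e18
        "10 chars, 96 printable characters":   search_space(96, 10),      # ~6.6e19
    }
    return {name: (round(bits(n), 1), round(years_to_exhaust(n), 2))
            for name, n in rows.items()}


if __name__ == "__main__":
    for name, (b, yrs) in comparison().items():
        print(f"{name:38s} {b:6.1f} bits  {yrs:12.2f} years")
```

Both posts are right: a 20,000-word lexicon gives four words fewer bits than ten mixed characters, while a full 171,000-word dictionary gives more, and a passphrase of short words is capped by plain letter-by-letter brute force regardless of the lexicon.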

@Lanza Yes, someone pointed out that these are only current estimates. QC may blow all of this up. 🤷‍♂️

@stevefoerster What about my 100 character passwords with the full character space? :blobwink: