@stevefoerster that's very misleading because you can't guess X million permutations over an Internet connection... If you have physical access to the machine, the password length doesn't really matter unless you're James Bond.

@pj
It is useful for cases where people reuse passwords and an attacker has access to the encrypted passwords on one machine. Password reuse is generally bad, but still common.

It can be relevant for when you its about decrypting data and not providing access. Like an encrypted disk or password store. There are also systems that can slow those down though, but not that widespread
@stevefoerster

@wmd @stevefoerster in that case, reusing the password is the vulnerability, not the password length. If the original system was compromised, they could just as easily modify the source to save pws as plaintext, assuming the software was hashing in the first place. It's a valid point to encourage longer passwords, I'm not denying that.

@stevefoerster "aaa" is not on the chart because it's too secure

@stevefoerster oh good, I have something just above 7 quadrillion years. I hope giving that away doesn't significantly reduce the guess time.

@stevefoerster
I guess one english word is about equal to a combination of two upper/lower/number characters

@stevefoerster Seems to be missing the line "is in the list of commonly used passwords gleaned from password leaks"

That chart _sort of_ suggests ji32k7au4a83 would be in the 300 year range.

It's in the "Oh, you're from Taiwan, let's see if ... yep I'm in" range.

@stevefoerster alphanumeric with symbols, and at least 23 characters, i ought to be good for now

@stevefoerster What would be nice would be to include the version with high entropy that humans have been demonstrated to actually be able to remember: diceware style passwords (multiple words, eg like xkcd.com/936/ except you want more like 6-7 words these days)

@cwebber @stevefoerster this chart suggests XKCD is right. Even a 3 word passphrase takes like 10 times as long to crack as a gibberish password of 9 or 10 characters.

@cwebber @stevefoerster that is of course as long as you are human. Users on dolphin.town might have trouble generating enough entropy with a paraphrase in their native language...

Eeee eeeee ee eeeeeee!

@msh @cwebber @stevefoerster Only if the attacker brute-forces character by character instead of word by word.

@Creideiki true, but it's still better to use paraphrases.

4-word, English, all lowercase paraphrase with single space word separators: 8.5 * 10^20 combinations of words. That is more than all the possible combinations of 10 printable ASCII characters (6.6 * 10^19), except easier to remember.

Factor in uppercase characters, punctuation (which dictionary attacks cannot find) and other languages and it's even better.

cwebber@octodon.social @stevefoerster

@msh @cwebber @stevefoerster

I don't believe this is correct.

If enough people use 3-4 word phrases, brute force attackers will specifically adapt to this.

Assuming a lexicon of 20,000 words (average native speaker) you get 20,000 ^ 4 permutations or 1.6e+17

Assuming 68 alpha numeric characters (lower, upper, digits, 10 symbols) you only need 10 characters to surpass this (68^10 or 2.1e+18)

@msh @cwebber @stevefoerster That's from brute-forcing characters. Brute-forcing 3 words via an English word dictionary would take considerably less time.

@stevefoerster nice graph, but it doesnt go to 99 on the vertical axis :(

@stevefoerster this is a cool chart! what assumptions is it making about crack speed, though? is this for online passwords where attackers need to send a request to the server on each attempt, or for situations where the attacker already has a hash or a ciphertext and can brute-force it on their own hardware? resources-wise, are we assuming a random script kiddie or the NSA?
@stevefoerster looks like the site assumes 4e10 attempts per second, with no explanation of where that number comes from

I'm also really not thrilled with "type your password into our site, it's only evaluated client-side and we never see it" and then loading in a bunch of mystery javascript from Google Analytics that can do whatever it likes with your inputs

@Lanza Yes, someone pointed out that these are only current estimates. QC may blow all of this up. 🤷‍♂️

@stevefoerster What about my 100 character passwords with the full character space? :blobwink:
@EpicKitty @stevefoerster And what of zero-width space characters in passwords? 🐸🐸🐸
Sign in to participate in the conversation
OERu Social - Mastodon

This is the Mastodon instance for educators and learners involved in the OERu. Accounts of users not involved in OERu courses may be removed.