@stevefoerster that's very misleading because you can't guess X million permutations over an Internet connection... If you have physical access to the machine, the password length doesn't really matter unless you're James Bond.
It is useful for cases where people reuse passwords and an attacker has access to the encrypted passwords on one machine. Password reuse is generally bad, but still common.
It can be relevant for when you its about decrypting data and not providing access. Like an encrypted disk or password store. There are also systems that can slow those down though, but not that widespread
@wmd @stevefoerster in that case, reusing the password is the vulnerability, not the password length. If the original system was compromised, they could just as easily modify the source to save pws as plaintext, assuming the software was hashing in the first place. It's a valid point to encourage longer passwords, I'm not denying that.
@stevefoerster oh good, I have something just above 7 quadrillion years. I hope giving that away doesn't significantly reduce the guess time.
I guess one english word is about equal to a combination of two upper/lower/number characters
@stevefoerster Seems to be missing the line "is in the list of commonly used passwords gleaned from password leaks"
That chart _sort of_ suggests ji32k7au4a83 would be in the 300 year range.
It's in the "Oh, you're from Taiwan, let's see if ... yep I'm in" range.
@stevefoerster i'm not on the chart :o
@stevefoerster alphanumeric with symbols, and at least 23 characters, i ought to be good for now
@stevefoerster How long it **currently** takes...
@Creideiki true, but it's still better to use paraphrases.
4-word, English, all lowercase paraphrase with single space word separators: 8.5 * 10^20 combinations of words. That is more than all the possible combinations of 10 printable ASCII characters (6.6 * 10^19), except easier to remember.
Factor in uppercase characters, punctuation (which dictionary attacks cannot find) and other languages and it's even better.
I don't believe this is correct.
If enough people use 3-4 word phrases, brute force attackers will specifically adapt to this.
Assuming a lexicon of 20,000 words (average native speaker) you get 20,000 ^ 4 permutations or 1.6e+17
Assuming 68 alpha numeric characters (lower, upper, digits, 10 symbols) you only need 10 characters to surpass this (68^10 or 2.1e+18)
@stevefoerster nice graph, but it doesnt go to 99 on the vertical axis :(
@stevefoerster and within 10 years ?
@Lanza Yes, someone pointed out that these are only current estimates. QC may blow all of this up. 🤷♂️