I wonder if this takes into account Moore's Law (if we are able to sustain that as time goes on) and quantum computing. After 50 years, computers will be something like a million to a billion times faster, and so will be able to crack passwords much faster.
The good news is, even shaving 6-9 orders of magnitude off the solving time for my most secure password means I'll probably still be dead by the time it would get cracked (even without the 50 year delay). And then I don't care what they do with whatever the password protects.
I think that's a good rule of thumb: a password is secure if you'll be dead before it can be cracked.
Yeah, most of my passwords for relatively unimportant stuff are 10-20 characters. I think the longest password I know by heart is around 50 characters long.
AspDotNetDev wrote: 50 characters long
I'd just copy and paste from Notepad -- from my Passwords.txt file.
I used to do something like that. Now I use KeePass. It's too much trouble to remember hundreds of passwords.
I use LastPass's random password generation for most websites. I can't think of a more secure password - nobody knows it, not even me! And of course my longest, most secure password (that I can remember) is on my LastPass account, so I don't have an obvious weak point there.
Collin Jasnoch wrote: Honestly who knows what some crazy genologist/cryptologist/biologist.../ist will come up with.
I think I'm going to go invent cryptobiology now.
Never mind, a Google search gave me about 60,000 results for that word... I need to think of something even more obscure...
That assumes that the policy is enforced and that the attacker knows the policy.
If the policy is a minimum of eight characters, at least one uppercase, at least one lowercase, at least one digit, and at least one symbol and the attacker knows this (a reasonable assumption) then he won't try anything outside those parameters and will therefore reduce his efforts.
On the other hand, if it's not enforced then he'll never guess that my password is "badger".
In my opinion, allowing and recommending a wide variety of characters is a good idea, but requiring a wide variety of characters is not.
Make the attacker search the largest haystack you can; don't limit it.
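A worked count of what this post's point means for an attacker who knows the policy, as an added example (not code from the thread); the 95-character printable ASCII alphabet and its four class sizes are assumptions:

```python
"""How much an enforced composition policy shrinks the attacker's haystack
(added example, not code from the thread). Assumption: the attacker knows the
policy is enforced and tries only candidates that satisfy it, drawn from the
95 printable ASCII characters split into the four classes the post names."""
from itertools import combinations

CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}  # sums to 95


def unconstrained_count(length: int, classes=CLASSES) -> int:
    """Every string of the given length over the full alphabet."""
    return sum(classes.values()) ** length


def policy_count(length: int, classes=CLASSES) -> int:
    """Strings of the given length containing at least one character from
    every class, counted by inclusion-exclusion over the classes left out."""
    names = list(classes)
    total = 0
    for r in range(len(names) + 1):
        for left_out in combinations(names, r):
            k = sum(classes[c] for c in names if c not in left_out)
            total += (-1) ** r * k ** length
    return total


def policy_fraction(length: int) -> float:
    """Share of all strings that pass the policy: the attacker's remaining work."""
    return policy_count(length) / unconstrained_count(length)


if __name__ == "__main__":
    for n in (8, 10, 12):
        share = policy_fraction(n)
        print(f"length {n}: {share:.1%} of {unconstrained_count(n):.3g} candidates "
              f"satisfy the policy ({1 / share:.2f}x less work for a policy-aware attacker)")
    # Without an enforced policy the all-lowercase strings stay in the haystack;
    # with one, a policy-aware attacker never tries a word like "badger" at all.
    print("all-lowercase 6-character strings:", 26 ** 6)
```

For eight characters roughly 46% of all printable-ASCII strings satisfy the policy, so the enforced rule costs the defender about half the haystack; the gap narrows as length grows.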
PIEBALDconsult wrote: On the other hand, if it's not enforced then he'll never guess that my password is "badger".
A dictionary attack would be able to get that pretty easily still, and that's likely to be one of their first attempts.
No, if the attacker expects the password to have digits and symbols then he won't try anything without them.
But if it's not enforced most people will choose not to use them, so I still think he'd try that first, especially because it would be relatively fast (I think I read somewhere English has around 600,000 words or something like that, so even at only 1000 per second that's like 10 minutes, and it works for many people's passwords).
Which is of course why my secure password is utter gibberish with no meaning to anyone existing outside my head. (And the people inside my head can't get to computers so no worries there.)
Just increase the delay every time a wrong password is entered; then it can't be hacked.
...or disable the account after n consecutive login failures. Pretty standard stuff. IMHO the article is more hype than not.
/ravi
Ravi Bhavnani wrote: disable the account after n consecutive login failures
That causes too much trouble.
Right. But some systems also offer a security policy to auto-re-enable disabled accounts after m units of time have elapsed since the last perceived dictionary attack.
/ravi
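The throttle, lockout and auto-re-enable controls from the last few posts put together as an added example (not code from the thread); the thresholds, the in-memory store and the use of seconds as the time unit are assumptions:

```python
"""Online login throttling as argued above: a growing delay after every wrong
password, lockout after n consecutive failures, and automatic re-enable once m
seconds have passed since the last failure, so a lockout cannot permanently
deny a user their own account. Added example, not from the thread; the defaults
and the in-memory store are assumptions, and password checking itself is outside."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords
    last_failure: float = 0.0  # timestamp (seconds) of the most recent failure
    locked: bool = False


@dataclass
class LoginGuard:
    max_failures: int = 5          # n: lock after this many consecutive failures
    reenable_after: float = 900.0  # m: seconds after the last failure before auto-re-enable
    base_delay: float = 1.0        # first delay; doubles with every further failure
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, now: float) -> tuple:
        """Call before verifying a password. Returns (allowed, seconds_to_wait)."""
        s = self._state(user)
        if s.locked:
            remaining = self.reenable_after - (now - s.last_failure)
            if remaining > 0:
                return False, remaining
            self.accounts[user] = AccountState()  # auto-re-enable, counters reset
            return True, 0.0
        if s.failures == 0:
            return True, 0.0
        delay = self.base_delay * 2 ** (s.failures - 1)
        remaining = delay - (now - s.last_failure)
        return (False, remaining) if remaining > 0 else (True, 0.0)

    def record(self, user: str, password_ok: bool, now: float) -> None:
        """Call after a permitted attempt with the outcome of the password check."""
        if password_ok:
            self.accounts.pop(user, None)  # success clears the failure history
            return
        s = self._state(user)
        s.failures += 1
        s.last_failure = now
        if s.failures >= self.max_failures:
            s.locked = True
```

As the next posts note, none of this helps against an offline attack on an encrypted file, where the attacker controls the guess rate.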
That works for stuff like websites, but what about something like an encrypted file? There's not much you can do to prevent a brute force attack on those.
You're absolutely correct. 5+ I was thinking of service-oriented apps.
/ravi
lewax00 wrote: an encrypted file
And encrypt at least twice.
the link says that using a bigger alphabet is more secure, but this is just plain wrong
it is better to increase the number of characters, even if they are simple (lowercase letters)
simple math: say 'k' is the size of your alphabet and 'n' shall be the size of your password. then there are k^n possibilities. increasing n is much more valuable than increasing k. just try it out:
f = @(n,k) k^n;
f(6,40) = 4.0960e+09
f(6,41) = 4.7501e+09
f(7,40) = 1.6384e+11
f(10,60) = 6.0466e+17
f(10,61) = 7.1334e+17
f(11,60) = 3.6280e+19
f(20,60) = 3.6562e+35
f(20,61) = 5.0886e+35
f(21,60) = 2.1937e+37
as you see, increasing the first parameter (length) makes like 100 times more possibilities, while adding one more symbol is like not even doubling.
so, a good password is a passphrase: take 3-5 random (and easy to remember) words and stick them together.
the idea to use passphrases came from http://xkcd.com/936/
Kevin Drzycimski wrote: it is better to increase the number of characters
Yes, that's true too.
Text from Gibson Research: https://www.grc.com/haystack.htm
"...
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!..."
It occurred to me that an organization could have a system constantly trying to break everyone's passwords -- anyone whose password is broken gets some sort of punishment (along with having to change the password).
A slap in the face from your superior!!!! That would be funny!!!!!!!!
Now, that is a good question.
My cat has a Codeproject account, and as is my norm these days, his password is a Guid. (Because I can paste it from my encrypted password store on the PC)
How long to break it?
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 5.10 million trillion trillion trillion centuries
My password is not a Guid (because I have to enter it from the keyboard on my phone occasionally)
How long to break it?
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 0.000202 seconds
Maybe I should find a way to remember Guids?
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
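The k^n arithmetic from Kevin Drzycimski's post and the GRC haystack figures quoted in the last two posts, worked through as an added example (not code from the thread or from GRC). The class sizes, the 1e14 guesses/second rate and the constructed GUID-shaped sample are assumptions; the GUID result lands in the same order of magnitude as the post's figure rather than matching it digit for digit, since the exact alphabet GRC assumed for that GUID is not stated here:

```python
"""Search-space arithmetic for the passwords argued about above (added example,
not code from the thread or from GRC). Assumptions: the attacker tries every
string over the union of the character classes the password uses, with GRC's
class sizes (26 + 26 + 10 + 33 = 95 printable ASCII); GRC's haystack counts
every length 1..n while the thread's f(n,k) = k^n counts exactly length n; the
rate is the thread's "one hundred trillion guesses per second"."""
GUESSES_PER_SECOND = 10**14
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
# (predicate, class size) pairs; anything that is not a letter or digit counts as a symbol
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: not c.isalnum(), 33)]

def alphabet_size(password: str) -> int:
    """Size of the class-based alphabet a brute-force search must cover."""
    return sum(size for used, size in CLASSES if any(used(c) for c in password))

def exact_length_space(n: int, k: int) -> int:
    """The thread's f(n,k): strings of exactly length n over k symbols."""
    return k ** n

def haystack(n: int, k: int) -> int:
    """GRC's haystack: every string of length 1..n over k symbols."""
    return sum(k ** i for i in range(1, n + 1))

def centuries_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space at `rate` guesses per second, in centuries."""
    return space / rate / SECONDS_PER_CENTURY

def growth_factors(n: int, k: int) -> tuple:
    """(gain from one more character, gain from one more alphabet symbol)."""
    base = exact_length_space(n, k)
    return (exact_length_space(n + 1, k) / base,
            exact_length_space(n, k + 1) / base)

if __name__ == "__main__":
    short, long = "PrXyc.N(n4k77#L!eVdAfp9", "D0g....................."
    for pw in (short, long):
        k, n = alphabet_size(pw), len(pw)
        print(f"{pw:24} k={k} n={n} centuries={centuries_to_exhaust(haystack(n, k)):.3g}")
    print("long/short ratio (GRC says ~95):", haystack(len(long), 95) / haystack(len(short), 95))
    # Constructed GUID-shaped sample, not the poster's real one: upper-case hex + digits + '-'
    guid = "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
    print("GUID centuries:", f"{centuries_to_exhaust(haystack(len(guid), alphabet_size(guid))):.3g}")
    print("one more char vs one more symbol at n=10, k=60:", growth_factors(10, 60))
```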