In case you forgot: password strength is based on length, not on stupid rules for humans.

The computer really doesn't care whether you use numbers and symbols and upper casing. That just makes it hard on people. The computer doesn't sweat the additional character types.

It does care about password length.

So, developers: let us pick a password of arbitrary length. 12 characters minimum, these days.

And if you must enforce an upper limit, set it to 512 bytes.

@aeveltstra that's not exactly true, dictionaries and rainbow tables exist and are widely used

@charlag @aeveltstra
Yeah, and size of the alphabet can change a lot.
For example, if you know someone's password is 12 chars and it consists only of lowercase letters (which there are 26 of), it's just 26^12 ~= 2^56 passwords to look through.

OTOH, if the person may have used lower and upper case letters, digits, or special chars, then it's (2 * (26 + 10 + 10))^12 = 92^12 ~= 2^78 possibilities, which will take 4 million times more time.

@charlag @aeveltstra
Of course you could use a 17-character lowercase-only password for the same amount of security.

So the question is, which is easier to remember and to type correctly for a particular user. And this can vary from person to person.

@nartagnan @charlag @aeveltstra
Depends on individual person.
I tried using 4-lowercase-word passphrases.
I mistyped them *every* *fuckin* *time*.
If they work for you, great. But they don't work for me.

@nartagnan @Wolf480pl @aeveltstra it surely is! Just saying that contents are also important. If everyone just has the first QWERTY row it's not helpful.

@nartagnan @Wolf480pl @charlag @aeveltstra
Stanford and several other universities have implemented their requirements such that the longer your password/phrase is, the fewer types of characters you need in it. This is pretty easy to set up on a *nix domain with PAM config options, and for Windows requires a custom PassFilt.dll loaded on your DCs.

@manchot @nartagnan @charlag @aeveltstra

What do you think, how many of their accounts could one get into just by trying orange eagle key shoe?

@kitten @manchot @nartagnan @charlag Orange eagle key shoe? Is there a cultural reference to that?

It should be obvious that rainbow tables will contain often-used and often-found combinations.

@aeveltstra I was referring to that Stanford infographic above, that's their example password

@aeveltstra @kitten @nartagnan @charlag

Let's say you (cryptographically) randomly chose four words from the top 1,000 most common words of the English language.

log2(1000) * 4 ~= 40 bits of entropy

Not great, but dramatically stronger than your average password, and online attacks aren't really feasible. Offline attacks on bcrypt/argon2 would be doable but expensive.

@manchot thanks for the explanation, but I was just wondering how many people would be lazy enough to take the example as their password

@Wolf480pl @charlag But does 4 million times more time make any difference to a tireless cloud computer farm that executes several teraflops?

No, it doesn't.

The complex character rules only serve to make it hard for normal people to remember their passwords. Which causes them to either reuse the one they do remember, or drives them into the clutches of online password vaults, which invariably get breached.
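The arithmetic behind the thread (26^12 versus 92^12, the 17-character lowercase equivalent, the four-words-from-1,000 passphrase, and the question of whether a 4-million-fold difference matters to a large cracking farm), worked through as an added example that is not code from any participant. The guess rates and the ten-word list are constructed assumptions for illustration; a real wordlist would hold the top 1,000 or more words, and real rates depend on the hardware and the hash's cost parameters:

```python
import math
import secrets

# Constructed guess rates, assumptions for illustration only.
GUESSES_PER_SECOND = {
    "online, rate-limited login form": 1e2,
    "offline, bcrypt/argon2 at a high cost setting": 1e5,
    "offline, fast unsalted hash": 1e11,
}

# Constructed stand-in for a real wordlist (too small to be secure itself).
SAMPLE_WORDS = ["orange", "eagle", "key", "shoe", "river", "stone",
                "cloud", "paper", "window", "garden"]


def search_space_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def speedup_factor(small_alphabet, large_alphabet, length):
    """How many times more guesses the larger alphabet costs at equal length."""
    return (large_alphabet / small_alphabet) ** length


def equivalent_length(alphabet_size, target_bits):
    """Shortest length over `alphabet_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase_bits(wordlist_size, n_words):
    """Entropy of `n_words` chosen uniformly from a list of `wordlist_size`."""
    return n_words * math.log2(wordlist_size)


def random_passphrase(words, n_words=4):
    """Pick words with the CSPRNG behind `secrets`, never `random.choice`."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate; on average expect half of it."""
    return 2.0 ** bits / guesses_per_second


def fmt_duration(seconds):
    """Human-readable duration for the comparison table."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:,.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    lower12 = search_space_bits(26, 12)
    mixed12 = search_space_bits(92, 12)
    words4 = passphrase_bits(1000, 4)
    print(f"12 lowercase chars      : {lower12:.1f} bits")
    print(f"12 chars, 92-symbol set : {mixed12:.1f} bits")
    print(f"ratio                   : {speedup_factor(26, 92, 12):,.0f}x more guesses")
    print(f"lowercase length matching 92^12: {equivalent_length(26, mixed12)}")
    print(f"4 words from top 1,000  : {words4:.1f} bits, "
          f"e.g. '{random_passphrase(SAMPLE_WORDS)}'")
    for label, rate in GUESSES_PER_SECOND.items():
        for bits in (lower12, mixed12, words4):
            t = seconds_to_exhaust(bits, rate)
            print(f"  {label:45s} {bits:5.1f} bits: {fmt_duration(t)}")
```

The table the script prints is the useful part: the same 40-bit passphrase that is out of reach through a rate-limited login form falls in days against a slow hash and in seconds against a fast one, which is why the choice of hash and its cost parameters matters at least as much as the composition rules the thread is arguing about.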
