top | item 12600450

DanielStraight | 9 years ago

Despite admitting that...

> Attackers use programs that try all words in a password dictionary, which is typically just a file of commonly used words in a given written language. These programs will even use combinations of these words, and permutations based on common replacements of letters with numbers or symbols

The author then goes on to say...

> Compare the password "B5s9z-Qx" with the password "SophisticatedpwsRock!!".... The first would be 72⁸, or 722,204,136,308,736 possible passwords. This would take a desktop PC roughly 3 days to crack. Compare that with our second password, which would be 72²² or 72,663,267,215,268,556,211,671,874,973,277,863,542,784, that’s a lot of possibilities.

This is a contradiction. A 10-letter word does not add as much entropy as 10 random characters. If you assume it does, you will cripple your security.

Do not follow this advice on passwords.

thembones | 9 years ago

Seems like you decided to quote the article, yet ignore the actual advice.

>Password length is 99% of password security. Password complexity is a distant second when it comes to modern password security.

He doesn't say to use a common 10 letter word with no complexity, which you infer with your comment. It's also comparing 72^8 with 72^22. The point of the article is that length trumps complexity. Not sure how you came to your conclusion.

DanielStraight | 9 years ago

My point is that 72^8 and 72^22 is an invalid comparison to determine the relative strength of those passwords.

B5s9z-Qx is 72^8

SophisticatedpwsRock!! is something like number_of_common_words^2 + 26^3 + 10^2. In other words, two common words, three lowercase letters and two symbols.

You can put each of these passwords in Dropbox's zxcvbn (https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.ht...) to see this more clearly.

They give a guesses_log10 of 8 for "B5s9z-Qx" and 12.76155 for "SophisticatedpwsRock!!". In other words, the latter is stronger, but it's not 72^14 times stronger. That's where the article messes up.

An attacker isn't going to crack "SophisticatedpwsRock!!" by trying 72^22 options. Just like an attacker isn't going to crack "password" by trying 72^8 or even 26^8 options. They're going to try 1000 or so options of super common passwords for "password" and some combination of dictionary words, abbreviations, symbols, common transformations, etc. for "SophisticatedpwsRock!!". This makes the search space much, MUCH smaller than 72^22.