(no title)

> most of the discussion about passwords completely miss the point. [...] any password under around 50 characters is as good as "dog"

I think you've completely missed the point.

After how long do you start to get annoyed when logging in? Most people probably at 2-5 seconds, but let's say ten full seconds of waiting for the computer to do the hashing. A word like dog is among the top few thousand words, let's say ten thousand, so after 10k×10s/(3600 seconds per hour) = ~28 hours your password is cracked on a single cpu. Probably more like 28 minutes on a couple GPUs, and this is using a complexity setting that literally nobody is going to use (I bet even the NSA isn't paranoid enough to wait 10 seconds for every login). Now compare that to "any other password under around 50 characters".

If you want to use a passphrase, pick random words (at least five when using complex words; the number depends on your dictionary size). Not a single word that is also very common. That completely misses the point.

This strategy would work if literally everyone uses a random words generator and yours, against all odds, comes up with a single common word. Then attackers would have no reason to crack in order of commonness and start with a single word. But that is not the reality we live in and attackers do start with simple passwords before complex ones. (Source: one of the things we do at work is crack passwords, most commonly when we get our hands on Windows password hashes.)

    a random word, like "dog" or "pingpong" is fine if the pqsswords are salted and hashed appropriately.  how often have your accounts been hacked this way? if an adversary is really banging on the hash, and they want it, any password under around 50 characters is as good as "dog", and no "complexity" meter is gona cut it.

You really need to provide some sources for this claim; it's outlandish and unreasonable because it varies so wildly depending on what you mean by "appropriately". This isn't magic, it's math, and we know how fast computers can do specific kinds of math under specific conditions.

> yep, most of the discussion about passwords completely miss the point. a random word, like "dog" or "pingpong" is fine if the pqsswords are salted and hashed appropriately. how often have your accounts been hacked this way?

A word like "dog" or "pingpong" is favored in a rainbow-table type of attack. Nobody pre-hashes "109231oijoasdfnaisdfabatteryhorse123".

And yes many passwords have been hacked this way [0].

[0] - https://www.linkedin.com/pulse/linkedin-hack-understanding-w...

So it's hard to understand the point you are tried to make. Why don't you try again and expand on "modern brute force techniques" that could crack a password 50 characters long? More productive endeavor and benefits the board.