A single comment by @Velocio and its replies.
  • [@radar] unless the attacker knows you're using phrases.

  • Ever tried password cracking (I did, only last month when my accountants decided to start password protecting PDF payslips and I wanted to mock them)?

    Length is the issue.

    Even if someone told you their password was 50 chars long, figuring out how to make that from all dictionary words, names, place names, etc... just keeping to ASCII only... would take a long long time to crack.

    My accountants used a short complex password, it took my GPU less than a day with no clue given, and less than an hour when I told it that it was only looking at 8 chars in length.

    Long simple passwords FTW.

    I started to use long passwords by simply prepending my old password with "my password is ". Though now I've gone full Catch-22 and have to repeat a loyalty oath every time I want to do something.

  • Only to the extent of calculating md5 hashes for the top 100 weak passwords so I could tell some users they were their own worst enemy.

    If you know someone's using phrases, have an idea how long it is, and their main language, you can skip the letter-level bruteforcing and skip to the data-mining-based guessing.
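The two replies above make one point from opposite sides: a long passphrase only has character-level strength while the attacker is forced to guess character by character; once they know it is built from dictionary words, the search space collapses to word-level guessing. The script below is an added example (not code posted by anyone in this thread) that puts numbers on that. It assumes a 7776-entry word list (the size of a standard Diceware list) and a hypothetical guess rate of 10^10 per second, which is in the range of a single GPU against a fast unsalted hash; both figures are assumptions, not from the thread.

```python
import math

# Assumed alphabet sizes for character-level guessing (standard figures, not from the thread).
ALPHABETS = {
    "lowercase": 26,
    "mixed_alnum": 62,       # a-z, A-Z, 0-9
    "printable_ascii": 95,
}

# Assumption: a Diceware-sized word list. Real attack dictionaries may be larger or smaller.
DICTIONARY_SIZE = 7776

# Assumption: hypothetical guess rate for a fast hash on one GPU. Slow hashes (bcrypt, scrypt,
# Argon2) reduce this by orders of magnitude, which is the defender's main lever.
GUESSES_PER_SECOND = 10 ** 10


def charlevel_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits if every character is chosen uniformly from the alphabet.

    This is the strength an attacker faces when they know nothing about how the
    password was built and must brute-force the character space.
    """
    return length * math.log2(alphabet_size)


def wordlevel_bits(words: int, dictionary_size: int) -> float:
    """Entropy in bits once the attacker knows the secret is `words` dictionary words.

    Knowing the construction shrinks the space from (alphabet ** chars) to
    (dictionary ** words), which is exactly the point made in the replies above.
    """
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected seconds to find the secret: on average half the space must be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def passphrase_report(words: int, chars: int, alphabet: str = "lowercase") -> dict:
    """Compare a passphrase's strength against an uninformed and an informed attacker.

    `words` is how many dictionary words it contains; `chars` its total length.
    The effective strength is the weaker of the two models, because a capable
    attacker tries the cheaper model first.
    """
    naive = charlevel_bits(chars, ALPHABETS[alphabet])
    informed = wordlevel_bits(words, DICTIONARY_SIZE)
    effective = min(naive, informed)
    return {
        "charlevel_bits": round(naive, 2),
        "wordlevel_bits": round(informed, 2),
        "effective_bits": round(effective, 2),
        "effective_crack_years": expected_crack_seconds(effective, GUESSES_PER_SECOND) / (365.25 * 86400),
    }


def short_complex_report(chars: int, alphabet: str = "printable_ascii") -> dict:
    """Strength of a short password with no structure the attacker can exploit."""
    bits = charlevel_bits(chars, ALPHABETS[alphabet])
    return {
        "effective_bits": round(bits, 2),
        "effective_crack_years": expected_crack_seconds(bits, GUESSES_PER_SECOND) / (365.25 * 86400),
    }


if __name__ == "__main__":
    # Constructed sample cases: an 8-char complex password versus a 4-word lowercase passphrase.
    print("8-char printable-ASCII password:", short_complex_report(8))
    print("4-word, 28-char lowercase passphrase:", passphrase_report(words=4, chars=28))
    print("6-word, 40-char lowercase passphrase:", passphrase_report(words=6, chars=40))
```

The useful reading of the output is the gap between `charlevel_bits` and `wordlevel_bits`: the passphrase looks enormous to a character-level cracker but is only as strong as its word count once the construction is known, so a policy that relies on passphrases should size them by words, not characters, and should still pair them with a slow password hash.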

  • I'm pretty much pig-ignorant on this, but Bruce Schneier claims that the XKCD long password thing is no longer a good tactic: https://www.schneier.com/crypto-gram-1403.html#13
