Reply to antdude
Re: P@$$1234: the end of strong password-only security

20 random characters from the "all ASCII printable character space," generated by a top quality pseudorandom number generator, would be considered computationally secure against a brute force attack from any technology currently in the public domain. These characters provide slightly over 128 bits of entropy, and an attacker would encounter Landauer's limit. Quantum computing would halve the key space, but in the absence of that, reversible computing would be necessary.
If it actually gets as far as a brute force attack, you're safer with an easy to remember phrase longer than 20 characters than you are with 20 random characters. Longer is stronger. You just have to be sure to use a phrase that can't be either guessed or deduced, which really isn't that hard to do. -- "Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."
A randomly generated password, like the one I described above, has none of the weaknesses of human generated passwords. It won't be in any cracker's 20GB word list and probabilistic attacks can't be used, so an attacker is always forced into a true brute force attack (an exhaustive search of all possibilities). "Longer is stronger" is valid only when comparing randomly generated passwords. Passwords like: "resworb beW a gnisseccA.A", "n47= ...Timeout Delay: {", or "pmar fo ytilibacilppa 5.1" (25, 25, & 27 characters) may seem clever, but they were cracked by an individual using a normal desktop computer with a single GPU last year. He cracked about 83% of 146 million password hashes over a period of several months.
If you really want to protect your data, locate a quality random password generator and use two-factor authentication whenever it's available.
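Added example (not from anyone in this thread): a small generator that draws from the same 95-character printable ASCII set, with the entropy arithmetic behind the "20 characters, slightly over 128 bits" figure and the Landauer energy bound the first post mentions. The function names and the 300 K temperature are my own assumptions.

```python
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation and space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

BOLTZMANN_J_PER_K = 1.380649e-23  # SI value of k


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every symbol is chosen uniformly and
    independently from `alphabet_size` choices: length * log2(size).
    Works for characters (size 95) or for words drawn from a word list."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` for a uniform alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Generate a password from the OS CSPRNG via `secrets`.
    `random.choice` is deliberately not used: it is not a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def landauer_joules(bits: float, temp_kelvin: float = 300.0) -> float:
    """Minimum energy to erase one bit per candidate over 2**bits candidates
    (Landauer: k*T*ln2 per irreversible bit operation); an assumed 300 K."""
    return 2.0 ** bits * BOLTZMANN_J_PER_K * temp_kelvin * math.log(2)


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"{entropy_bits(len(PRINTABLE), 20):.1f} bits")
    # A phrase of 10 words chosen at random from a 7776-word list
    # lands in the same range, which is what makes a passphrase strong:
    print(f"10 random words: {entropy_bits(7776, 10):.1f} bits")
```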
Yeah, I know--the "Death of Clever". But my passphrases aren't "clever". They're just longer. They're not in any dictionary or any hash list. I'd put one of my short 32-character phrases up against any other 32-character random string. Brute force would be the only way to crack it. -- "Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."