This only provides 1949^4 max combinations, which is actually a smaller key space than the job I ran at a little under 2458^4. This assumes that the password breach will go undetected – as soon as it is detected the password will be changed anyway! Although the concept is fair, this comic's implementation is flawed for achieving its goal. In this document, aimed at system owners, they address not only the limitations of passwords but also the effects of various password policies on overall security when accounting for real user behaviour! Go ahead and use spaces in your passwords. This application is designed to assess the strength of password strings. There's this whole other conversation to be had on whether or not we can even properly measure entropy, but that's outside the scope of this article. Well, that's complicated... People generally can't care about things they don't know. In theory, I could have grabbed the source for this generator (available in the web page's source code) and just walked through that entire key space in less time. (As character sets change, this calculation can become more complex.)
The biggest problem here is that these policies aren't modeling real-world attackers (and they certainly don't represent real-world attacks).
So suggesting diceware is great, but it should also come with a recommendation of how that pattern should be selected (and that should not simply be "thinking of the words"). Don't ever let anyone tell you SHA-anything is "enough". The point here was never to suggest they are more flawed than passwords, but to keep realistic expectations. Of course I let him know to change his password (he immediately started selecting much longer diceware passphrases), but I also asked him how he selected the compromised password. Use all the spaces! It now seems that GCHQ agrees with me! If you haven't already guessed, I got a password in less than that. The longer it takes to crawl a key space, the stronger the password. That results in strings of characters and numbers that hackers could easily predict, and algorithms that specifically target those weaknesses. These particular passwords were being stored as salted SHA-512. (At least, this is the common theory.)
Instead of using random character sequences for passwords (which are hard to remember), Randall suggests using passphrases in natural language, which are both more secure and easier to memorize. Any passwords which are recovered are forced to be changed. This xkcd comic suggests what is essentially diceware over the traditional patterns. Longer passwords, even consisting of simpler words or constructs, are better than short passwords with special characters. OkCupid is a US-based company, and everyone in the office speaks English, so I assumed an English lexicon for this attack. If you can go bcrypt, scrypt, or argon2, you should. Well, now we need to understand what makes a password "strong". The average person's exposure to password creation and policies is tied directly to the varied websites and services they use on the web every day. For example, the password manager itself needs to be protected by a master password (but this is still infinitely better than remembering all the passwords within the manager). However, people then tend to use predictable strategies to generate passwords, so the security benefit is marginal while the user burden is high. Realistically, we need a better way to measure password strength. These passwords are annoying to type, even harder to remember than without symbols, and you still need 13 characters: log(95^13)/log(2) = ~85.4 bits. In fact, there's a pretty solid argument to be made that they can never be right (at least when used as a sole authN factor).