
Monday, 05 November 2012



Stephanie, hello!

You are absolutely right about optimistic estimations and that I didn't consider the highly motivated, highly proficient attacker scenario. My objective though, was to encourage adoption of longer passwords by easing folks into using them. Given this, I chose a convenient way to illustrate strength. As you point out, if you are one or among a set of chosen targets, it's quite possible that your attacker could use parallel methods; hopefully, other brute force detection or countermeasures will intercede.

The time to crack for various lengths is an overly optimistic estimation of the time needed. Resistance to brute force should always be considered against the worst case, rather than the "ideal" conditions displayed here.

For example, http://technewspedia.com/cluster-with-25-gpus-sprayed-passwords-lm-ntlm-windows/ - under some operating systems (XP/2003), apparently, arbitrary 14 character passwords fall in *minutes* rather than the billions of years in the estimates you cited.

At this point, it's safe to assume that anyone seriously cracking passwords is going to be using parallel methods, and they may have access to GPUs, and in this case it's better to assume the worst, because the worst might just happen.

Hi Scott,

I like pass phrases but I'd be cautious about using something too familiar in pop culture. Rather than impossible-to-remember strings of characters, I'd suggest you consider borrowing a page from a one time password generator and string together several words that you'd remember, or something more obscure from a book you'd recall but are pretty convinced no one else would associate with you, for example:


Cool idea, Dave! It's great to realize how much power users can get simply by adding ; or ~ to a password.

Do you agree with the advice of using quotations as pass phrases? For example, "The Force is strong with this 1." is a very long, easily remembered password that, according to your chart above, should stand against 5 billion years of cracking... but will dictionary attacks undermine its theoretical resistance to the point where 9 nonsense characters would make a stronger password?
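The question Scott raises (does a famous quotation really buy the resistance a length-based chart promises, or would 9 random characters beat it?) and the GPU point Stephanie makes can be worked through numerically. The script below is an added example, not code from the original post or its author. Its guess rate, the size of the quotation list and the number of mangling rules are assumptions chosen for illustration; the LM-hash model reflects only the documented fact that LM upper-cases the password, pads it to 14 bytes and hashes the two 7-byte halves independently.

```python
import math

# Attacker guess rate. Assumed value, not taken from the thread: roughly the
# order of magnitude of a multi-GPU rig against a fast, unsalted hash such as
# NTLM. Against a slow hash (bcrypt, scrypt, PBKDF2 with a high work factor)
# it is many orders of magnitude lower, so treat it as a knob, not a fact.
GUESSES_PER_SECOND = 3.5e11

PRINTABLE_ASCII = 95   # space through '~'
LM_CHARSET = 69        # upper-case letters, digits and printable symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Candidates tried by a naive exhaustive search of all strings up to
    `length`. This is the model behind 'time to crack by length' charts."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def lm_keyspace():
    """Effective keyspace of a Windows LM hash (XP/2003 stored these).
    LM upper-cases the password, pads it to 14 bytes and hashes each 7-byte
    half separately, so a 14-character password costs the attacker two
    7-character searches, not one 14-character search."""
    return 2 * LM_CHARSET ** 7


def phrase_dictionary_keyspace(num_phrases, num_mangling_rules):
    """Keyspace of a passphrase drawn from a list of well-known quotations.
    The attacker tries each quotation under each mangling rule
    (capitalisation, trailing punctuation, 'one' -> '1', ...), so the
    phrase's length is irrelevant; list size times rule count is what counts."""
    return num_phrases * num_mangling_rules


def entropy_bits(keyspace):
    """Guessing entropy in bits: log2 of the candidate count."""
    return math.log2(keyspace)


def expected_seconds(keyspace, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: on average half the space is searched."""
    return keyspace / 2 / rate


def expected_years(keyspace, rate=GUESSES_PER_SECOND):
    return expected_seconds(keyspace, rate) / SECONDS_PER_YEAR


def compare(rate=GUESSES_PER_SECOND):
    """Expected crack time in seconds for the cases raised in the thread.
    The phrase-list size (1e6) and rule count (1e3) are assumptions."""
    quote = "The Force is strong with this 1."
    return {
        "quote, naive brute force over all 95 printables":
            expected_seconds(brute_force_keyspace(len(quote)), rate),
        "quote, dictionary of 1e6 quotations x 1e3 mangling rules":
            expected_seconds(phrase_dictionary_keyspace(10**6, 10**3), rate),
        "9 random printable characters":
            expected_seconds(brute_force_keyspace(9), rate),
        "14 arbitrary characters stored as an LM hash":
            expected_seconds(lm_keyspace(), rate),
    }


def describe(seconds):
    """Render a duration at the scale a reader cares about."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.3g} days"
    return f"{years:.3g} years"


if __name__ == "__main__":
    for label, secs in compare().items():
        print(f"{label:60s} {describe(secs)}")
```

Under the naive model the 32-character quotation sits at roughly 210 bits and the chart's "billions of years" follows. Under the dictionary model it collapses to about 30 bits (one million quotations times one thousand rules) and falls in well under a second at the assumed rate, while 9 random printable characters (about 59 bits) take on the order of days against a fast unsalted hash, and the LM case shows how a hash format alone can turn 14 characters into seconds. The numbers move with the rate and with the list and rule sizes, which is exactly Stephanie's point: the attacker's model, not the password's length, decides which column of the chart applies.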

