As a computer hobbyist, I often worry how good my passwords are. I've never seen anything to describe how important it is. This chart and the research is super. My hat off to HIVE!
@PerryM Assumes unlimited hit rate. The reason iPhone 6 digit PIN works at all is the retry interval grows with each error
@PerryM It's a very attractive visualization! Their methodology is a bit limited, tho - they assume passwords are chosen uniformly at random, which is extremely not the case for most users. Unless you use a password manager, your password is probably much less secure than the table implies. E.G. "OpenSesame1!" would probably be cracked in seconds, not centuries.
@benjacobsen @PerryM It seems like this is especially true of the use of non-alphanumeric symbols in passwords. Most people insert them through some semi-formulaic procedure (like using l33t speak), so I really doubt it adds that much entropy in practice.
@PerryM Ha! Thanks to password managers, all my passwords are 24 - 36 characters long and use all the combinations. Perhaps that's overkill.
@steve @PerryM What annoys me is when sites limit your password length to something like 12 or 16 chars. I remember one that was 8 or 9, but that was years ago so hopefully they've fixed it.
@ArborealTechie @PerryM My *bank* used to do this.
@steve @PerryM A bank!🤦

@ArborealTechie @PerryM seriously, I had to have a max. 8 character password with only numbers and letters, no spaces. And it was case insensitive.

Luckily, this is not still the case.

@steve @PerryM that's good, especially since password-cracking algorithms are getting better.
@kainoa @steve @PerryM I use 1Password to generate (and store, of course) passwords, and I just keep it cranked up to whatever 60-something the maximum is in 1Password.

Some sites get angry about that.
@spiralmind @kainoa @PerryM Yeah, that's why I use 32, most of the time, but sometimes sites can't handle the size of my, er...passwords.
@steve @[email protected] @PerryM ...and of course I have to recommend @dumbpasswordrules for some fun.
@spiralmind @steve @PerryM 1Password has had some pretty bad data breaches, I'd recommend @bitwarden
@kainoa @steve @PerryM That sounds like LastPass, I'm not aware of any published 1P breaches.
Which Password Managers Have Been Hacked? – Best Reviews

Password managers can and have been hacked. Discover the biggest password managers hacks over the years and what to do to keep your passwords safe.
@kainoa @steve @PerryM Ah, that kind of vector, I was thinking more actual data exfiltration attacks. Bit of an ingenious headline on that page, and BitWarden should also be included for that level of vulnerability. https://flashpoint.io/blog/bitwarden-password-pilfering/
Bitwarden: The Curious (Use-)Case of Password Pilfering

While evaluating the behavior of Bitwarden, a popular password manager browser extension, Flashpoint’s Vulnerability Research team noticed that embedded iframes in a web page were handled in an atypical manner.
@spiralmind @steve @PerryM fair enough. I wasn't aware bitwarden had a similar vector.
@kainoa @spiralmind @steve @PerryM There are two kinds of password managers. Those that were breached and the ones that haven’t been breached yet.

Now, from the ones that were breached: did they lose your passwords or not?

The really bad breach is LastPass losing payment information. I was a free user at the time so I’m unaffected. But that sure didn’t look good.
@matthieu_xyz @spiralmind @steve @PerryM the best password managers are the ones you host on your own machine. Far, FAR less chance of any breach.
@kainoa @spiralmind @steve @PerryM I need my passwords on too many devices to just use local keepass conveniently and I don’t trust myself as a sysadmin. But that would be the ideal thing to do yes.
@kainoa @matthieu_xyz @steve @PerryM In general I'm hoping passkeys will become a major thing where it makes sense, to replace passwords.
@steve @PerryM na, 1password offers 100 chars, so why use less? 🙈
#overkill
@PerryM No mention of spaces, or pass phrases. Check this out: https://www.useapassphrase.com/

@PerryM Coo, thought my password was safe - always gets a Strong from whichever site I'm using. Annoying that many companies only ask for the bare minimum.
@PerryM obligatory #xkcd password guide
@PortsmouthGreens @PerryM I've often wondered, does it help to use foreign or even non-English British language words?

@pthane @PortsmouthGreens @PerryM Yes it does help a lot!
For every attack, we must assume that the attacker knows how we created the password. But still, this increases the number of possible words, so it helps.

To reference my own table again:
https://chaos.social/@Septem9er/110260038180253016

There you can see how much of a difference a bigger wordlist (2024 vs. 7776) makes (first row).

The important thing here is: The passphrase must be created truly random. Not in your head.

September (@[email protected])

Attached: 3 images. In case anyone else is interested in a comparison of passphrases vs. passwords, here is the result. The number in the top row refers to the number of words in the #wordlist and the hardware used. The number in the first column refers to the number of words in the #passphrase. For comparison, the original table for passwords from Hive Systems. We assume the attacker knows we use a passphrase and uses a wordlist attack. Other than that, method and calculation basis as in: https://www.hivesystems.io/blog/are-your-passwords-in-the-green

@PortsmouthGreens @PerryM I used diceware with real dice for a while, but I got tired of the passwords taking so long to type, so I wrote my own pronounceable password generator a while ago: https://github.com/curtmack/mantra

(One of these days I should look into migrating off of GitHub, too)

GitHub - curtmack/mantra: A pronounceable password generator in Guile Scheme.
@PerryM I’m surprised there isn’t a specific column for correct horse battery staple
@PerryM Somebody will soon turn up with that table adjusted for the expected speed of quantum computers.

@PerryM What matters is randomness and entropy, see https://en.wikipedia.org/wiki/Password_strength#Random_passwords.

Humans can't easily remember or type special characters, they should use a password manager for that or use a random list of words, that is much easier to remember and, with enough words, as strong or stronger than any list with special characters. Only drawback: it is longer.

@PerryM I see somebody has already posted the "Correct Horse Battery Staple" cartoon. Good.
@PerryM Cool!!! I should be good!
@PerryM this is why I always advocate for having a 16 char passphrase and not worrying about complexity. After 27 years, who cares anymore. In fact it's unlikely that anyone is willing to work on brute forcing something for a year.

@PerryM Indeed. But I'm pleased to see that breaking my master passwords is still into many billions of years, even on #ChatGPT-level hardware.

Very long encryption keys can be easy to remember (a couple of lines from your favourite song, for example), and, provided they're never stored on disk or passed over a network, are really vulnerable only to sophisticated malware on the client (keyloggers or memory snoopers).

@PerryM As for the colors:
Why is 17k years orange? Or 1m yellow? Anything over the average human lifespan would be green as far as I’m concerned.
@drag0nsden @PerryM yeah. Coloring 1-100k years as orange seems nuts. I mean, I'm not going for green, at least if I need to remember it. Not that I remember more than 3 or 4 passwords anymore.

@laird @drag0nsden @PerryM I assume it’s because it’s based on current computing power. I don’t know how fast it goes down but (wild assumption) if it goes down by 50% every year a password that takes 100k years with current hardware will take 3 months in 20 years. So that would mean it’s basically 20 (or even 18 if you start cracking in 17 years) years not 100k.

That’s probably fine for most use cases though, pretty sure there’s nothing I’m currently doing that anyone is going to be interested in in 20 years.

@PerryM @laird @h5e Agreed, but if Moore’s law is incorporated in the coloring scheme, the timespans should reflect the same. Your example from 100k should read 17y.
But I’m nitpicking, and making the chart has probably taken someone serious effort.
@drag0nsden @PerryM Account for the ever-growing compute throughput. Double compute every 2 years and 17k years comes down to almost nothing after 30 years of progress. And this does not account for user errors (human-made passwords are bad) and algorithmic advancements.
@PerryM for most logins this is completely irrelevant. There is no way to brute force most passwords as the number of trials is usually very limited.
@jyrgi66 @PerryM that's only true if the passwords are tested via the front end. There are a *lot* of security breaches that have leaked entire password databases, along with email addresses and account names. Every competent password database uses one-way hashed password storage, but once an attacker has a copy they can test passwords as fast as their hardware allows.

@PerryM guess why even the weakest passwords of mine are 16 digits numbers, lowercase, uppercase & symbols?

And those are the ones I only choose if I can't go with 64 or more digits...

All individualized and secured with a #PasswordManager ...

@PerryM why would somebody use MD5 in 2023..? Oh, never mind. 😣
@PerryM What assumptions are being made here? Are you assuming that the cracker has access to a hash of your password and/or can query a server an infinite number of times at infinite speed, with no delayed responses?
@PerryM And are they accounting for the fact that most stored passwords are "salted" and now use SHA hashes, not weak hashes such as MD5?
@brettglass @PerryM Anything modern is past SHA already. In some cases the hashes also scale with needed memory, to make GPU attacks much harder (they have a lot of computing, but not that much RAM).
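The "as fast as their hardware allows" point above and the MD5 vs. salted, memory-hard hashes exchange, put into code. This is an added example, not code from any poster: it stores one constructed sample password both ways and measures the single-core guess rate an offline attacker would get against each (the scrypt parameters are my choice, not a recommendation from the thread).

```python
import hashlib
import hmac
import os
import time

# Added example, not from the thread. Constructed sample: two users who both
# chose the same weak password, the kind of reuse a leaked database exposes.
PASSWORD = b"OpenSesame1!"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # assumed parameters, ~16 MiB of RAM per guess

def md5_unsalted(pw):
    """Legacy storage: no salt, so equal passwords give equal hashes and one
    precomputed table or one GPU pass covers every account at once."""
    return hashlib.md5(pw).hexdigest()

def scrypt_salted(pw, salt=None):
    """Salted, memory-hard storage. The salt makes each account its own job;
    the memory cost starves a GPU of the parallelism it relies on."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(pw, salt=salt, **SCRYPT_PARAMS)

def scrypt_verify(pw, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hashlib.scrypt(pw, salt=salt, **SCRYPT_PARAMS), digest)

def guesses_per_second(hash_fn, trials):
    """Rough single-core guess rate an offline attacker gets against hash_fn."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(b"guess%d" % i)
    return trials / (time.perf_counter() - start)

if __name__ == "__main__":
    print("same MD5 for both users   :", md5_unsalted(PASSWORD) == md5_unsalted(PASSWORD))
    (s1, d1), (s2, d2) = scrypt_salted(PASSWORD), scrypt_salted(PASSWORD)
    print("same scrypt for both users:", d1 == d2)
    print("MD5 guesses/s   :", int(guesses_per_second(md5_unsalted, 2000)))
    print("scrypt guesses/s:", int(guesses_per_second(lambda pw: scrypt_salted(pw, s1)[1], 5)))
```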

@PerryM I second the table and the advice. However, I think that the colour choices are a bit pessimistic. More than a month of bruteforce should be at least yellow. A couple of years is definitely safe for me.

@PerryM This is great. I have a question about a chart like this: when the "number of characters" is 15, for example, does the time required include the assumption that there are 15 characters? Or does it try 4, 5, etc. up to 15 characters in sequence? Similarly for the columns.
@PerryM my passwords are usually: I take the first letter of every word in a quote or phrase that I like. Pick a particular number I know well and mix it in letter, number, letter, number. Certain letters for me are always capital, the others are not. Then I add a symbol a certain number of characters in. Voila, it looks like a serial number, but I can figure it out if I forget it.
@PerryM This is very interesting! Do you know if there's a similar table with number of characters vs. year, so that one can factor in the growth of computing power?
@PerryM the only thing I do not really like is that this graphic only goes up to 18 characters. I would have preferred it to go up to e.g. 32 chars, at which point even numeric passwords would be safe against brute-force.

@PerryM I think I need to think of passwords with at least 11 characters, lower case, upper case, symbols and numbers.

Then change the password annually.

@PerryM man, 202k years is *yellow*? i guess they're saying that it's safe in 2023 but in a few years it might not be?
@PerryM Actual time spent: five minutes blagging their way past the IT guy who hands over the whole database without questioning it.
@PerryM huh, 53 years for my usual passwords now, I'm fine with that
@PerryM I love how a "time to crack" of 15-18 thousand years gets you an amber warning, and even 5 billion years is in yellow warning territory. Some patient crackers out there 😆
Jason Pettus :blobrainbow: (@[email protected])

A new "password-guessing" AI bot was given 15 million real passwords, and it correctly guessed 81% of them within a month after starting (with a full 50% guessed in less than one minute). The 19% that weren't guessed all had over 18 characters and were a random mix of upper and lowercase letters, numbers and symbols, so let that guide your password creations from now on. https://9to5mac.com/2023/04/07/ai-cracks-passwords-this-fast-how-to-protect/