A poll, aimed in particular at people who think they understand the technologies around password cracking. Assume that there is at least one password that you need to be strong and need to remember & type not-infrequently. How many characters is enough for you to feel comfortable in 2024? Assume any char you can type easily is available.
[May need a follow-up poll if the majority is at >=12]
[Boost if you’re interested in the result]

#infosec

Results:
9: 3.3%
10: 6.2%
11: 2.2%
>=12: 88.3%

@timbray @HollyGoDarkly
The current cyber password standard is:
• 15 character minimum
• passphrase
• no restrictions
• change once a year

Example:
AVeryLongPasswordYoudRemember

Why:
• 15 characters ups the encryption level as each increase in length increases the combinations. 9 characters is better than 8 with specials.
• A passphrase is memorable, quicker to type and often longer than 15 characters.
• The surface to the attacker is different from the user's. The attacker doesn't know if you put in a £, so the combinations to crack still include special characters even if you don't use them.
• You will remember it and never write it down.

Why not:
• Forcing special characters actually lowers the potential combinations AND makes it harder to remember.
• Changing monthly makes them unmemorable and so people write it into less secure places, like notes and text files. The human element HAS to be accounted for.
• So exactly 8 characters with specials is out of date like not wearing a seatbelt is out of date… You might be fine or you might be seriously harmed.

Bonus Life Hacks
• Use words you have trouble spelling like ‘bureaucracy’ or ‘deoxyribonucleic’ and by the end of the year you can spell them.
• Learn a sequence like cell division: InterEarlyLateMetaAnaTeloInterphas£
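A worked version of the keyspace argument in the reply above, added here as an illustration and not the poster's own code: it sizes the search space an attacker faces for "8 chars with a special required" against unrestricted 8, 9 and 15 character policies, and shows why a composition rule shrinks the space. The alphabet sizes (95 printable ASCII), the 1e10 guesses/second rate and the 10,000 word dictionary are assumptions, not figures from the thread.

```python
import math

# Alphabet sizes for printable ASCII (assumed; a '£' or other non-ASCII
# key only makes every set larger).
PRINTABLE = 95          # 26 lower + 26 upper + 10 digits + 33 specials
NO_SPECIALS = 62        # letters and digits only

def keyspace_unrestricted(length: int) -> int:
    """Strings the attacker must consider when no composition rule is imposed."""
    return PRINTABLE ** length

def keyspace_forced_special(length: int) -> int:
    """Strings satisfying 'at least one special character': all printable
    strings minus those that contain no special at all. Always smaller."""
    return PRINTABLE ** length - NO_SPECIALS ** length

def bits(keyspace: int) -> float:
    """Search-space size expressed in bits."""
    return math.log2(keyspace)

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to enumerate the whole space."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)

def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Bits if the attacker guesses word sequences instead of characters."""
    return words * math.log2(dictionary_size)

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    print(f"{'policy':<28}{'bits':>8}{'years @1e10/s':>16}")
    for label, space in [
        ("8 chars, special required", keyspace_forced_special(8)),
        ("8 chars, no restriction",   keyspace_unrestricted(8)),
        ("9 chars, no restriction",   keyspace_unrestricted(9)),
        ("15 chars, no restriction",  keyspace_unrestricted(15)),
    ]:
        print(f"{label:<28}{bits(space):>8.1f}"
              f"{years_to_exhaust(space, rate):>16.3g}")
    # 'AVeryLongPasswordYoudRemember' is 29 characters but five common words:
    # an attacker guessing word sequences sees a much smaller space.
    print(f"29 chars guessed character-wise: "
          f"{bits(keyspace_unrestricted(29)):.1f} bits")
    print(f"same passphrase as 5 words from 10,000: "
          f"{passphrase_bits(5, 10_000):.1f} bits")
```

The passphrase rows are the caveat a practitioner would add to the reply: length counts in full only when the attacker cannot model the password as a short sequence of dictionary words.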