A poll, aimed in particular at people who think they understand the technologies around password cracking. Assume that there is at least one password that you need to be strong and need to remember & type not-infrequently. How many characters is enough for you to feel comfortable in 2024? Assume any char you can type easily is available.
[May need a follow-up poll if the majority is at >=12]
[Boost if you’re interested in the result]

#infosec

9: 3.3%
10: 6.2%
11: 2.2%
>=12: 88.3%
Poll ended at .

@timbray Hive Systems has a pretty neat table showing password cracking of bcrypt

http://www.hivesystems.com/library
password: cybersecurityforeveryone

@gigantos @timbray

So many implicit assumptions... Here's a couple:

- Is this the hardware hackers use? These days hackers spin up GPUs in the cloud, so the times are meaningless

- If my password is "1Monkey$Wrench" it is 14 characters long and contains lower, upper, numbers and specials. According to this table it should take 805bn years and falls within the "good password" criteria. However, because it's made of English words I bet it would take... many orders of magnitude less than that.

@arikb @timbray this table is for fully random passwords, if you don't use a cryptographic random generator for the letters, it will be less hard to break than what is said here.

Also, it is for hardware that is relatively cheaply available for rent (12x RTX4090), if you are determined.

And it is for standard good practice bcrypt.

@gigantos @timbray Considering that the table covers passwords as short as 4 characters, I would say it's hinting at self-selected PIN / passwords. I know no password manager that will generate random passwords shorter than 12 characters by default.

And as for the hardware, you can have as many GPUs as you want for the right amount of money by using a cloud computing provider. The speed of cracking is therefore directly proportional to the amount of money invested.
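The three points the thread circles around (the poll's question of how many random characters are enough, the observation that a word-built password like "1Monkey$Wrench" is far weaker than its length suggests, and the point that cracking speed scales with the number of rented GPUs) can all be put on one arithmetic footing. The following is an added example, not code from the thread or from Hive Systems; the per-GPU bcrypt guess rate and the "attacker model" for the word-built password (digit, word from a 20,000-entry list, optional capitalisation, one of 32 symbols, second word) are constructed assumptions chosen for illustration, not measured figures.

```python
import math

# ASSUMPTION (constructed, not from the thread): bcrypt guesses per second on one
# consumer GPU. The real figure depends on the bcrypt cost factor; adjust to taste.
BCRYPT_GUESSES_PER_GPU_PER_SECOND = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Size of "any char you can type easily": printable ASCII minus space.
PRINTABLE_ASCII = 94

# ASSUMED attacker model for a password shaped like "1Monkey$Wrench":
# a digit, a word from a 20k-entry list, capitalised or not, one of 32
# symbols, a second word, capitalised or not. Each entry is the number of
# choices for that component; the keyspace is their product.
WORD_BUILT_MODEL = [10, 20_000, 2, 32, 20_000, 2]


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose every character is drawn uniformly at random.

    This is the model the Hive Systems table assumes, as noted in the thread."""
    return length * math.log2(alphabet_size)


def structured_entropy_bits(component_sizes: list[int]) -> float:
    """Entropy when the password is assembled from independently chosen pieces
    (dictionary words, a digit, a symbol) rather than random characters.

    An attacker who guesses the structure only has to search the product of
    the component sizes, however many characters the result happens to be."""
    keyspace = 1
    for choices in component_sizes:
        keyspace *= choices
    return math.log2(keyspace)


def seconds_to_exhaust(bits: float, guesses_per_second: float, gpus: int = 1) -> float:
    """Worst-case time to try every candidate; doubling the GPUs halves it,
    which is the 'proportional to money invested' point made in the thread."""
    return 2 ** bits / (guesses_per_second * gpus)


def years_to_exhaust(bits: float, guesses_per_second: float, gpus: int = 1) -> float:
    return seconds_to_exhaust(bits, guesses_per_second, gpus) / SECONDS_PER_YEAR


def compare_password_models(gpus: int = 12) -> dict[str, dict[str, float]]:
    """Entropy and exhaustive-search time for the poll's lengths as fully random
    passwords, and for a 14-character password built from English words.

    gpus defaults to 12 because the thread mentions a rentable 12x RTX4090 rig."""
    rate = BCRYPT_GUESSES_PER_GPU_PER_SECOND
    results: dict[str, dict[str, float]] = {}
    for length in (9, 10, 11, 12, 14):
        bits = random_entropy_bits(length, PRINTABLE_ASCII)
        results[f"random_{length}"] = {
            "bits": bits,
            "years": years_to_exhaust(bits, rate, gpus),
        }
    bits = structured_entropy_bits(WORD_BUILT_MODEL)
    results["structured_14"] = {
        "bits": bits,
        "years": years_to_exhaust(bits, rate, gpus),
    }
    return results


if __name__ == "__main__":
    for name, row in compare_password_models().items():
        print(f"{name:14s} {row['bits']:7.1f} bits  {row['years']:.3g} years on 12 GPUs")
```

Run it and the contrast the thread describes falls out of the numbers: 14 random printable characters sit near 92 bits, while the same length built as digit + word + symbol + word sits near 39 bits under the assumed model, a reduction of roughly 2^53 in the search space. Changing `gpus` scales every time linearly, which is why the table's "years" column only has meaning relative to a stated hardware budget.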