A poll, aimed in particular at people who think they understand the technologies around password cracking. Assume that there is at least one password that you need to be strong and need to remember & type not-infrequently. How many characters is enough for you to feel comfortable in 2024? Assume any char you can type easily is available.
[May need a follow-up poll if the majority is at >=12]
[Boost if you’re interested in the result]

#infosec

Poll results:
9: 3.3%
10: 6.2%
11: 2.2%
>=12: 88.3%

@timbray I thought I read a few years back that a desktop GPU can brute force passwords up to 14 characters in length.

A "master password" should probably be a sentence these days.

@chadgeidel
Or a key file/hardware key.

IMO, more services need to support that, but at least 2FA is offering it often, and HOTP as a login is getting a lot more common now, with passkey APIs apparently being based on the same underlying system?
@timbray

@the_moep @chadgeidel @timbray passkeys use the same method as WebAuthn / security tokens / FIDO2 (there are so many different names here), which uses hardware-bound cryptographic keys and a cryptographic challenge-response protocol. It doesn't use the HOTP algorithm; it's a different type of 2FA.
@Natanael_L Thanks for the clarification! Didn't realise that HOTP and FIDO tokens were a different thing.
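
The HOTP versus challenge-response distinction drawn in the replies above, as an added example that is not part of the thread: HOTP (RFC 4226) derives codes from a secret both sides hold, while a passkey-style login signs a fresh server challenge with a private key the server never sees. Assumptions: the function names are hypothetical, a software Ed25519 key stands in for the hardware-bound key, and the exchange is simplified (real WebAuthn signs additional authenticator and client data).

```javascript
const crypto = require('node:crypto');

// HOTP (RFC 4226): client and server share one secret;
// code = truncate(HMAC-SHA1(secret, counter)).
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));               // 8-byte big-endian counter
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;           // dynamic truncation offset
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;   // 31-bit value
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Challenge-response with a key pair (simplified, see assumptions in the lead-in).
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  // The server record holds only the public key; the private key stays with the authenticator.
  return { authenticator: { privateKey }, server: { publicKey } };
}

function newChallenge() {
  return crypto.randomBytes(32);                       // fresh random value per login attempt
}

function respond(authenticator, challenge) {
  return crypto.sign(null, challenge, authenticator.privateKey);
}

function verify(server, challenge, signature) {
  return crypto.verify(null, challenge, server.publicKey, signature);
}

// Constructed walk-through: one valid login, then a replay of the captured response
// against a new challenge.
function demo() {
  const { authenticator, server } = register();
  const c1 = newChallenge();
  const sig = respond(authenticator, c1);
  const c2 = newChallenge();
  return {
    hotpCodes: [0, 1].map((n) => hotp('12345678901234567890', n)), // RFC 4226 test secret
    login: verify(server, c1, sig),
    replay: verify(server, c2, sig),
  };
}

console.log(demo());
```

A database leak on the HOTP side exposes the shared secret itself, whereas the challenge-response server record contains nothing that can produce a valid response.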