I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.

  • JustEnoughDucks@slrpnk.net · 2 upvotes · 6 days ago

    I am still doubtful of these password strength “reasoning” blog posts, of which there are hundreds.

    There seems to be no real information regarding dictionary attacks and how that affects password solve times, but it seems like passphrases would be more susceptible to it. I am definitely no expert.

    I briefly talked to a friend of a friend at a dinner who is in digital cyber security, and she said that AI has pretty much changed the game and can guess any word-based password strings like the famously quoted xkcd comic orders faster than traditional methods, and hackers are using that now, but it hasn’t had as much academic research yet. Maybe that is only for unsalted passwords though.

    • hirihit640@sh.itjust.works · 1 upvote · 6 days ago

      If you make word-based passwords, you still need to make sure to use random words. If you use a sentence or quote or song lyrics, then those usually have far less randomness than people think, and thus can be guessed easily by AI.

      But if you use random words, a few words can be plenty secure. The diceware word list used by many password generators has 7777 words. 6 words means 7776^6 possibilities, which is approximately 2^78, aka 78 bits of entropy. That would take many years for any datacenter to crack. Though personally, for really strong passwords, I go for 90+ bits of entropy.
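      The arithmetic in this reply, as an added Python example that is not from any commenter: entropy of a Diceware passphrase (7776 = 6^5, one word per five dice rolls), the word count needed for a 90-bit target, and how long exhaustive search would take at an assumed guess rate. The 10^12 guesses per second figure in the usage is a hypothetical rate chosen for illustration, not a number from the thread.

```python
import math
import secrets

DICEWARE_WORDS = 7776  # 6**5: every five-dice roll selects one word


def entropy_bits(num_words, list_size=DICEWARE_WORDS):
    """Entropy in bits of num_words words chosen independently and uniformly."""
    return num_words * math.log2(list_size)


def words_for_bits(target_bits, list_size=DICEWARE_WORDS):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every passphrase of the given entropy at an assumed
    (hypothetical) guess rate; the expected time is half of this."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def diceware_key(rng=secrets):
    """Five uniformly random die rolls, e.g. '31462': the index into a
    Diceware list. Uses the secrets CSPRNG, never random.random()."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(5))


if __name__ == "__main__":
    six = entropy_bits(6)
    print(f"6 words: {six:.1f} bits")                       # ~77.5 bits, i.e. ~2^78
    print(f"words for 90 bits: {words_for_bits(90)}")       # 7
    # Hypothetical rate of 10**12 guesses/s, purely for illustration.
    print(f"years to exhaust 6 words: {years_to_exhaust(six, 1e12):.0f}")
    print("example roll:", diceware_key())
```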

  • Gsus4@mander.xyz · 2 upvotes · 6 days ago

    So we always assume passwords were unsalted? Or can they also brute force salts?

  • ExperimentalGuy@programming.dev · 1 upvote · 6 days ago

    This blog post makes some weird assumptions. One that especially stood out to me was that when writing a password, someone would only capitalize the first letter. What? It’s probably more common, but it’s definitely not the only letter someone would capitalize. There are a few other assumptions like that, and I’m not sure where they’re coming from.