Some sites have strong requirements. E.g.

Your new password must:

  • be at least 8 characters long (longer passwords are more secure)
  • contain at least 1 uppercase character
  • contain at least 1 lowercase character
  • contain at least 1 numeric digit
  • contain at least 1 of these special characters ~ ^ * _ ? \ . / ! + - { } [ ]
  • contain no spaces

I am a layperson (i.e. not familiar with security matters). Because these passwords are so damn hard to remember, I often, perhaps foolishly, record such passwords down, often digitally at various places, on my Windows desktop, in my emails, in some Notes app on my phone, etc.

I am probably not alone. So is it possible that because of user behavior similar to mine, these supposedly strong passwords are actually counter-productive?

  • 8 chars are far too short now. – AstroDan Mar 12 '16 at 02:02
  • @AstroDan 8 chars base64 give 48 bits of entropy. Should be enough at current technology level, as long as all standard keyboard symbols are allowed. – timuzhti Mar 12 '16 at 03:08
  • @Alpha3031 not really. My GPU-based system can generate and test ~1 billion passwords per second and could generate a rainbow table for all 48 bit passwords in a few days. Even back in 2012 custom hardware could reach 320 billion passwords per second (http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/) which could crack 48 bits in 15 minutes. You always assume worst case (offline attack, poor storage) when setting up security for systems that you don't control (online sites' password storage in this case). – AstroDan Mar 12 '16 at 04:00
  • @AstroDan, frankly, I don't trust that the passwords are hashed at all. Now they're telling me I can use any of my past passwords... How do they know that? And if you're changing the sensitive ones frequently enough to mitigate database compromises, which you should be doing if you're assuming poor storage, there's no point in making it any stronger than 48 bits. – timuzhti Mar 14 '16 at 10:50
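The following is an added worked example, not code from the question or from any commenter. It checks a password against the six rules quoted in the question, and then puts numbers on the entropy and offline-cracking arithmetic the comments argue about: the 48-bit figure (8 symbols from a 64-symbol alphabet), the two guess rates cited (about 1e9/s for one GPU box, 3.2e11/s for the 2012 cluster), and how little the composition rules themselves change the keyspace. Assumption: the site accepts only the four character classes the policy names, giving a 77-symbol alphabet; the `seconds_to_exhaust` figure is the worst case of trying every candidate, which only applies to a uniformly random password, not to a human-chosen one.

```python
import math
import string
from itertools import combinations

# Character classes taken from the policy quoted in the question.
UPPER = frozenset(string.ascii_uppercase)          # 26 symbols
LOWER = frozenset(string.ascii_lowercase)          # 26 symbols
DIGITS = frozenset(string.digits)                  # 10 symbols
SPECIALS = frozenset("~^*_?\\./!+-{}[]")           # 15 symbols, exactly the ones listed
CLASSES = [UPPER, LOWER, DIGITS, SPECIALS]
# Assumption: nothing outside these four classes is accepted, so the alphabet has 77 symbols.
ALPHABET_SIZE = sum(len(c) for c in CLASSES)       # 77


def policy_violations(password: str) -> list:
    """Return the rules the password breaks, in the order the policy lists them (empty list = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not UPPER.intersection(password):
        problems.append("no uppercase character")
    if not LOWER.intersection(password):
        problems.append("no lowercase character")
    if not DIGITS.intersection(password):
        problems.append("no numeric digit")
    if not SPECIALS.intersection(password):
        problems.append("no listed special character")
    if " " in password:
        problems.append("contains a space")
    return problems


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` symbols.
    8 symbols from a 64-symbol (base64) alphabet gives the 48-bit figure from the comments."""
    return length * math.log2(alphabet_size)


def compliant_count(length: int) -> int:
    """Number of strings of this length over the 77-symbol alphabet containing at least one symbol
    from every class, by inclusion-exclusion over the set of classes that are entirely absent."""
    total = 0
    for k in range(len(CLASSES) + 1):
        for absent in combinations(CLASSES, k):
            remaining = ALPHABET_SIZE - sum(len(c) for c in absent)
            total += (-1) ** k * remaining ** length
    return total


def compliant_bits(length: int) -> float:
    """Entropy of a password chosen uniformly among all policy-compliant strings of this length."""
    return math.log2(compliant_count(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every one of the 2**bits candidates."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor!", "Ab1! xyz"):
        print(f"{pw!r}: {policy_violations(pw) or 'compliant'}")
    # Guess rates cited in the comments: ~1e9/s for a single GPU box, 3.2e11/s for the 2012 cluster.
    for bits in (uniform_bits(8, 64), compliant_bits(8), compliant_bits(12)):
        days_gpu = seconds_to_exhaust(bits, 1e9) / 86400
        minutes_cluster = seconds_to_exhaust(bits, 3.2e11) / 60
        print(f"{bits:5.1f} bits: {days_gpu:12.2f} days at 1e9/s, {minutes_cluster:12.1f} min at 3.2e11/s")
```

Two things the numbers show: the 48-bit keyspace falls in a few days at 1e9/s and in about a quarter of an hour at 3.2e11/s, matching the comment thread, and the four composition rules cost only about one bit against a uniformly random 8-symbol password (roughly 49 bits versus 50), so they do not make a random password weaker in any meaningful way. What they do change is the human behaviour the question describes: a policy that forces an unmemorable password pushes people to write it down, and the entropy calculation says nothing about a password stored in plaintext in an email or a notes app. Length is the lever that actually moves the worst-case number; each extra symbol from this alphabet adds about 6.3 bits.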
