[bryondowd]

I wonder if anyone has a formula to convert estimated $ loss if a password is cracked to a suggested level of password entropy. In other words, you could probably calculate that a given password format (say, 8 random characters with about 70 possible values each) would require X CPU cycles, with Y% certainty. Then, you could convert the CPU cycles to an estimated opportunity cost to crack that password. That would be the maximum value that this password format would be sensible to protect. Drop a couple orders of magnitude if you want to err on the safe side (or adjust Y). I expect you'd reach a number beyond all economic activity on Earth before you hit 100 characters, 15 probably exceeds most people's net worth, and 8 characters probably suffice for the majority of sites requiring a password.

I think the bigger win of using a password manager is being able to use different random passwords for each site, rather than using particularly long ones. That alone gives you sufficient entropy to beat brute force attacks and isolation of your other accounts from a single site leaking your password from their end.

[tedunangst]

Yes. Additionally, if your bank is at all competent, they will enforce rate limits that prohibit online guessing attacks. If an attacker has your bank password hash to perform an offline attack, it's reasonable to assume they also owned the rest of the bank and have a copy of any session cookies, "security" answers, etc. you provided, and probably don't need the password. If a site has been compromised, the site has been compromised. Unique passwords are the best way to contain the damage.

[hackuser]

> about 70 possible values each

The norm is 95 values. That's the all ASCII printable characters, or just count them on your keyboard.

(I'm not sure if that includes the <space> character.)

[bryondowd]

Fair enough. I erred low due to many sites restricting symbols. Also considered leaving out symbols entirely and going with 62 for that reason. Fewer possible symbols just means extra characters, and probably doesn't even have a huge impact on that number. Nine alphanumerics (62 possibilities) beats eight characters with 95 possible values, and if you want something easy to type manually, could be preferable. Depends on usage and site requirements.