Niceware ships 65,536 unique words. 3 words chosen randomly is 1 "password" of 281,474,976,710,656 possibilities.

https://diracdeltas.github.io/niceware

If that password was hashed with a single pass of vanilla MD5, Jeremi Gosney's cluster of 8 Nvidia GTX 1080i GPUs [2] would be running at 307,200,000,000 hashes per second.

https://gist.github.com/epixoip/ace60d09981be09544fdd3500505...

In order to exhaust half of the keyspace, so odds would be in the favor of the password cracker finding the original hash, they would need to search only 140,737,488,355,328 hashes. At 307.2 gigahashes per second, this would take approximately 458 seconds, or just under 8 hours using the Niceware list.

However, jumping to 4 random words grows that time by a factor of 65,536, which means reaching 50% exhaustion would take approximately 1 full year. Move to 5 randomly generated Niceware words, and it's impractical to attempt cracking the MD5 hash.

Cherry-picking 3 words is a little dishonest for the discussion surrounding password security. The right "best answer" for password generation is to use a password manager, no argument there. And I don't know of any password generators that generate passphrases by default, Niceware, Diceware, or otherwise. But if a user wants a passphrase instead, I don't know of a security expert who would recommend 3 words.