Hacker News new | ask | show | jobs
by GekkePrutser 2008 days ago
I do't really agree with the long passphrase thing.. I leave my passwords at 12 characters max (and 8 for less important sites)

Reason: You still have to type it sometimes. Like on a device you don't have the password manager on. That makes it really annoying. And because it's only used on one site it doesn't really matter how long it is. If a hacker gets hold of the password file they already own that site anyway. Doesn't really matter whether they can bruteforce the hash. It won't give them more access than they already have.

I do agree with the horcrux thing though.. Really important passwords I only store on paper and I already add a memorised thing to them. But be aware it's not perfect either. A compromised endpoint could have a keylogger installed. Totally passwordless with Fido2 for example would be even better.
2 comments
nhumrich 2008 days ago
> won't give him access to more then he already has.

That is very incorrect. A lot of hash leaks happen when an attacker can read data. but he can't necessarily edit it or even make sense of it. Also, the attacker usually does a quick download, then _sells_ the data. So, imagine your Twitter password was leaked. The original attacker a) likely doesn't have write access, and 2, is just going to sell the password hashes. The real worry is the buyer, who buys the hashes, to log in as you and do anything.

This is how youvebeenpwned works. He actually finds leaks of hashes on the dark web.

link
nucleardog 2008 days ago
> Reason: You still have to type it sometimes. Like on a device you don't have the password manager on.

Assuming a standard typeable character set (letters upper/lower, numbers, symbols you can type on a standard US keyboard), you've got 92 characters. (Safe assumption given you're planning on typing this on all sorts of devices.)

Your randomized eight character password has 52 bits of entropy. Twelve characters takes it it to 78 bits. Not really enough if you're up against an offline attack.

Assuming you choose 5 random English words (which will probably take you about two seconds to type on something like a phone), you'll have a more secure password.

I agree typing on devices that don't have your password manager is annoying, but in my experience it _really_ doesn't come up that often. Yours is the exact reason I use 32 character passwords rather than the 64/128/etc some people I know use.

But 12 is.. short. The trade-off between the added security and the inconvenience makes it a pretty obvious choice for me. (And you're wrong--having a database dump full of password hashes does not "already owning that site" make.)

Typing 32 characters on a game console to log into Netflix taking an extra minute every few years is really not that inconvenient relative to the added security. And it's something like 2^130 times more secure than your 12 character password for the inconvenience it brings. Or about 1,361,129,500,000,000,000,000,000,000,000,000,000,000 times (I can't actually find the SI prefix for how big this is) stronger.

link