| HN Mirror

> most of the discussion about passwords completely miss the point. [...] any password under around 50 characters is as good as "dog"

I think you've completely missed the point.

After how long do you start to get annoyed when logging in? Most people probably at 2-5 seconds, but let's say ten full seconds of waiting for the computer to do the hashing. A word like dog is among the top few thousand words, let's say ten thousand, so after 10k×10s/(3600 seconds per hour) = ~28 hours your password is cracked on a single cpu. Probably more like 28 minutes on a couple GPUs, and this is using a complexity setting that literally nobody is going to use (I bet even the NSA isn't paranoid enough to wait 10 seconds for every login). Now compare that to "any other password under around 50 characters".

If you want to use a passphrase, pick random words (at least five when using complex words; the number depends on your dictionary size). Not a single word that is also very common. That completely misses the point.

This strategy would work if literally everyone uses a random words generator and yours, against all odds, comes up with a single common word. Then attackers would have no reason to crack in order of commonness and start with a single word. But that is not the reality we live in and attackers do start with simple passwords before complex ones. (Source: one of the things we do at work is crack passwords, most commonly when we get our hands on Windows password hashes.)

im sorry, what point are you making?

if its that "dog" is a weak password, i thought that was evident. but many people seem confused that "horseloverwhatever" is more secure, similarly that "dog23!Wog" is more secure. my point is they are equally trash so leave the user alone

> if its that "dog" is a weak password, i thought that was evident

You're confusing me. First you say that "dog" is just as strong as any other password, now you say that it should have been evident that it's a weak password. Which is it?

> my point is they are equally trash

This again sounds contradictory, but this time within one comment. First you say that horseloverwhatever is stronger than dog, but then that they are equally "trash".

i meant others commonly assume horseloverwhatever is more secure.

to be more clear,

1. dog is weak 2. horseloverwhatever is weak 3. 8randoms! is weak 4. therefore, dog is as good as horseloverwhatever or 8randoms! 5. most account compromises do not even require a brute force (shoddy practices on the backend) making the complexity requirements pointlessly burdensome on the user 6. in cases where you want a password to resist a legitimate brute force, we need to talk about passphrases (ie > 50 chars) or passwordless

what u think?

chordalkeyboard 1268 days ago

short passwords are still a security weakness even when properly stored because the time necessary to brute force them is relatively low.

i agree. but most sites that enforce a policy (8 chars, symbols, etc) are bruted just as easily. we need to take a step, away from passwords, to secure against brute force in 2022

chordalkeyboard 1268 days ago

well the gp's point is that it literally is not 'just as easy' because the space of possible passwords increases greatly with each character, such that 'dog' is much, much easier to bruteforce than 'doggie12'.

To be fair, I'd probably crack doggie12 sooner than dog because who has ever seen a website with a password length requirement below 6. But technically, yep you're 100% right.

danrocks 1268 days ago

also: rainbow tables

The length of the password only somewhat matters for rainbow tables -- they're not limited to dog-sized passwords -- but also, I rarely come across implementations these days that do not use a salt of some kind, which defeats existing rainbow tables. Generating one-off tables is about as expensive as just cracking the hashes directly.

(Then again, the implementations I see are mostly from well-known projects or customers that care enough about security to hire us. It's biased, but I do think word has gotten round about hashing and salting.)

BeefWellington 1268 days ago

    a random word, like "dog" or "pingpong" is fine if the pqsswords are salted and hashed appropriately.  how often have your accounts been hacked this way? if an adversary is really banging on the hash, and they want it, any password under around 50 characters is as good as "dog", and no "complexity" meter is gona cut it.

You really need to provide some sources for this claim; it's outlandish and unreasonable because it varies so wildly depending on what you mean by "appropriately". This isn't magic, it's math, and we know how fast computers can do specific kinds of math under specific conditions.

[0] - https://www.linkedin.com/pulse/linkedin-hack-understanding-w...

danrocks 1268 days ago

> yep, most of the discussion about passwords completely miss the point. a random word, like "dog" or "pingpong" is fine if the pqsswords are salted and hashed appropriately. how often have your accounts been hacked this way?

A word like "dog" or "pingpong" is favored in a rainbow-table type of attack. Nobody pre-hashes "109231oijoasdfnaisdfabatteryhorse123".

And yes many passwords have been hacked this way [0].

So it's hard to understand the point you are tried to make. Why don't you try again and expand on "modern brute force techniques" that could crack a password 50 characters long? More productive endeavor and benefits the board.

apoligies for the lack if clarity

how does a rainbow table crack "dog" with the salt "109231oijoasdfnaisdfabatteryhorse123"?

rainbow tables are as old as time and indeed still work on passwords with poor salting. for more complex (but not complex enough) passwords there are more modern approaches, like probabilistic candidate generation