Password strength?

When it comes to passwords, I've usually used a 10 character random mix of uppercase, lowercase, special and numeric characters, and have never had any issues with these being accepted as adequate. (Before I get told off, I have a different password for each application I use!)


However, when recently setting up a new application, my 10 character password was described by the system as "weak". So I used a 19 character password (again, a random mix of characters) and this time it was described as "fair".


Given that there are 256 ASCII characters, the determined hacker has a 1 in 5.709 X 10^45 chance of striking it lucky with my 19 character password. (I say lucky - he'd be sadly disappointed at what he found after all that effort). So my question is, what lengths would one have to go to, in order to create a password that could be described as strong?
  • I have to disagree with your assessment of the odds against the hacker. While there may be 256 ASCII codes, many of these are unusable (such as ASCII 127 which is delete). The standard keyboard has about 48 character keys, which with the shift key expands this to 96. However this still leaves the hacker with 4.6 x 10^37 options, and that is assuming he knows the length of the password. I would further point out that by demanding a password MUST have (as opposed to may have) uppercase, lowercase, numeric and special characters (ULNS from now) you are actually reducing the number of possible permutations and so potentially making the password weaker.

    Most password checkers I have seen require 8 (or more) characters made up of three out of four of ULNS and categorise random collections of these as strong. I suspect the instance you are describing is one where the check for strength has a mistake in the algorithm. Are you able to say what the application was (though of course I would fully understand if you decline to say on a public forum).

  • I have often referred people to this XKCD, which, despite being a bit tongue in cheek, is very true in its basic thrust.

    And any system worth its salt imposes a short delay between retries - even a few hundred milliseconds is enough to slow down a machine attack to being not much faster than a typist.

    Really secure things do not use a password, complex or simple, as the sole means anyhow, as they are weak against human attacks - another valid point.
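The two replies above argue with numbers: one recomputes the search space on a 96-symbol keyboard alphabet and notes that a "must contain all four classes" rule shrinks it, the other points out that a few hundred milliseconds per attempt is enough to make online guessing impractical. The following script is an added example, not code from this thread or from any product mentioned in it; it carries those three calculations through. The 256 and 96 alphabet sizes come from the posts; the 94-symbol printable-ASCII split into four classes (26/26/10/32) and the 300 ms throttle are assumptions chosen for illustration.

```python
import math
from itertools import combinations

# Assumed character-class sizes for this example: printable ASCII without the
# space character gives 94 symbols (26 upper, 26 lower, 10 digits, 32 punctuation).
# The thread's 256 and 96 alphabet sizes are passed in explicitly below.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from one alphabet."""
    return alphabet_size ** length


def keyspace_requiring_all_classes(class_sizes, length: int) -> int:
    """Count passwords of `length` symbols that use at least one symbol from
    *every* class, i.e. a 'must have upper, lower, digit and special' rule.

    Inclusion-exclusion: start with all strings over the union alphabet,
    subtract strings that miss any one class, add back strings that miss any
    two classes, and so on.
    """
    sizes = list(class_sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(range(len(sizes)), k):
            remaining = sum(s for i, s in enumerate(sizes) if i not in excluded)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(count: int) -> float:
    """Bits of entropy for a uniformly random choice among `count` passwords."""
    return math.log2(count)


def seconds_to_exhaust(count: int, seconds_per_attempt: float) -> float:
    """Worst-case time to try every candidate at a fixed cost per attempt."""
    return count * seconds_per_attempt


def summary(length: int, seconds_per_attempt: float = 0.3) -> dict:
    """Compare the thread's models for one password length: the poster's
    256-symbol alphabet, the 96-key keyboard estimate, and the 94-symbol
    printable set with and without the all-four-classes rule. The throttle
    defaults to one attempt per 300 ms (assumed)."""
    free_94 = keyspace(94, length)
    forced_94 = keyspace_requiring_all_classes(CLASS_SIZES.values(), length)
    return {
        "ascii256": keyspace(256, length),
        "keyboard96": keyspace(96, length),
        "printable94": free_94,
        "printable94_all_classes": forced_94,
        # How many bits the composition rule removes from a random password.
        "bits_lost_to_rule": entropy_bits(free_94) - entropy_bits(forced_94),
        # Worst-case years to exhaust the rule-constrained space at the throttle.
        "years_at_throttle": seconds_to_exhaust(forced_94, seconds_per_attempt)
        / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    for n in (8, 10, 19):
        s = summary(n)
        print(
            f"length {n}: 256^n={s['ascii256']:.3e}, 96^n={s['keyboard96']:.3e}, "
            f"rule costs {s['bits_lost_to_rule']:.2f} bits, "
            f"{s['years_at_throttle']:.3e} years to exhaust at one try per 300 ms"
        )
```

Running it reproduces the 5.709 x 10^45 and 4.6 x 10^37 figures from the thread for 19 characters, shows that forcing all four classes costs a random password only a modest number of bits (the reply's point that the rule can only reduce the space, not enlarge it), and makes the throttling argument concrete: even the constrained 8-character space takes far longer than a human lifetime to exhaust at one attempt per 300 ms, which is why the practical threats are leaked databases and reuse rather than online guessing.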
  • I concur - how often are attacks the result of actually cracking a password, against buying leaked data or exploiting some other vulnerability? Also, any system that permits a billion password attempts in a short period is just inviting hacking.
  • I would agree there Alex.


    I would suggest that the vast majority of hacking incidents are from where data has been compromised or stolen from large organisations who haven't encrypted it sufficiently. I doubt very much if cyber criminals would really take the time and effort to target specific individuals in an attempt to crack their password and get access to their online accounts. 


    So to be honest your password is only as secure as the encryption methods being used by the organisation your account is held with. 


    Recently I've had to change a number of passwords I use for a variety of different web based systems as their data had been hacked.  I think LinkedIn had their data compromised not long ago...? So no matter how secure my password is, if their data has been hacked then whatever combinations of letters numbers and symbols I've used means absolutely nothing as it's all going to be displayed to the hackers anyway once they decrypt the data.
  • Just to add to this conversation, there is a website here: https://haveibeenpwned.com/ that you can pop your email address into and it will tell you if your email address has been compromised by data breaches and which organisation it applies to.
  • I presume they also tell you that they have your Email address, after you have typed it in?

  • mapj1:

    I presume they also tell you that they have your Email address, after you have typed it in?

    From their privacy statement:

    When you search for an email address


    Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.


    Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.