![]() Don't use short passwords even with mutations (leet-text, years, exclamation marks, etc)."banana" "plane" -> "banana_Plane2022!")Īttack effectiveness: though the space of all possible guesses is much bigger, it also has higher computational complexity since it tends to run through many mutating patterns for all possible combinations. That said, there aren't that many 'others' and a subset of them make up the vast majority of password-guessing attacks you would reasonably face.Īpproach: mutation-based approaches which take input words then mutate them in predictable ways (e.g. That's how a significant amount of dictionary-based password guessing attacks work so it's a completely valid model, but there are others. The math above assumes an uniform distribution of words in the English language. That does make it somewhat subjective in the sense that no one can really know how they're being attacked. in practice, that means how passwords are guessed/bruteforced. 'degree of unpredictability' is basically decided by the distribution you pull samples from. The number of characters doesn't matter in this case. ![]() If however you have not chosen your words randomly, nobody can tell you how secure your master password is. Common password hashes are designed to be around 6 orders of magnitude slower, 3 minutes suddenly become >5 years.Īssuming the combined work of all bitcoin miners worldwide, without any mutations. In other words: If you were able to convince every single bitcoin miner on this planet, a large share of total GPU sales, to help you crack such a password, it would still take 3 minutes.īut bitcoin uses the intentionally fast SHA-256 algorithm. The highest hashrate ever achieved by all bitcoin miners worldwide combined was 273 trillion hashes per second. Let's have a look:įour randomly selected words from a word list with 15k elements, no mutations. If you have selected four words from a word list of size >15000 in a truly random fashion, you have nothing to worry about. The length is obviously strong and is a nonsensical sentence, but in the end, the words are dictionary.įor some reason it's the third time today I write this down, but here we go: I have a 30-character master password in the "correct horse battery staple" XKCD style, so more of a passphrase. I guess my most pressing question is how safe is my data for a month, a year, five years, etc.? Is it safe indefinitely due to MFA? This is doable and in my wheelhouse, but still, it's one more thing to manage. But now, I have to worry about a VM or containers and where to host it, security updates, etc. ![]() LastPass has had rock-solid availability for years and while their Android app has sucked a bit, it's always been functional and the service online. Really, this should have been the only model, but I didn't want to and I don't want to now.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |