Inconsistent Password Length

That’s 10,000^4 or 10,000,000,000,000,000 possible passwords. And that assumes a space between each word instead of a - or a . You can’t have a rainbow table that large.

We need a NIST standard that says passwords should allow any UTF8 character, should allow a minimum of 100 characters, and should require 12 characters or more so we have ammunition for these idiot banks (they do seem to have the worst password policies).

NIST did update its recommendations recently.

Thanks…I’m not sure I buy all the arguments one way or the other about entropy and that more is better. From an engineering perspective more is always better for passwords I guess…but when you get down to plain old brute force guessing, which is what long passwords force you into…it’s not all that clear to me conceptually that more entropy is any better or worse than just longer. The lack of numbers or upper case in the second example is likely what drives the lower entropy value…sticking those in gets it up to 78, which is in the same ballpark range as 104…but centuries in any event.

In either case though…once you get to more than 17 characters to get around the NTLMv2 issues…then it’s a long time to crack. So is 104 entropy really “better”? Hard to really say when it’s still that long involved brute force method involved.

If I was one of those guys that 3 letter agencies might be interested in…then I would just use offline encryption with 1024 or 2048 bit keys and not worry about it. Using a separate laptop with none of the “stuff I need to keep secret” on it for email and web with anonymous browser sessions and pseudo anonymous (i.e., no personal info entered) email addresses along with TOR, war driving, random Starbucks wifi connections, etc. The simple truth of the matter is that if one is willing to actually use encryption to its fullest then it’s truly dark to being decrypted by law enforcement, and by transferring anonymous blobs of highly encrypted data around your comms just get lost in the internet background. Fortunately…bad guys aren’t usually as smart as they should be…that’s why they get caught.

True…but if you make the password long enough then brute force is the only option…and that’s the whole purpose of using long passwords. Make the easier cracking techniques not relevant and then cracking time is almost entirely dependent on length…so make it something that’s capable of the user remembering rather than completely random gibberish…although the latter might be superior in a perfect world there are times when ya gotta actually type the password and as all engineers know…better is the enemy of good enough. Very few people need perfect password security…for the vast majority of us good enough is well…good enough.

I put in a recommendation that was (when I retired)…wending its way through the higher levels of DoD password approvers that basically said do away with the existing rules and instead replace them with 2 rules only.

25 characters

Changed annually

Beyond that nothing else is really needed to keep the password from being cracked…and it’s much less likely if you let them make the password whatever they want that they’ll use something they don’t need to write down on a sticky note stuck to the monitor.

The real problem is that the computer security rules are about 25 years behind the times.


Forcing changing passwords is the single worst thing you can do for security, it practically guarantees passwords will be written down.

That’s why I put in the recommendation…much better than a 90 day change requirement. Annual is plenty…keeps the security wonks happy and is far enough apart to cut down a lot on the writing them down.

neil

Never is plenty. The only time a long password should need to be changed is if for some reason the password (not the hashed salted password, the actual plain-text password) has leaked.

A password of 25 characters comprising only uppercase letters and numbers yields a possible number of passwords of about 8 followed by thirty-eight zeros. A massive distributed cracking array that can check 100 trillion passwords every second would take 2 thousand trillion centuries to check all possibilities, long after the heat-death of the universe.

Add in lower case, and you have a 6 followed by forty-four zeros, or 2 billion trillion centuries.

Make it the most common 100 characters and you’re looking at 50 zeros (over 500 trillion trillion centuries).

The number of atoms in the universe is estimated at around 82 zeros.

Now, this depends on random passwords, but even a 25 character password composed of 4-5 letter words and a separator, if it’s a random selection, is still a massive effort to crack, and that is assuming you know absolutely for certain the password can only be specific words.

tl;dr Length trumps entropy very quickly and passwords over 20 characters are secure beyond the ken of our current understanding of how math works and this is not simply a matter of getting faster computers.
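The arithmetic behind the figures in this post and in the earlier 10,000-word passphrase post, as an added worked example (not code from anyone in the thread): it computes the search space for an alphabet and length, the same for a dictionary passphrase, the equivalent entropy in bits, and how many centuries a guessing rig would need to exhaust the space. The guess rate of 100 trillion per second and the alphabet sizes (36, 62, 100) are taken from the post; the length of a century (36,525 days) is an assumption made here.

```python
import math

# Assumption: a century of 36,525 days (365.25-day years), in seconds.
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Guess rate used in the post: 100 trillion guesses per second.
GUESSES_PER_SECOND = 100 * 10**12


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Number of word-list passphrases, assuming the attacker knows the
    exact dictionary and word count (the pessimistic case in the post)."""
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def digits(space: int) -> int:
    """Decimal digit count: 'an 8 followed by 38 zeros' has 39 digits."""
    return len(str(space))


def centuries_to_exhaust(space: int, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Centuries needed to try every candidate at the given guess rate.
    Average time to hit the right one is half this; the order of magnitude
    is what matters."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def scenarios() -> dict:
    """The scenarios discussed in the thread, computed from scratch."""
    cases = {
        "25 chars, upper + digits (36)": keyspace(36, 25),
        "25 chars, upper + lower + digits (62)": keyspace(62, 25),
        "25 chars, 100 common characters": keyspace(100, 25),
        "4 words from a 10,000-word list": passphrase_space(10_000, 4),
    }
    return {
        name: {
            "space": space,
            "digits": digits(space),
            "bits": round(entropy_bits(space), 1),
            "centuries": centuries_to_exhaust(space),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}: {r['digits']} digits, {r['bits']} bits, "
              f"{r['centuries']:.3g} centuries to exhaust")
```

Running it reproduces the post's orders of magnitude (39-digit, 45-digit and 51-digit search spaces) and shows why the passphrase post's 10^16 space, at only about 53 bits, is the one that depends on the attacker not knowing the word list: at the same guess rate it is exhausted in under two minutes, whereas the 25-character random cases run to trillions of centuries.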

You’re right. But nobody will ever be able to convince government security weenies of that…so annual would at least be an improvement.

TTFN:

neil

I thought NIST itself now recommends not to arbitrarily (i.e. unless there’s some explicit reason to believe a password or passwords has been compromised) expire passwords?

Brian

Could be…I’ve been out of that business for going on 7 years.

neil

The UK National Cyber Security Centre (which is part of GCHQ, so is certainly well versed in security issues) recommends not forcing people to change passwords unless there is suspicion that they’ve been compromised.

This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.
[…]
Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

They produce a very useful and concise guide to password best practice.