Is this true? Are longer passwords better than complicated passwords? Because god damn it, I hate it when I sign up for something and it says I need at least:
- 1 capital letter
- 8 characters
- 1 number
- 1 symbol
It's so frustrating.
Or is this supposed to be sarcastic? I am a complete fool when it comes down to programming and software security.
He's right. As you lengthen a password, the number of possibilities rises exponentially. When computers were slower and nobody stored as much password data, brute force attacks were harder. Early brute force attacks commonly used just numbers or a 'dictionary' set. If your password was one word up to 8 letters, it might have taken a little longer to try everything until it worked, but you'd probably still get there if determined. Now that computers are faster, it's easier. So we started forcing people to use at least 8 characters, a cap, a number, and a symbol, as this gives more possibilities per character. But still, computers are very fast.
But as the XKCD cartoon says, the longer it gets, the more difficult. Even if you just had passwords that were numbers only: a 1 digit password has 10 possibilities. A 2 digit one has 100. And so on; each additional character is 10 times more possibilities. Even limiting to lower case English letters, at 44 places, that's 26 x 26 x 26 and so on, out to 44 times.
Another thing that doesn't get mentioned is many systems have anti-brute force built in, so X failed logins to a particular username within a short period of time locks down the account either for a long time (30 mins or more) or requires manual intervention.
Blizzard Entertainment Software Developer - All comments and views are my own and not representative of the company.
I have been told this is false because it opens up attacks by dictionary. So using a couple weird words in another language or proper nouns should be an improvement.
Looking for a cool game? Find it in my blog! Latest post: Often, games must be difficult http://eriktwice.com/
General_Norris has a pretty good point. It's easier to guess something if it's words, as opposed to individual characters. Then it's only 4 items in this instance, as opposed to 44 individual characters.
And almost no malevolent software uses just straight brute-force. It would never get in unless the password was blank or one of the top ten most common passwords.
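The counting in Hobie-wan's post (10 possibilities per digit, 26 per lowercase letter, 44 places) and Cronozilla's point (4 dictionary words vs 44 individual characters), worked through in Python. This is an added example, not code from anyone in the thread; the guess rate and the word-list size are assumed values chosen only to turn search-space sizes into something comparable.

```python
import math

# Assumed values (not from the thread): an offline guessing rate and
# the size of the word list an attacker would try for a 4-word passphrase.
GUESSES_PER_SECOND = 1e9
DICTIONARY_WORDS = 2048
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space_chars(alphabet_size: int, length: int) -> int:
    """Candidates when every position is drawn independently from one alphabet.
    10 digits * 1 place = 10, 2 places = 100, ... (Hobie-wan's count)."""
    return alphabet_size ** length


def search_space_words(dictionary_size: int, word_count: int) -> int:
    """Candidates when the attacker knows the password is word_count words
    from a known list, so each word is one 'item' (Cronozilla's point)."""
    return dictionary_size ** word_count


def entropy_bits(space: int) -> float:
    """Search space expressed as bits: log2 of the number of candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Side-by-side: the thread's 44-letter string, the same passphrase
    attacked as 4 words, and an 8-character mixed-class password."""
    cases = {
        "8 chars, 95-symbol alphabet": search_space_chars(95, 8),
        "44 lowercase letters, char by char": search_space_chars(26, 44),
        "4 words from a known 2048-word list": search_space_words(DICTIONARY_WORDS, 4),
    }
    return {name: (entropy_bits(s), years_to_exhaust(s)) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:40s} {bits:7.1f} bits  {years:.3g} years to exhaust")
```

The word-based figure only applies if the attacker knows to try whole words, which is the assumption the later replies in this thread argue about.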
Hobie-wan wrote: But as the XKCD cartoon says, the longer it gets, the more difficult. Even if you just had passwords that were numbers only: a 1 digit password has 10 possibilities. A 2 digit one has 100. And so on; each additional character is 10 times more possibilities. Even limiting to lower case English letters, at 44 places, that's 26 x 26 x 26 and so on, out to 44 times.
THIS. The cartoon is misleading, since the top section has fewer characters vs. the four separate words in the second-row comparison. The four separate easy-to-remember names will be just as hard for the computer ("entropy") whether it were characters, numbers or the easy words. All tied into the random search to come up with the answer. On the human guess factor, the regular words might be easier to grab versus throwing in a few obscure keyboard numbers or characters.
@ Hobie - Out-of-the-norm symbols are a great idea. Some password crack routines may not even take those into account.
Cronozilla wrote: General_Norris has a pretty good point. It's easier to guess something if it's words, as opposed to individual characters. Then it's only 4 items in this instance, as opposed to 44 individual characters.
Doesn't this assume the attacker knows the password is comprised of several dictionary words? This doesn't seem likely, at least not before this cartoon became popular.
It's a standard early approach, I think. If it isn't one of the trivial ones and is also not comprised of dictionary words, they probably either cannot hack it fast enough for it to be worth their trouble, or cannot hack it at all (i.e. it would take longer than their lifespan to brute force it).
So if it doesn't work they will either keep their method and move onto another target or if they specifically want that target they will try another method (social engineering?).
General_Norris wrote: I have been told this is false because it opens up attacks by dictionary. So using a couple weird words in another language or proper nouns should be an improvement.
Also using made-up words. Of course, don't use ones from movies and books. Maybe listen to kids that babble when out and about and adopt their made-up words.
Another thing to do is have a phrase you know well and use the first character of each word. Obviously you'd want to sprinkle in stuff that isn't letters, but say roygbiv for the color spectrum.