25th June 12, 03:51 PM
#1
 Originally Posted by Hachiman
20 randomly selected characters has a very high degree of entropy. Even with rainbow tables, that's going to take some significant cracking even for a bot. According to the site www.howsecureismypassword.net, that password would "... take a desktop PC about 560 sextillion years to crack ..."
Definitely, I agree that using a random string of characters is THE best way to make a password with the current conventions of how to construct a password. The point being made by that comic is not that there aren't better methods of password construction, but that the current convention is less effective than other ideas of password construction. Random letters, numbers, and symbols are going to be the least likely to be cracked, but they are EXTREMELY difficult for a human to remember. Most people won't use this type of password, simply because it is so hard to remember.
Second, the system, when calculating the amount of time for a crack, assumes a mid-range CPU/GPU making 250 million attempts per second (per the creator's Facebook account). A dedicated hacker isn't going to be running a mid-range desktop, but a top-end system, possibly even an overclocked small server system. This would greatly decrease the time to crack a password.
So, for the TL;DR: While I agree the purely random string password is the BEST password, it is an impractical solution for the average user, as memorizing a random string is extremely difficult (causing the user to do one of the big no-nos - writing it down, or saving it on their computer somewhere).
BTW, thanks for that link, that's helpful!
Last edited by Deirachel; 25th June 12 at 03:54 PM.
Reason: used an antonym
Death before Dishonor -- Nothing before Coffee
Nihil curo de ista tua stulta superstitione
25th June 12, 05:22 PM
#2
 Originally Posted by Deirachel
So, for the TL;DR: While I agree the purely random string password is the BEST password, it is an impractical solution for the average user, as memorizing a random string is extremely difficult (causing the user to do one of the big no-nos - writing it down, or saving it on their computer somewhere).
BTW, thanks for that link, that's helpful!
Deirachel, as I mentioned previously, I don't memorize my passwords. I use a cross-platform password manager to hide my randomly-generated 20-character passwords behind 256-bit encryption, and then cut-and-paste my username and passwords into the appropriate fields on any website that I use that requires authentication. I literally do not know my own email password. That's the job of my password manager.
As for the link: you're welcome! 
cheers!
Hachiman
Pro Libertate (For Freedom!) The motto of the Wallace Clan
When injustice becomes law, resistance becomes duty.
25th June 12, 10:03 PM
#3
I have no incentive from nor any relationship with LastPass, but that is the password manager I use, and I can highly recommend it. There are user-configurable options for the password strength and criteria, and they have 2 Factor authentication, which I definitely use. Because I am involved with IT and e-commerce professionally as well as personally, maintaining track of passwords would be otherwise impossible.