by Tdarcos » Sun Oct 17, 2021 9:27 am
Passwords are a stupid authentication method now, because we don't need them.
XKCD has a cartoon (https://xkcd.com/936/) on how to solve the password problem, by using passphrases instead. Easier to remember and much harder to crack.
You can even use only words in the dictionary, and it's still secure. Who's going to guess your password for your on-line bank account is "this bank can go fork itself" (without quotes, and the sentiment censored). That's 27^28 different (space being an additional character) possible tries to brute force that, or 1.1972515e+40 possible choices, and at 1000 attempts per second, would take 1.1972515e+37 seconds, or about 7.917688e+30 years to crack using brute force. Because, if the pass phrase can be up to, say, 50 characters and allows spaces, you can't know how long it is, and you have to try everything, because you don't know if they (accidentally or intentionally) misspelled a word, or (if numbers are allowed) used 1337 5p34k (leet speak). Consider that the universe is currently only about 1.35000e+9 years old, the universe is likely to suffer heat death long before you crack that.
If upper/lower case is significant, it's not twice as big, which is not double, or 1.5835376e+31, but is exponentially larger, 53^28 or 1.9042517e+48 possible phrases, which, at 1000 attempts per second, is 5.9760915e+40 seconds or 1.87547e+33 years to crack using brute force. Since the original number is already huge, I would not recommend making it case-sensitive. And if punctuation is optionally allowed, the base number again rises exponentially. So, if I used, "Above all else, we shall go on... and continue!" (including quotes) that's 49 characters not even making case significant, and with these characters: !@#$%^&*()_+}{|":?>< for punctuation, this raises the attack surface to 49 characters, with digits 59, raised to the power of the number of allowed characters in the pass phrase.
Make authentication easy for humans to remember, and hard for computers to solve.
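The keyspace and time-to-crack arithmetic in the post can be checked with a short script. The following is an added example, not code from the post or its author: it computes the character-level keyspace the post uses (27^28 for the 28-character phrase, 53^28 with mixed case, and the sum over all lengths when the attacker does not know the length), converts it to bits and to years at the post's assumed 1000 guesses per second, and, for comparison, computes the word-level keyspace an attacker would search if they knew the phrase was built from dictionary words. The 7776-word list size and the 6-word phrase length in the word model are assumptions chosen for illustration.

```python
"""Brute-force cost estimates for passphrases: character-level vs. word-level attacker models.
Added example; the phrase and the 1000 guesses/second rate are the post's, the 7776-word
dictionary and 6-word phrase are assumed values for comparison."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60  # Julian year


def char_keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols over an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def char_keyspace_unknown_length(alphabet_size: int, max_length: int) -> int:
    """Every string of length 1..max_length: the space an attacker must cover when the
    length is not known in advance (the 'you have to try everything' case in the post)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def word_keyspace(dictionary_size: int, word_count: int) -> int:
    """Distinct phrases built from `word_count` words drawn from a `dictionary_size`-word list.
    This is the search space once the attacker knows the phrase is made of dictionary words."""
    return dictionary_size ** word_count


def entropy_bits(space: int) -> float:
    """Size of a search space expressed in bits (log2 of the number of candidates)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate, in years."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def estimate(phrase: str, alphabet_size: int, guesses_per_second: float) -> dict:
    """Character-level estimate for one concrete phrase (length taken from the phrase itself)."""
    space = char_keyspace(alphabet_size, len(phrase))
    return {
        "length": len(phrase),
        "keyspace": space,
        "bits": entropy_bits(space),
        "years": years_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    phrase = "this bank can go fork itself"  # the post's example phrase (28 characters)
    rate = 1_000                             # the post's assumed 1000 guesses per second

    for label, alphabet in (("lower + space", 27), ("mixed case + space", 53)):
        e = estimate(phrase, alphabet, rate)
        print(f"{label:20s} {alphabet}^{e['length']} = {e['keyspace']:.4e} "
              f"({e['bits']:.1f} bits, {e['years']:.3e} years at {rate}/s)")

    # Attacker does not know the length: every lower-case+space string up to 50 characters.
    unknown = char_keyspace_unknown_length(27, 50)
    print(f"all lengths 1..50     {unknown:.4e} ({entropy_bits(unknown):.1f} bits)")

    # Word-level model (assumed 7776-word list, 6 words): the space an attacker searches
    # when they know the phrase is dictionary words rather than arbitrary characters.
    words = word_keyspace(7776, 6)
    print(f"6 words from 7776     {words:.4e} ({entropy_bits(words):.1f} bits, "
          f"{years_to_exhaust(words, rate):.3e} years at {rate}/s)")
```

The character-level numbers reproduce the post's 1.1972515e+40 and 1.9042517e+48 keyspaces; the word-level line shows the much smaller space (roughly 77 bits for the assumed list) that a dictionary-aware attacker actually has to cover, which is the figure worth using when judging how long a passphrase policy should require.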