[Discuss] Password managers
Kent Borg
kentborg at borg.org
Wed May 6 19:32:49 EDT 2020
On 5/6/20 1:58 PM, Rich Pieri wrote:
> You tell me why you think 16 random characters is inappropriate for
> this purpose.
The reason for making passwords long is to make them unguessable.
The key feature of a password is that, though I can make up guesses as
fast as I choose to spend the money, there is a limit to how fast I can
check my trove of passwords. I can only check them as fast as some
limited-capacity server lets me. And an even slightly competently
written server has explicit rate limiting. And any server on the open
internet is subject to lots of probing traffic...limiting it limits
one's AWS (or electric) bill if nothing else.
16 random characters? Which? Let's assume just lower case ASCII alphabetics.
26^16 is 43608742899428874059776L
That is a big number. (Add uppercase and numbers and other printable
stuff...and 52**16 and 96**16 are both crazy bigger.)
If your attacker started brute forcing that lowercase password at the
start of the universe, and had been checking 100K guesses per second
ever since, your attacker would be finishing up any millennium now.
What is the point?
Conversely, what is the cost? The cost is passwords that are completely
unusable for mere human beings. Unusable is bad security.
-kb
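The arithmetic in the post, worked through as an added example (this is not code from the thread or from any list member): it computes the keyspace and entropy of a password for a given alphabet and length, then the years an attacker needs to exhaust it at a given guess rate, expressed in multiples of the age of the universe. The guess rates, the 13.8-billion-year age of the universe and the three alphabet sizes are assumptions chosen to match the post; the 100,000 guesses/second figure is the one Kent uses, and the 10 billion guesses/second figure is a constructed stand-in for an offline attack against a leaked hash database, which is the case where length actually matters.

```python
import math

# Alphabet sizes used in the post (lowercase, mixed case, printable ASCII).
ALPHABETS = {
    "lowercase": 26,
    "mixed case": 52,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 13.8e9  # assumption: commonly cited age of the universe

# Guess rates are assumptions for illustration, not measured figures.
ONLINE_RATE_LIMITED = 1e5    # guesses/s against a server (the post's number)
OFFLINE_HASH_CRACKING = 1e10 # constructed stand-in for GPU cracking of a leaked hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def universe_lifetimes(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Same figure, expressed as multiples of the age of the universe."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / UNIVERSE_AGE_YEARS


def summarize(length: int, guesses_per_second: float) -> dict:
    """Per-alphabet summary for one password length and one guess rate."""
    return {
        name: {
            "bits": round(entropy_bits(size, length), 1),
            "years": years_to_exhaust(size, length, guesses_per_second),
            "universes": universe_lifetimes(size, length, guesses_per_second),
        }
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    # The post's scenario: 16 lowercase letters, rate-limited online guessing.
    print("26^16 =", keyspace(26, 16))
    for rate, label in ((ONLINE_RATE_LIMITED, "online, rate limited"),
                        (OFFLINE_HASH_CRACKING, "offline, leaked hash")):
        print(f"\n{label} at {rate:.0e} guesses/s:")
        for length in (8, 12, 16):
            for name, row in summarize(length, rate).items():
                print(f"  {length:2d} chars {name:16s} "
                      f"{row['bits']:6.1f} bits  "
                      f"{row['years']:12.3e} years  "
                      f"({row['universes']:.2e} universe lifetimes)")
```

The lowercase 16-character case at 100,000 guesses/second comes out at almost exactly one age of the universe, which is the point the post makes. The second table shows the caveat a defender cares about: when the rate limit is gone because a hash database has been stolen, an 8-character lowercase password falls in seconds, so the length that is "pointless" against a rate-limited server is exactly what protects the user once the server is breached.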