[Discuss] Password managers

[kentborg at borg.org (Kent Borg)]

On 5/6/20 1:58 PM, Rich Pieri wrote:
> You tell me why you think 16 random characters is inappropriate for 
> this purpose.

The reason for making passwords long is to make them unguessable.

The key feature of a password is that, though I can make up guesses as 
fast as I choose to spend the money, there is a limit to how fast I can 
check my trove of passwords. I can only check them as fast as some 
limited-capacity server lets me. And an evenly slightly competently 
written server has explicit rate limiting. And any server on the open 
internet is subject to lots of probing traffic...limiting it limits 
one's AWS (or electric) bill if nothing else.

16-random characters? Which? Let's assume just lower case ASCII alphabetics.

 ?26^16 is 43608742899428874059776L

That is a big number. (Add uppercase and numbers and other printable 
stuff...and 52**16 and 96**16 are both crazy bigger.)

If your attacker started brute forcing that lowercase password at the 
start of the universe, and had been checking 100K guesses per second 
ever since, your attacker would be finishing up any millennium now.

What is the point?

Conversely, what is the cost? The cost is passwords that are completely 
unusable for mere human beings. Unusable is bad security.

-kb