I just made a simple excel sheet. Downloaded a large dictionary that I cleaned up so the min word size is 4 I think. Then built some random rollers and built a 3 or 4 word password with some numbers and special characters between words. Generally the passwords are 20+ characters long.
From most of what I’ve read, password length makes the most difference in their strength.
So, the difference with no numbers and special characters is 52^20 (2x10^34) versus 95^20 (3.6x10^39). There are three reasons this runs into issues.
Pure math indicates that a 20-digit, alpha-only password with caps sprinkled in is slightly stronger than 12-13 digits of alphanumeric plus caps and specials.
Out of the various people within various organizations I have supported, people have disclosed their passwords to me a breathtaking number of times. It is quite common for people to create a password with only lower characters. That would be 4x10^27, about the same as 14 characters using the full qwerty set.
Either way, we are discussing a password cracking tool running locally attempting to hash your password. You do have a point that 12 thousand years is a very long time to arbitrarily guess a password. Unless something changes where someone can easily access ten thousand cores at a reasonable utility, you are pretty much safe from anyone except state level threats. That would be full time use of that many cores for 37 days at 10k cores, or 9 hours access to a million cores. We just aren’t there yet. No clue if this would work better with GPU time, but that would still be a serious system.
Now, I am stepping into old lessons from 2011, and I can't find a great source to back myself up. If I'm wrong, then I have been operating off this misinformation for 15 years and I'd greatly appreciate better information.
The final issue is that since passwords are hashed in chunks, parts of the password could become visible while the rest is being worked on. This could lead to the attacker guessing the rest of the password.
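The search-space arithmetic in the comment above, worked through as an added example (this is not code from the commenter's spreadsheet). It computes the character-level keyspaces the comment compares (52^20, 95^20, and lowercase-only), converts them to bits and to an equivalent length over a different character set, and adds a word-level calculation for the dictionary-plus-rollers construction the commenter describes, which is the space an attacker who knows the scheme actually has to search. The dictionary size (7776 words, the Diceware list size), the number of separator symbols, and the guess rate per core are assumed parameters, not figures from the comment.

```python
import math

# Character-set sizes used in the comment: lowercase only, mixed-case
# letters, and the full printable-ASCII set.
CHARSETS = {
    "lower": 26,
    "alpha": 52,
    "printable": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed in bits: log2 of the number of candidates."""
    return math.log2(space)


def equivalent_length(space: int, charset_size: int) -> float:
    """Length over a `charset_size`-symbol alphabet with the same search space.

    This is the comparison the comment makes ("about the same as 14
    characters using the full qwerty set")."""
    return math.log(space) / math.log(charset_size)


def passphrase_space(dictionary_size: int, words: int, separator_choices: int) -> int:
    """Search space for an attacker who knows the construction:
    `words` words drawn uniformly from a `dictionary_size`-entry list, with
    one separator (chosen from `separator_choices` symbols) between
    consecutive words. Character count is irrelevant at this level."""
    return dictionary_size ** words * separator_choices ** (words - 1)


def time_to_exhaust_days(space: int, guesses_per_second_per_core: float, cores: int) -> float:
    """Days to try every candidate at the given rate.

    Expected time to hit a uniformly chosen password is half of this."""
    seconds = space / (guesses_per_second_per_core * cores)
    return seconds / 86400


if __name__ == "__main__":
    # Character-level comparison from the comment.
    for name, size in CHARSETS.items():
        space = keyspace(size, 20)
        print(f"{name:>9} x20: {space:.2e} candidates, {entropy_bits(space):5.1f} bits, "
              f"~{equivalent_length(space, 95):.1f} printable-ASCII chars")

    # Word-level view of the dictionary-and-rollers scheme.
    # Assumed parameters: 7776-word list, 4 words, 10 possible separators.
    scheme = passphrase_space(7776, 4, 10)
    print(f"4 words + 3 separators: {scheme:.2e} candidates, {entropy_bits(scheme):.1f} bits")

    # Assumed rate: 1e6 guesses/s/core (a slow, salted hash on CPU).
    print(f"exhaust at 1e6 g/s x 10k cores: {time_to_exhaust_days(scheme, 1e6, 10_000):.2f} days")
```

The point of the last two numbers is that the strength of a word-based password is set by the dictionary size and word count, not by its character length; the 95^20 figure only applies to an attacker who does not know the construction.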