Password Complexity, Good or bad?
-
@travisdh1 said:
@JaredBusch said:
@scottalanmiller said:
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Very sad that it's true.
Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.
This is proven every day with all the exploits that are discovered.
Hell, Apple's iMessage has a flaw in it - one that can't be fixed without wholesale replacing the current system, so yet another gaping hole that will just be left to rot.
-
@Dashrender said:
Well, are we talking about paid security decision maker or are we talking about typical IT?
Well, while we can't guarantee it, this is a company and we should assume that someone was getting paid to make security decisions. So to some degree these two are one and the same.
-
@scottalanmiller said:
Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.
Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?
-
@BRRABill said:
@scottalanmiller said:
Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.
Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?
Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.
-
No matter what they say... length matters
-
@brianlittlejohn said:
No matter what they say... length matters
Yes, I purposely went there. I'm heading home now, later
-
@travisdh1 said:
Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.
I also agree with that.
I am just saying isn't
thisisalongpassword
weaker than
thisisa@longpassword
-
@BRRABill said:
@travisdh1 said:
Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.
I also agree with that.
I am just saying isn't
thisisalongpassword
weaker than
thisisa@longpassword
Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd
-
@Dashrender said:
Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd
I originally was questioning @scottalanmiller that
password
and
P@ssw0rd are the same to a computer.
Not arguing anything here. Agree with it all.
-
@Dashrender said:
thisisalongpassword
according to howsecureismypassword.com
thisisalongpassword
and P@ssw0rd
-
@BRRABill said:
@Dashrender said:
Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd
I originally was questioning @scottalanmiller that
password
and
P@ssw0rd are the same to a computer.
Not arguing anything here. Agree with it all.
He was oversimplifying it, sure. But both would be in a predefined dictionary which would take seconds to crack, so he does have that on his side.
-
http://howsecureismypassword.com/
Appears to be offline
-
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
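The keyspace arithmetic behind the comparisons in this thread, as an added example that is not part of any post: it scores the passwords discussed by naive brute-force keyspace and treats anything on a small constructed wordlist as cracked instantly, which is the dictionary point made about P@ssw0rd. The guess rate, the wordlist and the charset sizes are assumptions.

```python
import math
import string

# Constructed stand-in for the "predefined dictionary" the thread mentions;
# a real cracker's wordlist holds billions of leaked passwords plus mangling rules.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "p@55w0rd", "aaaaaaaa", "123456"}

# Character classes and their sizes; a brute-force attacker only has to search
# the classes the password actually uses.
CHARSETS = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]

# Assumed guess rate: ~1e10/s is plausible for a GPU rig against a fast unsalted hash.
GUESSES_PER_SECOND = 1e10


def keyspace_bits(pw: str) -> float:
    """log2 of the naive brute-force keyspace: charset_size ** length."""
    if not pw:
        return 0.0
    size = sum(n for chars, n in CHARSETS if any(c in chars for c in pw))
    return len(pw) * math.log2(size)


def crack_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the keyspace at the assumed rate; a wordlist hit is
    treated as cracked immediately, however 'complex' it looks to a human."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return 2 ** keyspace_bits(pw) / rate


def rank(candidates: list[str]) -> list[tuple[str, float, float]]:
    """Weakest first: (password, keyspace bits, seconds to exhaust)."""
    rows = [(pw, keyspace_bits(pw), crack_seconds(pw)) for pw in candidates]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for pw, bits, secs in rank(["password", "P@ssw0rd", "aaaaaaaa",
                                "thisisalongpassword", "thisisa@longpassword"]):
        years = secs / (365.25 * 24 * 3600)
        print(f"{pw:22s} {bits:6.1f} bits  {years:.3g} years")
```

Length dominates: every extra lowercase character adds about 4.7 bits, while adding a whole punctuation class to a 20-character password adds roughly 1.2 bits per position, and nothing on the wordlist scores at all.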
-
@BRRABill said:
@Breffni-Potter said:
http://howsecureismypassword.com/
Appears to be offline
.NET
whoops
-
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
Is there a real difference? A meaningful difference?
-
@Dashrender said:
Is there a real difference? A meaningful difference?
Yes.
I plan to live between those two numbers, so I need the stronger password.
-
@BRRABill said:
@Dashrender said:
Is there a real difference? A meaningful difference?
Yes.
I plan to live between those two numbers, so I need the stronger password.
Just change it at least once between now and then and you should be fine.