These tables circulating on the internet of brute force password hacks are totally incorrect.

These tables only work for passwords generated randomly by computers or applications such as KeePassXC. If the password is generated by a human, they are useless, since humans are predictable, and when a password is hacked by brute force, different types of dictionaries are used, which substantially shortens the hacking time.

If you want to measure the entropy of your password well, with an algorithm that takes dictionary attacks and predictive attacks into account, use the KeePassXC calculator.

Recommendation: Never use human generated passwords.


Discussion

I didn't know that KeePassXC has a calculator. Good tip and great explanation!

I generated a Keepass password the other day and it was rejected by the bank site for being too long!

Many banks use a 6-digit pin number, which is very indicative of how concerned they are about the security of their customers.

The banking system is the most dishonest industry on the planet.

Security clueless on the front end for sure. I asked the local bank teller to show me how the app worked with the different reference numbers they had given me. They were very patient, as was I, until it came to the password reset step. I was literally wtf are you kidding me when they told me to put in a password. You know, something like Juanmadrid2024.

I use KeePassXC to generate a new random password for everything that asks for a password. I also am paranoid about the rise of quantum computing, so always try to generate as long of a password as possible.

Most services have very restrictive rules for what they allow you to set your password to. It's laughable that most banks have the stupidest and weakest rules of them all. None of my banks have any option to add TOTP 2FA, and most of them have rules which restrict the maximum length of your password to something which forces you to use very low entropy. Smh.

Fuck banks. Use bitcoin.

Thanks for this! I am guilty of using words from dictionary all the time.

Tip:

Using dictionary words is safe as long as you use more than 7 words (7 is more than enough) and they are chosen randomly, for example from the EFF list. In such a case the entropy is very high and your passphrase is safe; this is usually easier to remember than a 20-character alphanumeric password.

nostr:note1a3qvy3npfgjzw2kkj7ehytcfwrxtu0426tudtfyerqfjw377g6hs4tznp4

This chart is also misleading when it says "Password hash: bcrypt". Bcrypt is used with a work factor that should be set as high as practical for your server. Not listing the work factor means that the absolute numbers listed are meaningless.
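The arithmetic behind the two points above (a 7-word EFF passphrase versus a 20-character alphanumeric password, and why a crack-time chart is meaningless without the bcrypt work factor), as an added example that is not part of this thread. The guess rates are constructed placeholders, not benchmarks; only the formulas matter.

```python
import math

# The EFF large wordlist has 7776 entries (6**5, one word per five dice rolls).
EFF_LARGE_WORDLIST_SIZE = 7776

# Sizes of common character sets used by generators such as KeePassXC.
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable_ascii": 95}


def random_password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(charset size).
    Only valid for machine-generated passwords; human-chosen ones are far lower."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = EFF_LARGE_WORDLIST_SIZE) -> float:
    """Entropy of a diceware-style passphrase: words * log2(wordlist size)."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: half the keyspace divided by the guess rate."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def bcrypt_guess_rate(rate_at_base_cost: float, base_cost: int, cost: int) -> float:
    """bcrypt performs 2**cost rounds of key setup, so each +1 in the cost
    parameter halves the attacker's guess rate against the same hardware."""
    return rate_at_base_cost / (2.0 ** (cost - base_cost))


if __name__ == "__main__":
    phrase = passphrase_entropy_bits(7)                      # ~90.5 bits
    password = random_password_entropy_bits(20, CHARSETS["alphanumeric"])  # ~119 bits
    print(f"7 EFF words: {phrase:.1f} bits; 20 alnum chars: {password:.1f} bits")

    # Constructed placeholder: an attacker managing 1e5 bcrypt guesses/s at cost 5.
    for cost in (5, 10, 12, 14):
        rate = bcrypt_guess_rate(1e5, 5, cost)
        years = expected_crack_seconds(phrase, rate) / (365 * 24 * 3600)
        print(f"bcrypt cost {cost:2d}: {rate:>10.1f} guesses/s -> {years:.3e} years")
```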