On 2018-05-24 14:25, Anton Aylward wrote:
On 24/05/18 05:09 AM, Johannes Meixner wrote:
I think for companies/organizations it seems not to matter whether things actually become more secure. It seems what matters more is that companies/organizations can feel safe because they enforced the right (well-known/old) rules, and then when things go wrong they can claim it is not their fault.
See also: https://arstechnica.com/information-technology/2013/06/password-complexity-r... <quote> A pair of studies done in 2011 and 2012 on password length and construction showed two things: first, customer frustration increases significantly with complexity, but less so with length. Second, a number of password cracking algorithms can be more easily thwarted by a long password that is created without number, symbol, or case requirements than are shorter passwords that are required to be complex, particularly for a large number of guesses. That is, shorter, more complex password restrictions beget passwords that can be more frustrating to everyone except the only entity who shouldn’t have it: the password cracker. </quote>
In practical terms, because of the buffer sizes and hashes, a length limit of 512 characters should be considered adequate for most purposes.
I would, however, point out that Leo Marks mentions in his book "Between Silk and Cyanide" that while picking a phrase from a poem or nursery rhyme (or movie or novel) may defeat traditional computational and combinatorial methods, it won't defeat a human versed in your culture. In modern terms that means a high-speed AI with access to the Net, YouTube, Gutenberg and more can draw on those sources and resources. Eventually there will be AIs that run an emulation of you.... But for now, length beats complexity.
Like scanning Facebook and others :-p
The real pissants are the 4-digit PIN codes ...
I know banks that use that.
-- 
Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
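The following is an added example, not code from anyone in this thread. It turns the points made above into a small password-policy checker: it bounds the input length (the 512-character cap Anton mentions, which also bounds the work handed to the hash), treats short all-digit secrets as the PIN case Carlos complains about, estimates brute-force cost so that a long lowercase passphrase can be compared with a short "complex" one, and applies Leo Marks' point by rejecting decorated forms of well-known phrases after undoing case, accents, separators and leet substitutions. The policy numbers, the phrase list and the guess rate are constructed assumptions for illustration only.

```python
"""Added example (not from the thread): a small password-policy checker
encoding the points discussed above. Policy numbers, the phrase list and
the attacker guess rate are illustrative assumptions."""
import math
import re
import unicodedata

MIN_LEN = 12            # assumed minimum length for this illustrative policy
MAX_LEN = 512           # upper bound mentioned in the thread; also bounds hashing work
GUESSES_PER_SEC = 1e10  # assumed offline guess rate against a fast hash (illustrative)

# Constructed stand-in for the "cultural" corpus (rhymes, poems, film lines)
# that a human, or a cracker with a large text corpus, would try first.
KNOWN_PHRASES = [
    "Mary had a little lamb",
    "Twinkle twinkle little star",
    "To be or not to be that is the question",
    "May the Force be with you",
]

# Common substitutions that a cracker's mangling rules undo anyway.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text):
    """Case-fold, strip accents, undo leet substitutions and drop separators,
    so 'M4ry-H4d-A-L1ttl3-L4mb' and 'mary had a little lamb' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", text)


PHRASE_INDEX = {normalize(p) for p in KNOWN_PHRASES}


def matches_known_phrase(pw):
    """True if the candidate is a decorated form of a known phrase, or a
    substantial piece of one (short fragments are ignored to avoid noise)."""
    n = normalize(pw)
    if len(n) < 8:
        return False
    return any(p in n or n in p for p in PHRASE_INDEX)


def charset_size(pw):
    """Alphabet size a brute-force attacker would have to assume."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII symbols incl. space
    return size


def brute_force_bits(pw):
    """Upper bound on strength: bits needed to enumerate every string of this
    length over this alphabet. A dictionary or phrase attack does far better,
    which is why matches_known_phrase() is checked separately."""
    return len(pw) * math.log2(max(charset_size(pw), 1))


def seconds_to_exhaust(pw, rate=GUESSES_PER_SEC):
    """Time to enumerate the whole brute-force space at the assumed rate."""
    return 2 ** brute_force_bits(pw) / rate


def check_password(pw):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(pw) > MAX_LEN:
        reasons.append("too_long")        # bound the input before it reaches the hash
    if len(pw) < MIN_LEN:
        reasons.append("too_short")
    if pw.isdigit() and len(pw) <= 8:
        reasons.append("numeric_pin")     # a 4-digit PIN is at most 10**4 guesses
    if matches_known_phrase(pw):
        reasons.append("known_phrase")    # the Leo Marks case: culture beats combinatorics
    return reasons


if __name__ == "__main__":
    for cand in ["1234", "Tr0ub4dor&3", "correct horse battery staple",
                 "M4ry-H4d-A-L1ttl3-L4mb"]:
        print(f"{cand!r:33} bits={brute_force_bits(cand):6.1f} "
              f"years={seconds_to_exhaust(cand) / 3.15e7:9.2e} "
              f"reasons={check_password(cand)}")
```

Running it shows the 28-character lowercase passphrase scoring far higher than the 11-character mixed-case one on the brute-force estimate, while the leet-decorated nursery rhyme is rejected outright because normalization maps it onto the phrase index regardless of its apparent complexity.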