On Tue, Aug 12, 2014 at 2:28 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
On 08/12/2014 01:47 PM, Greg Freemyer wrote:
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used. I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (facebook / linked-in). 18 chars for things I really care about.
With a 18 char password, even the weakest encryption scheme should be relatively secure unless your password is in a rainbow table. Therefore, my 18 char passwords are also passwords I'm guessing no one else in the world is using.
I'm sorry, Greg, but I'm going to burst your pretty balloon again.
Your logic is impeccable. Until it meets the real world.
In the real world there are sites that store your password in clear text. Perhaps it's so they can send it back to you when you click on the "I forgot my password" button.
Perhaps they think that sending it to your registered email address is secure enough. Even if they do send it in clear text.
Just like some mailing list managers send a monthly reminder of your password. In clear text. By email.
In the real world there are sites that will truncate your 18 character password to perhaps 8 characters. Anyway, they aren't storing all 18. Their bean counters figure that the amount of disk space they save by having fixed short fields for passwords ....
Oh, and they don't tell you they've truncated it. Just like those sites that map all your lower case to upper case, and don't tell you.
Or won't let you use punctuation characters in the set [';()<>] See http://xkcd.com/327/ as to why.
The real problem is not your password, it's the sites out there.
I agree with your real world, but I'm arguing you need a password algorithm that at a minimum can and does use at least 18 chars of password info and you need to actually have an obscure 18-char (or longer) password. With those 2 minimum features, the use of salt or highly sophisticated encryption algorithms seems much less important.
Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
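The two points the thread turns on, a site that silently upper-cases and truncates before hashing (Anton's complaint) and a storage scheme that actually consumes all 18 characters (Greg's minimum requirement), can be shown side by side. The following is an added example written for this page, not code from either poster or from any real site. The "legacy" scheme, its 8-character limit, the SHA-1 choice and the sample passwords are all assumptions made for the illustration; the keyspace arithmetic assumes the 94 printable ASCII characters, 26 of which are lowercase letters that case folding merges away.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Added example, not code from the mailing-list thread. Two hypothetical
# server-side password stores: a "legacy" one that silently upper-cases and
# keeps only the first LEGACY_MAX_LEN characters before hashing, and a "full"
# one that salts and stretches the entire password. The 8-character limit is
# an assumption chosen to match the behaviour described in the thread.

LEGACY_MAX_LEN = 8

PRINTABLE_ASCII = 94      # printable ASCII characters, space excluded
LOWERCASE_LETTERS = 26    # merged into uppercase when a site folds case


def legacy_effective_password(password: str) -> str:
    """What the legacy scheme actually hashes: case-folded, then truncated.

    This is also the only string an attacker has to guess to log in.
    """
    return password.upper()[:LEGACY_MAX_LEN]


def legacy_store(password: str) -> bytes:
    """Unsalted, unstretched hash of the mangled password. Deliberately weak."""
    return hashlib.sha1(legacy_effective_password(password).encode()).digest()


def legacy_verify(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(legacy_store(password), stored)


def full_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the whole password, no length limit."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def full_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(full_store(password, salt)[1], stored)


def effective_keyspace_bits(length: int, alphabet: int = PRINTABLE_ASCII,
                            truncate_to: Optional[int] = None,
                            fold_case: bool = False) -> float:
    """Bits of keyspace an attacker must search, given what the site keeps.

    Case folding removes the lowercase letters from the alphabet; truncation
    discards every character past truncate_to, however long the password was.
    """
    if fold_case:
        alphabet -= LOWERCASE_LETTERS
    if truncate_to is not None:
        length = min(length, truncate_to)
    return length * math.log2(alphabet)


if __name__ == "__main__":
    long_pw = "Tr0ub4dor&3-horses"   # 18 characters, constructed sample
    short_pw = "tr0ub4do"            # first 8 characters, all lowercase

    stored = legacy_store(long_pw)
    print("legacy accepts 8-char lowercase guess:", legacy_verify(short_pw, stored))

    salt, digest = full_store(long_pw)
    print("full scheme accepts the same guess:   ", full_verify(short_pw, salt, digest))

    print("keyspace, all 18 chars kept:   %.1f bits" % effective_keyspace_bits(18))
    print("keyspace, legacy mangling:     %.1f bits" %
          effective_keyspace_bits(18, truncate_to=LEGACY_MAX_LEN, fold_case=True))
```

Under the legacy scheme the 18-character password and its 8-character lowercase prefix verify identically, so the credential an attacker has to brute-force is the short one, and the keyspace drops from roughly 118 bits to under 49. The full scheme keeps the whole password in the computation, which is what Greg's "uses at least 18 chars of password info" requirement amounts to; the salt and iteration count are what Greg calls less important, and they matter mainly once an attacker already holds the hashes.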