So I am sitting here inserting a password I made up out of special characters, numbers, letters, in alternating case, and everything that comes up gives me a full green bar. However, how do I really know that it's that secure?
Is there a user side benchmark for passwords? Do I just run aircrack against it and see when the machine explodes?
I generally don’t trust the sites where you have to enter your password and they evaluate it. Some of the sites are client side or can be run as stand alone on your machine. You can use those sites to get a sense of security, just don’t use your actual passwords.
I tend to go for longer, random passwords and don’t get too hung up on the size of the keyspace or if there are at least 3 different kinds of symbols or no more than 3 capital letters in a row, but at least 4 non-numeric, non-symbol, non-lowercase characters in a row.
I think 100+ to 250 bits of entropy is secure for our lifetime, depending on the content that the password is protecting. I also use a password manager so that I don’t have to remember 20+ random characters for each password that I use.
To know if your password is secure you have to know what hackers do to crack them.
What kind of password is best?
Upper/lower case, numeric and special chars with 10 or more characters is currently too long to crack in any reasonable time, if the hacker is using brute force.
That's not too long to crack, but will take days or weeks even, on a 3090 Ti or equivalent.
Basically, the longer the better.
If your password hash has been leaked then it's a case of whether the hash is crackable (psst, most are).
Then it's a simple case of running a python script to brute force the hash and reveal its secrets.
This is way quicker as the GPU is just making hashes from a wordlist and comparing it to your leaked hash. If it's the same, they print the word that creates that hash.
And to boot, there are ways to narrow down the search space, based on common patterns, such as a word followed by 2 numbers or two words with a symbol in the middle. It turns out that, as a species, we are terrible at picking secure passwords.
I used to run min 100 letters, capitalized letters, numbers, symbols and ASCII special characters. Even a few dedicated data centers will take some time cracking it down with brute force. Then my browser had a glitch and copy paste was broken so it required a way to type it manually. So I downgraded it to something more reasonable: 50 letters, capitalized letters, numbers, and symbols.
And then, I encountered using passwords in a machine that isn’t mine and without a password manager installed so from there, I switched to a passphrase salted with a few numbers and symbols and kept it on a more reasonable word length, plus a vernacular word that isn’t likely to be used in a dictionary attack. On my next round of password replacement, it will be for all.
Also, mind you, the classic XKCD comic:
Works for the government, private organization, criminals, mafia, drug lords, etc…
BTW, if you happen to think about designing your own password storage while in the middle of some random project because you learned a bit of crypto and found some handy APIs … don’t.
Either use bcrypt or use pufferfish2 if you’re feeling fancy.
If you need to use a password to derive a key (as opposed to using a random material as a key; which you could store securely), don’t just hash something once, use a KDF (key derivation function like argon2id).
These all combine multiple rounds of SHA (or BLAKE) to make it expensive time-wise to brute force stuff … and/or make it memory expensive as well, in order to resist being parallelized cheaply (e.g. computing on GPUs or on custom ASICs).
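To make the "don't hash once, use a KDF" point concrete, here is a small added example (mine, not code from anyone in this thread). It puts the naive single SHA-256 beside a salted, memory-hard scrypt derivation from Python's standard library (scrypt rather than the argon2id or bcrypt mentioned above, because it needs no third-party package). The cost parameters are an assumption for illustration; a real deployment tunes them up to the slowest derivation the login path can tolerate.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cost parameters: an assumption for this example, not a recommendation.
# scrypt needs about 128 * r * n bytes per derivation, so n=2**14, r=8 is ~16 MiB,
# which is what makes cheap GPU/ASIC parallelism expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def naive_hash(password: str) -> str:
    """The pattern the post warns against: one fast, unsalted hash.
    Identical passwords always give identical output, and a wordlist
    can be hashed and compared at GPU speed against a leaked table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored verifier with scrypt (memory-hard KDF) and a random salt.

    The result is self-describing ("scrypt$n$r$p$salt$key") so the cost
    parameters can be raised later without breaking existing records."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), key.hex()]
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters recorded in `stored` and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"),
            salt=bytes.fromhex(salt_hex),
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        # Malformed record or bad hex: treat as a failed login, never as a crash.
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Same password, two users: the naive hash leaks that they match, scrypt does not.
    print("naive  :", naive_hash("hunter2") == naive_hash("hunter2"))
    print("scrypt :", hash_password("hunter2") == hash_password("hunter2"))
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok   :", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("correct horse battery stapler", record))
```

The record format is the part worth copying: storing n, r and p alongside the salt is what lets you raise the cost later and rehash users on their next successful login instead of forcing a reset.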
A password is as secure as the protocols that communicate the password. Those are to be tested, not really a password with random characters in it. Those usually have enough entropy to be unguessable.
If you want to generate a password with as much entropy as possible just use dice to generate it. Diceware if you want a password that a human can remember, just assigning random characters to a number if you want to go for pure chaos.
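Since two posts above talk about entropy targets (100+ bits) and dice-based generation, here is an added example (mine, not from anyone in the thread) that puts numbers on both: how many random characters or Diceware words it takes to reach a given bit count, plus the five-dice-to-index conversion Diceware uses. The 94-character alphabet (printable ASCII without space) and the use of `secrets` as a stand-in for physical dice are assumptions; no real word list is embedded, so the Diceware part produces indices, not words.

```python
import math
import secrets
import string
from typing import List

# Assumed alphabet for the "pure chaos" style: 94 printable ASCII characters, no space.
CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Diceware: one word per roll of five dice, so the list holds 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size` choices.
    Only valid for uniformly random choice, not for passwords a person made up."""
    return length * math.log2(alphabet_size)


def diceware_entropy(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each Diceware word from a 7776-word list contributes log2(7776) ~ 12.9 bits."""
    return entropy_bits(list_size, num_words)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly random symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def dice_to_index(rolls: List[int]) -> int:
    """Turn five rolls of 1..6 into a 0-based word-list index (base-6 number)."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("expected exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(count: int) -> List[int]:
    """Simulated dice using the OS CSPRNG; physical dice give the same distribution."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def diceware_indices(num_words: int) -> List[int]:
    """Pick `num_words` word-list positions by rolling five dice per word."""
    return [dice_to_index(roll_dice(5)) for _ in range(num_words)]


def random_password(length: int, alphabet: str = CHAR_ALPHABET) -> str:
    """Uniform random characters; `secrets.choice` avoids modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for target in (100, 128, 250):
        print(
            f"{target:>3} bits: {symbols_needed(target, len(CHAR_ALPHABET))} random chars "
            f"or {symbols_needed(target, DICEWARE_LIST_SIZE)} Diceware words"
        )
    print("16 random chars :", round(entropy_bits(len(CHAR_ALPHABET), 16), 1), "bits")
    print("8 Diceware words:", round(diceware_entropy(8), 1), "bits")
    print("example indices :", diceware_indices(8))
    print("example password:", random_password(16))
```

The takeaway matches the thread: 16 uniformly random printable characters and 8 Diceware words both land just over 100 bits, and the 250-bit end of the range quoted above needs about 39 characters or 20 words. The arithmetic only holds when every symbol is chosen uniformly at random, which is exactly why the online "green bar" meters cannot measure it for a password you composed yourself.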