@TheGibson What I'd really like to see is, say, lifetime or century-crack length over time.

That is, for a given year, what is the shortest password that can withstand likely crack attempts for 100 years.

Or perhaps ranked against budget: cracking for $0.01/key, $0.10, $1, $10, $100, $1,000, $1,000,000, $billion, etc.

The cracking-rate progress and budget aspects of this are seriously underappreciated. Hell, I don't know these.

#passwords #security #cracking
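The budget-ranked and century-length ideas in the post above can be sized with a small entropy model. The following is an added example, not code from anyone in this thread, and it assumes a constructed cost model: a uniformly random password, a fixed cost per guess (or a starting guess rate that grows by a constant factor each year), and the convention that a password "withstands" an attack when the expected cost of exhausting its keyspace exceeds the attacker's budget. The dollar and rate figures used in `main` are placeholders, not measurements.

```python
import math

# Alphabet sizes for uniformly random passwords (constructed assumptions).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable": 94,
}


def guesses_affordable(budget_usd: float, cost_per_guess_usd: float) -> float:
    """How many guesses a budget buys at a fixed per-guess cost."""
    return budget_usd / cost_per_guess_usd


def guesses_over_years(rate_per_year: float, annual_growth: float, years: int) -> float:
    """Total guesses over `years` years when the attacker's rate starts at
    rate_per_year and multiplies by annual_growth every year (geometric sum).
    annual_growth == 1.0 models no hardware progress at all."""
    if annual_growth == 1.0:
        return rate_per_year * years
    return rate_per_year * (annual_growth ** years - 1) / (annual_growth - 1)


def min_length_for_guesses(total_guesses: float, alphabet_size: int) -> int:
    """Shortest random password whose keyspace is more than twice the guesses
    the attacker can make. Expected brute-force cost is half the keyspace, so
    this makes the expected attack cost exceed the attacker's capacity."""
    bits_needed = math.log2(2 * total_guesses)
    return math.ceil(bits_needed / math.log2(alphabet_size))


def min_length_for_budget(budget_usd: float, cost_per_guess_usd: float, alphabet_size: int) -> int:
    """Budget-ranked length: the shortest password that a given dollar budget
    cannot be expected to crack at a given cost per guess."""
    return min_length_for_guesses(guesses_affordable(budget_usd, cost_per_guess_usd), alphabet_size)


def budget_table(budgets, cost_per_guess_usd: float, alphabet_size: int) -> dict:
    """Map each budget to the minimum withstanding length for one alphabet."""
    return {b: min_length_for_budget(b, cost_per_guess_usd, alphabet_size) for b in budgets}


def century_length(rate_per_year: float, annual_growth: float, alphabet_size: int, years: int = 100) -> int:
    """'Century-crack length': shortest password that survives `years` of a
    continuously growing guess rate."""
    return min_length_for_guesses(guesses_over_years(rate_per_year, annual_growth, years), alphabet_size)


def main() -> None:
    # Placeholder cost per guess and growth figures; replace with real
    # measurements for the hash function and hardware you care about.
    cost_per_guess = 1e-12          # dollars per guess (placeholder)
    budgets = [0.01, 0.10, 1, 10, 100, 1_000, 1_000_000, 1_000_000_000]
    for name, size in ALPHABETS.items():
        table = budget_table(budgets, cost_per_guess, size)
        print(name, {f"${b:,}": length for b, length in table.items()})

    # Placeholder: 1e15 guesses/year today, rate doubling every 2 years.
    growth = 2 ** (1 / 2)
    for name, size in ALPHABETS.items():
        print(f"100-year length ({name}):", century_length(1e15, growth, size))


if __name__ == "__main__":
    main()
```

The doubling-rate model is deliberately simple; a practitioner would swap in a per-hash benchmark (cost per guess depends heavily on the password hash and its work factor) and a growth assumption they are willing to defend, but the shape of the answer, a few extra characters per order of magnitude of budget, comes out of the logarithm either way.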

@dredmorbius @thegibson I think Bitcoin has proven the economy for this is a hell of a lot cheaper than people think. (Which is why I think the estimates in the chart above are woefully naive as they assume a single attacker and a one pw at a time attack.)

The amount of distributed compute power people are throwing around at cryptocoins for no budget but for imaginary profit is extraordinary. No human password survives ~100 days, much less 100 years, against cryptocurrency "mining".

Which also shows the importance of rate limiting or user credential checks and 2FA.
@dredmorbius @thegibson


@FiXato @dredmorbius @thegibson Unfortunately rate limiting is also *hard* in coordinated distributed attacks. It's tough to "scale" your rate limits in the same way you scale the rest of your APIs.

2FA is a good start and useful stop gap, but I worry isn't enough because today's 2FA doesn't scale "socially" well; it's all too easily social engineered because humans are bad at all "factors". We almost need a ground up rethink, says the pessimism in me.
