• viking@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    4
    ·
    edit-2
    10 months ago

    That really depends on the password complexity. Sure, you can crack a password of 6-8 characters in below 30 minutes, but anything more complex than that will take days and longer.

    My default password is 22 characters long and includes a unique identifier for each service plus a checksum. Say as an example (similar enough to my actual use case) for Adobe I’ll have “Ae” (first and last letter of the service) and “41” in a specific position (A = 41 in Hex).

    That way even if I repeat the other 18 characters (including symbols, upper and lower case characters) it will take years or even decades on a consumer grade system to crack my password, and the hash is unique for each service/website, so there won’t be any collateral damage either, even if some service I used got breached and my password somehow fully exposed.

    • ReginaPhalange@lemmy.world
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      2
      ·
      10 months ago

      Why do people humble brag about their password strength, but then tell the whole world how to construct rainbow tables designed to crack their passwords?

      • InnerScientist@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        10 months ago

        Iirc rainbow tables are currently useless due to good seasoning salt.

        Though password crackers can take a known pattern to drastically increase speed it would still have to do the whole calculation for every password.

      • viking@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        10 months ago

        Like I mentioned, I’m using a related pattern, nothing as simple as the one I sketched out here.

        • LostXOR@kbin.social
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          As long as the other 18 characters are randomly generated that seems secure enough, and a decent way to keep track of which passwords are associated with which accounts.

          • LordKitsuna@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            10 months ago

            Feels like just a roundabout an exceptionally more difficult way to achieve a strong password versus just a password manager. Where you can do ridiculous things like have a 100 character long password

            Only to discover that the website will accept 100 characters in the box but actually truncate it to like 40 without telling you

    • noodlejetski@lemm.ee
      link
      fedilink
      English
      arrow-up
      20
      ·
      10 months ago

      I think I’ll stick with a password manager and its randomly generated passwords instead of doing an algebra problem every time I want to check my email