[WARNING] Bitwarden design flaw: Server side iterations

It’s not hard to find and replace Technibble with Amazon, WellsFargo, etc.

It also requires guessing that I use Amazon, WellsFargo, etc., which for some random person you don't know the slightest thing about, or very little about, isn't trivial. For things like Amazon, that "everyone" uses, it's relatively easy, but beyond that, it's not.
 
A gross and inaccurate overstatement. Yes, if we're talking a short single word, or even several words commonly used together.

titanicoakleafhydrangea is a mighty, mighty strong password.
Yes. As I said in my first comment on this subject, sentence structure is part of it. Random words with no context are stronger than sentences. There's a reason why your example clocks in at 4 million years and the first example was only 3 hours.
 
It also requires guessing that I use Amazon, WellsFargo, etc., which for some random person you don't know the slightest thing about, or very little about, isn't trivial. For things like Amazon, that "everyone" uses, it's relatively easy, but beyond that, it's not.
There are plenty of common sites like national banks. I have no idea if you bank at Chase, WellsFargo, etc. It’s trivial to check. I have your email address and username. This is what bots are used for.
 
Looking like a win for long but simple phrases.

Password (I'd say pass phrase, sans spaces) length has always been the primary determiner of strength.

An 8-character mix of junk, (tYas0{*, clocks in at only "decent" at PMDN along with the suggestion, "Add another word or two. Uncommon words are better." Contrast that with, "Thereoncewasaman".

Length, particularly if you're using something that doesn't employ a true sentence structure or use very common words, is the first and primary line of defense in passwords. Adding just a few strategically placed mixes of case, digits, and a special character makes the merely strong insanely so.

What I find interesting at PMDN is that there seems to be no password, none, that isn't a major risk with "offline fast" cracking. This indicates to me that "offline fast" cracking technology really doesn't exist yet as a working thing, or we'd have been in deep doo-doo years ago.
 
thisismyverysafeunguessablepassword = centuries with offline fast

Unless I've miscounted, that's 35 characters, and I've never tried anything that long. Even if I had that one memorized, typing it would be a bit more of a burden than I'm willing to undertake.

The tests I've done have all been 16 characters or fewer. I still don't worry about "offline fast" as if that were practical, passwords would have stopped being of any use a very long time ago indeed. But, contrary to the assertions of some, they're not useless and will likely remain in use as a primary verification for the remainder of my lifetime (and I'm 60).
 
What I find interesting at PMDN is that there seems to be no password, none, that isn't a major risk with "offline fast" cracking. This indicates to me that "offline fast" cracking technology really doesn't exist yet as a working thing, or we'd have been in deep doo-doo years ago.
Yes and no. One thing you are forgetting is that websites generally don't let you pound away at them with a brute-force attack. You get 3-10 attempts on most sites before being locked out. Some lockouts are timed pauses; others lock you out until you contact the owners by phone and get a password reset. This limits the ability to attack sites. Of course, with a password manager or any encrypted blob, if hackers gain possession of the blob they have unlimited time to work on it. A rack of 10 GPUs can easily process billions of attempts. That is not cheap, but it's not an unreachable goal either. Botnets obviously cost nothing for the hackers to employ, though development and deployment will have some expenses and take time.
 
According to https://bitwarden.com/password-strength/ it would take centuries to crack a simple phrase of sufficient length such as thisismyverysafepassword

Makes me wonder why the conventional wisdom is to mix uppercase, lowercase, numbers and symbols, when such a simple phrase would be far more acceptable and memorable for the average IT-challenged customer. Maybe simply because most people pick a shorter one?
Conventional wisdom involving complexity does help, but it doesn't replace length. Longer passwords provide entropy through length, and the strength of it is directly attached to the algorithm that's doing the hashing. But a string of words, even if they're a sentence, separated by a special character, with a number tossed in somewhere, can create memorable, easy-to-communicate, easy-to-type passwords.

But you can get entropy from complexity, which lets you get away with a shorter password while providing the same amount of complexity.

I use a generator and manager still because it allows me to have unique versions of these things for thousands of sites without resorting to easily tracked and unlocked patterns. Much of this discussion here revolves around a human process that's easily cracked by bots given enough data. ChatGPT is already making dents in this process, which is why I'm actively hardening my password manager itself.
 
There are plenty of common sites like national banks. I have no idea if you bank at Chase, WellsFargo, etc. It’s trivial to check. I have your email address and username. This is what bots are used for.
Banks are very slowly getting smarter. None of my banks use email address as the userID. That wasn't the case 5 years ago. They still limit the password complexity too much, but baby steps, I guess. My main business bank, in fact, has two separate ID numbers you input as well as a password...
 
None of my banks use email address as the userID.

Mine don't, either. One of the worst developments ever, and not just from a security perspective, was allowing email addresses to be used as login IDs. The amount of misery and misunderstanding that has come of this is beyond my ability to describe. It seems to be worse for seniors, but I know plenty not in that demographic that don't seem to understand, for example, that if you use mynamehere@gmail.com as your Microsoft Account login ID that doesn't mean that your Gmail/Google Account and Microsoft Account are connected in any way. Now multiply that . . .
 