Passwords are weaker than you believe (cendyne.dev)
2 points by xena on Jan 7, 2023 | hide | past | favorite | 5 comments



I was under the impression / assumed many sites had timed password comparison so as to discourage brute force.

The table doesn't explain, for example, that using words in letters only might, regardless of length under 30 characters, be easy to crack.

Passwords are pretty safe if the person creating them is thoughtful enough to use a unique password for every site ... and doesn't share it with some other site / service that might be compromised from within.


In my experience, there is no password that is generated by most humans that cannot be quickly and easily cracked by good password guessing tools. The tools have gotten to the point where they already know about every trick you might throw into the mix, and they already have mitigation schemes designed to be optimized for them.

You should be letting your password manager generate all your passwords, according to the limits imposed by the site, and make sure that you never accidentally re-use any of those passwords anywhere. It should be a reliable password manager with local storage of the vault. If cloud storage/sync is used, you should be able to choose your own cloud storage/sync mechanism.

And then you should add 2FA on top of that, if you can.


Easily cracked might be true for those using words with a couple numbers thrown in between. Yes there are a vast number of people who are not exactly savvy when they use and create passwords. It's one of the reasons why some honeypot sites were set up primarily to catch people who use the same password and email at every site they visit.
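The two comments above make a pair of points: let a manager generate passwords within a site's rules, and a "word plus a couple of digits" password is easy for cracking tools because they enumerate exactly that pattern. The following is an added example of my own (not code from the linked article or from any commenter) that does both: a CSPRNG-backed generator that honours per-site character-class rules, and a keyspace comparison between a random password and the word+digits pattern. The attacker rate (GUESSES_PER_SECOND) and dictionary size (DICTIONARY_SIZE) are assumed illustrative constants, not figures from the post.

```python
import math
import secrets
import string

# Assumed illustrative parameters (not from the post): a plausible guess rate for an
# unsalted fast hash on a GPU rig, and a rough size for a cracking dictionary.
GUESSES_PER_SECOND = 1e10
DICTIONARY_SIZE = 100_000

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DEFAULT_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)


def generate_password(length: int, alphabet: str = FULL_ALPHABET,
                      required_classes=DEFAULT_CLASSES) -> str:
    """Draw every character from the OS CSPRNG (secrets, never random) and reject
    candidates that miss a character class the site insists on. Pass a smaller
    alphabet or fewer classes to match a site's own limits."""
    if length < len(required_classes):
        raise ValueError("length too short to satisfy every required class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required_classes):
            return candidate


def bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string; the class rejection above discards only a
    negligible fraction of candidates, so this is an accurate upper bound."""
    return length * math.log2(alphabet_size)


def bits_word_plus_digits(dictionary_size: int, digit_count: int) -> float:
    """'Dictionary word plus a couple of digits': cracking tools try exactly this
    pattern, so the keyspace is dictionary_size * 10**digit_count, not 26**len."""
    return math.log2(dictionary_size * 10 ** digit_count)


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the attacker's rate."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    random_bits = bits_random(20, len(FULL_ALPHABET))
    pattern_bits = bits_word_plus_digits(DICTIONARY_SIZE, 2)
    print(f"generated: {pw} ({random_bits:.1f} bits, "
          f"~{expected_crack_seconds(random_bits):.3g} s to crack on average)")
    print(f"word + 2 digits: {pattern_bits:.1f} bits, "
          f"~{expected_crack_seconds(pattern_bits):.3g} s to crack on average")
```

The point of the comparison is that length alone says nothing: "sunflower42" is 11 characters but lives in a keyspace of about 23 bits under the assumed dictionary, whereas a 20-character random string from 94 symbols is about 131 bits. The generator's `alphabet` and `required_classes` arguments are where a site's own restrictions (no punctuation, max 16 characters, and so on) get plugged in.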


That password table is bullshit; it's the time taken to crack unsalted MD5-hashed passwords using a few GPUs.

It's blatant scaremongering - most services will use multiple iterations of hashing and incorporate a salt.
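The comment above contrasts the table's assumption (one unsalted MD5 per password) with what a service should do (a per-user salt and many iterations). Here is an added example of mine, not code from the article or the thread, that makes the difference concrete by counting the attacker's work against a tiny constructed user table and wordlist. The data in USERS and WORDLIST is made up for the demo, and DEMO_ITERATIONS is kept deliberately small so the script runs quickly; it is not a recommended production work factor.

```python
import hashlib
import os

# Constructed example data, not from the article: a tiny leaked "user table" and a
# tiny wordlist. Real dumps have millions of rows and wordlists hundreds of millions of
# entries; the counting logic below is unchanged, only the numbers grow.
USERS = {"alice": "hunter2", "bob": "dragon", "carol": "hunter2", "dave": "correct horse"}
WORDLIST = ["password", "letmein", "dragon", "monkey", "hunter2", "qwerty"]

# Assumed demo parameter, kept small so the script finishes in well under a second.
# Real PBKDF2-HMAC-SHA256 storage should use a work factor in the hundreds of thousands.
DEMO_ITERATIONS = 20_000


def store_unsalted_md5(password: str) -> str:
    """The storage scheme the table's numbers assume: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str,
                        iterations: int = DEMO_ITERATIONS) -> tuple[bytes, bytes]:
    """Salted, iterated storage: a fresh 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    The salt is stored next to the digest; it is not secret, only unique."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def crack_unsalted(table: dict[str, str],
                   wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attacker against unsalted MD5: hash each candidate once and look it up against
    every user at the same time. Users sharing a password fall together.
    Returns (cracked users, number of MD5 computations performed)."""
    users_by_hash: dict[str, list[str]] = {}
    for user, h in table.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked: dict[str, str] = {}
    hash_calls = 0
    for word in wordlist:
        hash_calls += 1
        for user in users_by_hash.get(hashlib.md5(word.encode()).hexdigest(), []):
            cracked[user] = word
    return cracked, hash_calls


def crack_salted(table: dict[str, tuple[bytes, bytes]], wordlist: list[str],
                 iterations: int = DEMO_ITERATIONS) -> tuple[dict[str, str], int]:
    """Attacker against salted PBKDF2: the salt is known, but every (user, candidate)
    pair needs its own derivation, and each derivation costs `iterations` HMAC calls.
    Returns (cracked users, number of PBKDF2 derivations performed)."""
    cracked: dict[str, str] = {}
    derivations = 0
    for user, (salt, digest) in table.items():
        for word in wordlist:
            derivations += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, derivations


if __name__ == "__main__":
    md5_table = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    pbkdf2_table = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    cracked_md5, md5_calls = crack_unsalted(md5_table, WORDLIST)
    cracked_pbkdf2, derivations = crack_salted(pbkdf2_table, WORDLIST)
    print("unsalted MD5  :", cracked_md5, "after", md5_calls, "MD5 computations")
    print("salted PBKDF2 :", cracked_pbkdf2, "after", derivations, "derivations,",
          derivations * DEMO_ITERATIONS, "HMAC-SHA256 computations")
```

Both schemes give up the same weak passwords: salting and stretching do not rescue "hunter2", which is the article's point. What changes is the cost. Against unsalted MD5 the attacker runs the wordlist once for the whole database (6 hashes here) and alice and carol fall to the same computation because their digests are identical; against per-user salts the wordlist has to be re-run per user (19 derivations here, each 20,000 HMAC calls in this demo), so the attacker's time grows with both the number of users and the work factor. The table's crack times only describe the first case.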


They should do so, yes.

Sadly, many don't.



