On 12/09/2007, Delirium delirium@hackish.org wrote:
Gregory Maxwell wrote:
I think the initiative to ensure that people had secure login passwords (which happened, oh, months back) reset people's email preferences - I had no idea that my preferences had changed until a good while later (not that it matters much in my case, but however...)
Ah. Those who got hit with guessable passwords.... ;)
I haven't changed my password either, so it couldn't be that my password was guessable (or if it was, it still is...).
-Mark
All passwords are guessable; it's just a matter of how many guesses one would expect it to take.
A random password containing 8 lowercase letters: (26^8) / 2 = 104 413 532 288, approximately a 37- or 38-bit key.
A random password containing 8 letters, uppercase and lowercase: (52^8) / 2 = 2.67298643 × 10^13, approximately a 45- or 46-bit key.
A random password containing 8 characters, including uppercase letters, lowercase letters, and numbers: (62^8) / 2 = 1.09170053 × 10^14, approximately a 47- or 48-bit key.
A random password containing 9 characters, including uppercase letters, lowercase letters, and numbers: (62^9) / 2 = 6.76854327 × 10^15, approximately a 53- or 54-bit key.
Supposing, using three character types (uppercase and lowercase letters + numbers) you wanted to have the equivalent of at least a 256 bit key, you would need 43 characters. For the equivalent of a 512 bit key, 86 characters.
A key word here is random - most passwords are not random, so password crackers can use psychological tricks such as dictionary attacks, dictionary attacks with slight variations, etc.
Of course, if your connection to a website is not encrypted, and someone is eavesdropping on your connection, all of this is irrelevant, as the person can simply read your password in plain text.
Disclaimer: I'm on painkillers, so if my math is wrong, that's why.
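The arithmetic in the message above (expected guesses = alphabet_size^length / 2, strength in bits = length × log2(alphabet_size), and the length needed for a target bit-strength) as an added, runnable example; this is not code from the thread or from any of its participants. The "dictionary" comparison at the end is an added illustration of the poster's point that non-random passwords are weaker: the 100 000-word list size and the 50 variant forms per word are assumed, constructed figures, not values from the thread.

```python
import math

LOWER = 26          # a-z
MIXED = 52          # a-z, A-Z
ALNUM = 62          # a-z, A-Z, 0-9


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Expected number of guesses to hit a uniformly random password.

    An attacker who enumerates the whole space hits the password, on average,
    halfway through, so the expectation is (alphabet_size ** length) / 2.
    Integer arithmetic keeps the large values exact.
    """
    return (alphabet_size ** length) // 2


def strength_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def bit_range(alphabet_size: int, length: int) -> tuple[int, int]:
    """The 'N or N+1 bit key' phrasing from the thread: floor and ceil of the entropy."""
    bits = strength_bits(alphabet_size, length)
    return math.floor(bits), math.ceil(bits)


def length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest length whose entropy reaches target_bits for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits_from_choices(choices: int) -> float:
    """Entropy of a password chosen uniformly from `choices` candidates.

    Used to illustrate the non-random case: a dictionary word (with a few
    predictable variants) is one of `choices` possibilities, regardless of how
    many characters it contains.
    """
    return math.log2(choices)


def dictionary_vs_random(word_count: int, variants_per_word: int, length: int) -> dict:
    """Compare an 8-letter dictionary-based password to 8 random lowercase letters.

    word_count and variants_per_word are assumed, constructed figures.
    """
    dictionary_bits = effective_bits_from_choices(word_count * variants_per_word)
    random_bits = strength_bits(LOWER, length)
    return {
        "dictionary_bits": round(dictionary_bits, 1),
        "random_bits": round(random_bits, 1),
        "random_is_stronger_by_factor": round(2 ** (random_bits - dictionary_bits)),
    }


if __name__ == "__main__":
    for alphabet, length in [(LOWER, 8), (MIXED, 8), (ALNUM, 8), (ALNUM, 9)]:
        lo, hi = bit_range(alphabet, length)
        print(f"alphabet={alphabet:2d} length={length}: "
              f"{expected_guesses(alphabet, length):,} expected guesses, "
              f"about a {lo}- or {hi}-bit key")
    for target in (256, 512):
        print(f"{target}-bit equivalent with {ALNUM} symbols needs "
              f"{length_for_bits(ALNUM, target)} characters")
    # Constructed comparison: 100 000-word list, 50 variant forms per word.
    print(dictionary_vs_random(100_000, 50, 8))
```

Running the script reproduces the four expected-guess counts and the 43- and 86-character lengths from the message, and the final line shows why the poster stresses "random": a word drawn from a 100 000-entry list with 50 variants is about 22 bits of choice, far below the 37.6 bits of 8 random lowercase letters, even though both are eight characters long.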