I was rather pleased with myself!
I have been changing all my passwords to easier to remember but supposedly harder to crack passwords. I had read, on good authority, that making a password longer was a better protection than using lots of funky characters. So for example, I set my gmail password to “when-i-need-to-send-mail”. Nice and long. Also, sites that check a password for safety tell me that’s a good password. http://www.passwordmeter.com gives it a 100% – “Very Strong”.
I admit that my intuition was confused. I was using common English words. Even though I have a lot of them and a long overall password length, it did feel like it was not as secure as the experts were telling me…
Shoot. Here we go again. Now it seems simple length is not good enough, according to this article.
“thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords | Ars Technica:
For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It’s an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.
Check out Steve Gibson's password haystacks: https://www.grc.com/haystack.htm

The basic premise is that you want the bad guys to have to check the full complement of characters (upper/lower/number/symbol), and you want to make it long. But it can certainly contain dictionary words.

Remember, until the bad guy *actually* figures it out, he doesn't know anything, including the length of an ill-gotten hashed password from a compromised password DB. So while you may know it contains dictionary words, the bad guys do not. Nor do they know you've connected them with dashes, or that you've padded the end of it with "12345".

Check out that link to evaluate how hard a brute force attack on your passwords will be.
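The two views above (the haystack's "full character set to the power of the length" estimate, and the article's point that a cracker can instead guess whole dictionary words joined by separators) can be put side by side with a small calculator. The script below is an added example, written for this page; it is not code from the post, from the commenter, or from grc.com. The word-list size, the number of separator choices, the guess rate and the average word length are assumptions chosen for illustration and are marked as such in the code; the sample passphrase is the one quoted in the post.

```python
import math
import re
import string

# Constructed sample: the passphrase quoted in the post (used here as test input only).
SAMPLE = "when-i-need-to-send-mail"

# Assumptions, not taken from the page: a small common-English word list, a handful
# of separator characters a cracker would try between words, a guess rate for a
# GPU rig against a fast unsalted hash, and an average word length used only when
# a phrase has no separators to split on.
ASSUMED_WORDLIST_SIZE = 3000
ASSUMED_SEPARATOR_CHOICES = 5        # e.g. "-", "_", " ", "." or no separator
ASSUMED_GUESSES_PER_SECOND = 1e9
ASSUMED_AVG_WORD_LEN = 4.5

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Haystack-style alphabet size: the character classes a blind brute force must cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 printable ASCII symbols plus space
    return size


def brute_force_space(pw: str) -> int:
    """Candidates needed to exhaust every length from 1 up to len(pw) over that alphabet."""
    n = charset_size(pw)
    return sum(n ** length for length in range(1, len(pw) + 1))


def split_words(pw: str) -> list:
    """Tokens of the passphrase, split on the separators a cracker would also guess."""
    return [w for w in re.split(r"[-_ .]", pw) if w]


def estimated_word_count(pw: str) -> int:
    words = split_words(pw)
    if len(words) > 1:
        return len(words)
    # No separators: the cracker has to segment the string instead. Rough
    # estimate from average word length (assumption), not a real segmentation.
    return max(1, round(len(pw) / ASSUMED_AVG_WORD_LEN))


def word_combinator_space(pw: str,
                          wordlist_size: int = ASSUMED_WORDLIST_SIZE,
                          separator_choices: int = ASSUMED_SEPARATOR_CHOICES) -> int:
    """Candidates for an attacker who guesses k list words joined by one separator style."""
    k = estimated_word_count(pw)
    return (wordlist_size ** k) * separator_choices


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return space / rate / SECONDS_PER_YEAR


def compare(pw: str) -> dict:
    """Both models for one passphrase; the smaller number is the one that matters."""
    bf = brute_force_space(pw)
    wc = word_combinator_space(pw)
    return {
        "brute_force_bits": bits(bf),
        "brute_force_years": years_to_exhaust(bf),
        "word_combinator_bits": bits(wc),
        "word_combinator_years": years_to_exhaust(wc),
    }


if __name__ == "__main__":
    for pw in (SAMPLE, "thereisnofatebutwhatwemake"):
        r = compare(pw)
        print(f"{pw!r}")
        print(f"  brute force     : {r['brute_force_bits']:.1f} bits, "
              f"{r['brute_force_years']:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e}/s")
        print(f"  word combinator : {r['word_combinator_bits']:.1f} bits, "
              f"{r['word_combinator_years']:.3g} years (wordlist {ASSUMED_WORDLIST_SIZE})")
```

For the sample passphrase the haystack model reports roughly 141 bits, while the word-combinator model under these assumptions reports roughly 72 bits. Both are large, but the gap is the point: the haystack figure measures a strategy the cracker is not obliged to use, so a strength estimate is only as good as the cheapest attack model it includes, and the combinator figure shrinks quickly if the words come from the top few hundred rather than the top few thousand.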
Yes, but… Does good old Steve Gibson's web site know of the latest black hat hacking tool that I referenced in my original post?