It's somewhat hard to quantify what is a "real security risk".

A password created with pwgen defaults (all lowercase letters, 8 in length) stored using a fast hash (MD5 or SHA1) could be offline brute-force cracked with a single modern GPU in anywhere from a few minutes (just trying lowercase) up to around 9 days against all characters (trying lowercase, uppercase, numbers, symbols). If this same password is stored using a stronger hashing algorithm (scrypt, bcrypt, argon2, etc.) then it might be cracked using a brute force against only lowercase letters but probably not by a full brute force against all characters (because it would take too long).

Your password manager and disk encryption should be using these slower hashing algorithms for key derivation. With online accounts you often don't know what type of hashing they implemented, so the safe bet is to assume fast hashes.

By my estimates, moving to a minimum password length of 11 characters for slow hashes and a minimum of 14 characters for fast hashes should help offset the weakness of using passwords constructed with only lowercase characters. You can quickly increase strength by adding more length as your memory (or password policies) allow.

I will caution that these estimates assume attackers must use brute-force attacks (even if against a restricted selection of characters, like lowercase) to guess your password. My understanding of pwgen is that, by default, it doesn't randomly create the passwords and instead attempts to structure them in a more memory-friendly arrangement of consonants and vowels. This probably causes a significant reduction in the number of possible passwords out of the total pool of lowercase random passwords. So theoretically an attacker could identify only the possible passwords generated by pwgen and target those in their password-cracking attempts to save time.

If this pool of pwgen passwords is 15% of the total lowercase possibilities (I have no idea what it actually is) then 11 characters would probably not be a sufficient minimum length. You'd need to go with a 12-character minimum, adding more characters to satisfy your particular paranoia and future-proofing preferences.
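The estimates in the post above, carried through as an added worked example (this is not the author's calculation and not part of the original post). The cracking rates (10 GH/s for a single GPU against MD5/SHA1, 200 kH/s against a bcrypt/scrypt/argon2-style KDF), the "exhaustive search must take longer than 100 years" target, and the 0.15 pool fraction standing in for the post's hypothetical 15% pwgen subset are all assumptions chosen here; change them and the minimum lengths move with them. The point the code makes is the structure of the estimate: search time is alphabet^length times pool fraction, divided by guess rate, and the minimum length is the first length that pushes that time past the target.

```python
# Added example: brute-force search-time estimates for lowercase-only passwords
# against fast and slow hashes. All rates and targets below are assumptions.

LOWER = 26          # a-z only (the post's "pwgen defaults" case)
ALL_PRINTABLE = 95  # lowercase + uppercase + digits + printable ASCII symbols

# Assumed guess rates for one modern GPU (order-of-magnitude, not measured here).
FAST_HASH_RATE = 1e10   # MD5 / SHA1 style fast hash
SLOW_HASH_RATE = 2e5    # bcrypt / scrypt / argon2 at a typical cost setting

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length, pool_fraction=1.0):
    """Candidates an attacker must try to exhaust the space.

    pool_fraction < 1.0 models a generator that only emits a subset of all
    strings over the alphabet (the post's guess that pwgen's pronounceable
    output might be ~15% of all lowercase strings of that length).
    """
    return alphabet_size ** length * pool_fraction


def exhaust_seconds(alphabet_size, length, rate, pool_fraction=1.0):
    """Wall-clock seconds to try every candidate at `rate` guesses/second."""
    return keyspace(alphabet_size, length, pool_fraction) / rate


def min_length(alphabet_size, rate, target_years, pool_fraction=1.0, max_len=64):
    """Smallest length whose exhaustive search takes longer than target_years."""
    target = target_years * SECONDS_PER_YEAR
    for n in range(1, max_len + 1):
        if exhaust_seconds(alphabet_size, n, rate, pool_fraction) > target:
            return n
    raise ValueError("no length up to %d meets the target" % max_len)


def human(seconds):
    """Rough human-readable duration for printing."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds


if __name__ == "__main__":
    # The post's 8-character lowercase password under a fast hash:
    print("8 lowercase, fast hash:     ", human(exhaust_seconds(LOWER, 8, FAST_HASH_RATE)))
    print("8 any-printable, fast hash: ", human(exhaust_seconds(ALL_PRINTABLE, 8, FAST_HASH_RATE)))
    # Same password under a slow KDF:
    print("8 lowercase, slow hash:     ", human(exhaust_seconds(LOWER, 8, SLOW_HASH_RATE)))
    print("8 any-printable, slow hash: ", human(exhaust_seconds(ALL_PRINTABLE, 8, SLOW_HASH_RATE)))
    # Minimum lowercase length to exceed a 100-year exhaustive search:
    print("min lowercase length, fast hash:          ", min_length(LOWER, FAST_HASH_RATE, 100))
    print("min lowercase length, slow hash:          ", min_length(LOWER, SLOW_HASH_RATE, 100))
    # Same, if the generator only emits 15% of all lowercase strings:
    print("min length, slow hash, 15% generator pool:",
          min_length(LOWER, SLOW_HASH_RATE, 100, pool_fraction=0.15))
```

Under these particular assumptions the script reproduces the post's shape of result: 8 lowercase characters fall in seconds to a fast hash and in days to a slow one, 8 characters from the full printable set take about a week against a fast hash, and the 100-year target is first met at 14 lowercase characters for the fast hash and 11 for the slow one, rising to 12 once the search is restricted to a 15% generator pool. A real attacker with a wordlist of pronounceable strings, multiple GPUs, or leaked-password statistics does better than this model, which only covers exhaustive search.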