Does this create a strong password?

This is nearly all systems, at least in practice. Network latency will probably limit you to a few hundred guesses a second at most.

It’s the leaked password hashes (of which there have been a number of recent cases) that are the problem, because crackers can put them on different hardware and get many, many more guesses per second in.

Actually, these are characters, not bits. Theoretically, ASCII allows at least 200 different characters, giving you 3e34 combinations. In practice, you can limit it to lower and upper case letters, numbers and a few symbols - giving about 80 possible characters and 4e28 combinations. This is still a lot more work than a dictionary attack.

That seems like a silly principle to me. How would an attacker know what scheme you used to construct your password, so long as it’s sufficiently uncommon (and you don’t go posting about it on the Internet)? It seems to me that a more reasonable principle would be “Your password should be secure against the sorts of attacks an attacker is actually likely to use.”

Suppose my password was my full name written out with the Alpha-Bravo-Charlie alphabet. (e.g. Tango-India-Mike-Three-One-Four, but obviously my real name is much longer). That’s completely insecure if you know what I’m doing, but in practice I think it’s far less likely to be cracked than something like C3cilRules!

One of the better password strength checkers is a side project from Dropbox.

The checker:
https://dl.dropbox.com/u/209/zxcvbn/test/index.html

A discussion about how it works and the strength of passwords.
https://tech.dropbox.com/?p=165

1000 per second? A cheap Timex digital watch probably has more processor power than that. :)

A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. (That’s from a story that is referenced in ClevelandProud’s link, but they show a hacker’s machine with eight 7970 cards.) It may still take a long time, but it’s getting shorter all the time.

That story is an interesting read, and I’ll be updating many of my passwords this weekend.
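
Added example, not written by any poster in this thread: it puts the two guess rates discussed above (throttled online guessing versus offline cracking of leaked hashes) next to the two passwords mentioned earlier, under both a character-by-character model and a "scheme is known" model. Assumptions: 300 guesses/s stands in for "a few hundred", the spelled-out scheme draws from a 36-word vocabulary, and the scheme-aware attacker knows the number of words. The brute-force figures are upper bounds, since a dictionary attack does not search character by character.

```python
import string

ONLINE_RATE = 300      # guesses/s: assumed value for the thread's "a few hundred"
OFFLINE_RATE = 8.2e9   # guesses/s: the single-HD7970 figure quoted in the thread

# Assumed vocabulary for the spelled-out scheme: 26 letter words + 10 digit words.
WORDS = set(("Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo "
             "Lima Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform "
             "Victor Whiskey Xray Yankee Zulu Zero One Two Three Four Five Six "
             "Seven Eight Nine").split())

def charset_size(pw):
    """Size of the smallest standard ASCII character pool covering pw."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in pw))

def brute_force_keyspace(pw):
    """Candidates a character-by-character search of this length must cover."""
    return charset_size(pw) ** len(pw)

def scheme_keyspace(pw, sep="-"):
    """Candidates if the attacker knows the word scheme; None if pw doesn't fit it."""
    tokens = pw.split(sep)
    if not all(t in WORDS for t in tokens):
        return None
    return len(WORDS) ** len(tokens)

def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / rate

def summarize(pw):
    """Worst-case seconds to exhaust each model at each guess rate."""
    spaces = {"brute": brute_force_keyspace(pw), "scheme": scheme_keyspace(pw)}
    return {(model, label): seconds_to_exhaust(ks, rate)
            for model, ks in spaces.items() if ks is not None
            for label, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE))}

if __name__ == "__main__":
    for pw in ("Tango-India-Mike-Three-One-Four", "C3cilRules!"):  # from the thread
        for (model, label), secs in summarize(pw).items():
            print(f"{pw:32} {model:6} {label:7} {secs / 86400:.3g} days")
```
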

Really?

I’m typing this with my eyes closed. How am I doing?

FTFY:

U;n ttoubg tgus wutg nt ete;s ckised. Giw an u diubg>