Schneier on secure password requirements

Discussion in 'privacy technology' started by Gullible Jones, Aug 21, 2014.

  1. noone_particular (Registered Member; joined Aug 8, 2008; 3,798 posts)

    I'll stick with copy/paste from files like these.
    I have 6 source files like these, each at least 500 lines long. Unless an adversary knows which file I used, where I started and ended, the length of the key, whether or not the password crosses lines, and whether the phrase came from more than one copy/paste, the odds of them finding the password are very remote, even with all of them in plain sight.
     
  2. Dick99999 (Registered Member; joined Aug 3, 2012; 14 posts; location: Netherlands)

    Interesting thread. None of those, however, are geared to passphrases, just as mine is not geared to passwords. Recovery time estimation is not valid if a passphrase is assumed to be attacked as a password. What I liked in zxcvbn is that it tries to combine both.

    As I said, one should also take the usage of the passphrase into the equation. Perhaps the following is convincing for that (taken from my standard analysis report).

    Suppose the current passphrase is: wadi attack overt wire
    • When used as a WiFi key, the passphrase could be recovered off-line in 1.2 centuries on average.
      Assumed recovery hardware etc.: WiFi, 8 GPUs, WPA/WPA2
    • When sniffed as an NTLM password on a Windows network, the phrase can be recovered in 4.0 hours on average!
      Assumed recovery hardware: Fast hash/Prof Hw, 25 GPUs
    • When used as a WiFi key, agencies employing a GPU array with 128 GPUs could recover it in 7.5 years on average!
      Assumed hardware: 128 GPU array, '8 to 128 extrapolation estimation'.

    --- edit: 1024 should be 128, now OK
     
    Last edited: Sep 1, 2014
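The contrast the post draws between a password-style estimate (the phrase as random characters) and a passphrase-aware estimate (the phrase as words from a known list), under a slow WPA2 hash versus a fast NTLM hash, worked through as an added Python example that is not from the post or from any tool it mentions. The guess rates, the 27-symbol alphabet and the 7776-word dictionary are constructed assumptions, not figures from the report quoted above.

```python
# Constructed guess rates (guesses per second) for the two attack settings the
# post contrasts. Illustrative assumptions, not measured benchmarks: WPA2
# guessing is throttled by PBKDF2 key stretching, NTLM (plain MD4) is not.
GUESS_RATES = {
    "WPA2, 8 GPUs (assumed rate)": 8 * 400_000,
    "NTLM, 25 GPUs (assumed rate)": 25 * 40_000_000_000,
}

def char_level_keyspace(passphrase: str, alphabet_size: int = 27) -> int:
    """Keyspace if the attacker treats the phrase as random characters.
    Default alphabet: 26 lowercase letters plus space (an assumption)."""
    return alphabet_size ** len(passphrase)

def word_level_keyspace(passphrase: str, dictionary_size: int = 7776) -> int:
    """Keyspace if the attacker knows it is a word-list passphrase.
    7776 is the Diceware list size, assumed here; the post does not say."""
    return dictionary_size ** len(passphrase.split())

def average_recovery_seconds(keyspace: int, guesses_per_second: int) -> float:
    """An exhaustive search succeeds, on average, halfway through the keyspace."""
    return keyspace / 2 / guesses_per_second

def format_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for the report only."""
    for unit, size in (("centuries", 3_153_600_000), ("years", 31_536_000),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def strength_report(passphrase: str) -> dict:
    """Average recovery time for every (attack model, guess rate) pair."""
    spaces = {
        "as characters": char_level_keyspace(passphrase),
        "as dictionary words": word_level_keyspace(passphrase),
    }
    return {
        (model, scenario): average_recovery_seconds(space, rate)
        for model, space in spaces.items()
        for scenario, rate in GUESS_RATES.items()
    }

if __name__ == "__main__":
    phrase = "wadi attack overt wire"  # the example phrase from the post
    for (model, scenario), secs in strength_report(phrase).items():
        print(f"{model:>20} | {scenario:<30} | {format_duration(secs)}")
```

Under these assumptions the same 22-character phrase looks astronomically strong when modelled as characters but falls to a fast NTLM hash in well under an hour when modelled as four dictionary words, which is the gap the post is pointing at.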
  3. noone_particular (Registered Member; joined Aug 8, 2008; 3,798 posts)

    Regarding encryption software and password size limits, Scramdisk can utilize 4 passwords/phrases of 39 characters each, total 156 characters. It had this ability 14 years ago.
     
  4. LuksWall (Registered Member; joined Sep 3, 2014; 6 posts)

    I am starting to deploy two form factor authentication, in the form of a text message or Google Authenticator. I also seldom use generators. I prefer to randomly generate my own passwords. The answers to my security questions are irrelevant to the question itself. Let me give some examples of passwords and answers to questions.

    Passwords:

    %*(haTsofToRoyharpER$$#@%
    ^)9PalmtreESareburgandY%)(8!!
    %*^$garMundPhilcoRCa!

    Questions and answers:

    What was your first car?
    onions and bagels!09

    What was the name of your first pet?
    !Bulgaria&Austria!

    With the above approach, most attackers can be stopped.