
What should i do about Synthient Credential Stuffing Threat Data

Comments

  • Eyeful
    Eyeful Posts: 1,261 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    bob2302 said:
    For example, I use 99-128 character, fully random alpha-numeric + symbols for every site that supports it.

    20 characters is paranoid.
    1. Is that just your opinion, or can you point to an expert source?

    2. The greater the length of the pw, the longer it takes to crack it. It's that simple.
        Password managers allow long & complex pws to be generated with ease, so why not use them?

    3. The experts in this field say to make the pw as long & complex as the website will allow.

    4. Why make things easy for hackers?

  • PRAISETHESUN
    PRAISETHESUN Posts: 5,086 Forumite
    Seventh Anniversary 1,000 Posts Photogenic Name Dropper
    Eyeful said:
    1. Is that just your opinion, or can you point to an expert source?

    2. The greater the length of the pw, the longer it takes to crack it. It's that simple.
        Password managers allow long & complex pws to be generated with ease, so why not use them?

    3. The experts in this field say to make the pw as long & complex as the website will allow.

    4. Why make things easy for hackers?


    My thoughts exactly. If a website supports long and complex passwords, and my PWM can remember those for me, why shouldn't I use them? It's literally zero extra cost/effort over using a shorter, weaker password. Besides, what's impossible to crack by brute force now might not be in the future.

    And just because you’re paranoid doesn’t mean they aren’t after you 😉
  • bob2302
    bob2302 Posts: 655 Forumite
    500 Posts Third Anniversary Name Dropper
    Eyeful said:
    1. Is that just your opinion, or can you point to an expert source?

    2. The greater the length of the pw, the longer it takes to crack it. It's that simple.
        Password managers allow long & complex pws to be generated with ease, so why not use them?

    3. The experts in this field say to make the pw as long & complex as the website will allow.

    4. Why make things easy for hackers?

    The only technical reason for allowing a 100-character password is that 100 characters of English contains 100-130 bits of entropy; a 20-character random string of printable ASCII has 130 bits.

    The point of a strong password is to allow the salted hash to resist dictionary/brute-force attack after a breach - it gives you a chance to change your password. It doesn't have to stand up to the undivided attention of the NSA for 50 years. In such attacks resources are spread thinly across all passwords.

    In any case most important sites have at least 2FA.
  • Eyeful
    Eyeful Posts: 1,261 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    bob2302 said:
    The only technical reason for allowing a 100-character password is that 100 characters of English contains 100-130 bits of entropy; a 20-character random string of printable ASCII has 130 bits.

    The point of a strong password is to allow the salted hash to resist dictionary/brute-force attack after a breach - it gives you a chance to change your password. It doesn't have to stand up to the undivided attention of the NSA for 50 years. In such attacks resources are spread thinly across all passwords.

    In any case most important sites have at least 2FA.
    1. Your original post mentioned the character length only, not any extra steps to improve security.

    2. There are different types of 2FA. Some types of 2FA are more secure than others.

    3. You can also try using a security key or a passkey.

    4. There is no such thing as "perfect security". A layered approach to security is probably the best approach.

    5. You try to make sure, as far as you can, that you are not seen as the low-hanging fruit.
    You hope a hacker will then move on to someone else who is easier to crack.
  • bob2302
    bob2302 Posts: 655 Forumite
    500 Posts Third Anniversary Name Dropper
    Eyeful said:
    1. Your original post mentioned the character length only, not any extra steps to improve security.

    2. There are different types of 2FA. Some types of 2FA are more secure than others.

    3. You can also try using a security key or a passkey.

    4. There is no such thing as "perfect security". A layered approach to security is probably the best approach.

    5. You try to make sure, as far as you can, that you are not seen as the low-hanging fruit.
    You hope a hacker will then move on to someone else who is easier to crack.
    A 20-character random password is not low-hanging fruit. If you were to repurpose all of the world's bitcoin mining to crack password hashes, you would expect to get 1 every 50 billion years.
  • Vitor
    Vitor Posts: 1,301 Forumite
    1,000 Posts First Anniversary Photogenic Name Dropper
    Until quantum computers become viable. ;)
  • Eyeful
    Eyeful Posts: 1,261 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    edited 5 December 2025 at 6:38PM
    bob2302 said:
    A 20-character random password is not low-hanging fruit. If you were to repurpose all of the world's bitcoin mining to crack password hashes, you would expect to get 1 every 50 billion years.
    1. I am not saying that a 20-character random password is no good; however, I would not use this length of password for something important, like internet banking.

    2. A 20-character random password is low-hanging fruit when compared to, say, a 100-character random password.

    3. If you can generate longer random-character passwords with little trouble and store them with ease, why not do so? It helps future-proof against hacking.

    4. Compare the computer used for the moon landing with the one you used to write your post. The increase in processing power is enormous.

    5. I heard earlier this year on a news broadcast that a crude working quantum computer has already been made.
    So how long even a 100-character random password will be any good remains to be seen.

    6. New ways for securing information are going to have to be found.

  • bob2302
    bob2302 Posts: 655 Forumite
    500 Posts Third Anniversary Name Dropper
    Eyeful said:
    1. I am not saying that a 20-character random password is no good; however, I would not use this length of password for something important, like internet banking.

    2. A 20-character random password is low-hanging fruit when compared to, say, a 100-character random password.

    3. If you can generate longer random-character passwords with little trouble and store them with ease, why not do so? It helps future-proof against hacking.

    4. Compare the computer used for the moon landing with the one you used to write your post. The increase in processing power is enormous.

    5. I heard earlier this year on a news broadcast that a crude working quantum computer has already been made.
    So how long even a 100-character random password will be any good remains to be seen.

    6. New ways for securing information are going to have to be found.

    FWIW there has been no unpredictable change in computing power in the last century - it all broadly conforms to Moore's law. Brute-forcing passwords is a relatively hard problem for a quantum computer; it's not likely to make much difference in the early days.

    It doesn't really matter though; in the event of an impending disruptive change in technology your bank can simply force a password change on everyone. The point of a strong password is just to give you time to change your password after a breach. It's a completely different case to password-protected data.

    Aside from a very small risk that long passwords might not be handled properly, there's no reason for or against excessive passwords. But not all passwords are that easily handled, and it's not helpful to misrepresent very strong passwords as weak.

    Your password will be stored in, at most, a 512-bit hash, which corresponds to a 78-character password. If you go beyond this there will be other passwords at around 78 characters that also work. 512 bits is overkill; the reason why these hash functions exist is to give protection against collision attacks, which aren't relevant to passwords.
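The figures traded in this thread (130 bits for 20 printable-ASCII characters, 78 characters as the random-string equivalent of a 512-bit hash, tens of billions of years against all of the world's bitcoin mining, and the Moore's-law point) can be checked with a short calculation. This is an added example written for this page, not code from either poster; the global guess rate is an assumed round figure, and the function names and the doublings-of-headroom measure are my own.

```python
import math

# Printable ASCII: space through '~', the alphabet both posters are counting.
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed order of magnitude for "all of the world's bitcoin mining", in
# guesses per second. A constructed round figure, not a measured value; bitcoin
# ASICs compute SHA-256, not a password KDF, so this is a generous upper bound
# on any real password-cracking rate.
ASSUMED_GLOBAL_HASH_RATE = 1e21


def entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(bits: float, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Shortest random string over the alphabet carrying at least `bits`.
    With bits=512 this reproduces the 78-character figure from the thread.
    Real password hashes impose their own limits too (bcrypt, for example,
    only uses the first 72 bytes), so check the site's limit as point 3 says."""
    return math.ceil(bits / math.log2(alphabet_size))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one specific random password by exhaustive search.
    On average half the keyspace (2**(bits-1) guesses) must be tried."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def doublings_of_headroom(bits: float, guesses_per_second: float,
                          acceptable_years: float) -> int:
    """How many doublings of attacker speed (Moore's-law steps) a password
    survives before its expected crack time drops below `acceptable_years`.
    Each doubling removes exactly one bit of effective strength."""
    years = expected_crack_years(bits, guesses_per_second)
    if years <= acceptable_years:
        return 0
    return math.floor(math.log2(years / acceptable_years))


def summarize(lengths=(8, 20, 78, 100),
              guesses_per_second: float = ASSUMED_GLOBAL_HASH_RATE) -> list:
    """Rows of (length, bits, expected years to crack) for the thread's sizes."""
    return [(n, round(entropy_bits(n), 1),
             expected_crack_years(entropy_bits(n), guesses_per_second))
            for n in lengths]


if __name__ == "__main__":
    for n, bits, years in summarize():
        print(f"{n:>3} chars  {bits:>6.1f} bits  {years:.2e} years")
    print("Random-string equivalent of a 512-bit hash:", length_for_bits(512))
```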
  • Eyeful
    Eyeful Posts: 1,261 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    edited 10 December 2025 at 12:48PM
    bob2302

    1. I would think that brute-forcing passwords would most likely be the last method a hacker would use to crack a password, even with today's processing power.

    2. You keep implying that I am calling a 20-character complex password weak. I have never said this.
    What I have stated is that for things like internet banking and sensitive information a longer password is better.

    3. It is sensible, when using a password on any website, to first find out the maximum number of characters it will accept. If you go beyond this length then it is likely that your password will be silently truncated.
    You may then experience login failures & have weakened security.

    Consider using point 3 instead of your more technical explanation.

  • bob2302
    bob2302 Posts: 655 Forumite
    500 Posts Third Anniversary Name Dropper
    Eyeful said:
    bob2302

    1. I would think that brute-forcing passwords would most likely be the last method a hacker would use to crack a password, even with today's processing power.

    2. You keep implying that I am calling a 20-character complex password weak. I have never said this.
    What I have stated is that for things like internet banking and sensitive information a longer password is better.

    3. It is sensible, when using a password on any website, to first find out the maximum number of characters it will accept. If you go beyond this length then it is likely that your password will be silently truncated.
    You may then experience login failures & have weakened security.

    Consider using point 3 instead of your more technical explanation.

    If you are not bothered about offline brute-forcing, then why do you care about any of this?

    You are missing the point about 3; if a website allows 120-character passwords, that doesn't mean that only one single string of 120 characters will allow login. There will be of the order of 10^36 other passwords that also work, and the shortest of these will be approximately 78 characters long. I've already explained to you why sites support this.