Throwaway account for obvious reasons, but I'm a common lurker and contributor to r/sysadmin. I have questions about the LastPass breach that extend past my area of expertise. I also just need to vent on a few of these. I'm an avid LastPass user, have been for years. Cannot live without it and gladly pay the renewal for premium every year.

- I have a 30-character master password in the "correct horse battery staple" XKCD style, so more of a passphrase. The length is obviously strong and is a nonsensical sentence, but in the end, the words are dictionary. I guess my most pressing question is how safe is my data for a month, a year, five years, etc.? Is it safe indefinitely due to MFA?
- If the data is truly offline and in the hands of the adversary, MFA is no longer in play, correct? There's nothing online to authenticate against, so unless the MFA process salted the password somehow, I can't see how MFA protects anymore.
- Is anyone realistically looking at other providers (Bitwarden hosted, Dashlane, 1Password, etc.)? My trust in any hosted provider is now generally broken, but I still want the convenience. I need the flexibility of it being on PC, Mac, Android, and others, so KeePass is out of the question.
- Vent: I have 1000s of passwords in there. Many of them are probably dead and gone, but still, it's not like I can just follow "We recommend you change your passwords!" type of guidance so easily.
- Vent: I have customer API keys in my secure notes, and while luckily not many and most are easily changeable, the fact is they're there. The tricky part of this is that some keys are for former customers with many PoCs that have themselves left. Even if I were to reach out and say "change your API key", there are some customers I wouldn't even know how to, short of emailing. I know, I know, this is on them since they should be rotating anyway, but we all know how that goes.
- Vent: Like many, it's time to move to Bitwarden via self-hosted. Really, this should have been the only model, but I didn't want to and I don't want to now. LastPass has had rock-solid availability for years and while their Android app has sucked a bit, it's always been functional and the service online. But now, I have to worry about a VM or containers and where to host it, security updates, etc. This is doable and in my wheelhouse, but still, it's one more thing to manage.

---

> I have a 30-character master password in the "correct horse battery staple" XKCD style, so more of a passphrase. The length is obviously strong and is a nonsensical sentence, but in the end, the words are dictionary.

For some reason it's the third time today I write this down, but here we go:

If you have selected four words from a word list of size >15000 in a truly random fashion, you have nothing to worry about. Let's have a look:

Four randomly selected words from a word list with 15k elements, no mutations.

The highest hashrate ever achieved by all bitcoin miners worldwide combined was 273 trillion hashes per second.

Assuming the combined work of all bitcoin miners worldwide, without any mutations.

In other words: If you were able to convince every single bitcoin miner on this planet, a large share of total GPU sales, to help you crack such a password, it would still take 3 minutes.

But bitcoin uses the intentionally fast SHA-256 algorithm. Common password hashes are designed to be around 6 orders of magnitude slower, 3 minutes suddenly become >5 years.

If however you have not chosen your words randomly, nobody can tell you how secure your master password is.

---

The number of characters doesn't matter in this case. 'degree of unpredictability' is basically decided by the distribution you pull samples from. In practice, that means how passwords are guessed/brute-forced. That does make it somewhat subjective in the sense that no one can really know how they're being attacked. The math above assumes a uniform distribution of words in the English language. That's how a significant amount of dictionary-based password guessing attacks work so it's a completely valid model, but there are others.
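The arithmetic behind the replies above, written out as an added example (not code from the thread's participants): it uses the thread's own figures (a 15,000-word list, four words, 273 trillion hashes per second, a slowdown of about six orders of magnitude for a real password hash) and adds a constructed, non-uniform word distribution to show the follow-up point that strength is set by the sampling distribution, not the character count. A 365.25-day year and worst-case exhaustive search are my assumptions.

```python
import math

# Figures quoted in the thread.
WORDLIST_SIZE = 15_000          # "a word list with 15k elements"
WORDS = 4                       # four randomly selected words
BITCOIN_PEAK_HASHRATE = 273e12  # 273 trillion hashes per second
PASSWORD_HASH_SLOWDOWN = 1e6    # "around 6 orders of magnitude slower"


def keyspace(wordlist_size: int, words: int) -> int:
    """Distinct passphrases when every word is drawn uniformly, with replacement."""
    return wordlist_size ** words


def uniform_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of the passphrase; valid only for truly random, uniform selection."""
    return words * math.log2(wordlist_size)


def shannon_entropy_bits(probabilities: list[float]) -> float:
    """Entropy per word for an arbitrary selection distribution over the list."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def exhaustive_search_seconds(space: int, hashes_per_second: float, slowdown: float = 1.0) -> float:
    """Worst-case time to try the whole space; slowdown=1 models a fast hash like SHA-256."""
    return space * slowdown / hashes_per_second


def thread_scenario() -> dict:
    """Reproduce the reply's numbers: ~3 minutes with a fast hash, >5 years with a slow one."""
    space = keyspace(WORDLIST_SIZE, WORDS)
    fast = exhaustive_search_seconds(space, BITCOIN_PEAK_HASHRATE)
    slow = exhaustive_search_seconds(space, BITCOIN_PEAK_HASHRATE, PASSWORD_HASH_SLOWDOWN)
    return {
        "keyspace": space,
        "bits": uniform_entropy_bits(WORDLIST_SIZE, WORDS),
        "fast_hash_minutes": fast / 60,
        "slow_hash_years": slow / (365.25 * 24 * 3600),   # assumed 365.25-day year
    }


def skewed_picker_bits() -> float:
    """Constructed non-uniform case: 1,000 'favourite' words carry 90% of the picks.
    Same 15,000-word list, but fewer bits per word than the uniform 13.87."""
    favourites = [0.9 / 1_000] * 1_000
    rest = [0.1 / 14_000] * 14_000
    return shannon_entropy_bits(favourites + rest)


if __name__ == "__main__":
    print(thread_scenario())
    print(f"skewed selection: {skewed_picker_bits():.2f} bits/word")
```

With a human picking "favourite" words, the same list yields roughly 10.8 bits per word instead of 13.9, which is why the reply's guarantee only holds for genuinely random selection.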