Commentary on Strong Passwords
It turns out that "2bon2btitq" is not a strong password.
Posted on November 11, 2011 at 5:52 AM
@kent - the real-world algorithm for password cracking is: grab the encrypted password and try all the possibilities.
It used to be rainbow tables - which is why 'tbon2btistq' or 'a passwd that nobody else uses' used to be good advice. They wouldn't be in the rainbow tables and so wouldn't be cracked.
Now GPU passwd hashers are faster than rainbow tables - so '$d5#2F+~' is no more secure than 'password', but 'a very long quote even comprising simple words' is N times harder.
Assuming, of course, that your opponent is using GPUs, and the website doesn't store the unhashed passwds in a file called passwd on their web server!
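To put a number on the "N times harder" claim in the comment above, here is an added example (not code from the commenter or from this site) that computes the keyspace of a short random-symbol password versus a multi-word passphrase, estimates brute-force time at an assumed guess rate, and runs a toy dictionary attack against an unsalted hash. The alphabet size (95 printable ASCII), the word-list size (7776, Diceware-style), the guess rate (1e10 per second) and the sample wordlist are all assumptions chosen for illustration; the passphrase figure assumes the words are picked at random, so a memorable quotation from a book would score lower than this model suggests.

```python
import hashlib
import math
from typing import Iterable, Optional

# Assumed parameters for the estimates below (not from the original comment):
PRINTABLE_ASCII = 95            # printable ASCII symbols, space through '~'
DICEWARE_WORDS = 7776           # size of a Diceware-style word list (6**5)
GPU_GUESSES_PER_SECOND = 1e10   # assumed rate for a fast unsalted hash on one GPU rig; illustrative only


def charset_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits of entropy in `word_count` words drawn uniformly from a list of `dictionary_size` words."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace is tried before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def times_harder(bits_a: float, bits_b: float) -> float:
    """The 'N' in 'N times harder': ratio of keyspace A to keyspace B."""
    return 2.0 ** (bits_a - bits_b)


def hash_password(password: str) -> str:
    """Unsalted SHA-256, standing in for the fast hash a careless site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """'Grab the hash and try all the possibilities': return the first candidate that matches, or None."""
    for candidate in candidates:
        if hash_password(candidate) == target_hash:
            return candidate
    return None


# Constructed sample wordlist for the demonstration; a real attack would use millions of entries.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "dragon"]


def demo() -> dict:
    """Compare the two password styles from the comment under the assumed GPU rate."""
    short_random = charset_bits(8, PRINTABLE_ASCII)     # an 8-symbol string such as $d5#2F+~
    long_phrase = passphrase_bits(7, DICEWARE_WORDS)     # seven words chosen at random from the list
    return {
        "short_random_bits": round(short_random, 1),
        "long_phrase_bits": round(long_phrase, 1),
        "short_random_days": expected_crack_seconds(short_random, GPU_GUESSES_PER_SECOND) / 86400,
        "long_phrase_years": expected_crack_seconds(long_phrase, GPU_GUESSES_PER_SECOND) / (365 * 86400),
        "N": times_harder(long_phrase, short_random),
        # Constructed targets: a wordlist hit and a miss.
        "password_cracked": dictionary_attack(hash_password("password"), SAMPLE_WORDLIST),
        "phrase_cracked": dictionary_attack(hash_password("correct horse battery staple"), SAMPLE_WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At the assumed rate the 8-symbol password (about 52.6 bits) falls in a few days, while seven random words (about 90.5 bits) are over 10^11 times more work; what actually decides the outcome is the guess rate the site's hash function allows, which is why a slow, salted password hash matters as much as the password itself.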