Yeah, I’d consider anything less than 20 characters broken. Much too likely that it’s contained in a rainbow table, regardless of how many special characters you use. Can I remember many 20 character passwords? No, but my password manager can.
That’s a big rainbow table. Like, with just precomputed values and random ASCII character passwords it’s on the order of 10^42 entries. You can shave that down a bit probably with all the tricks rainbow tables use, but I think you’re safe.
Base85 contains just about every printable ASCII character, so I’ll use that as a base. 85^16 ≈ 10^31 -> extremely huge, but still feasible at least for state actors. 85^20 ≈ 10^39 -> if I read Wolfram Alpha’s comparison correctly, that is more information than is believed to be contained in the DNA of all living creatures combined. That’s why I’d recommend >= 20 characters.
State actors don’t generally need to break passwords. They ask the company “nicely” and they get what they want. The exception would be if that password is being used to encrypt data.
10^31 is ridiculously huge too. The NSA probably works on EB scales, which is “only” 10^18 bytes. If you can get up to 10^22 equally likely passwords you’re fine against dragnet, brute force-style attacks. (If you’re zombie Bin Laden and the NSA will stop for a whole year cracking your drive, and doesn’t have any shortcuts, maybe you need 10^39 I guess)
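The keyspace arithmetic the comments above are doing by hand (85^16, 85^20, "10^22 is enough against a 10^18-byte attacker") is easy to get wrong with powers of ten, so here is a small calculator for it. This is an added example and not code from any of the commenters; the attacker figures it takes as input (10^18 bytes of storage, 10^12 guesses per second, 16 bytes per precomputed entry) are assumptions chosen to match the thread's numbers, not measurements.

```python
import math

PRINTABLE_ASCII = 95   # space through '~'
BASE85 = 85            # the alphabet the commenter above uses as a rough proxy

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of exactly `length` characters."""
    return alphabet_size ** length

def log10_keyspace(alphabet_size: int, length: int) -> float:
    """log10 of the keyspace, i.e. the exponent the commenters are quoting."""
    return length * math.log10(alphabet_size)

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

def length_for_keyspace(alphabet_size: int, target_log10: float) -> int:
    """Smallest length whose keyspace reaches 10**target_log10."""
    return math.ceil(target_log10 / math.log10(alphabet_size))

def naive_table_bytes(alphabet_size: int, length: int, entry_bytes: int = 16) -> int:
    """Storage for a full precomputed table with one entry per password.
    Real rainbow tables store only chain endpoints, so this is an upper bound;
    the time/memory trade-off does not change the keyspace itself."""
    return keyspace(alphabet_size, length) * entry_bytes

def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password (half the keyspace)."""
    seconds = keyspace(alphabet_size, length) / 2 / guesses_per_second
    return seconds / (365.25 * 86400)

def feasibility(alphabet_size: int, length: int,
                storage_bytes: float = 1e18,          # assumed: "EB scale" attacker
                guesses_per_second: float = 1e12) -> dict:
    """Summarise one (alphabet, length) choice against an assumed attacker budget."""
    return {
        "log10_keyspace": round(log10_keyspace(alphabet_size, length), 2),
        "entropy_bits": round(entropy_bits(alphabet_size, length), 1),
        "fits_in_storage": naive_table_bytes(alphabet_size, length) <= storage_bytes,
        "brute_force_years": brute_force_years(alphabet_size, length, guesses_per_second),
    }

if __name__ == "__main__":
    for length in (8, 12, 16, 20, 32):
        print(length, feasibility(BASE85, length))
    print("base-85 length needed for 10^22:", length_for_keyspace(BASE85, 22))
    print("base-85 length needed for 10^39:", length_for_keyspace(BASE85, 39))
```

Two things the numbers make visible: 20 random base-85 characters is just over 128 bits of entropy, which is why that length lines up with symmetric-key strength, and 85^20 is actually a little under 10^39 (about 10^38.6), so the "10^39" in the comment is rounded up by about a factor of 2.5. None of this applies to human-chosen passwords, where the alphabet size is not the relevant quantity at all.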
That being said, if more characters is no problem, go ahead and do that. I’m not saying more security for free is a bad thing.
I let my password manager create 32 char passwords, that should be enough for a while. But of course then you have websites that throw you a ‘your password is too long’ message and have you find out by trial and error that they only accept 12 characters.
Or the off-by-one errors where they insist that 24 chars are the max, but in reality they accept 23. Probably never tested the limit.
Or websites that truncate your password after X characters when registering, but not when logging in, so you end up with an incorrect password and good luck finding out which limit the registration page actually uses.
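The failure mode described in the last few comments (registration silently cuts the password at some limit, login does not, and the user has to discover the limit by trial and error) is easy to reproduce. The following is an added example written for this thread, not code from any site mentioned in it; the 12-character limit, the store classes and the `find_truncation_limit` helper are all hypothetical. It shows the buggy pair of handlers, the trial-and-error search a user ends up doing, and a fixed version that enforces one explicit limit identically on both paths and rejects rather than truncates.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000

def _hash(password: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; a memory-hard KDF would be
    # preferable in production, but the bug being shown is independent of the KDF.
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)

class BuggyAccountStore:
    """Registration silently truncates to MAX_LEN bytes; login hashes the full input."""
    MAX_LEN = 12  # hypothetical limit, as in the comment above

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        pw = password.encode("utf-8")[: self.MAX_LEN]  # BUG: silent truncation
        salt = os.urandom(SALT_LEN)
        self._users[user] = (salt, _hash(pw, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(password.encode("utf-8"), salt), digest)

class FixedAccountStore:
    """One normalisation step shared by both paths; over-long input is an error, not a cut."""
    MAX_LEN = 128  # chosen limit; the point is that it is the same limit everywhere

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def _normalize(self, password: str) -> bytes:
        pw = password.encode("utf-8")
        if len(pw) > self.MAX_LEN:
            raise ValueError(f"password longer than {self.MAX_LEN} bytes")
        return pw

    def register(self, user: str, password: str) -> None:
        pw = self._normalize(password)
        salt = os.urandom(SALT_LEN)
        self._users[user] = (salt, _hash(pw, salt))

    def login(self, user: str, password: str) -> bool:
        pw = self._normalize(password)
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(pw, salt), digest)

def find_truncation_limit(store, user: str, password: str):
    """The trial-and-error search from the comment: try ever-shorter prefixes
    until one logs in. Returns the shortest working prefix length, or None."""
    for n in range(len(password), 0, -1):
        if store.login(user, password[:n]) and not store.login(user, password[: n - 1] if n > 1 else ""):
            return n
    return None

if __name__ == "__main__":
    # Constructed 32-character password, as the password manager in the thread would generate.
    pw = "Tq7#vL9$mX2!pR4&wZ8^kN5*jH3@bC6%"
    buggy = BuggyAccountStore()
    buggy.register("alice", pw)
    print("buggy login with full password:", buggy.login("alice", pw))        # False
    print("buggy store actually keeps:", find_truncation_limit(buggy, "alice", pw), "chars")
    fixed = FixedAccountStore()
    fixed.register("alice", pw)
    print("fixed login with full password:", fixed.login("alice", pw))        # True
```

The search helper checks that the prefix works and that one character fewer does not, so it reports the real cut-off rather than the first prefix that happens to match; on the buggy store that is 12, which is exactly the information the site never told the user. The fix is not the larger number but the shared `_normalize`: whatever the limit, registration and login must apply it identically, and a rejected registration is far better than a silently mangled one.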