On 11/08/2011 07:17 PM, Jim Henderson wrote:
> On Thu, 11 Aug 2011 09:09:01 +0100, Invisible wrote:
>
>> Personally, I think the most /realistic/ way to gauge password strength
>> is to see how long it takes real, commonly-available password crackers
>> to break your password. After all, /that/ is what most unsophisticated
>> attackers are going to use against you.
>
> Arguably that's the most accurate way, but not the most realistic way.
> It wouldn't be realistic to run a prospective password through each one
> of those tools when setting the password.

You don't think so?
I think that if you type a password and a cracker can guess it in under
30 seconds, you should definitely pick a different password. But maybe
that's just me...

> In addition, if you've got rainbow tables-based cracking, as long as the
> tables extend to the length of the password (and take into account the
> appropriate factors for the password algorithm, naturally), then the
> cracking time is linear no matter what the complexity of the password is
> - which would be both unrealistic and inaccurate as a measure, because
> the hashes are precomputed.

On the other hand, salting the password trivially defeats rainbow tables.

--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
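
Added example, not part of the original post: a Python sketch of the salting point above, showing a precomputed hash-to-plaintext table hitting an unsalted hash and missing a salted one. A plain dictionary stands in for a rainbow table (which is a space-compressed form of the same precomputation); the candidate list, function names and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for the
# plaintext space a precomputed table would cover.
CANDIDATES = ["password", "letmein", "qwerty123", "correct horse"]

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored in the clear next to the hash; it is not a secret.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(candidates):
    """Precompute hash -> plaintext once; reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def new_record(password: str):
    """Create a stored credential with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Legitimate login check: recompute with the stored salt, compare safely."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo():
    table = build_table(CANDIDATES)
    # Two users choosing the same password, stored without a salt.
    u1, u2 = unsalted_hash("letmein"), unsalted_hash("letmein")
    # The same two users, stored with per-record salts.
    salt_a, rec_a = new_record("letmein")
    salt_b, rec_b = new_record("letmein")
    return {
        "unsalted_identical": u1 == u2,          # same hash for both users
        "unsalted_found": table.get(u1),         # one lookup recovers it
        "salted_identical": rec_a == rec_b,      # salts make records differ
        "salted_found": table.get(rec_a),        # precomputed table misses
        "verify_ok": verify("letmein", salt_a, rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting removes only the precomputation advantage; the per-guess cost against a single record is unchanged, which is what a slow KDF such as `hashlib.scrypt` or `hashlib.pbkdf2_hmac` addresses.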