Horse Staple
We should concentrate on protecting logins from statistical attacks, not on resisting brute force. If you have to choose a password, one of the most important criteria for the new one should be how many other people have chosen the same one. The most effective thing we can do as a security community is to change our password meters and ban the use of common passwords.
The XKCD cartoon shown above appears in every article written about passwords. In fact, the number of passwords we have to remember is quite small, and there is no need to teach people how to choose a good one. Everybody knows what a good password looks like; we just can't remember distinct, strong passwords for every online service.
The emergence of password managers meant that the vast majority of passwords could be generated at random and replaced by a single unique password that gives easy access to all the others. This solves both the strength and the memorability problem for 95% of your passwords. Obvious exceptions to this policy are the password manager's own master password, laptop and phone unlock codes, etc.
Note, however, that this number of passwords is generally static; it does not grow when you sign up for a new service. In my opinion, even if we kept the XKCD cartoon and started training people to choose four random words instead of a complicated single-word password, it would not significantly improve security.
Brute-forcing properly hashed passwords is hard these days. We did a great job as a community by promoting slow password hashing and shaming those who use weak hashes. The most effective attacks against properly hashed passwords require both a weak password and a lot of money for dedicated hardware to crack it offline, which the vast majority of attackers do not have.
Without a copy of your password hashes, an attacker is restricted to trying username/password combinations over the network, which reduces the maximum number of attempts per second by at least three orders of magnitude. This means we should stop rating password strength blindly by the number of entropy bits and, above all, consider how dictionary-resistant the password is.
Heuristics for validating a password (e.g. minimum length, mandatory use of mixed alphanumeric characters, etc.) are largely useless and often counter-productive. As a result, very weak and fragile passwords are used over and over, and they are highly susceptible to statistical attacks (a dictionary attack ordered by decreasing probability of occurrence).
Combined with the dominance of dictionary attacks and the leakage of large password databases, this situation has in recent years given the impression that the only useful criterion for rating the strength of a candidate password is the frequency with which it has occurred in the past.
This means that instead of a password meter you should make sure there is no bias in the way passwords are distributed across your system. When every single password is unique, the benefit of a statistical attack is greatly reduced. First of all, I think we should stop spreading the notion that there is a way to choose memorable passwords that keep an attacker at bay.
That means no more "How to choose my password" blog posts. Secondly, use the password meter to improve the level of password hygiene. I've seen many dumb password meters, but I've never seen one that tells the user to generate passwords and save them in a password manager.
Lastly, we should rate the strength of a password on the basis of how often it has occurred, not on naive character statistics and misguided entropy calculations. Our longer-term policy should be to eliminate passwords as the only form of authentication and make multi-factor authentication the standard everywhere.
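As an added example (not part of the original post), the following Python contrasts the complexity heuristic the text calls useless with a frequency-based check against a ranked list of leaked passwords, and measures the payoff of a statistical attack on a set of accounts. The ranked list and the user passwords are constructed samples; a real deployment would load a large leaked-password corpus.

```python
import re

# Constructed sample of a frequency-ranked leaked-password list (most common first).
# Illustrative only; a real check would use a corpus of millions of entries.
COMMON_PASSWORDS_RANKED = [
    "123456", "password", "qwerty", "Password1", "Password1!",
    "letmein", "iloveyou", "welcome1", "Summer2023!", "admin123",
]
# Case-folded so trivial capitalisation variants share a rank.
RANK = {p.lower(): i + 1 for i, p in enumerate(COMMON_PASSWORDS_RANKED)}


def passes_complexity_heuristic(pw: str, min_len: int = 8) -> bool:
    """The classic 'length plus character classes' rule: it accepts Password1!
    and rejects a long all-lowercase passphrase, which is exactly backwards."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def frequency_rank(pw: str):
    """Rank of pw in the leaked list (1 = most common), or None if never seen.
    An attacker guessing in rank order needs this many online attempts."""
    return RANK.get(pw.lower())


def is_acceptable(pw: str, max_rank: int = 10_000) -> bool:
    """Frequency-based policy: reject anything seen at or above max_rank."""
    r = frequency_rank(pw)
    return r is None or r > max_rank


def attacker_coverage(user_passwords, k: int) -> float:
    """Fraction of accounts compromised by trying only the k most common
    passwords against every account. This is the payoff of a statistical
    attack; it tends to zero when every account's password is unique."""
    if not user_passwords:
        return 0.0
    top_k = {p.lower() for p in COMMON_PASSWORDS_RANKED[:k]}
    hits = sum(1 for pw in user_passwords if pw.lower() in top_k)
    return hits / len(user_passwords)


if __name__ == "__main__":
    accounts = ["Password1!", "qwerty", "z9!Qm#Lp", "letmein"]  # constructed
    for pw in accounts:
        print(pw, passes_complexity_heuristic(pw), frequency_rank(pw), is_acceptable(pw))
    print("coverage with 6 guesses:", attacker_coverage(accounts, 6))
```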
Above all, we should concentrate some of our effort on giving users the basic password hygiene they need. Users do not need lectures on how to choose a password; they need to be encouraged to use a good password manager. The few passwords you still have to remember should be made not only strong from an information-theoretic point of view, but also dictionary-resistant.