thembones's comments

Giving counter-offers is just as bad as accepting, you're right. This has been written on as well, http://bramcohen.com/2011/12/04/never-make-counter-offers


Seems like you decided to quote the article, yet ignore the actual advice.

>Password length is 99% of password security. Password complexity is a distant second when it comes to modern password security.

He doesn't say to use a common 10 letter word with no complexity, which you infer with your comment. It's also comparing 72^8 with 72^22. The point of the article is that length trumps complexity. Not sure how you came to your conclusion.


My point is that 72^8 versus 72^22 is an invalid comparison for determining the relative strength of those passwords.

B5s9z-Qx is 72^8

SophisticatedpwsRock!! is something like number_of_common_words^2 + 26^3 + 10^2. In other words, two common words, three lowercase letters and two symbols.

You can put each of these passwords in Dropbox's zxcvbn (https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.ht...) to see this more clearly.

They give a guesses_log10 of 8 for "B5s9z-Qx" and 12.76155 for "SophisticatedpwsRock!!". In other words, the latter is stronger, but it's not 72^14 times stronger. That's where the article messes up.

An attacker isn't going to crack "SophisticatedpwsRock!!" by trying 72^22 options. Just like an attacker isn't going to crack "password" by trying 72^8 or even 26^8 options. They're going to try 1000 or so options of super common passwords for "password" and some combination of dictionary words, abbreviations, symbols, common transformations, etc for "SophisticatedpwsRock!!". This makes the search space much, MUCH smaller than 72^22.


>My point is that 72^8 and 72^22 is an invalid comparison to determine the relative strength of those passwords.

That's fair, but you're talking about directly attempting to crack as opposed to rainbow tables, which I believe was the author's intention, mapping the full key space. In this case, the exponents still hold.

>Do not follow this advice on passwords.

Additionally, maybe your first comment's point wasn't well articulated, since the author's work has proven true in your own tests for the passwords given: length trumps complexity. I would also argue that he doesn't say anywhere "do not use complexity"; he specifically points out, however, that banks use complexity as a mask of security while limiting length.


Length does not trump complexity.

"Internationalization" is 20 letters long, but it will be cracked in seconds by even a moderately sophisticated attacker. (zxcvbn gives it guesses_log10 of 4.34708)

The only way to measure password strength is to estimate the number of guesses necessary to crack the password. That means figuring out how many possible passwords could have been chosen for whatever method you are using to pick your password. In the case of "SophisticatedpwsRock!!", the method is something like: common adjective with a common transformation (capitalization), relatively common abbreviation, common noun with a common transformation, common punctuation, common punctuation. The number of possible passwords using that pattern is what you should be interested in, because that is how the attacker is going to get your password, not by trying every possible combination of characters.

For a simple example, the passwords "i like salt" and "you like pepper" should be considered equally strong (or equally weak as the case may be) since they follow the same pattern for generation. Any system of determining password strength which gives them significantly different strengths is misleading. In this case, if we followed the method the author used, we would say "you like pepper" is 26^4 times stronger, which is absurd. (zxcvbn by comparison gives them both almost the same rating: guesses_log10 of approximately 8.)

You cannot take a password picked by one method (common words) and score based on another method (characters). Passwords are only as strong as the easiest possible way to guess them. If you generate 8 random characters and they happen to spell "password", your password is still weak because it can be guessed by a much easier method than going through every combination of 8 characters.

Find the easiest way to approach guessing a password and see how many tries it would take using that method. That will give you the strength of the password. Counting characters will not.
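As an added illustration of the easiest-method argument above (this is not the commenter's code and not zxcvbn), the script below scores the thread's passwords under both the article's 72^n charset model and a pattern model whose dictionary and transform pool sizes are constructed assumptions:

```python
import math

CHARSET = 72  # symbol-set size behind the article's 72^8 vs 72^22 comparison

# Constructed, illustrative pool sizes for an attacker's guessing dictionaries.
# These are assumptions for the demonstration, not zxcvbn's internal numbers.
TOP_PASSWORDS = 1_000   # "password" falls inside the first thousand guesses
PRONOUNS = 10
COMMON_VERBS = 2_000
COMMON_WORDS = 50_000
ABBREVIATIONS = 5_000
TRANSFORMS = 4          # none / Capitalised / UPPER / simple substitution
SYMBOLS = 20            # punctuation most often appended

def charset_log10(password, charset=CHARSET):
    """Article's model: each character drawn uniformly from `charset` symbols,
    so guesses = charset ** len(password). Returns log10 of that count."""
    return len(password) * math.log10(charset)

def pattern_log10(components):
    """Guess count of one generation method: the product of the candidate pool
    for every token (word, transform, symbol ...), returned as log10."""
    return sum(math.log10(pool) for pool in components)

def effective_log10(password, methods):
    """A password is only as strong as the easiest method that produces it, so
    take the minimum over every known method plus brute force over the charset."""
    return min([charset_log10(password)] + [pattern_log10(m) for m in methods])

def advantage_log10(weak, strong):
    """Orders of magnitude by which `strong` beats `weak` under each model:
    (charset model, easiest-method model). Items are (password, methods)."""
    return (charset_log10(strong[0]) - charset_log10(weak[0]),
            effective_log10(*strong) - effective_log10(*weak))

# The thread's passwords, each with the pattern an attacker would actually run.
RANDOM8 = ("B5s9z-Qx", [])  # truly random: nothing cheaper than brute force
PHRASE = ("SophisticatedpwsRock!!", [[COMMON_WORDS, TRANSFORMS, ABBREVIATIONS,
                                      COMMON_WORDS, TRANSFORMS, SYMBOLS, SYMBOLS]])
SALT = ("i like salt", [[PRONOUNS, COMMON_VERBS, COMMON_WORDS]])
PEPPER = ("you like pepper", [[PRONOUNS, COMMON_VERBS, COMMON_WORDS]])
UNLUCKY = ("password", [[TOP_PASSWORDS]])  # 8 "random" chars spelling a top-1000 password

if __name__ == "__main__":
    for weak, strong in ((RANDOM8, PHRASE), (SALT, PEPPER), (UNLUCKY, RANDOM8)):
        by_charset, by_method = advantage_log10(weak, strong)
        print(f"{strong[0]!r} over {weak[0]!r}: charset model +{by_charset:.1f}, "
              f"easiest-method model {by_method:+.1f} (log10 guesses)")
```

The charset model credits the phrase with 72^14 more guesses than the random string and the two "like" phrases with a 72^4 gap, while the easiest-method model shows a modest gap for the first pair and none for the second, and rates "password" by its top-1000 membership rather than by its eight characters.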


>"Internationalization" is 20 letters long, but it will be cracked in seconds by even a moderately sophisticated attacker. (zxcvbn gives it guesses_log10 of 4.34708)

Literally nothing to do with the article and an absurd choice for a password to make your (misguided) point. Length does trump complexity, however once again I'll repeat, the article doesn't say complexity doesn't matter. It does. It says it does.

Sorry my man, I think you missed the point of the article entirely. I also think your knowledge about how passwords are cracked in the wild is off base. Your theoretical thought experiment here isn't how it's done. Also the Dropbox password calculator you provided proves it. Every single character added to a decent password adds guesses_log10 assuming moderate complexity.


Exploding offers are necessary. I agree they should be discussed with the candidate at the interview so there is full disclosure. That being said, I have a role I need to fill and I'm aggressive with hiring. If the candidate doesn't want to work for my company on its merits (assuming my offer isn't way off base, of course) then I want to move on to someone who does. The candidate's time is important, but so is the company's.


Oh right, sure, I totally believe this.

Just like all of the other stories of "needing to hire someone immediately" and having an open head count go unfilled for months and months. It's not a credible story, I'm afraid. I've seen what it's like to hire people in tech, I've been on both sides of it. And frankly the issue of timeliness is so far down the list from being able to find someone experienced and competent who you can trust as to barely be an issue. If you think you need someone in role RIGHT GODDAMN NOW, you're probably mistaken and need to readjust your expectations and values. Good people are insanely more valuable than random "butts in seats", it's worth it to make sure you're not alienating them or driving them away with silly hard sell tactics.


Where have you all been?

http://archive.wired.com/science/discoveries/news/2006/05/70...

10 years old and not even close to the oldest evidence.


It goes back hundreds of years! National intelligence agencies have consistently managed to get full intercepts. Way back in the day, they counterfeited wax seals and steamed open letters. In the 1800s, they got telegraph printouts. In the early 1900s, wires. In the 60s-70s, tapes. Then hard drives. It's just part of what governments do ;)


I think that the big difference today is that they can analyze all data that they can grab. Back in the Good Old Days, you had to devote considerable manpower to this analysis; if you wanted to read letters, you had to be specific because you simply didn't have the resources to look at everyone's mail. This is why most people (including me) have no problem with the idea of monitoring POTS lines; it ties up a considerable amount of resources, so the police are much more likely only to tap the phones they think will get results.

Now, we've gotten to the point where the challenges facing mass surveillance are political rather than physical. I think that this is a lot more dangerous than 1800s police looking at telegraph printouts line by line.


Yes, that's an excellent point. And capabilities for data analysis are improving rapidly. Google still has far better tools, but the NSA has the intercepts. And it will get the tools. Eventually, it will become the Eschaton ;)


This was an interesting and early revelation, but it wasn't until the Snowden documents that we understood what this closet really meant. We had no idea the government was recording every phone conversation in the U.S., every email, etc... We still had some hope that the rule of law was being followed and that this closet was just a way to make targeted surveillance easier.


> but it wasn't until the Snowden documents that we understood what this closet really meant.

> We had no idea the government was recording every phone conversation in the U.S.

> We still had some hope that the rule of law was being followed

All lies. This was well covered on slashdot when it happened. We all knew exactly what it meant.

Snowden's release was ironclad and incontrovertible, which was refreshing, but it also detailed the extent to which private tech companies outside of AT&T were aiding the federal government in their illegal activities.

Even the most paranoid nutbag commenting on those old slashdot threads couldn't imagine how bad it was going to get. Reality outpaced the conspiracy theorists.


This is my recollection too. I think everyone held their breath hoping we'd pull away from the edge.


>some hope that the rule of law was being followed

Wasn't it already ruled illegal prior to Snowden and the phone companies had to be retroactively indemnified by congress?


Close, I think that the premise the Bush administration used to obtain this information, "dragnet surveillance", was ruled illegal, which exposed the phone companies to lawsuits. Congress then retroactively indemnified them.

EDIT: This is it https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_%...


Ok, so I'll be the one to say it. It seems to me that no one who's commented here served in the military. The threats that were given to this woman are horrific, yes, she didn't deserve any of them. That being said, she should have never taken that picture, regardless of what excuse she had for taking it. And that being said, she should have known better than to post on social media. And that being said, she should have known about privacy settings. This is equivalent to walking around shouting racist terms on the streets and hiding behind free speech after someone attacks you. She didn't ask for any of the threats she received, but she also had exceptionally poor judgement.


She has a different sense of humor. To compare that to racism is absolutely ridiculous. Racism has negative intention. The picture and her sense of humor don't. The only reason it was poor judgement is that she didn't account for the politically correct idiots of this world making a big deal out of it. The rest of your points about not posting to social media are quite valid.


I am a Marine, and HN is the first I have seen of this picture.

Most know better & keep their mouths shut since it serves no purpose to further fan the flames, even if it is something disrespectful - that is part of what it means to serve. All in the Armed Forces know that they help defend the right for people to say/do what they want, as long as it is lawful.


People died to preserve her democratic right to freedom of speech - and that freedom totally includes the right to make bad jokes.

