Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

im sorry, what point are you making?

if its that "dog" is a weak password, i thought that was evident. but many people seem confused that "horseloverwhatever" is more secure, similarly that "dog23!Wog" is more secure. my point is they are equally trash so leave the user alone



> if its that "dog" is a weak password, i thought that was evident

You're confusing me. First you say that "dog" is just as strong as any other password, now you say that it should have been evident that it's a weak password. Which is it?

> my point is they are equally trash

This again sounds contradictory, but this time within one comment. First you say that horseloverwhatever is stronger than dog, but then that they are equally "trash".


i meant others commonly assume horseloverwhatever is more secure.

to be more clear,

1. dog is weak 2. horseloverwhatever is weak 3. 8randoms! is weak 4. therefore, dog is as good as horseloverwhatever or 8randoms! 5. most account compromises do not even require a brute force (shoddy practices on the backend) making the complexity requirements pointlessly burdensome on the user 6. in cases where you want a password to resist a legitimate brute force, we need to talk about passphrases (ie > 50 chars) or passwordless

what u think?


short passwords are still a security weakness even when properly stored because the time necessary to brute force them is relatively low.


i agree. but most sites that enforce a policy (8 chars, symbols, etc) are bruted just as easily. we need to take a step, away from passwords, to secure against brute force in 2022


well the gp's point is that it literally is not 'just as easy' because the space of possible passwords increases greatly with each character, such that 'dog' is much, much easier to bruteforce than 'doggie12'.


To be fair, I'd probably crack doggie12 sooner than dog because who has ever seen a website with a password length requirement below 6. But technically, yep you're 100% right.


also: rainbow tables


The length of the password only somewhat matters for rainbow tables -- they're not limited to dog-sized passwords -- but also, I rarely come across implementations these days that do not use a salt of some kind, which defeats existing rainbow tables. Generating one-off tables is about as expensive as just cracking the hashes directly.

(Then again, the implementations I see are mostly from well-known projects or customers that care enough about security to hire us. It's biased, but I do think word has gotten round about hashing and salting.)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: