On Wed 30 Aug 2017 at 15:47:35 +0200, Thomas Schmitt wrote:

> Gene Heskett wrote:
> > Well, that easy to remember method just went down in flames. Sigh...
>
> That's the first diffuse but significant wisdom we found in this thread:
>
> If you can memorize it without the help of publicly knowable details of
> your life, then it's too easy to enumerate with nowadays' hardware.
But the crackers would likely not be in possession of a leaked password (Uld4dFpYSkdkV1J3ZFdOclpYSUsK) but of a hash of it. The article Curt referenced relates how attacking the hashes with brute force for any password with over six random characters was only looked at selectively. And that was with MD5 hashes. With the much slower bcrypt the effort to crack anything more might have been too much.

The example generated password is 28 characters. How random they are I do not know, but the article indicates it was not put to the test. Maybe Gene Heskett's password does not have all the criteria for being complex and completely random, but for now it looks like it would escape unscathed from brute force probing. The password does not contain any memorable words, so word lists do not look an inviting prospect.

Without the password one cannot begin to examine how it was created. Suppose

  echo "ElmerFudpucker" | base64 | base64

became

  echo "ElmerFudpucker" | <some_bcrypt_processing> | base64 | base64

which is as memorisable as previously. I am not saying the problem becomes insurmountable for attackers, but slowing them down considerably cannot be bad.

(That's assuming they are in possession of the hashes and are after *your* Twitter account. You really don't believe that, do you?)

-- 
Brian.
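As an added example (not part of the thread, and not code from any of its participants), the following Python reproduces the `echo "ElmerFudpucker" | base64 | base64` construction discussed above, shows that it is a keyless, reversible encoding (so the password's strength is exactly that of the seed word, however long the 28-character result looks), and contrasts that with how a site should store a password: salted and through a deliberately slow hash. bcrypt is not in Python's standard library, so `hashlib.scrypt` is used here as a stand-in for the bcrypt the thread mentions; the word-list size of 100000 and the function and variable names are assumptions made for the example.

```python
"""Reproduce `echo "<word>" | base64 | base64`, peel it back, and compare
with a salted slow hash. Added example; scrypt stands in for bcrypt."""
import base64
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# The password quoted in the thread; the pipeline below must reproduce it.
QUOTED_PASSWORD = "Uld4dFpYSkdkV1J3ZFdOclpYSUsK"


def echo_base64_twice(word: str) -> str:
    """Mimic `echo "<word>" | base64 | base64` as GNU coreutils behaves.

    echo appends a newline, and each base64 stage appends one too, so the
    second stage encodes the first stage's output *including* its newline.
    The final newline is dropped, as it would be when the result is pasted.
    """
    stage1 = base64.b64encode((word + "\n").encode()).decode() + "\n"
    stage2 = base64.b64encode(stage1.encode()).decode()
    return stage2


def peel(password: str) -> str:
    """Undo both base64 layers. No key is involved: the construction adds
    length, not secrecy, so the seed word is recoverable by anyone who
    knows (or guesses) the recipe."""
    inner = base64.b64decode(password)   # b"RWxt...ZXIK\n" (b64decode skips the newline)
    seed = base64.b64decode(inner)       # b"ElmerFudpucker\n"
    return seed.decode().rstrip("\n")


def apparent_bits(password: str) -> int:
    """What a base64 string of this length looks like: 6 bits per character."""
    return 6 * len(password)


def effective_bits(wordlist_size: int) -> float:
    """What it actually is when the seed is one entry of a word list and the
    recipe is known: log2 of the number of candidate seeds."""
    return math.log2(wordlist_size)


def hash_for_storage(password: str, salt: Optional[bytes] = None,
                     n: int = 2 ** 14) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash as a site should store it (scrypt is the
    stand-in for bcrypt). Returns (salt, digest); the per-user salt means
    each leaked hash has to be attacked separately, and the cost factor n
    makes every single guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, n: int = 2 ** 14) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_for_storage(password, salt, n)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = echo_base64_twice("ElmerFudpucker")
    print(pw, "matches quoted password:", pw == QUOTED_PASSWORD)
    print("seed recovered from the password alone:", peel(pw))
    print("looks like", apparent_bits(pw), "bits; with a known recipe and a",
          "100000-word list it is", round(effective_bits(100_000), 1), "bits")
    salt, digest = hash_for_storage(pw)
    print("stored hash verifies:", verify(pw, salt, digest),
          "| wrong password:", verify("ElmerFudpuckers", salt, digest))
```

The point for the defender is the one Brian raises: a slow, salted hash on the server side raises the cost of every guess against a leaked hash, but it does nothing about a construction whose only secret is a single word, since the base64 layers can be removed without any key. Randomness has to come from the seed, not from the encoding.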