Your Password is Too Damn Short

What’s the source for the “Matsano recommendations”? The only Google results for “Matsano recommendations” are your blog post and mentions of it :slight_smile:

Nice chart illustrating length benefits

And my bank wants me to change my 16-character password every 90 days… and this is in the last column. :roll_eyes:


:newspaper: BREAKING NEWS :newspaper: GPU hardware has gotten faster since 2015!

We might eventually need to push this up to 12 characters minimum. Also, for the love of {deity}, please never, ever create a numbers-only password. :scream:

All this fancy “make up a long pass phrase” talk is fine, until you have to start entering passwords on a mobile phone, and realize that mobile phones are probably the dominant form of computing for everyone, statistically speaking, moving forward… the Chia project has a neat way of dealing with this, autocomplete for a set of 24 words:

and here’s a random new one I generated

As you type, it autocompletes from the available words, so you only have to type a few characters from each word…

that’s really clever!
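The autocomplete scheme described above, as an added example that is not the Chia project's code: it assumes a BIP-39 style word list (the thread does not say which list Chia uses; that is an assumption here), where the first four letters identify every word, so the user types a short fragment per word and the client expands it, refusing to guess when a fragment is ambiguous.

```python
# Added example: prefix autocomplete for a word-based passphrase.
# Assumption: a BIP-39 style list in which short prefixes are unique.
import math

# Constructed mini word list; a real list has 2048 words.
WORDS = ["abandon", "ability", "able", "about", "above", "absent",
         "absorb", "abstract", "absurd", "abuse", "access", "accident"]


def min_unique_prefix(words):
    """Smallest k such that the first k characters identify every word."""
    longest = max(len(w) for w in words)
    for k in range(1, longest + 1):
        if len({w[:k] for w in words}) == len(words):
            return k
    raise ValueError("word list contains duplicates")


def complete(typed, words):
    """All list words that start with what the user has typed so far."""
    return [w for w in words if w.startswith(typed)]


def expand_mnemonic(typed_fragments, words):
    """Expand typed fragments into full words.

    An exact word is accepted as-is; a fragment with exactly one match is
    expanded; anything ambiguous or unknown raises instead of silently
    picking a word the user did not mean.
    """
    out = []
    for frag in typed_fragments:
        matches = complete(frag, words)
        if frag in words:
            out.append(frag)
        elif len(matches) == 1:
            out.append(matches[0])
        elif not matches:
            raise ValueError(f"no word starts with {frag!r}")
        else:
            raise ValueError(f"{frag!r} is ambiguous: {matches}")
    return out


def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words drawn independently from list_size words."""
    return n_words * math.log2(list_size)
```

With a 2048-word list, 24 words give 264 bits, and the unique-prefix length bounds how many characters the user must actually type per word.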


If you have to write down the code anyway, why is that any better than a similar number of bits-of-entropy worth of letters / numbers / symbols / a QR code / etc? I don’t really get what problem they’re trying to solve.


@matasano says

We changed our twitter name to @NCCsecurityUS

Which means I kinda typo’ed the name in there, my apologies. I’ll fix.

That’s probably due to ISO27001 legacy shit.

My employer recently implemented a “must change password every 90 days” rule. I argued that NIST, Microsoft and UK’s National Cyber Security Centre (NCSC) recommend against periodic mandatory password changes, and they told me that ISO27001 still requires it :man_shrugging:


Fascinating: password strength measured in dollars. :dollar:

a 15-alphanum password will plausibly cost at least $330M to crack in 2030 (and an acceptable $59M in 2035)

The recently released RTX 4090 doubled hash rate.

