What’s the source for the “Matsano recommendations”? The only Google results for “Matsano recommendations” are your blog post and mentions of it
And my bank wants me to change my 16-character password every 90 days… and this is in the last column.
BREAKING NEWS GPU hardware has gotten faster since 2015!
We might eventually need to push this up to 12 characters minimum. Also, for the love of {deity}, please never, ever create a numbers-only password.
All this fancy “make up a long pass phrase” talk is fine, until you have to start entering passwords on a mobile phone, and realize that mobile phones are probably the dominant form of computing for everyone, statistically speaking, moving forward… the Chia project has a neat way of dealing with this, autocomplete for a set of 24 words:
and here’s a random new one I generated
As you type, it autocompletes from the available words, so you only have to type a few characters from each word…
that’s really clever!
If you have to write down the code anyway, why is that any better than a similar number of bits-of-entropy worth of letters / numbers / symbols / a QR code / etc? I don’t really get what problem they’re trying to solve.
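As an added illustration of the two comments above (not code from the thread, from the Chia project, or from any real wordlist tool): prefix autocompletion over a word list, plus a comparison of the entropy of an N-word passphrase against a random alphanumeric password of a given length. The word list below is a constructed stand-in; the 2048-word list size used in the usage lines is an assumption about typical mnemonic lists, not a figure from the thread.

```python
import math

# Constructed word list (assumption): a tiny stand-in for a real mnemonic
# list, chosen so several words share prefixes and the demo is non-trivial.
WORDLIST = [
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual",
]


def complete(prefix, words=WORDLIST):
    """Return every word in `words` that starts with `prefix` (case-insensitive).

    This is the whole autocomplete step: as the user types, the candidate
    set shrinks until one word remains and can be accepted.
    """
    p = prefix.lower()
    return [w for w in words if w.startswith(p)]


def min_unique_prefix(word, words=WORDLIST):
    """Smallest number of leading characters that identify `word` uniquely.

    Falls back to the full word length when the word is itself a prefix of
    other list entries (e.g. "act" vs "action"), in which case the user has
    to type the whole word and confirm it.
    """
    for n in range(1, len(word) + 1):
        if complete(word[:n], words) == [word]:
            return n
    return len(word)


def keystrokes_for_phrase(phrase_words, words=WORDLIST):
    """Characters the user must type (ignoring separators) with autocomplete."""
    return sum(min_unique_prefix(w, words) for w in phrase_words)


def passphrase_bits(n_words, list_size):
    """Entropy of n_words chosen uniformly at random from a list of list_size."""
    return n_words * math.log2(list_size)


def password_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits, alphabet_size):
    """Shortest random password over `alphabet_size` symbols with at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    phrase = ["acid", "about", "actress", "act"]
    print("candidates for 'ab':", complete("ab"))
    print("keystrokes with autocomplete:", keystrokes_for_phrase(phrase),
          "vs", sum(len(w) for w in phrase), "without")
    # Assumption: a 2048-entry mnemonic list; 62 = upper + lower + digits.
    bits = passphrase_bits(24, 2048)
    print(f"24 words from 2048: {bits:.0f} bits, "
          f"about a {equivalent_length(bits, 62)}-char random alphanumeric password")
```

The point the example makes concrete: autocomplete does not change the entropy (that is fixed by the list size and word count), it only reduces what has to be typed, which is exactly the mobile-keyboard problem the comment raises; a random alphanumeric string of equivalent strength is far shorter but offers no such shortcut.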
@matasano says
We changed our twitter name to @NCCsecurityUS
Which means I kinda typo’ed the name in there, my apologies. I’ll fix.
That’s probably due to ISO27001 legacy shit.
My employer recently implemented a “must change password every 90 days” rule. I argued that NIST, Microsoft and UK’s National Cyber Security Centre (NCSC) recommend against periodic mandatory password changes, and they told me that ISO27001 still requires it.
Fascinating: password strength measured in dollars.
a 15-alphanum password will plausibly cost at least $330M to crack in 2030 (and an acceptable $59M in 2035)
The recently released RTX 4090 doubled hash rate.