this post was submitted on 07 Jun 2026

I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.

[–] JustEnoughDucks@slrpnk.net 2 points 6 days ago (1 children)

I am still doubtful of these password strength "reasoning" blog posts of which there are hundreds.

There seems to be no real information regarding dictionary attacks and how that affects password solve times, but it seems like passphrases would be more susceptible to it. I am definitely no expert.

I briefly talked to a friend of a friend at a dinner who is in digital cyber security and she said that AI has pretty much changed the game and can guess any word-based password strings like the famously quoted xkcd comic orders faster than traditional methods, and hackers are using that now but it hasn't had as much academic research yet. Maybe that is only for unsalted passwords though.

[–] hirihit640@sh.itjust.works 1 points 6 days ago* (last edited 6 days ago)

If you make word-based passwords, you still need to make sure to use random words. If you use a sentence or quote or song lyrics, then those usually have far less randomness than people think, and thus can be guessed easily by AI.

But if you use random words, a few words can be plenty secure. The diceware word list used by many password generators has 7777 words. 6 words means 7777^6^ possibilities, which is approximately 2^78^, aka 78 bits of entropy. That would take many years for any datacenter to crack. Though personally for really strong passwords, I go for 90+ bits of entropy.
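The entropy arithmetic in the comment above, as an added example that is not part of this thread: it computes the bits for a given list size and word count, the word count needed to reach a target, and draws words with the OS CSPRNG so each word actually contributes its full share. The word list is a constructed stand-in for a real diceware list.

```python
import math
import secrets

# Constructed sample list; a real diceware list has thousands of entries.
SAMPLE_WORDS = ["able", "crane", "delta", "ember", "fjord", "glyph", "hazel", "ionic"]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from list_size words.

    list_size ** word_count possibilities == 2 ** (word_count * log2(list_size)).
    """
    if list_size < 2 or word_count < 1:
        raise ValueError("need at least 2 candidate words and 1 chosen word")
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    if list_size < 2:
        raise ValueError("need at least 2 candidate words")
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count: int, sep: str = " ") -> str:
    """Pick each word independently with secrets.choice (CSPRNG).

    A quote or lyric picks words that depend on each other, so the per-word
    entropy no longer adds up; independent draws are what the estimate assumes.
    """
    if word_count < 1:
        raise ValueError("need at least 1 word")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(f"7777 words, 6 drawn: about 2^{entropy_bits(7777, 6):.1f}")
    print("words needed for 90 bits:", words_needed(7777, 90))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```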