Secure Password is not Secure

You’ve seen it, “Enter your new password, it has to be this long with these character types…” BLAH BLAH BLAH. You enter your regular password of Monkey123 (Yes, monkey is always among the most popular passwords found on the internet.)

https://wpengine.com/resources/passwords-unmasked-infographic/
(indecent passwords are blacked out)

I like sites that allow you to add multiple symbols. I also like sites that allow you to set VERY LONG passwords. I personally use passwords that have UPPER, lower, numbers 123, and symbols !@#$%^&*()_+-={}|[]\:”;'<>?,./ that are super long. I also use a password manager so I don’t have to remember my passwords. See LastPass. LastPass is not a sponsor. I have used them as a paid subscriber for 10+ years.

I was setting up a password for 8×8 which is a VoIP phone provider and I used my random password generator from LastPass and 8×8 told me my password was not secure.

Here is an example of a password that I use for my accounts. You can see 50 characters that have upper, lower, numbers, and symbols. A password like this 50 character length has 1606 bits of entropy.

4.53*10^94 is the total number of passwords
94 characters on the keyboard, 50 digits = 94^50
THAT IS slightly more than “FOUR AND ONE HALF HUNDRED UNTRIGINTILLION.”

BUT, 8×8 limits you to no more than 25 characters. That’s half of the total possible combinations at 2.1291E+49 (or 2.13*10^49 or 20 QUINDECILLION.

I don’t know about you but I am not comfortable with only 20 quindecillion possibilities for my password and a brute force attack. Now a days computers can guess about 1,000,000 guesses per second.

SINCE they limit the types of characters to just ~!@#$%^&*()_+-=;:,.?<> AND a-z, A-Z, 0-1 which equals 58 character types and max of 25 digits (58^25) = 1.21815E+44 (or 1.22 Hundred Tredecillion or 1.22 * 10^44 or 121,814,739,012,626,000,000,000,000,000,000,000,000,000)

IN CLOSING, a site that requires password should never limit the number of digits and should allow for all possible character types. If they are storing your password securely with a salted hash then the length and type does NOT matter to the database.

Have a nice (and secure) day!