Update description.

This commit is contained in:
Quantum 2018-11-26 18:27:47 -05:00
parent 1801cf1fad
commit 75947b03a5


@ -113,9 +113,28 @@
</figcaption>
</figure>
</a>
<p>While using a single dictionary as a password is horribly insecure and can be guessed in seconds, guessing multiple
words gets exponentially harder. Using five words should be able to stop any attempts you can be expect, while eight
words can probably deter even the most determined attackers for the next ten years or so.</p>
<p>The core idea is that while using a single dictionary as a password is horribly insecure and can be cracked in
seconds, each additional word makes cracking exponentially harder.</p>
<p>There is a lot of criticism on the internet about this password scheme. However, most of them fail to get the
actual point. There are also claims that <code>correcthorsebatterystaple</code> is as secure as a 9 character
password, which sounds fairly bad. This is true if your 9 character password is truly random, such as
<code>n98idhi3n</code>, and not say, <code>Tr0ub4d0r</code>. The point is that,
<code>correcthorsebatterystaple</code> is more memorable than <code>n98idhi3n</code>, for approximately equal
security. To increase security, we can always add more words.</p>
<p class="lead"><span class="mark">5 words</span> from the large list, or <span class="mark">6 words</span>
from the small list is sufficient for all reasonable threats.</p>
<p>Let us consider the absolute worst case, assuming the attacker knows your password is generated by this site,
knowing that it has 65 bits of entropy, your password was insecurely hashed, and your enemy has GPUs to run
<span class="mark">500 billion attempts every second</span>. Even then, this scheme will resist the
cracking attempt for over a year.</p>
<p>Now, most attackers can't attack you that fast, and those who could have better things to do than spending a year
doing nothing but attacking you (unless you possess state secrets or something), so this is more than sufficient for
your password. In the highly unlikely case that your password need more security than this offers, or perhaps you
are just paranoid, adding an extra word would make the attack time thousandfold.</p>
</div>
</body>
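Review bot: the new first paragraph keeps the old wording "a single dictionary as a password", which should read "a single dictionary word as a password"; the rest of the argument (each added word multiplies the search space by the list size) only makes sense with that fix. Two smaller wording issues in the added text: "most of them fail to get the actual point" has no plural antecedent ("criticism" is singular, so "most of it fails" or "most critics fail"), and "your password need more security" should be "needs". On the worst-case arithmetic, 2^65 guesses at 500 billion per second is about 2.3 years for the full space and roughly half that on average, so "over a year" holds, but the paragraph would be clearer if it said "insecurely hashed" means a fast unsalted hash and that the figure is the expected time, not a guarantee. Finally, "thousandfold" undersells the last sentence: adding one word from a list that gives about 13 bits per word multiplies the attack time by roughly 8000, so consider stating the actual factor.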