[Owasp-leaders] Stepping through password hashing options

Rogan Dawes rogan at dawes.za.net
Mon Jun 11 14:19:29 UTC 2012


On 11/06/2012 16:01, William Stranathan wrote:
> Jim:

> But again - you're spot-on in the summary - passwords are dead (at
> least I hope). As much as possible, I personally use passphrases and
> MFA.

Unfortunately, a passphrase is simply a password where the allowed 
character set includes [:space:].

Reference the LinkedIn password cracking, which has unearthed a 29-character 
password, comprising a verse from the Bible:

https://newsessentials.wordpress.com/2012/06/09/linkedin-millions-of-passwords-stolen-and-posted-on-the-internet-by-russian-hackers/

So, even a long passphrase devolves into something crackable, so long as 
you restrict yourself to actual words, with minor punctuation.

Rogan
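An added illustration of the point made above, not code from Rogan or from the thread: estimating the strength of a passphrase under three attacker models (per-character brute force, per-word dictionary guessing, and a single lookup in a known-text corpus). The wordlist and corpus sizes are labelled assumptions, and the sample phrases are constructed, not the one from the LinkedIn dump.

```python
import math

# All sizes below are constructed assumptions for illustration, not figures
# from the thread.
PRINTABLE_CHARS = 95      # printable ASCII, the naive per-character model
DICT_WORDS = 50_000       # common-English wordlist an attacker would use
CORPUS_PHRASES = 31_000   # order of magnitude of verses in a Bible (assumption)


def char_model_bits(phrase: str) -> float:
    """Naive estimate: each character drawn uniformly from printable ASCII."""
    return len(phrase) * math.log2(PRINTABLE_CHARS)


def word_model_bits(phrase: str, dict_size: int = DICT_WORDS) -> float:
    """Attacker guesses whole dictionary words; spaces and minor punctuation
    are predictable separators and contribute nothing."""
    words = [w.strip(".,;:!?'\"()") for w in phrase.split()]
    return sum(math.log2(dict_size) for w in words if w)


def corpus_model_bits(corpus_size: int = CORPUS_PHRASES) -> float:
    """Attacker tries every line of a known text (a verse, a lyric); the whole
    passphrase is then one guess out of corpus_size."""
    return math.log2(corpus_size)


def conservative_bits(phrase: str, quoted_from_corpus: bool) -> float:
    """Defender's estimate: the weakest attacker model that applies."""
    models = [char_model_bits(phrase), word_model_bits(phrase)]
    if quoted_from_corpus:
        models.append(corpus_model_bits())
    return min(models)


if __name__ == "__main__":
    # Constructed samples: a well-known quotation and a random four-word phrase.
    samples = [("the quick brown fox jumps over the lazy dog", True),
               ("correct horse battery staple", False)]
    for phrase, quoted in samples:
        print(f"{phrase!r}: chars={char_model_bits(phrase):.0f} bits, "
              f"words={word_model_bits(phrase):.0f} bits, "
              f"conservative={conservative_bits(phrase, quoted):.0f} bits")
```

The long quotation scores highest under the character model yet lowest under the conservative estimate, which is exactly why length alone says little once the words are real ones.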

