Is using haveibeenpwned to validate password strength rational?
I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not.
I am confused by this. My understanding is that the haveibeenpwned list comes from accounts which have been compromised, whether because they were stored in plain text, using a weak cipher, or some other reason. This seems to have little to do with password strength to me. There could be very strong passwords that were stored in plain text, and thus compromised, and would really be pretty fine to use as long as they weren't used in combination with the original email/username. The fact that their hashes are known (duh, any particular password's hash is known!) doesn't matter if the place you are storing them is salted. Although it really doesn't hurt to rule out these passwords, as perhaps a hacker would start with this list when brute forcing, and it is easy to choose another one.
But the inverse is where I am concerned - there will always be very easy to crack passwords that aren't on the list. "longishpassword" at this time has not had an account using this password that was hit by a leak. This does not mean however that were a leak of hashes to happen, this password would be safe. It would be very easy to break.
What is the rationale behind checking a password (without an email/username) against the haveibeenpwned list to see if it is worthy to be used? Is this a good use of the list or is it misguided?
Tags: passwords, have-i-been-pwned
4
Can you cite a source saying HIBP "is a good way to check if a password is strong enough to use or not"?
– schroeder♦
12 hours ago
3
In brief, HIBP has a huge list of real passwords, including both strong and weak ones. It is possible that the strong ones are filtered and not used in bruteforce attacks, but it's also possible that it's not worth filtering the list (after all, passwords that look strong might actually be weak and used by more than one user). So attackers might just use the whole list for bruteforcing, and therefore every password on that list is going to be at risk.
– reed
11 hours ago
I'd say that if your password was able to be cracked using any hash, it's not a good password. I'd also say that if your password was revealed in plaintext, it's now in the cracking dictionary, and thus a bad password. But I certainly wouldn't say that NOT being in haveIBeenPwned.com means it's a good password. The website primarily exists to show how common account cracking is, and how BAD your password is. It's nearly impossible to show how good a password is, unless it can be demonstrated to have a sufficient amount of entropy by the method used to generate it.
– Steve Sether
1 hour ago
asked 13 hours ago by Nacht; edited 1 hour ago by Charles Duffy
4 Answers
"Strong" has always had the intention of meaning "not guessable". Length and complexity help to make a password more "not guessable", but a long, complex, but commonly used password is just as weak as Pa$$w0rd.
If a password is in the HIBP list, then attackers know that the password has a higher likelihood of being chosen by people, hence, might be used again. So those lists will be hit first.
So, if your password is on the list, then it is "guessable".
If your password is not on the list, then from a dictionary attack approach, it is less guessable and not what others have chosen, and by implication (for as much as that's worth), is "less guessable". Many other factors, of course, can make your password "more guessable", even if it is not on the HIBP list.
As always, a randomly generated password is the most "unguessable" and a maximum length and randomly generated password is extremely difficult to bruteforce. And if you are randomly generating it, then why not go max length?
6
I think the confusion is compounded by "password strength" often being described by "entropy", and misapplication of Kerckhoffs's principle: the strength of a password is a property not of how you select it, but of how an attacker will attack it. Just as the attacker is trying to guess how the password was selected, the user can try to guess how the attacker will brute force it.
– IMSoP
3 hours ago
I have to admit I'm a bit lost in what strong means nowadays. I like to think that strong means a complex and long password. But that doesn't make a good password since it can possibly still be guessed easily.
As you already note: "a hacker would start with this list when brute forcing". So if your password occurs in this list, your password will be quickly guessed and this means it is not a good password.
There's an explanation on the website when you enter a string that's not in the list:
This password wasn't found in any of the Pwned Passwords loaded into
Have I Been Pwned. That doesn't necessarily mean it's a good password,
merely that it's not indexed on this site.
Using the HIBP list is a way of checking how easily your password can be guessed, but it is not an indication of its strength. You need to use a password strength checker for this, which often will not check the leaked password lists. The HIBP password list and a password strength checker complement each other.
Password strength checkers have very limited utility as they assume certain criteria for brute-forcing and may not check any dictionary at all. They are useful for illustrative purposes, but not for choosing a strong password.
– schroeder♦
11 hours ago
1
@schroeder I don't see how your comment adds to what I already said. Can you explain?
– LVDV
9 hours ago
"You need to use a password strength checker for [an indication of its strength]" - password strength checkers should not be used for this and are not good at determining strength. They are illustrative at best, good for learning the basics of the effects of making certain changes to passwords. I just Googled "password strength checker" and the top hit returned "very strong, 82%" for the input of Pa$$w0rd.
– schroeder♦
9 hours ago
Checking strength is not the thing to do. The thing to do is to generate passwords that have strength.
– schroeder♦
9 hours ago
In the beginning of my answer I explained what I understand under strong, which is length and complexity. A password strength checker can help you define this. Pa$$w0rd is a strong password by my definition (although a bit short), but it is predictable which makes it a bad and ineffective pw. I can have a strong password according to your definition of length, complexity and predictability, but it still wouldn't be a good password if I've been using it for 10 years and for 50 different sites. That's why I prefer the simple term "good" when talking about the final effectiveness of a password.
– LVDV
8 hours ago
I would argue that simply ruling out billions of perhaps strong passwords that are on this list from previous breaches is not necessarily useful, as in the context of your environment it might just make it very hard to select one when billions are excluded already, especially if people have to remember it for one reason or the other (they can't use a password manager, for example).
I think this should also be put in the context of whether you also employ MFA, in which case knowing the password only gets you so far. Also, brute-force attacks can be effectively countered by employing account lockout rules for wrong password entries.
To answer this question properly, you need to think like the hacker who wants to work out your password.
But to avoid having to dive straight into a mathsy way of thinking, let's start instead by thinking about a competitor on the Lego Movie game show "Where are my pants?"
Obviously, when the competitor wants to find their clothes, the first thing they'll do is go to their wardrobe. If that doesn't prove fruitful, they might check their drawers, followed by the chair in the corner of the room, followed by the laundry basket, and perhaps the dog's basket if the dog is of the naughty pants-stealing sort. That'll all happen before they start looking in the fridge.
What's going on here is of course that the competitor will look in the most likely places first. They could have systematically worked through every square foot of the house in a grid, in which case they would on average have to check half the house. On the other hand with this strategy they have a good chance of getting it on the first go, and certainly wouldn't expect to cover half the house.
A hacker ideally wants to do the same thing. Suppose they know that the password they are after is 8 lowercase letters long. They could try working through them one at a time, but there are 208,827,064,576 possible options, so a given completely random guess has about a 1 in 208 billion chance of being right. On the other hand, it's well known that "password" is the most common password. (except when it's banned) In fact looking at the data from haveibeenpwned, the chance of the right answer being "password" is about 1 in 151. Not 151 billion, just 151. So that's over a billion times more likely than some random guess, and they'd be stupid not to start with it. (And obviously, since you want your password not to be found, you want to avoid picking what they'd start with)
Now, the question is whether that generalises beyond "password." Is it worth their while working through a list of leaked passwords? For a bit of information, consider this quote from the original release write up.
I moved on to the Anti Public list which contained 562,077,488 rows with 457,962,538 unique email addresses. This gave me a further 96,684,629 unique passwords not already in the Exploit.in data. Looking at it the other way, 83% of the passwords in that set had already been seen before.
What that tells us is that, roughly speaking, a randomly selected password has a better than 80% chance of featuring in the list. The list has a few hundred million entries, compared with a few hundred billion options for random 8 letter passwords. So, roughly speaking our hacker trying 8 letter passwords would have a 0.1% chance without the list in the time they could get an 80% chance with the list. Obviously they'd want to use it. And again, you might as well avoid it. After all, you still have hundreds of billions of options to choose from, and you can get thousands of billions by just going to nine letters!
That's the justification for checking the list.
Now your first worry is that "there will always be very easy to crack passwords that aren't on the list." That may be true. For example, "kvym" is not on the list. It's only 4 letters. There are only half a million passwords that are 4 lowercase letters or shorter, so if people are likely to prefer short passwords then a hacker would blaze through them in a fraction of the time it would take to finish the leaks list. It's likely that they'd try both.
The answer to that is obvious. Use both rules. Don't use a password that has appeared in a breach, and don't use a password that is very short. If you have a random password of any significant length, you have more than enough options that a hacker has no shortcut way to find.
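The two rules this answer ends with, as an added example that is not code from the original post or from Have I Been Pwned. The lookup follows the real Pwned Passwords range format (upper-case hex SHA-1, the first five hex digits sent as the prefix, "SUFFIX:COUNT" response lines), but the breach corpus, its counts and the range server are constructed stand-ins so the script runs offline; min_length, guess_odds and generate_password are this example's own assumptions.

```python
import hashlib
import secrets
import string

# Constructed breach corpus standing in for the Pwned Passwords data set.
# The counts are made up for this example and are not real HIBP numbers.
FAKE_BREACH_CORPUS = {
    "password": 3_861_493,
    "Pa$$w0rd": 4_212,
    "letmein": 1_100_000,
    "qwerty123": 250_000,
}


def sha1_hex(password: str) -> str:
    """Pwned Passwords is keyed by the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Produces the same text shape as the real API: one "SUFFIX:COUNT" line for
    every corpus hash whose first five hex digits equal the prefix. A count-0
    line is appended to mimic the API's optional padded responses, which add
    dummy suffixes that must be treated as "not breached".
    """
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, never a real match
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=fake_range_server) -> int:
    """k-anonymity lookup: only the 5-character prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue  # skip malformed lines instead of crashing the check
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.strip().upper() == suffix:
            try:
                return int(count)  # 0 means a padding entry, i.e. not seen
            except ValueError:
                return 0
    return 0


def evaluate_password(password: str, min_length: int = 12,
                      fetch_range=fake_range_server) -> dict:
    """Apply both rules: reject breached passwords AND very short ones.

    The reasons are returned so a sign-up form can explain the rejection.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen > 0:
        reasons.append(f"seen {seen} times in breach data")
    return {"accepted": not reasons, "reasons": reasons, "breach_count": seen}


def guess_odds(list_size: int, list_coverage: float,
               alphabet_size: int = 26, length: int = 8) -> dict:
    """Reproduce the answer's comparison of random guessing against the list.

    One random guess over alphabet_size**length candidates succeeds with
    probability 1/space; trying list_size random guesses gives list_size/space,
    whereas working through the breach list succeeds with list_coverage.
    """
    space = alphabet_size ** length
    return {
        "search_space": space,
        "random_guess_chance": 1 / space,
        "random_after_list_size_guesses": list_size / space,
        "list_chance": list_coverage,
    }


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """A CSPRNG-generated password is the one kind whose guess space is known."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["password", "kvym", "longishpassword", generate_password()]:
        print(pw, evaluate_password(pw))
    print(guess_odds(list_size=200_000_000, list_coverage=0.8))
```

Swapping fetch_range for a function that performs the real HTTPS request gives a production check with the same privacy property: the server only ever sees the five-character prefix.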
First answer above: answered 11 hours ago by schroeder♦, edited 11 hours ago
6
I think the confusion is compounded by "password strength" often being described by "entropy", and misapplication of Kerckhoffs's principle: the strength of a password is a property not of how you select it, but of how an attacker will attack it. Just as the attacker is trying to guess how the password was selected, the user can try to guess how the attacker will brute force it.
– IMSoP
3 hours ago
add a comment |
6
I think the confusion is compounded by "password strength" often being described by "entropy", and misapplication of Kerckhoffs's principle: the strength of a password is a property not of how you select it, but of how an attacker will attack it. Just as the attacker is trying to guess how the password was selected, the user can try to guess how the attacker will brute force it.
– IMSoP
3 hours ago
6
6
I think the confusion is compounded by "password strength" often being described by "entropy", and misapplication of Kerckhoffs's principle: the strength of a password is a property not of how you select it, but of how an attacker will attack it. Just as the attacker is trying to guess how the password was selected, the user can try to guess how the attacker will brute force it.
– IMSoP
3 hours ago
I think the confusion is compounded by "password strength" often being described by "entropy", and misapplication of Kerckhoffs's principle: the strength of a password is a property not of how you select it, but of how an attacker will attack it. Just as the attacker is trying to guess how the password was selected, the user can try to guess how the attacker will brute force it.
– IMSoP
3 hours ago
add a comment |
I have to admit I'm a bit lost in what strong means nowadays. I like to think that strong means a complex and long password. But that doesn't make a good password since it can possibly still be guessed easily.
As you already note: "a hacker would start with this list when brute forcing". So if your password occurs in this list, your password will be quickly guessed and this means it is not a good password.
There's an explanation on the website when you enter a string that's not in the list:
This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned. That doesn't necessarily mean it's a good password, merely that it's not indexed on this site.
Using the HIBP list is a way of checking how easily your password will be guessed, but it is not an indication of its strength. You need to use a password strength checker for this, which often will not check the leaked password lists. The HIBP password list and a password strength checker complement each other.
New contributor
LVDV is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Password strength checkers have very limited utility as they assume certain criteria for brute-forcing and may not check any dictionary at all. They are useful for illustrative purposes, but not for choosing a strong password.
– schroeder♦
11 hours ago
1
@schroeder I don't see how your comment adds to what I already said. Can you explain?
– LVDV
9 hours ago
"You need to use a password strength checker for [an indication of its strength]" - password strength checkers should not be used for this and are not good at determining strength. They are illustrative at best, good for learning the basics of the effects of making certain changes to passwords. I just Googled "password strength checker" and the top hit returned "very strong, 82%" for the input of Pa$$w0rd.
– schroeder♦
9 hours ago
Checking strength is not the thing to do. The thing to do is to generate passwords that have strength.
– schroeder♦
9 hours ago
In the beginning of my answer I explained what I understand by strong, which is length and complexity. A password strength checker can help you define this. Pa$$w0rd is a strong password by my definition (although a bit short), but it is predictable, which makes it a bad and ineffective pw. I can have a strong password according to your definition of length, complexity and predictability, but it still wouldn't be a good password if I've been using it for 10 years and for 50 different sites. That's why I prefer the simple term "good" when talking about the final effectiveness of a password.
– LVDV
8 hours ago
add a comment |
answered 12 hours ago
LVDVLVDV
1173
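As an added illustration (my code, not part of LVDV's answer and not code from HIBP), here is how a registration form would consult the Pwned Passwords list without ever sending the password anywhere: hash it with SHA-1, send only the first five hex characters of the digest to the range endpoint, and look for the remaining 35 characters in the bucket that comes back. The `fake_fetch_range` server, its neighbouring suffixes and its counts are constructed stand-ins so the example runs offline; the 12-character minimum and the function names are my choices.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Pwned Passwords range lookups work on the SHA-1 of the password: the client
# sends only the first 5 hex characters of the digest to
# https://api.pwnedpasswords.com/range/<prefix> and gets back every suffix in
# that bucket as "<35 hex chars>:<count>" lines. The password itself never
# leaves the client. The "server" at the bottom is a constructed stand-in so
# this runs offline; its suffixes and counts are made up.


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not listed)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def acceptable(password: str, fetch_range: Callable[[str], str],
               min_length: int = 12) -> Tuple[bool, str]:
    """Both rules from the thread: reject anything seen in a breach, and reject anything short."""
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breaches"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


# ---- constructed offline stand-in for the range endpoint ------------------
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
_FAKE_RANGES: Dict[str, str] = {
    _PW_PREFIX: "\n".join([
        "A" * 35 + ":1",            # made-up neighbour in the same bucket
        f"{_PW_SUFFIX}:1234567",    # "password" is listed; this count is made up
        "B" * 35 + ":2",            # made-up neighbour
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for an HTTPS GET of /range/<prefix>; empty bucket for unknown prefixes."""
    return _FAKE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "kvym", "correct horse battery staple"):
        print(pw, "->", acceptable(pw, fake_fetch_range))
```

Against the live service the `fetch_range` argument would be a function doing an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`; sending the `Add-Padding: true` request header makes the server pad every bucket with dummy entries whose count is 0, which this parser already treats as "not listed". `acceptable` reports "seen in breaches" before "too short" on purpose, so a short but common password is rejected for the reason that matters more.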
I would argue that simply ruling out billions of perhaps strong passwords that are on this list from previous breaches is not necessarily useful, as in the context of your environment it might just make it very hard to select one when billions are excluded already, especially if people have to remember it for one reason or the other (can't use a password manager, for example).
I think this should also be put in the context of whether you also employ MFA, in which case knowing the password only gets you so far. Also, brute-force attacks can be effectively countered by employing account lockout rules for wrong password entries.
answered 10 hours ago
bfloriangbfloriang
1555
add a comment |
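As an added example (mine, not bfloriang's), here is the kind of account-lockout rule the answer mentions, placed in front of a salted PBKDF2 check. A sliding window counts failures, the lockout expires after a fixed time, and unknown accounts cost the same hashing work as real ones so response time does not reveal which usernames exist. The credential store, thresholds, PBKDF2 round count, account names and the `lockout_scenario` walkthrough are all constructed. Two caveats a practitioner would add: a lockout only slows online guessing and does nothing against an attacker who has stolen the password hashes and cracks them offline (which is where the breach lists come from in the first place), and an unbounded lockout lets anyone lock a victim out by typing wrong passwords, so keep it finite.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # assumption: tune per deployment; more rounds cost attackers and you alike


def make_credential(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record: what the server stores instead of the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginThrottle:
    """Lock an account after `max_failures` wrong passwords inside `window_seconds`,
    for `lockout_seconds`. The clock is injectable so the behaviour can be tested."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Note a wrong password; return True if this one triggered a lockout."""
        now = self.clock()
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures[account].clear()
        self._locked_until.pop(account, None)


_DUMMY = make_credential("dummy")   # hashed for unknown accounts so they take as long as real ones


def attempt_login(throttle: LoginThrottle, store: Dict[str, Tuple[bytes, bytes]],
                  account: str, password: str) -> str:
    """Returns 'ok', 'bad password' or 'locked'."""
    if throttle.is_locked(account):
        return "locked"
    salt, expected = store.get(account, _DUMMY)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    if account in store and hmac.compare_digest(supplied, expected):
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "bad password"


class FakeClock:
    """Manual clock for deterministic runs (use time.monotonic in production)."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def lockout_scenario() -> List[str]:
    """Constructed walkthrough: three wrong guesses lock 'alice', the right password is
    refused while locked, accepted once the lockout expires; unknown accounts just fail."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600, clock=clock)
    store = {"alice": make_credential("correct horse battery staple")}
    results = [attempt_login(throttle, store, "alice", g) for g in ("wrong1", "wrong2", "wrong3")]
    results.append(attempt_login(throttle, store, "alice", "correct horse battery staple"))
    clock.now = 601.0
    results.append(attempt_login(throttle, store, "alice", "correct horse battery staple"))
    results.append(attempt_login(throttle, store, "mallory", "anything"))
    return results


if __name__ == "__main__":
    print(lockout_scenario())
```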
To answer this question properly, you need to think like the hacker who wants to work out your password.
But to avoid having to dive straight into a mathsy way of thinking, let's start instead by thinking about a competitor on the Lego Movie game show "Where are my pants?"
Obviously, when the competitor wants to find their clothes, the first thing they'll do is go to their wardrobe. If that doesn't prove fruitful, they might check their drawers, followed by the chair in the corner of the room, followed by the laundry basket, and perhaps the dog's basket if the dog is of the naughty pants-stealing sort. That'll all happen before they start looking in the fridge.
What's going on here is of course that the competitor will look in the most likely places first. They could have systematically worked through every square foot of the house in a grid, in which case they would on average have to check half the house. On the other hand with this strategy they have a good chance of getting it on the first go, and certainly wouldn't expect to cover half the house.
A hacker ideally wants to do the same thing. Suppose they know that the password they are after is 8 lowercase letters long. They could try working through them one at a time, but there are 208,827,064,576 possible options, so a given completely random guess has about a 1 in 208 billion chance of being right. On the other hand, it's well known that "password" is the most common password (except when it's banned). In fact, looking at the data from haveibeenpwned, the chance of the right answer being "password" is about 1 in 151. Not 151 billion, just 151. So that's over a billion times more likely than some random guess, and they'd be stupid not to start with it. (And obviously, since you want your password not to be found, you want to avoid picking what they'd start with.)
Now, the question is whether that generalises beyond "password." Is it worth their while working through a list of leaked passwords? For a bit of information, consider this quote from the original release write up.
I moved on to the Anti Public list which contained 562,077,488 rows with 457,962,538 unique email addresses. This gave me a further 96,684,629 unique passwords not already in the Exploit.in data. Looking at it the other way, 83% of the passwords in that set had already been seen before.
What that tells us is that, roughly speaking, a randomly selected password has a better than 80% chance of featuring in the list. The list has a few hundred million entries, compared with a few hundred billion options for random 8 letter passwords. So, roughly speaking our hacker trying 8 letter passwords would have a 0.1% chance without the list in the time they could get an 80% chance with the list. Obviously they'd want to use it. And again, you might as well avoid it. After all, you still have hundreds of billions of options to choose from, and you can get thousands of billions by just going to nine letters!
That's the justification for checking the list.
Now your first worry is that "there will always be very easy to crack passwords that aren't on the list." That may be true. For example, "kvym" is not on the list. It's only 4 letters. There are only half a million passwords that are 4 lowercase letters or shorter, so if people are likely to prefer short passwords then a hacker would blaze through them in a fraction of the time it would take to finish the leaks list. It's likely that they'd try both.
The answer to that is obvious. Use both rules. Don't use a password that has appeared in a breach, and don't use a password that is very short. If you have a random password of any significant length, you have more than enough options that a hacker has no shortcut way to find.
answered 1 hour ago
JosiahJosiah
61125
add a comment |
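To make the arithmetic in this answer concrete, and the closing point of schroeder's answer about generating at random, here is an added example; it is my code, not Josiah's or schroeder's. It computes the search spaces quoted above and shows why a guesser who orders candidates by how common they are (the wardrobe before the fridge) finishes sooner than one working through a grid. `SAMPLE_COUNTS` is a constructed frequency table whose counts are invented; only their skew matters. `random_password` uses the standard library's `secrets` module, a CSPRNG, because no guessing order helps against a uniformly random choice.

```python
import secrets
import string
from typing import Dict, List

LOWER = string.ascii_lowercase  # the 26-letter alphabet used in the answer


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def search_space_up_to(alphabet_size: int, max_length: int) -> int:
    """Distinct passwords of 1..max_length symbols (the "4 letters or shorter" case)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def brute_force_success(budget: int, alphabet_size: int, length: int) -> float:
    """Chance of hitting a uniformly random password within `budget` tries."""
    return min(1.0, budget / search_space(alphabet_size, length))


def guess_order(frequencies: Dict[str, int]) -> List[str]:
    """Most common password first: the wardrobe before the fridge."""
    return sorted(frequencies, key=lambda pw: (-frequencies[pw], pw))


def success_within(frequencies: Dict[str, int], order: List[str], budget: int) -> float:
    """Probability the target is among the first `budget` guesses, assuming the
    target was chosen the way the people behind `frequencies` chose theirs."""
    total = sum(frequencies.values())
    return sum(frequencies[pw] for pw in order[:budget]) / total


def expected_guesses(frequencies: Dict[str, int], order: List[str]) -> float:
    """Average number of guesses until success for a given guessing order."""
    total = sum(frequencies.values())
    return sum((i + 1) * frequencies[pw] for i, pw in enumerate(order)) / total


def expected_guesses_random_order(n_candidates: int) -> float:
    """Same thing for a grid search in arbitrary order: on average half the house."""
    return (n_candidates + 1) / 2


def random_password(length: int, alphabet: str = LOWER) -> str:
    """A uniformly random password; every candidate is equally likely, so there is
    no 'most likely place' to look first."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed toy leak: the counts are made up, only their skew matters.
SAMPLE_COUNTS: Dict[str, int] = {
    "password": 40, "123456": 25, "qwerty": 15, "letmein": 10, "kvym": 5, "hsdkqwpl": 5,
}


if __name__ == "__main__":
    order = guess_order(SAMPLE_COUNTS)
    print("guess order:", order)
    print("hit with 1 guess:", success_within(SAMPLE_COUNTS, order, 1))
    print("expected guesses, likely-first:", expected_guesses(SAMPLE_COUNTS, order))
    print("expected guesses, arbitrary order:", expected_guesses_random_order(len(SAMPLE_COUNTS)))
    print("8 lowercase letters:", search_space(26, 8))
    print("9 lowercase letters:", search_space(26, 9))
    print("4 lowercase letters or shorter:", search_space_up_to(26, 4))
    print("'password' vs one random 8-letter guess:", search_space(26, 8) // 151, "x more likely")
    print("a random 12-letter password:", random_password(12))
```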
4
Can you cite a source saying HIBP "is a good way to check if a password is strong enough to use or not"?
– schroeder♦
12 hours ago
3
In brief, HIBP has a huge list of real passwords, including both strong and weak ones. It is possible that the strong ones are filtered and not used in bruteforce attacks, but it's also possible that it's not worth filtering the list (after all, passwords that look strong might actually be weak and used by more than one user). So attackers might just use the whole list for bruteforcing, and therefore every password on that list is going to be at risk.
– reed
11 hours ago
I'd say that if your password was able to be cracked using any hash, it's not a good password. I'd also say that if your password was revealed in plaintext, it's now in the cracking dictionary, and thus a bad password. But I certainly wouldn't say that NOT being in haveIBeenPwned.com means it's a good password. The website primarily exists to show how common account cracking is, and how BAD your password is. It's nearly impossible to show how good a password is, unless it can be demonstrated to have a sufficient amount of entropy by the method used to generate it.
– Steve Sether
1 hour ago