23
Pro tip: A friend told me my password vault needed a master password longer than 12 characters.
I always used 10-character master passwords until last month, when a buddy who does IT security showed me how easy they are to crack with a decent GPU. Has anyone else bumped up their master password length after getting similar feedback?
3 comments
henry_hernandez 18d ago
Wait, actually that's not totally accurate about the GPU thing. Like, yeah, a good graphics card can crack short passwords fast, but it's more about the hash type and how the vault stores it. Most modern password managers use slow hashing algorithms like Argon2 or bcrypt that are designed to be hard to brute force even with a beast GPU. So a 10-character master password might not be as easy to crack as your buddy made it sound, especially if the vault uses a strong key derivation function with lots of iterations. That said, longer is still better obviously, I just don't want people to panic and think their 10-char password is basically useless. Bumping up to 14 or 16 is smart though, makes dictionary attacks way harder no matter what hash they're using.
0
ryan_kim63 18d ago
Nah, you're totally right. I've seen a lot of people get spooked by those GPU benchmarks, but they're always testing against simple MD5 or SHA1 hashes, not a well-configured Argon2 setup. Your typical modern manager like Bitwarden or 1Password uses something like 100,000+ iterations and a memory-hard function that really slows things down. So a 10-character passphrase with mixed case and numbers is probably still fine for most threat models as long as you're not a high-value target. Bumping to 15 or 16 is a cheap extra layer though, takes like 30 seconds to add a few more words to your passphrase.
2
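The cost argument the two comments above make (length and KDF iteration count multiply, so a fast MD5/SHA1 benchmark says little about an Argon2 or bcrypt vault) written out as an added Python example; this is not code from the thread or from any password manager. The 10 billion guesses/second baseline and the "one guess costs `iterations` hashes" model are constructed assumptions for illustration; Argon2's memory cost adds further slowdown that this simple model does not capture.

```python
import math

# Constructed assumptions for this illustration, not benchmarks of any real GPU:
# a fast unsalted hash (MD5/SHA1) is tested at roughly 10 billion guesses per
# second, and a slow KDF makes each guess cost `iterations` hash computations.
FAST_HASH_RATE = 10e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Typical alphabet sizes; a passphrase can be modelled the same way by treating
# each word as one "character" drawn from the word list (e.g. 7776 for Diceware).
CHARSETS = {"lowercase": 26, "mixed+digits": 62, "mixed+digits+symbols": 95}


def keyspace_bits(length, charset_size):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def guesses_per_second(kdf_iterations):
    """Effective guess rate once every guess needs `kdf_iterations` hash rounds."""
    return FAST_HASH_RATE / max(1, kdf_iterations)


def expected_crack_years(length, charset_size, kdf_iterations=1):
    """Expected years to find a random password: half the keyspace on average."""
    expected_guesses = 2 ** keyspace_bits(length, charset_size) / 2
    return expected_guesses / guesses_per_second(kdf_iterations) / SECONDS_PER_YEAR


def compare(lengths=(10, 12, 16), charset=62, iterations=(1, 100_000, 1_000_000)):
    """Expected crack years for each length x KDF cost, as nested dicts."""
    return {n: {it: expected_crack_years(n, charset, it) for it in iterations}
            for n in lengths}


if __name__ == "__main__":
    table = compare()
    print("length  bits     fast hash      100k iters     1M iters")
    for n, row in table.items():
        bits = keyspace_bits(n, 62)
        cells = "  ".join(f"{years:13.3g}" for years in row.values())
        print(f"{n:>6}  {bits:5.1f}  {cells}")
```

Under these assumptions a random 10-character mixed-case-plus-digits password falls in about 1.3 years to a fast hash, but the same password behind a 100,000-iteration KDF takes roughly 100,000 times longer, which is the point henry_hernandez makes; each extra character multiplies the cost by the alphabet size regardless of the hash.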
the_brooke 18d ago
One of my buddies had a heart attack about this exact thing last month. He was worried his 12-character password was basically useless and spent like two hours making a new 20-character one, then realized his vault was using bcrypt with a ton of iterations anyway. Said he felt kinda dumb, but at least now he's extra safe.
6