bwall Posted February 28, 2013

For everyone who uses a password manager, this might be a good extension for you to try. After doing a bit of research, I found that most hash cracking software cannot crack passwords over 125 characters. While a 125 character password is extremely strong, 126 makes it so hash cracking software must be modified (which can be a pain, as I found after helping patch John the Ripper). I was sad to see that password managers don't have the option to create passwords that large (for the most part), so I decided to create a simple Chrome extension to generate passwords at a variable length, with a focus on massive passwords.

Here's a link: https://chrome.google.com/webstore/detail/bwallhatestwits-password/gocfgmeinifgmkhjkdmfjolfmpfpfnbg

Feel free to send any questions/comments my way.

Jason Cooper Posted February 28, 2013

An interesting question is how increasing the length of a password affects the probability of there being a collision with a shorter length password. After all, a password of 2000 characters is no use if the same hash is generated by one of 5 characters.

bwall (Author) Posted March 10, 2013

Can't really account for collisions, especially since it depends on what hashing method is employed by the web server. Also, different salts can rule out predictable collisions.

    if hash(pass1 + salt1) == hash(pass2 + salt1):
        hash(pass1 + salt2) != hash(pass2 + salt2)

Jason Cooper Posted March 11, 2013

But if you are cracking password hashes then you already have the hash and the salt, and you are just searching for a password that, when hashed with the known salt, produces the hash. Thus the strength of a password in this case isn't the length of the actual password used to generate the hash but the length of the shortest password that will generate the same hash.

Having said that, as you probably won't actually have your password hash for many systems, you are still better to go for a longer password (that way there is only a chance that a shorter password produces a collision with your hash; if you pick a short password then there definitely is a short password that can be found when cracking the hash).
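
The collision argument in the last two posts, worked through as an added example that is not part of the thread or any poster's code. It assumes a constructed toy hash (salted SHA-256 truncated to 16 bits so the search finishes quickly), a constructed 126-character password, and the salt strings `salt1` and `salt2`; `toy_hash` and `shortest_collision` are hypothetical helper names.

```python
import hashlib
import string
from itertools import product

# Assumption: keep only 16 bits of the digest. This is what makes a collision
# findable; the same search against the full 256-bit output is infeasible.
TRUNC_BYTES = 2

LONG_PASSWORD = "x" * 126          # constructed sample, one past the 125 limit
SALT1, SALT2 = "salt1", "salt2"    # constructed salts


def toy_hash(password: str, salt: str) -> bytes:
    """hash(pass + salt) as written in the thread, truncated to TRUNC_BYTES."""
    return hashlib.sha256((password + salt).encode()).digest()[:TRUNC_BYTES]


def shortest_collision(target: bytes, salt: str, max_len: int = 5):
    """Try lowercase candidates in length order; return the first one whose
    salted toy hash equals target, or None if none exists up to max_len."""
    for length in range(1, max_len + 1):
        for chars in product(string.ascii_lowercase, repeat=length):
            candidate = "".join(chars)
            if toy_hash(candidate, salt) == target:
                return candidate
    return None


def demo():
    """Return (short password colliding under SALT1, whether the pair still
    collides under SALT2)."""
    target = toy_hash(LONG_PASSWORD, SALT1)
    short = shortest_collision(target, SALT1)
    still_collides = toy_hash(short, SALT2) == toy_hash(LONG_PASSWORD, SALT2)
    return short, still_collides


if __name__ == "__main__":
    short, still_collides = demo()
    print(f"{len(LONG_PASSWORD)}-char password collides with {short!r} under {SALT1}")
    print(f"same pair collides under {SALT2}: {still_collides}")
```

With a known hash and salt, the work needed is set by the shortest colliding input, which here is at most five characters because the digest is only 16 bits wide. A second salt makes the pair collide again only by chance (about 1 in 65,536 for this toy width), which is why a collision found for one salt is not reusable against another.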