@Tutanota A few terabytes should be enough for any password :blobcatcoffee:

@Tutanota diceware passphrase with 130+ bits entropy for password manager/computer etc.
then 50 chars passwords with random numbers, lowercase and uppercase letters for logins on websites etc.

@Tutanota So, my elementary school-era email passwords are still far beyond the ability of modern computers to crack. Neat!

@Tutanota brb setting my password to the entire script of The Bee Movie

@Tutanota i use the generator from my password manager. If possible 40 characters of all varieties.

@Tutanota Ah, long passwords.

My WiFi system has a 40 character password.

Which works fine with everything except one particular IoT device, which says "password too long" and refuses to operate. Tech support just said "use a shorter password". Despite most of the interweb saying that it can be up to 63 characters.

@Tutanota

FTR 👇

[ghose@debian ~ ]$pass generate new/SuperPassWord
dxPM8<udBMm@+),;~p-hjKllT
[ghose@debian ~ ]$

yes, some sites/services do not like some characters, so use -n with standar length that is enough as I see in that chart.

Thank you.

pass, the standard unix password manager 🔒

@Tutanota
I have both Batman symbol and Prince logo. Does that help?

@Tutanota Looking at the same sheet from 2022 and am a little surprised that the same password would now be more secure than in 2022. I was expecting the opposite direction. I guess that's due to changed methodology? Or am I missing something?

@Tutanota
Ich glaube der NIST nie nur ein Wort. Die Message ist ja, es gäbe überhaupt noch sichere Passworte.

@Tutanota Why are passwords that take millions of year are marked as yellow, an not green?

@Tutanota Hey cool. Most of my memorized passwords are in the 7-30 year range. Not TOO bad...

@Tutanota I’m not sure about other peoples perspective but I can live (or die) with 2qn - whatever that means. Sounds like long time to me.

@Tutanota it would be more fair to the reader to mention that these crack times apply to stolen password hash files. That's why, in the case of an IT security breach, you get a notice to change your password. Most login interfaces have a max attempt limit and a timer, in which case this table does not apply at all.

@Tutanota Well, it depends. If you’re doing eCommerce, the PCI DSS v4.0 still requires regular password rotation (ok, with a maximum interval of 1year, but still) 😎

@Tutanota Using a variation of: "day" "month", " year" and a symbol [$, !,?,@,€,&]

And since I use three languages that's three ways of spelling the month.

So if I changed it today it could be:
September25!2024@
Or
!25Setembre-2024?

Not the strongest but strong enough and easy to remember

@Tutanota
I think it’s important to note that the times listed is the MAXIMUM time it will take to crack the password, you could get lucky and get it on first attempt or 100 iterations in.

@Tutanota It's not like I'll be alive in 19 quintillion years anyways, so I'm fine with 20 character limits.

@Tutanota who cares about password length and complexity if (decent) MFA is mandatory?

@Tutanota tr -cd "[:graph:]" < /dev/urandom | head -c 97 | xargs -0

@Tutanota Yes.. BUT .. Most servers boot Login attempts after 3 errors.

@Tutanota /genq why is 33k years orange. i wont live half a percent of that