Email or username:

Password:

Forgot your password?
Tuta

🥳 NIST is making updates to their #password standards:
pages.nist.gov/800-63-4/sp800-

Goodbye unnecessary rotations & hello longer maximum password length! (Fun fact: Tuta has no password length limits 😎)

What do you think of these changes? How do you create your passwords securely?

A guide from Hive Systems visualizing the time required to brute force a password in 2024.
35 comments
TuxOnBike

@Tutanota My password manager creates them. But I play around with the options.

Tuta

@TuxOnBike That's another great way to create strong password! :)

Ténno Seremélʹ

@Tutanota A few terabytes should be enough for any password :blobcatcoffee:

arutaz

@Tutanota diceware passphrase with 130+ bits entropy for password manager/computer etc.
then 50 chars passwords with random numbers, lowercase and uppercase letters for logins on websites etc.

enoch_exe_inc

@Tutanota So, my elementary school-era email passwords are still far beyond the ability of modern computers to crack. Neat!

ajn142

@Tutanota brb setting my password to the entire script of The Bee Movie

rockpick

@Tutanota i use the generator from my password manager. If possible 40 characters of all varieties.

Tim Ward ⭐🇪🇺🔶 #FBPE

@Tutanota Ah, long passwords.

My WiFi system has a 40 character password.

Which works fine with everything except one particular IoT device, which says "password too long" and refuses to operate. Tech support just said "use a shorter password". Despite most of the interweb saying that it can be up to 63 characters.

ghose ⁂ 👣

@Tutanota

FTR 👇

[ghose@debian ~ ]$pass generate new/SuperPassWord
dxPM8<udBMm@+),;~p-hjKllT
[ghose@debian ~ ]$

yes, some sites/services do not like some characters, so use -n with standar length that is enough as I see in that chart.

Thank you.

pass, the standard unix password manager 🔒

a Witty Name

@Tutanota
I have both Batman symbol and Prince logo. Does that help?

Elatan

@Tutanota Looking at the same sheet from 2022 and am a little surprised that the same password would now be more secure than in 2022. I was expecting the opposite direction. I guess that's due to changed methodology? Or am I missing something?

A guide from Hive Systems visualizing the time required to brute force a password in 2022.
Zimmie

@elatan @Tutanota This chart doesn’t mention which hash it’s targeting. The 2022 chart might be for MD5, which is much less safe than bcrypt used for the 2024 chart.

Martin Rost

@Tutanota
Ich glaube der NIST nie nur ein Wort. Die Message ist ja, es gäbe überhaupt noch sichere Passworte.

cube

@Tutanota Why are passwords that take millions of year are marked as yellow, an not green?

bluGill

@cube

@Tutanota because governments can throw a lot more resources at your password than a random hacker. Do they care to is an open question - for your personally probably not - but NIST is advising people who foreign governments are willing to throw as many resources as they can at. (Ie the password that unlocks nuclear bombs)

SomeGadgetGuy

@Tutanota Hey cool. Most of my memorized passwords are in the 7-30 year range. Not TOO bad...

Rpsu (326 ppm)

@Tutanota I’m not sure about other peoples perspective but I can live (or die) with 2qn - whatever that means. Sounds like long time to me.

Cluster Fcku

@Tutanota it would be more fair to the reader to mention that these crack times apply to stolen password hash files. That's why, in the case of an IT security breach, you get a notice to change your password. Most login interfaces have a max attempt limit and a timer, in which case this table does not apply at all.

Cognitive Dissidence

@Tutanota

I use a phrase from a book, preferably one that's not too popular, then add some creative misspellings. For a hint, I can just use the book's title.

Things that I have never used in a password:

- DOB or anniversary of myself or family members
- Pet's name, current or past
- Home Town
- Any dictionary word (unless obfuscated by multiple misspellings)

What am I forgetting?

@Tutanota

I use a phrase from a book, preferably one that's not too popular, then add some creative misspellings. For a hint, I can just use the book's title.

Things that I have never used in a password:

- DOB or anniversary of myself or family members
- Pet's name, current or past
- Home Town
- Any dictionary word (unless obfuscated by multiple misspellings)

bluGill

@Jonstewartmill

@Tutanota Dictionary words spelled correctly are good, so long as there is more than one and they are random words. A phase is good but it needs to be more words because phase often from someplace people would guess. The idea is you want something that is nearly as unlikely as random garbage, but much easier to remember.

Armin Hanisch

@Tutanota Well, it depends. If you’re doing eCommerce, the PCI DSS v4.0 still requires regular password rotation (ok, with a maximum interval of 1year, but still) 😎

Simon Levesque

@Linkshaender @Tutanota most likely for another reason: to ensure no one that was in a company and got the password can use it forever even when leaving the company

Armin Hanisch

@simonlevesque as the PCI DSS also requires MFA, so I do hope that should not be possible.

@Tutanota

Johns

@Tutanota Using a variation of: "day" "month", " year" and a symbol [$, !,?,@,€,&]

And since I use three languages that's three ways of spelling the month.

So if I changed it today it could be:
September25!2024@
Or
!25Setembre-2024?

Not the strongest but strong enough and easy to remember

mangymagi:~#:blinking_cursor:

@Tutanota
I think it’s important to note that the times listed is the MAXIMUM time it will take to crack the password, you could get lucky and get it on first attempt or 100 iterations in.

bluGill

@mangymagi

@Tutanota While that is possible it is unlikely. Anyone sane doing these checks will have 10,000 or more common passwords they check first before they start the random search. And they will likely do their random search with shorter combinations as well. In fact if they don't know the length of your password (which no sane password storage will give you) they probably won't even try if your password is long because the odds of them ever getting it are too low to bother.

DELETED

@Tutanota It's not like I'll be alive in 19 quintillion years anyways, so I'm fine with 20 character limits.

André Koot

@Tutanota who cares about password length and complexity if (decent) MFA is mandatory?

mmphosis

@Tutanota tr -cd "[:graph:]" < /dev/urandom | head -c 97 | xargs -0

BoBwalker

@Tutanota Yes.. BUT .. Most servers boot Login attempts after 3 errors.

zoe

@Tutanota /genq why is 33k years orange. i wont live half a percent of that

Kuchenmampfer

@zoe @Tutanota because they only threw twelve consumer graphics card at it. If you are the NSA and have several datacenters full of graphics cards, a few thousand years on this chart quickly become wayyy shorter. Another factor is that computers are getting faster, which also reduces the cracking time in the future. And in case someone finds an attack against the hash algorithm, that can reduce it by orders of magnitude as well...

Go Up