I’ve had a thought forming in the back of my head since a recent ISD Podcast we did featuring a breach of a Star Wars fan site. In a data breach like this, it really doesn’t matter what your password is if the website stores it in clear text. Obviously you would hope that they wouldn’t do this, but if they do, you are screwed.
No matter how much care you put into having that 80-character passphrase with punctuation, etc., the data thief is sitting there staring at your password plain as day. Furthermore, you are standing out as the lone wolf who has this crazy password. From the thief’s perspective, that makes you a more interesting target, since you are either A) just more careful than the average Joe or B) hiding something spectacular.
Most people choose a password of 7-8 characters, because that is the minimum required length for most websites. A password of that length is somewhat trivial to crack these days, practically regardless of how much capitalization or punctuation is present. When you move up to something more like a 15-character password, I’ll dare say that you are beyond the practical reach of current capabilities. If you were dumb about it and made it easy to guess, then all bets are off. Putting in spaces can help, but even just combining odd words will make a better password. To illustrate:
“sneakyrubberdogbath” is safer than “P4$$#ui!”
But then if a website gets hacked and all the user accounts are leaked, having something REALLY long and REALLY crazy is going to make you stand apart from the pack, probably far more than you really want to. If I saw something like…
userbob: St4rz4rr666brown_wag1n4setz_blahblahblah_blahlitmus_vermin
…my interest would personally be piqued, and I would wonder what was so damned important that userbob is trying to protect. My point is that you should keep your password within a sensible range and not get carried away too far in either direction.
This brings out two points:
1) If the password is stored in plain text, is it truncated to some maximum length? If so, then it will only store that many characters.
2) This is another reason why you must always hash passwords! For a given SHA algorithm, the output is always the same size, independent of the input length.
Agreed that if the website doesn’t hash them you are already screwed to begin with. Unfortunately this is the part we don’t have control over. As far as truncated lengths, that IS something we can pretty much test for by putting in a really long password and typing less of it. That would also give us a pretty good clue that they were storing the passwords in plain text if that worked. The whole thought of truncated plain text passwords gives me the chills…
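The two points above (fixed-size hash output, and probing for silent truncation by logging in with a prefix of your own password) can be shown side by side in a few lines. The following is an added example, not code from the post or from either commenter; the 20-character column width and the PBKDF2 parameters are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed sample passwords of very different lengths.
SHORT_PASSWORD = "P4$$#ui!"
LONG_PASSWORD = "sneakyrubberdogbath_and_then_some_more_words_for_good_measure"

# Hypothetical column width of a site that stores passwords in clear text
# and silently drops whatever does not fit.
PLAINTEXT_COLUMN_WIDTH = 20

# Assumed PBKDF2 parameters for the demo; production code tunes iterations
# to its own hardware. The digest is always 32 bytes for SHA-256.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_plaintext_truncated(password: str, width: int = PLAINTEXT_COLUMN_WIDTH) -> str:
    """Simulate a clear-text column that keeps only the first `width` characters."""
    return password[:width]


def verify_plaintext_truncated(stored: str, attempt: str, width: int = PLAINTEXT_COLUMN_WIDTH) -> bool:
    """Login check against the truncated store: only the stored prefix is compared."""
    return hmac.compare_digest(stored.encode(), attempt[:width].encode())


def store_hashed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: output size is independent of password length."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_hashed(record: Tuple[bytes, bytes], attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def truncation_probe(store: Callable, verify: Callable, password: str) -> bool:
    """The check described in the discussion: register the full password, then
    attempt a login with only its first PLAINTEXT_COLUMN_WIDTH characters.
    Returns True when the prefix is accepted, i.e. the tail was discarded."""
    record = store(password)
    prefix = password[:PLAINTEXT_COLUMN_WIDTH]
    assert prefix != password, "sample password must be longer than the column"
    return verify(record, prefix)


def digest_lengths() -> Tuple[int, int]:
    """Stored sizes for the short and long password under hashing."""
    _, short_digest = store_hashed(SHORT_PASSWORD)
    _, long_digest = store_hashed(LONG_PASSWORD)
    return len(short_digest), len(long_digest)


if __name__ == "__main__":
    print("hashed digest lengths (short, long):", digest_lengths())
    print("truncated plaintext store accepts prefix:",
          truncation_probe(store_plaintext_truncated, verify_plaintext_truncated, LONG_PASSWORD))
    print("hashed store accepts prefix:",
          truncation_probe(store_hashed, verify_hashed, LONG_PASSWORD))
```

Run as-is it reports 32-byte digests for both passwords, a successful prefix login against the truncating clear-text store, and a rejected prefix login against the hashed store, which is exactly the signal the reply above describes.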
But this only applies if you reuse passwords.
Yep! The cold fact is that most people do… by a big margin, from what I can tell. Regardless, thanks for bringing up that point, since I seem to have glossed over it. 😉