Ask HN: How secure would this password be, practically speaking?
So I currently have a rule for myself that I don't let any new passwords be shorter than my previous password. As you may guess, my passwords are getting quite long after a few years of having to change every N days. This got me thinking.
I know it's low entropy, but as a guess on how most modern brute force attacks work, I was wondering how secure something like this would be, both conceptually and practically:
1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaaaaaa
4 comments
[ 3.2 ms ] story [ 22.8 ms ] threadHere is the reason:
1. It is 101 characters. If I was brute force attacking I'd imagine I'd target passwords <32 characters. Probably more like 8-16.
2. It has [a-zA-Z0-9]. This isn't bad, but isn't optimal. Add some symbols or non ASCII characters to really screw up brute force attacks.
3. If for some reason this is the password on a system that is not hashing but encrypting and using a cipher in ECB then it is definitely not secure.
Honestly if this was a password on a giant list I'd skip it and move on to easier targets.
Not sure how reliable its calculations are.