Ars has now done about a dozen of these articles. Unfortunately I think they are somewhat misleading, in that they don't emphasize what exactly the threat is that these password crackers represent.

This is an offline attack that allows the attacker to recover the plaintext from hashes. In the context of the internet, the impact of this type of attack on the end-user can be almost entirely mitigated by using unique passwords on each site. A site which has leaked its password hashes is almost certainly already fully compromised, so having the password to that particular site gets the attacker not much. It's only when those passwords are reused that recovering the plaintext becomes a big additional win for the attacker.

The implication of these articles is that you should use some super complicated random password. Indeed that's a good idea. I personally use LastPass to generate long random passwords. But if there's a choice between using one really good password all over the internet versus unique, but mediocre passwords on each site, the latter is a better choice. After all, any particular site could be a honeypot or store your password in the clear.

On the flip side, if these articles are aimed at developers rather than end users, then they should be emphasizing using a modern key derivation function with an appropriate work factor.
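One way to do what the comment above recommends, as an added example that is not from the thread: store passwords with a slow, salted key derivation function and record the work factor next to the hash, so that old records still verify and can be upgraded when the work factor is raised. PBKDF2-HMAC-SHA256 from Python's standard library is assumed here; the iteration count and the `algo$iterations$salt$digest` record layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: raise this as hardware gets faster. It is stored with each
# record, so existing hashes keep verifying and can be upgraded on next login.
DEFAULT_ITERATIONS = 600_000  # assumed value for this example


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(16)  # per-password random salt defeats shared precomputation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the record's own salt and work factor."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iters), dklen=len(expected))
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was produced with a weaker work factor than current policy."""
    algo, iters, _, _ = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iters) < minimum_iterations
```

On a successful login, a record for which `needs_rehash` is true can be replaced with `hash_password` on the just-verified plaintext, which is the only moment the server has it.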
The link goes to page 3, here's page 1: http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
I'm curious what you guys think of my current strategy. I use passwordchart.com. It requires a generator phrase to create a "password chart", which is simply a mapping from each alphanumeric character to a different 1-3 character alphanumeric string. You then type in an easy-to-remember password, and it maps that to a far more secure password using the generated chart. I use the same chart (with a backup printed in my wallet), and apply the same methodology for every service I use to create my easy-to-remember password. I read the "how it works" page and it seems pretty secure to me. For all my password needs I only have to remember two things: the generator phrase and the method for making the easy-to-remember password. There is also little counterparty risk (passwordchart.com doesn't know where the passwords are used, it would be hard to change the chart without me noticing, and I have a backup). I love not having to think hard when signing up for something new. In 5 seconds, I have an easy-to-fetch, secure, unique password for any service.
I set up an automatic grader for a class I TA so students could submit code and have results immediately (it just pipes input into stdin and checks stdout against a set answer). They had to set up little accounts on my grading website. I told them not to use important passwords or anything since I am not doing any sort of security. Upon examining the plaintext passwords, there is a decent number (maybe 5 out of 73 students) who used things like "Proverbs22" (number made up) as passwords.

Seems like a good strategy to brute force passwords.
I haven't been following cracking development, is anyone aware of a back-of-the-envelope analysis of how much using a preconceived mnemonic reduces entropy versus random letters? I would expect the math has been done, I think all you need are the 1-gram counts for the first letter position[1].

[1] https://www.google.com/fusiontables/DataSource?docid=1DlRnW1jLqZrRqVMlII39sJgWM5qH0hki_KcehSY#rows:id=1

EDIT: Based on a quick spreadsheet calculation, I think uniform A-Z each letter is 4.7 bits, and a phrase constructed of random English words each letter is 4.1 bits, so maybe not all that bad. https://docs.google.com/spreadsheet/pub?key=0Ar03cGpoaUJ3dHpZQU1aUS1YSnA4Q2dMQUZIRDc0anc&gid=0