undefined | Better HN

0 pointssneak5y ago0 comments

You're the sixth person to reply to me with this "advice". My own password is 30 characters and I self-host bitwarden_rs, patched to permit a higher KDF iteration count.

This has nothing to do with my usage.

0 comments

luis85y ago

Is sharing you password length wise? Knowing the # of chars you have reduced the number of iterations needed to complete a brute force attack.

255! vs 255! / (255 - 30)!

My math could be off though, i haven't work with factorials since i was in the university

Dylan168075y ago

I don't think you want a factorial involved.

With unknown size, cracking 30 characters takes time proportional to n^30 + n^29 + n^28 etc.

Cracking just 30 is proportional to n^30.

The difference is negligible. A percent or two.

luis85y ago

My bad, I was thinking in permutations but those does not allow repeated entries. It make sense now, like you said the difference is negligible.

throwaway7446785y ago

It's a trick. OP's password is actually 29 chars long, but the attacker will now start at 30 characters, and never brute force the actual password. Nicely played.

the_mitsuhiko5y ago

Evidently there is no problem then.

j / k navigate · click thread line to collapse

0 comments

luis85y ago

Is sharing you password length wise? Knowing the # of chars you have reduced the number of iterations needed to complete a brute force attack.

255! vs 255! / (255 - 30)!

My math could be off though, i haven't work with factorials since i was in the university

Dylan168075y ago

I don't think you want a factorial involved.

With unknown size, cracking 30 characters takes time proportional to n^30 + n^29 + n^28 etc.

Cracking just 30 is proportional to n^30.

The difference is negligible. A percent or two.

luis85y ago

My bad, I was thinking in permutations but those does not allow repeated entries. It make sense now, like you said the difference is negligible.

throwaway7446785y ago

It's a trick. OP's password is actually 29 chars long, but the attacker will now start at 30 characters, and never brute force the actual password. Nicely played.

the_mitsuhiko5y ago

Evidently there is no problem then.

j / k navigate · click thread line to collapse