
...conversely, do you have evidence most people pick their passwords from a 10k word list?

And the Oxford dictionary has ~171k words, so not sure where a 10k list even comes into play



If you look at Oxford you'll never have heard of 80% of those. People mostly know 15-30k words, but their productive vocabulary is smaller than their receptive, so for anyone coming up with random words 10k sounds pretty reasonable. Once you go beyond about 35k in word frequency lists, it turns into pretty technical/archaic stuff.


I think haveibeenpwned is good evidence people choose weak passwords and reuse them.

DICEWARE uses ~8k words, chosen so that people can remember and spell them.


haveibeenpwned is great! But it doesn't have anything to do with password strength. It just tells you if your password hash has been leaked/stolen.

edit: seems I'm wrong and they do actually have a passwords section: https://haveibeenpwned.com/Passwords


haveibeenpwned provides no such statistic, other than reuse (75% of original set) -- a breached password is unrelated to its strength.

The simple fact that the HIBP password list contains 512 MILLION unique passwords...


> a breached password is unrelated to its strength

But most of them were weak. And most of them have been cracked by hobbyists.

https://blog.cynosureprime.com/2017/08/320-million-hashes-ex...

512 MILLION is not a large number of passwords to check. What do you think the hash rate of modern GPUs/ASICs is?

https://www.troyhunt.com/86-of-passwords-are-terrible-and-ot...


You're forgetting the salt added. Compared to the original post I commented on, 512 mil is way larger than 10k. So it's 512 mil known passwords, times however large the salt is...it's not trivial -- and their 10k list was expected at 6 hours...

Extrapolating, 10k:6hrs == 512m:35 years


A GTX1080 gets 25GH/s on MD5, that is 1.5x10^16 per week. The salt is known -- makes rainbow attacks impractical, but doesn't reduce the hashing rate.

Martin Kleppmann explained the problem back in 2013: https://martin.kleppmann.com/2013/05/24/improving-security-o...


I conveniently forgot the salt is public ::facepalm::

I also was using the OP numbers, versus trying to do any math or research myself first ::second facepalm::


It's alright, that's why we have HN - not to be always right first and fastest, but to go deeper.


No, clearly most people don't pick their passwords from a 10k wordlist. My argument doesn't rely on them doing that: my argument relies on them picking bad passwords. I am using 10k wordlist diceware-style passwords only as an entropy estimation of a pretty good password.
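A worked version of the arithmetic traded in this thread (the 25 GH/s MD5 figure and the "salt is public" point, the 10k-in-6-hours extrapolation to 35 years, and the 10k-word Diceware-style entropy estimate), as an added example that is not from any commenter. It assumes a uniformly random passphrase and the per-guess rates quoted above; the candidate list and salt in the demo are constructed. The last part shows why a known salt defeats a precomputed lookup table but costs the attacker nothing extra per guess.

```python
import hashlib
import math

# Figures quoted in the thread (assumed here, not measured).
GTX1080_MD5_RATE = 25e9            # MD5 guesses per second on one GTX 1080
THREAD_LIST_SIZE = 10_000          # the 10k-word list under discussion
THREAD_LIST_HOURS = 6              # "their 10k list was expected at 6 hours"
HIBP_PASSWORDS = 512_000_000       # unique passwords in the HIBP set
WEEK_SECONDS = 7 * 24 * 3600
YEAR_SECONDS = 365.25 * 24 * 3600


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n words drawn uniformly at random from a list (Diceware-style)."""
    return n_words * math.log2(wordlist_size)


def guesses_per_week(rate):
    """Hashes a cracker running at `rate` guesses/s computes in one week."""
    return rate * WEEK_SECONDS


def seconds_to_exhaust_list(list_size, rate):
    """Worst case against a known candidate list: every entry hashed once."""
    return list_size / rate


def expected_seconds_random(entropy_bits, rate):
    """Average time to find a uniformly random secret: half the keyspace."""
    return (2 ** entropy_bits) / 2 / rate


def implied_rate(list_size, hours):
    """Guesses/s implied by 'list_size guesses in hours' (a slow KDF, not MD5)."""
    return list_size / (hours * 3600)


# ---- why a public salt does not slow the attacker down per guess -------------

def precomputed_table(candidates):
    """Attacker's lookup table hash -> password; only useful against unsalted hashes."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def salted_md5(salt, password):
    """Toy salted hash; the salt is stored beside the hash, so the attacker has it."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def crack_salted(target_hash, salt, candidates):
    """Online guessing with the known salt. Returns (password, hashes computed)."""
    for n, candidate in enumerate(candidates, 1):
        if salted_md5(salt, candidate) == target_hash:
            return candidate, n
    return None, len(candidates)


if __name__ == "__main__":
    print(f"25 GH/s for a week: {guesses_per_week(GTX1080_MD5_RATE):.3e} hashes")
    print(f"one word from 10k: {passphrase_entropy_bits(10_000, 1):.2f} bits")
    print(f"6 Diceware words (7776 list): {passphrase_entropy_bits(7776, 6):.2f} bits")
    slow = implied_rate(THREAD_LIST_SIZE, THREAD_LIST_HOURS)
    print(f"rate implied by 10k in 6h: {slow:.2f} guesses/s")
    years = seconds_to_exhaust_list(HIBP_PASSWORDS, slow) / YEAR_SECONDS
    print(f"512M at that rate: {years:.1f} years")
    print(f"512M at 25 GH/s MD5: {seconds_to_exhaust_list(HIBP_PASSWORDS, GTX1080_MD5_RATE):.3f} s")

    # Constructed candidate list and salt for the demo.
    candidates = ["123456", "password", "letmein", "dragon", "qwerty"]
    salt = bytes.fromhex("5f3a9c1e2b7d4e60")
    leaked_unsalted = hashlib.md5(b"letmein").hexdigest()
    print("unsalted, table lookup:", precomputed_table(candidates)[leaked_unsalted])
    leaked_salted = salted_md5(salt, "dragon")
    print("salted, online guessing:", crack_salted(leaked_salted, salt, candidates))
```

Running it reconciles the two numbers in the thread: the 35-year figure only holds at the roughly 0.46 guesses/s implied by "10k in 6 hours", which is the throughput of a deliberately slow KDF; against unsalted or salted MD5 at 25 GH/s the whole 512M list takes well under a second, because the attacker still computes exactly one hash per guess, salt included.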



