
Re: Password policy.




	Hi.

On Tue, Nov 13, 2018 at 08:23:13AM -0800, peter@xxxxxxxxxxx wrote:
> Hi, 
> 
> https://www.debian.org/doc/manuals/debian-reference/ch04.en.html#_good_password
> specifies "6 to 8 characters".  Is that adequate against currently available brute force?

$ hashcat --session 6to8 -m1800 /tmp/hash -a3 ?a?a?a?a?a?a

hashcat (v4.2.1) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 753/3013 MB allocatable, 9MCU

...

Session..........: 6to8
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$...
...
Time.Estimated...: Tue Aug 11 17:56:28 2020 (1 year, 271 days)
Guess.Mask.......: ?a?a?a?a?a?a [6]

$ hashcat --session 6to8 -m1800 /tmp/hash -a3 ?a?a?a?a?a?a?a?a

...

Session..........: 6to8
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$...
...
Time.Estimated...: Next Big Bang (15988 years, 0 days)
Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]


So, 6 characters is somewhat low (that GPU is outdated by today's
standards). 8 characters seem ok.

Reco
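
Added example, not part of the original message: a small Python calculator for the keyspace of a hashcat mask, used to derive the guess rate implied by the 6-character estimate above and project it to other lengths. The function names are hypothetical and a 365-day year is assumed; at that rate the 8-character projection lands within about 2% of the estimate hashcat printed.

```python
# Added example: keyspace size and exhaustion time for a hashcat mask.
# Sizes of hashcat's built-in mask charsets.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}
SECONDS_PER_DAY = 86400
DAYS_PER_YEAR = 365  # assumption: plain 365-day year


def mask_keyspace(mask):
    """Number of candidates a mask such as '?a?a?a?a?a?a' generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            pass                        # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            # Custom charsets (?1..?4) depend on command-line options.
            raise ValueError("unsupported mask token ?" + token)
        i += 2
    return total


def implied_rate(mask, years, days):
    """Guesses per second implied by an estimated time to exhaust a mask."""
    seconds = (years * DAYS_PER_YEAR + days) * SECONDS_PER_DAY
    return mask_keyspace(mask) / seconds


def years_to_exhaust(mask, rate):
    """Worst-case years to try every candidate at `rate` guesses/second."""
    return mask_keyspace(mask) / rate / (SECONDS_PER_DAY * DAYS_PER_YEAR)


if __name__ == "__main__":
    # Rate taken from the 6-character estimate quoted in the message.
    rate = implied_rate("?a" * 6, years=1, days=271)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for length in (6, 7, 8, 10):
        print(length, f"{years_to_exhaust('?a' * length, rate):,.1f} years")
```

Each extra `?a` position multiplies the exhaustion time by 95, which is why two more characters turn under two years into thousands of years on the same hardware.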