Image Source: Hive Systems

How this Password Chart is Giving You A False Sense of Security

--

By Danny Chung | May 21, 2023

You may have come across this infographic being shared on social media. At face value, and taken out of context, it can fairly be called misinformation, and I will explain why.

It gives people a completely false sense of security. Password-cracking time is far more complicated than a single chart can capture, and this chart gives NO information about the critical inputs behind its calculations.

Are we using grandma's old PC from 25 years ago, or are we cracking on a beefy rig with multiple GPUs orchestrated by Hashtopolis?

What kind of hashes are being stored? Are we attacking a memory-hard algorithm like Argon2, a straight MD5 (deprecated), or a salted, iterated variant of MD5 like md5crypt, which is also deprecated, by the way?

Or are we attacking PBKDF2-HMAC-SHA256 (PBKDF2 with SHA-256 as the underlying hash)? If so, what iteration count is configured? Is it the 5,000 rounds LastPass originally set as its default, the 100,100 rounds it later moved to, the currently recommended minimum of 600,000 rounds (OWASP's figure for PBKDF2-HMAC-SHA256), or something you set well above that? Cost scales linearly with the iteration count, so 600,000 rounds makes every guess 120 times more expensive than 5,000.

Is the password random, or is it a dictionary-derived password like "Password123!"? That is a 12-character password with uppercase, lowercase, digits and a symbol, so according to the chart it should take 226 years to crack. Right? Right?! In practice it is among the first candidates any wordlist-plus-rules attack tries, whatever hash protects it.
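To make the missing inputs concrete, here is a small Python model, added for this article and not part of the original post or of Hive Systems' methodology. Part 1 estimates worst-case time to exhaust a keyspace as a function of hash type, PBKDF2 iteration count and GPU count; part 2 runs a wordlist-plus-rules attack against a PBKDF2-HMAC-SHA256 hash of "Password123!". The GPU throughput constants (MD5_RATE, SHA256_RATE), the WORDS list and the RULES list are assumed, illustrative values constructed for the example; the function names are my own.

```python
"""
Added example (not from the original post): a model of what the chart leaves out.

All throughput figures are ASSUMED round numbers for one high-end consumer GPU,
chosen only to show orders of magnitude. Measure your own with `hashcat -b`.
"""
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed single-GPU raw guess rates (guesses/second). Real values depend on the
# card, driver and cracker version; these are placeholders for the arithmetic.
MD5_RATE = 1.6e11      # assumption: ~160 GH/s raw MD5
SHA256_RATE = 2.2e10   # assumption: ~22 GH/s raw SHA-256

CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "lower_upper": 52,
    "lower_upper_digits": 62,
    "full": 95,   # printable ASCII: upper, lower, digits, symbols
}


def keyspace(length, charset="full"):
    """Number of candidate passwords of exactly `length` drawn from `charset`."""
    return CHARSET_SIZES[charset] ** length


def pbkdf2_sha256_rate(iterations, base_rate=SHA256_RATE):
    """Approximate PBKDF2-HMAC-SHA256 guess rate (a model, not a benchmark).

    Each PBKDF2 iteration costs one HMAC, i.e. two SHA-256 compressions once the
    inner/outer key pads are precomputed, so throughput falls linearly with the
    iteration count.
    """
    return base_rate / (2 * iterations)


def seconds_to_exhaust(length, charset, guesses_per_sec, gpus=1):
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace(length, charset) / (guesses_per_sec * gpus)


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def hash_password(password, salt, iterations):
    """Salted PBKDF2-HMAC-SHA256, the scheme discussed in the article."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed mini wordlist and mangling rules, standing in for rockyou.txt plus a
# hashcat rule file. Candidate order matters: the attempt count below is 1-based.
WORDS = ["welcome", "password", "summer", "letmein"]
RULES = [
    lambda w: w,                         # as-is
    lambda w: w.capitalize(),            # hashcat rule: c
    lambda w: w + "1",                   # $1
    lambda w: w + "123",                 # $1 $2 $3
    lambda w: w.capitalize() + "!",      # c $!
    lambda w: w.capitalize() + "123!",   # c $1 $2 $3 $!
]


def dictionary_attack(target, salt, iterations, words=WORDS, rules=RULES):
    """Return (plaintext, attempts) if a word+rule candidate matches, else None."""
    attempts = 0
    for word in words:
        for rule in rules:
            candidate = rule(word)
            attempts += 1
            if hmac.compare_digest(hash_password(candidate, salt, iterations), target):
                return candidate, attempts
    return None


if __name__ == "__main__":
    configs = [
        ("MD5", MD5_RATE),
        ("PBKDF2-SHA256 x5,000", pbkdf2_sha256_rate(5_000)),
        ("PBKDF2-SHA256 x100,100", pbkdf2_sha256_rate(100_100)),
        ("PBKDF2-SHA256 x600,000", pbkdf2_sha256_rate(600_000)),
    ]
    for label, rate in configs:
        for length in (8, 12):
            t = seconds_to_exhaust(length, "full", rate, gpus=1)
            print(f"{label:24s} {length}-char full charset, 1 GPU: {years(t):.3g} years")

    # Part 2: the "strong-looking" password from the article against a real KDF.
    salt = os.urandom(16)
    iterations = 600_000
    target = hash_password("Password123!", salt, iterations)
    print(dictionary_attack(target, salt, iterations))
```

Under these assumed rates the same 8-character full-charset password moves from roughly half a day of brute force against raw MD5 to thousands of years against PBKDF2-HMAC-SHA256 at 600,000 rounds, and adding GPUs divides any of those figures linearly. Meanwhile "Password123!" is recovered on the twelfth candidate of the four-word list regardless of the iteration count, because the keyspace the chart assumes is never searched at all.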

Again, please STOP reposting that chart without proper context. You are doing the community a disservice by making people feel that any 12-character password with "complexity" is sufficient.

To use an analogy, it is like handing me a map with no legend, no scale and no cardinal points, and telling me it takes a vehicle 10 gallons of gas to get from point A to point B. Well, what's the distance? What vehicle are we using? What's its MPG? What's the elevation gain and loss? Talk about your mileage may vary! We may not be able to factor in every tiny detail, but if we had this information we would have a far better idea of the context.

--

Danny Chung, MBA, Associate CISSP, GCIA, GCIH, GSEC

Danny is a Cyber Security Professional who is passionate about cyber/infosec, finance, investments, & global supply chain.