PUBLIC DEFENDER By Brian Livingston: A new feature of Microsoft’s Edge browser is causing our readers to ask, “Is this MS initiative going to place our
[See the full post at: Should you give Microsoft all of your passwords?]
Should you give Microsoft all of your passwords?
- This topic has 37 replies, 17 voices, and was last updated 3 years, 11 months ago.
Topic author: B. Livingston (AskWoody MVP), May 17, 2021 at 1:01 am #2365254
Replies (23 reply threads):
agoldhammer (AskWoody Plus), May 17, 2021 at 6:42 am #2365287
The only passwords that I allow to be saved by a browser are those for streaming services, and this is for convenience only. I’ve used PasswordSafe for management, and while it’s not quite as easy to use compared to some other solutions, it works fine for my needs and has been ported to Android OS so I can have it on my phone. The other nice advantage is that it is free!
Chris Greaves (AskWoody Plus), May 17, 2021 at 6:55 am #2365288
Who is “You”?
If you mean me, well, the answer is no.
As it is, I suspect, for 95% or more of the residents of AskWoody village. 5% of the village may well be IT managers for companies, and IMNSHO those folks should never store a password outside the company.
For the life of me I can’t see why the 95% of us can’t/won’t/don’t maintain passwords in a secure document.
I mean, if you begrudge spending thirty seconds to retrieve “5zgpwozp” from Passwords.doc (*) (not its real name) for your once-a-year foray into submitting your tax returns online, then you haven’t appreciated the time-saving of submitting tax returns online instead of bicycling down to the post office.
As for those twice-a-week online banking transactions, is it that hard to associate a mnemonic password with a bank account? I can’t see the rationale behind making up secure passwords and then handing them over to anyone, or anything.
(*) 77 passwords in the table at last count
Cheers
Chris
Unless you're in a hurry, just wait.
wdburt1 (AskWoody Plus), May 17, 2021 at 7:19 am #2365294
There are many web sites where I wouldn’t care if the name and/or password is hacked, including more than a few that apparently require a username and password only because it makes their owners feel important. The Firefox feature that offers to save and automatically fill in a username and password is useful in these situations.
1 user thanked author for this post.
doriel (AskWoody Lounger), May 18, 2021 at 2:09 am #2365507
> There are many web sites where I wouldn’t care if the name and/or password is hacked
Of course, I do the same. I store passwords for printers in Chrome; it’s basically the same password for approx. 100 IP addresses. It’s faster than typing it all the time.
Also, I store my password for AskWoody, created websites and other blogs. I don’t consider it so risky or painful to lose some login to a website.
Those logins that I value the most, I don’t store anywhere. I always type ’em.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
1 user thanked author for this post.
Mele20 (AskWoody Lounger), May 17, 2021 at 8:12 am #2365308
> The Firefox feature that offers to save and automatically fill in a username and password is useful in these situations.
Yes! I’ve been using Fx and its forks since Netscape died. I’ve never been much of an IE or Edge user and would never touch Google junk. I trust Mozilla and its main fork I use as my default browser (Basilisk) to treat my saved logins in an honorable way. I also write all logins down on paper. I have about 50 pages of written down logins … front and back of each page, so actually about 100 pages of saved logins since I got my first computer in 1999.
I had third party software years ago to manage and save the logins and then disaster struck the software, so I began writing each down on paper and also letting Fx, and later Basilisk, save and manage them. I couldn’t possibly memorize all of them and I don’t believe in ever using the same login for more than one site.
2 users thanked author for this post.
J9438 (AskWoody Plus), May 17, 2021 at 10:46 am #2365368
After reading Brian’s statement in the newsletter, “Unfortunately, websites that send a verification code by calling or texting your mobile phone are NOT SAFE. The security firm Positive Technologies recently demonstrated how to take over a Coinbase cryptocurrency wallet using known flaws in the global cellular network” (what a shock), I did some Googling on the alternates, Authenticator App and FOB key. I was surprised by one comment where a reader used an Authenticator App and then had to reset or buy a new phone. He was completely locked out of all his accounts because the Authenticator was on his phone! So the FOB looks like the way to go, unless it too has a weakness, and where do I even get one??
dg1261 (AskWoody_MVP), May 17, 2021 at 3:52 pm #2365459
> I did some Googling on the alternates, Authenticator App and FOB key. I was surprised by one comment where a reader used an Authenticator App and then had to reset or buy a new phone. He was completely locked out of all his accounts because the Authenticator was on his phone!
That’s easily mitigated: just keep a copy of the QR code.
When setting up an Authenticator token, the website will generate a unique QR code on screen, at which you point your camera. In addition to snapping the QR code with the Authenticator app, also take a regular photo or screenshot of it. If you ever have to reset or change your phone, just reinstall the Authenticator app and point it at your saved copy of the QR code. Job done.
And for those who don’t know, the Google Authenticator app can be used for more than just Google. All TOTP (“Time-based One Time Passcode”) apps work the same, so the authenticator apps from Google, Microsoft, Facebook, Authy, et al, are interchangeable. You only need one, and it can be configured with TOTP tokens for multiple sites.
Beyond TOTP, and if it’s a Google account you’re talking about, note Google can also generate a series of “Backup Verification Codes” that you can print and store offline, to be used when your normal 2FA method isn’t available. That’s always a good safety measure.
1 user thanked author for this post.
MrChaz (AskWoody Lounger), May 17, 2021 at 10:55 am #2365373
Certainly not; do you give the local authority/council your car or house keys? Just because people use their services doesn’t mean you should immediately trust the provider with sensitive info. Use an encrypted password manager and store it locally over multiple locations is my advice. One password to remember to access your password database… simplicity works here.
Illegitimi non carborundum
Ascaris (AskWoody MVP), May 17, 2021 at 2:03 pm #2365427
It’s a little different if the provider of the password service is also the provider of the operating system. You are already trusting them to the highest level… The OS, by design and necessity, has access to everything you do on that device. If you don’t want to have the passwords out there “in the cloud” where they could be inadvertently exposed, or if for some other reason you don’t consider it secure enough, that’s one thing, but if you don’t trust MS to not do something bad with them if they have them, you shouldn’t be using Windows or Edge at all.
If you know me and the things I write about, you know that I have little trust in Microsoft, but stealing my passwords is one thing I would not worry about with them.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
b (AskWoody_MVP), May 17, 2021 at 12:01 pm #2365389
> To bring us up to modern times, the Redmond company announced on January 21 that version 88 and higher of its Edge browser can now save usernames and passwords that people enter at websites.
> Edge’s storing of your credentials is off by default. Users must enable it by selecting Settings, Profiles, Passwords and configuring the options as shown in Figure 1. The user must also be signed in to a Microsoft account or a work or school account.
That’s not what Microsoft announced this year at all.
Edge (even legacy Edge) has always been able to save website usernames and passwords, and it’s always been on by default. No Microsoft or work/school account has ever been required for that.
What’s new this year is the Password Generator and Password Monitor (which do require Microsoft or work/school accounts), as clearly explained in the announcement:
Help keep your online accounts secure with password generator and Password Monitor
bbearren (AskWoody MVP), May 17, 2021 at 4:16 pm #2365462
I don’t/won’t use Edge, so, no.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over! We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things. We were all once "Average Users".
windbg (AskWoody Plus), May 17, 2021 at 5:34 pm #2365475
Re: Authenticator App and being locked out…
To avoid lockouts, you need to back up your encrypted Authenticator file just like you need to back up your encrypted password file. And when you do back up these sensitive files, encrypt them again. For example, mine are backed up within an encrypted disk. And keep multiple backed-up copies in different locations. Make sure you pick Password Managers and Authenticator Apps that give you a means to back them up, such as storing the user data in an encrypted file.
Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.
1 user thanked author for this post.
J9438 (AskWoody Plus), May 18, 2021 at 8:24 am #2365528
One other question on Brian’s post, “using known flaws in the global cellular network”:
Was or will this flaw be fixed? Since text 2FA is so much simpler to set up and use than the Authenticator App or FOB key, seems like an important fix. As an additional alternative to cell text I have found sites usually also offer the 2FA to a land line or email, which I suppose does not have this flaw, providing of course you can opt out of the cell text. The only problem to that is that the 3 choices seem to be offered together after entering a password so a hacker could still use the cell text option, unless the cell text option could be blocked.
dg1261 (AskWoody_MVP), May 18, 2021 at 8:15 pm #2365650
> Was or will [known flaws in the global cellular network] be fixed?
If you’re in the US, don’t hold your breath. The telcos hold too much power and resist any attempt to force them to spend money fixing their product.
Like the banking and credit card industries (witness how they dragged their feet implementing chip-and-pin), the US telco industry lags behind the rest of the world.
> Since text 2FA is so much simpler to set up and use than the Authenticator App …
I would disagree. Setting up a TOTP authenticator is nearly as easy as setting up text-based 2FA.
Install and launch the authenticator app, then tell the service provider (e.g., Google, Facebook, or Microsoft) that you want to set up 2FA, and they’ll display a QR code with an embedded secret key. Point your smartphone’s camera at the QR code, and voila! The only thing left to do is tell the provider what 6-digit code your authenticator is showing, just so the provider can confirm both of you are using the same secret key — a desirable safety measure before they go ahead and enable 2FA on your account.
As for using an authenticator, I find it much easier than texts — just pop open the authenticator and the code is right there, waiting for you to copy it. You don’t have to wait for a text to arrive, which at times may take several minutes or never arrive at all. I’ve also been in places where I have a wired ethernet connection on a computer to get into my email, but no cell connection. In that scenario, waiting for a texted code would be futile. In contrast, the authenticator app doesn’t need a cell connection to work.
> The only problem to that is that the 3 choices seem to be offered together after entering a password so a hacker could still use the cell text option, unless the cell text option could be blocked.
That depends on what service you’re talking about, but with Google accounts the answer is yes, the text option can be disabled.
On my account I have three 2FA methods enabled but not the voice/text option. When logging in from an unknown device, the 2FA prompt appears after the username and password are entered, but the prompt has a “Try another way” link that lets me select the second or third method if my primary method is not available. The voice or text option is not offered under “Try another way” because I don’t have that option set up.
J9438 (AskWoody Plus), May 19, 2021 at 7:15 am #2365708
> known flaws in the global cellular network” Was or will this flaw be fixed?
> If you’re in the US, don’t hold your breath.
Since probably the vast majority of cell text 2FA users have no idea about this flaw, everyone who reads this should sit down and write their legislators and demand a fix.
> Setting up a TOTP authenticator is nearly as easy as setting up text-based 2FA.
First, thank you for the detailed explanation of setting up the authenticator. I had looked up Microsoft before and got hung up on the QR scan, as I did not think my iPhone did QR scanning, but from your explanation it looks like the Authenticator app itself has the scan function.
But getting past that, my signing in is mostly non-Microsoft stuff such as bank, insurance and retail sites, and it seems like I would have to have an app for all of those, if they even allow it, and would have to go through that long setup procedure for each. Whereas now, on all that accept 2FA, I just go to the security page and enter my phone to set up. 99% of the time the text comes immediately, but you made a good point if there is no cell reception. I found an article in PCWorld that compared the 3 types, and it said cell text is the easiest to use but least secure, FOB key the hardest to set up but most secure, and authenticator app in the middle.
The best solution is to jail all the crooks that make us go through all this gauntlet!!!!
J9438 (AskWoody Plus), May 19, 2021 at 7:29 am #2365710
I just thought of a possible flaw in authenticator app. If you lose your phone or if it is stolen and you are using cell text 2FA, you call your provider immediately and cut off the service, and that cuts off cell text 2FA access. However, since the thief still has a locally working phone, he can still access your account with the authenticator codes on the phone. You would then have to call all your accounts using those codes to block access. Does that make sense? Seems nothing is failproof!
doriel (AskWoody Lounger), May 19, 2021 at 7:43 am #2365713
> However, since the thief still has a locally working phone he can still access your account with the authenticator codes on the phone.
In this case, you should immediately block your phone from a second device, usually from a PC. You can lock an iOS phone remotely, and a phone with Android and a Google account too. I suppose you can lock a phone with an MS Account too somehow, but I have no experience with that.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
1 user thanked author for this post.
doriel (AskWoody Lounger), May 19, 2021 at 7:35 am #2365711
So the conclusion is this?
The 2FA via SMS is not safe, because an attacker could see your SMS code on the lock screen. But they still need to know your “Whatever account” password to gain access.
+ Attacker must have your phone and break the password, let’s say 10 alphanumeric characters or worse.
MS Authenticator seems good, but if someone steals your phone and unlocks it, they can gain access everywhere. Without any password.
+ Attacker must break 4-6 numbers, or gesture/picture/fingerprint.
If the FOB is lost and no password is needed, you are doomed.
+ Attacker must have the FOB, then has access instantly, or needs to crack the password, again, let’s say 10 alphanumeric characters or worse.
Neither way is totally safe. I would say it’s adequately safe. And that’s all. The less you put into the online world, the more secure you are.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
3 users thanked author for this post.
J9438 (AskWoody Plus), May 19, 2021 at 9:08 am #2365741
After some more research it seems the cell text flaw is with the “SS7 Global Network”. Google showed a couple of recent articles where some software companies said they had solutions that could be implemented through MNOs (Mobile Network Operators). Google showed articles as early as 2016 talking about the problem and how some banks had lost lots of money due to this. About time for a fix, isn’t it??
DaveBoston (AskWoody Plus), May 19, 2021 at 11:07 am #2365765
I have a question related to this thread. General audience media stories always say to use a complex password so dictionary (or brute force) attacks that try hundreds or thousands of passwords will not figure your password out. In my experience with banking, etc., if my password is entered incorrectly 3 or 4 times, the account is locked and requires a visit or live phone call to reset using security questions. I asked an officer at my bank branch and they said this type of attack would not succeed at their bank.
My question is, do these attacks succeed and if so how? I can understand that knitting-tips.com might not have great security rules, but major banks, etc. do.
Can someone at AskWoody or in the audience explain this disconnect? Thanks!
1 user thanked author for this post.
b (AskWoody_MVP), May 19, 2021 at 12:32 pm #2365778
Most brute force attacks occur offline, against a leaked or stolen password database.
> In case of an offline attack where the attacker has access to the encrypted material, one can try key combinations without the risk of discovery or interference. However database and directory administrators can take countermeasures against online attacks, for example by limiting the number of attempts that a password can be tried, by introducing time delays between successive attempts, increasing the answer’s complexity (e.g. requiring a CAPTCHA answer or verification code sent via cellphone), and/or locking accounts out after unsuccessful login attempts.
Brute-force attack — Countermeasures [Wikipedia]
3 users thanked author for this post.
dg1261 (AskWoody_MVP), May 19, 2021 at 3:39 pm #2365799
Livingston’s newsletter article makes the argument for using a password manager (instead of letting the browser store them), and using 2FA when available:
> The best security, which you should always use when it’s available, is two-factor authentication (2FA). After you enter a username and password, a website sends a code to a different device — the second factor. Done right, this is almost totally unhackable.
That’s somewhat misleading, though.
First, 2FA doesn’t have to involve a website sending a code. That may be true for text-based 2FA, but authenticators, security fobs, and biometrics (face ID, fingerprint/palm readers, iris scan) don’t require a website to send a code anywhere. That’s part of their strength because texts can be intercepted en route to your phone.
Second, it’s a little cavalier to say something is “almost totally unhackable”. As doriel points out, you can be vulnerable if your second factor is compromised — which isn’t a rare or unthinkable possibility.
But the whole point of 2FA is to make it more difficult for the bad guys, even if you can’t make it impossible for them.
The “factors” in 2FA fall into three categories:
- something you know (e.g., password, mother’s maiden name, combination lock code)
- something you have (e.g., house key, phone, security fob, safe deposit box key)
- something you are (e.g., fingerprint, iris scan, face ID)
Two-Factor Authentication requires items from two different categories, with the theory being that it is much more difficult for a bad guy to steal items from two categories than two items from one category. So even if you lose your phone or fob, a bad guy would still need to know your account name and password (and the stronger, the better) to make use of your stolen Authenticator token.
> But getting past that, my signing in is mostly non Microsoft stuff such as bank, insurance, retail sites and it seems like I would have to have app for all of those if they even allow it
Remember, TOTP apps are the same. You don’t need a separate app for each site. One TOTP app can serve different tokens for different sites.
(Aside: some TOTP apps have an extra security option of requiring a PIN to open the app. Google Authenticator does not, so it’s not my preferred choice. But my main point is under the hood they all generate the ever-changing 6-digit code the same way.)
As for sites that support TOTP authentication … IME, few banks do. It boggles the mind.
> if my password is entered incorrectly 3 or 4 times, the account is locked and requires a visit or live phone call to reset using security questions.
Note that’s about how your bank handles password attacks. That won’t help stop a hacker if he already has your valid password. But 2FA will.
Note that asking for “security questions” isn’t 2FA. If your bank asks for your password and then follows it up with a security question, both items fall into the same category of “something you know”. That’s often called Two-Step Authentication, which is better than one step but not as strong as Two-Factor. It’s not as strong because if somebody knows you well enough to know your password, they may also know your favorite pet’s name, etc.
1 user thanked author for this post.
Paul T (AskWoody MVP), May 20, 2021 at 1:02 am #2365874
> That’s often called Two-Step Authentication, which is better than one step but not as strong as Two-Factor. It’s not as strong because if somebody knows you well enough to know your password, they may also know your favorite pet’s name, etc.
Which is why you use a password manager and make up answers to those questions, saving said answers in the password manager. Even you can’t guess the correct answer.
Strong random passwords and any sort of 2FA is much better than a password you can remember.
cheers, Paul
1 user thanked author for this post.
J9438 (AskWoody Plus), May 20, 2021 at 7:49 am #2365928
> if my password is entered incorrectly 3 or 4 times, the account is locked
Don’t forget your laptop that you accidentally leave in your unlocked car with your saved passwords while the thief is watching. Your laptop does not lock out after 3 tries. I found a website (don’t remember which one, but you can Google search) that does a test brute force attack on any password you want to test. It tells you how long it would take to break it. Basically it said a password with random numbers, letters, etc. of 12 characters would take over 100 years to break with today’s super computers. A simple 4 character common name would be instant. However, that time gets less as computers get faster.
Even with 3-try lockout it is better to have a long password, so if your bank’s database gets hacked a password of “keic8ue3e9fc8ueuod87fi4eui” is much less likely to be used than “rover”. Of course you cannot type “kdji4eoi9de9ud9” every time, so either use a password manager or write the password in a text file that you can copy/paste at log in.
2 users thanked author for this post.
doriel (AskWoody Lounger), May 20, 2021 at 8:21 am #2365930
When talking about passwords, it’s a fact that the longer the password is, the longer it takes to “guess” it. The function depending on the number of characters is exponential, not linear. It means that with every character added to your password you make it much harder to crack.
One guess takes a millisecond (for example).
One alphanumerical character password: 36 possibilities; 36 x 1 ms = 36 ms
Two alphanumerical character password: 36 ^ 2 possibilities; 1296 ms
Ten alphanumerical character password: 36 ^ 10 possibilities; 3656158440062976 ms = 115 936 years
For curiosity, that is.. (Wolframalpha link here)
So even “Strongpassword123” (length 17) is better than “kdji4eoi9de9ud9” (length 15). It’s not necessary to have a difficult password, but it’s important to have a long password.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
Paul T (AskWoody MVP), May 21, 2021 at 12:21 am #2366064
The GRC.com website has a Password Haystacks section for checking length and complexity.
> “Strongpassword123” (length 17) is better, than “kdji4eoi9de9ud9”
Except that an attacker would try a dictionary attack as well as random, and the longer password will be found relatively quickly. If you are going to use common words you need to add more length and/or extra characters, e.g. “Strong.;password#123” or “Strongverylongpassword123”.
cheers, Paul
doriel (AskWoody Lounger), May 21, 2021 at 2:29 am #2366071
Or at least some unexpected uppercase: StrongpaSSworD123 should be enough. There are too many combinations even for a dictionary attack.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
1 user thanked author for this post.
zat_so (AskWoody Plus), May 21, 2021 at 8:44 am #2366098
Shouldn’t the discussion take into consideration that the attacker will (very likely) not know the length of the password, and so will have to start at some minimum length and work his way up? Most websites that I’ve seen require at least 6 characters, so if your password is 12 characters, wouldn’t the attacker have to try all 6-character passwords, then all 7-character passwords, and so on? The cumulative time for that seems to be beyond the reach of anyone and anything available, even if dictionary words are used.
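doriel's per-length arithmetic above and zat_so's point that an attacker who does not know the length must cover every length from the site minimum upward can be put into one small calculator. This is added example code, not from any poster in the thread; the guess rate (doriel's one guess per millisecond), the site minimum length and the optional fraction of the keyspace searched (the 10% figure Paul T uses later in the thread) are inputs. The character-class estimate treats the password as uniformly random, which is exactly the assumption a dictionary attack exploits when a password is built from words, so the numbers are an upper bound, not a guarantee.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, min_length: int, max_length: int) -> int:
    """Candidates an attacker who does not know the length must cover: every
    length from the site's minimum up to and including the real length."""
    return sum(keyspace(alphabet_size, n) for n in range(min_length, max_length + 1))


def search_years(candidates: int, guesses_per_second: float, fraction: float = 1.0) -> float:
    """Wall-clock years to try `fraction` of `candidates` at the given rate.
    fraction=1.0 is the exhaustive worst case, 0.5 the average for a uniformly
    random password, 0.1 the optimistic figure quoted later in the thread."""
    return candidates * fraction / guesses_per_second / SECONDS_PER_YEAR


def alphabet_size_of(password: str) -> int:
    """Estimate the alphabet a password is drawn from by the character classes
    it actually uses. An upper bound: a dictionary word gives the attacker far
    fewer effective candidates than this counts."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def estimate(password: str, guesses_per_second: float,
             min_length: int = 6, fraction: float = 1.0) -> dict:
    """Years for the exact-length space and for the cumulative space from
    `min_length` upward, assuming a uniformly random password."""
    size = alphabet_size_of(password)
    length = len(password)
    return {
        "alphabet_size": size,
        "length": length,
        "exact_years": search_years(keyspace(size, length), guesses_per_second, fraction),
        "cumulative_years": search_years(
            cumulative_keyspace(size, min_length, length), guesses_per_second, fraction),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords compared in the thread, at
    # doriel's assumed rate of one guess per millisecond (1,000 per second).
    for pw in ("kdji4eoi9de9ud9", "Strongpassword123"):
        r = estimate(pw, guesses_per_second=1_000)
        print(f"{pw}: alphabet {r['alphabet_size']}, length {r['length']}, "
              f"exact {r['exact_years']:.3g} years, "
              f"cumulative from 6 chars {r['cumulative_years']:.3g} years")
```

The cumulative figure is always dominated by the longest length, since each extra character multiplies the space by the alphabet size, so zat_so's extra lengths add only a few percent; the far bigger swing comes from the guess rate, which for an offline attack on a leaked hash database is many orders of magnitude above the one-per-millisecond figure used here, and from whether the password is random at all.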
doriel (AskWoody Lounger), June 9, 2021 at 6:07 am #2370145
I agree with your post, when using a dictionary attack.
I think it’s not good to be too “paranoid”; the probability of breaking a password is very small. Relax and set a 10-character password. If your password was guessed, you used some obvious password like Password123.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
Paul T (AskWoody MVP), June 9, 2021 at 6:35 am #2370153
The issue is less about guessing passwords as using the same password on multiple sites, so ones from a breach are automatically valid.
Using a password manager to generate long passwords is just a good way to manage your online accounts.
cheers, Paul
anonymous (Guest), May 21, 2021 at 10:30 am #2366112
No.
Really? Why even discuss this?
Google’s about to begin changing user passwords if they show up on some compromised pwd’s lists. Read that again. “We changed your password to protect you from yourself!” Stay dumb, your phone is your brain, we do your thinking, you don’t know how.
Passwords written on sticky notes are more secure than those trusted to any online so called manager.
The idea that companies can trash the small remaining trust they may have by compromising security and privacy is a snake eating its tail. Lawsuits don’t matter, they have more money than many small countries combined. Unfortunately, it’s a very, very long snake.
Additionally, if they can raid your accounts based on some initiative a half asleep team conjured up, what else are they doing that’s hidden from users? Unless a third party is managing pwds or they’re somehow hidden, there’s no privacy at all.
1 user thanked author for this post.
b (AskWoody_MVP), May 21, 2021 at 10:35 am #2366120
> Google’s about to begin changing user passwords if they show up on some compromised pwd’s lists. Read that again. “We changed your password to protect you from yourself!”
Despite the ghacks.net headline, it’s not automatic:
> Google announced today that it is bringing a new security feature to the company’s Chrome web browser that informs users about compromised passwords and lets them change these passwords to a secure new password instantly.
> …
> Chrome users who prefer to stay in control can do so, for instance by ignoring the feature.
1 user thanked author for this post.
J9438 (AskWoody Plus), May 21, 2021 at 12:56 pm #2366146
> wouldn’t the attacker have to try all 6-character passwords, then all 7-character passwords,
I tried a gobbledygook 7-char password on the password tester on security.org and it quoted 19 minutes to break. So I think the hacker would have plenty of time to go through all combinations up to 10, which shows a month to crack, and then 11 chars 4 years. I don’t think the hacker sits there waiting, but probably more like a chat situation where your stolen laptop is started while working on your offline bank account. 12 chars looks like the minimum at 400 years.
1 user thanked author for this post.
doriel (AskWoody Lounger), June 9, 2021 at 6:12 am #2370147
Did you consider that most servers restrict the amount of attempts allowed to try the password?
For the webhosting I use, there is a limit of 200 requests per minute.
It’s not realistic to try to guess a user password continually for one hour. Not even two minutes (in the real world). I’m not saying every server uses this mechanism, but the critical ones do.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
J9438 (AskWoody Plus), May 21, 2021 at 1:20 pm #2366151
> Why even discuss this?
Unfortunately, whether we like it or not, we are in Cyber World War I. Whether some companies diligently enhance their cyber defense or other companies do nothing and let insurance pay the price, or whether individuals diligently work on their security or just remain dumb and indifferent until disaster hits home, it still is better for all of us to keep discussing ways to enhance our security, whether through long passwords, or 2FA, or add-on software or whatever.
Every security technique seems to have an Achilles heel, but at least we can keep on fighting until some day truth and honesty wins and the hackers find that Karma or some ultimate out-of-this-world justice, or whatever, proves that crime does not pay in the long run.
Paul T (AskWoody MVP), May 28, 2021 at 4:05 am #2367574
> 12 chars looks like the minimum at 400 years
12 is not long enough. 18 to 20 is the place to start, then it will take several centuries - assuming it is guessed in 10% of the time it takes to perform an exhaustive search.
cheers, Paul
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.