
> Using 4 or more dictionary words provides excellent password security

I would not call 44-48 bits "excellent". It works if there's a good password hash being used, but if someone left PBKDF on basic settings then a GPU might be able to do 50 million guesses per second, or for a plain old salted hash 50 billion guesses per second.



How does that math work?


The bits, I'm assuming a list of about 2k-4k words. The XKCD example is 2k, so 11 bits per word.

The guesses per second, I looked up some hashcat benchmarks to get a rough range.
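Added example, not part of the thread: the arithmetic behind the comments above, using the thread's figures (2k to 4k word list, 4 words, 50 million and 50 billion guesses per second). The function names and the 100-year target used for sizing a passphrase are assumptions made for illustration, and the model assumes words are picked uniformly at random.

```python
import math

# Guess rates quoted in the thread, in guesses per second.
RATES = {
    "PBKDF on basic settings": 50e6,
    "plain salted hash": 50e9,
}
YEAR = 31_557_600  # seconds in a Julian year


def passphrase_bits(wordlist_size, words):
    """Entropy when each word is drawn uniformly and independently."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of this."""
    return 2 ** bits / guesses_per_second


def words_needed(wordlist_size, guesses_per_second, target_seconds):
    """Smallest word count whose full keyspace outlasts target_seconds."""
    needed_bits = math.log2(guesses_per_second * target_seconds)
    return math.ceil(needed_bits / math.log2(wordlist_size))


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for size in (2048, 4096):
        bits = passphrase_bits(size, 4)
        print(f"4 words from a {size}-word list: {bits:.0f} bits")
        for label, rate in RATES.items():
            worst = human(seconds_to_exhaust(bits, rate))
            # 100-year target is an assumption, not a figure from the thread.
            n = words_needed(size, rate, 100 * YEAR)
            print(f"  {label}: exhausted in {worst}; "
                  f"{n} words needed to outlast 100 years")
```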



