Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Aug 2012 14:57:36 -0400 (EDT)
From: "Brad Tilley" <>
Subject: Re: any plans to support superlong passwords?

Hi Stephen,


> which basically points an average of 8-9 characters (again 1.1 million
could all be greater than 16 characters and I don't know it yet... give
me 2 years and I can give a better estimate).
> Looking though at the plain text ones (eg rockyou and the various other
plaintext ones..) 8 is the average size of passwords there. Usually in
the form of the same ones we have been finding for the last 20 years.

I agree. Humans being humans, we don't tend to use long passwords unless
we are forced to do so. All of the studies I've seen and research I've
done point to between 6 to 9 characters as being the average password
length on most systems.

Sure, there are longer passwords (no one disputes that), 'Password123456!'
for example, but 21 to 22 characters as an average? That's simply not a
realistic average anywhere on this planet. Perhaps it is for high-security
military systems and as we've all seen it certainly is for contrived
passwords in the KL contest, but not for a real passwords on real sites
intended to be consumed by the masses. It just isn't so.

I assume KL devised such an unrealistic average length as an attempt to
hinder the GPU teams and rainbow table attacks. It didn’t seem to work.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.