bitwise @2:

Right now I use 15 character unique random alphanumeric passwords for everything, but what happens in 10 years when processors are powerful enough to brute force 15 character hashes? Do we start using 25 character hashes instead? Why is moving this increasingly infeasible line the correct solution when we should be investigating methods of authentication that do not require users to memorize long random strings?

Because increasing password length exponentially increases the amount of time it takes to crack it, while processor speed increases are linear. A 15 character passphrase that isn't a common phrase taken from a book or otherwise predictable (your kid's full name, for instance) is very secure, even more so if you mix case, add numbers, add symbols, or otherwise increase the number of guesses required for each character in the phrase.

Using zxcvbn as an estimator (one of the better strength estimators available): cracking a 14 character, all lowercase password like 'port star cows' through brute force takes something on the order of 10 years when working back from the hash. Capitalizing each word or adding a comma or a number takes the time to centuries. Part of this depends on the hashing algorithm used to create the password hashes - some are quicker to crack than others, and many companies still foolishly use those ones.

On the other hand, Will's example @1, 'c00k13', takes less than a fifth of a second, in part because it's an example of a technique that crackers like Hashcat explicitly check for - leetspeak replacement. What's more, his reply @10 is equally silly. Translating an obscure word from a foreign language into another language just gets you another, perhaps less-obscure, perhaps shorter word in a different foreign language, not more security. If you took "forest" and translated it into French, then German, then Spanish, and back into English, you (ideally) get 'forest' back and the password cracker doesn't need to know that you spent some time with Google Translate before entering 'forest.' And if you left it in German, you'd have 'wald,' which is a) not harder to guess because you started with 'forest' and b) much shorter than 'forest' and computationally much easier to crack. And finally, the dictionaries that password crackers use aren't the Oxford English Dictionary, they're collections of passwords that people have used in the past, which is a very different thing, and means that his 'pierogie3' suggestion is potentially extremely common, since people all over the world use computers, passwords, and the internet.

That's the point of the xkcd comic - length trumps complexity. Most password cracking these days is done working back from the hash using brute force, so increasing the number of guesses required is the way to go.

To illustrate the numbers: the search space for a password of one character that only accepts lowercase alphabetic characters is 26. So the maximum guesses required for a computer are 26. If the password is 2 characters long, the maximum guesses required is 702 (26*26 for a 2 character password, + 26 for a possible 1 character password - the cracker doesn't know the length of the password). If the password is 3 characters, it's 18,300. For 4 character,s it's 475,254. At 10 characters it's more than 146 trillion guesses. That's actually not huge - it only takes about 10 hours to crack that password using a moderately powerful setup. But when you get to 15 characters, it takes 555 years. If you're really worried, bitwise, add another character. That jumps you to 144 centuries. And that's with only lowercase characters. Source: Gibson.

For most people, a tool like LastPass is a great way to ensure that you're secure. It means that no single security breach renders any of your other sites vulnerable, and it lets you generate passwords that aren't vulnerable to brute force approaches.

Yes, Fnarf, we've met. And you seemed pleasant, knowledgeable, polite and impolite in entertaining proportions, and well worth hanging out with. It was at a Questionland meetup, which is perhaps not coincidental, because Questionland was really the medium where those characteristics were best rewarded. It's convenient that you mention your status there, which was well earned. On Slog, however, I've much more often found you to be hateful, still knowledgeable but in an insufferably smug way, often condescending even when not addressing Will, possessed of a faith in your own correctness that I typically associate with blowhards and zealots, and with a seemingly unquenchable desire to render yourself indistinguishable from Will by tussling with him as often as you can stomach. You also respond poorly to disagreement and seem incapable of agreeing to disagree, which I realize is probably somewhere near the root of your furious loathing of Will, who is congenitally incapable of agreeing with anybody on anything other than his own merits.

For what it's worth, I've met Will, too, and I agree 100% with your assessments of him. I would choose a repeat of my single in-person experience with you a thousand times before considering a repeat of even ten seconds of any of my unfortunately many in-person experiences with Will. But my agreement with you, and my having met you and enjoyed your company, doesn't alter my assessment of your conduct here. Even on questions like the probably year-old discussion of porn watching in libraries, where it's not hard to see the merits of both sides of the argument, you angrily, condescendingly advanced your own opinion as the only reasonable choice. I recall another instance (although unfortunately not the topic - the behavior was what stands out) where you turned angrily on Matt from Denver for the crime of taking a position that differed from yours, and you expressed stunned surprise that somebody who you had found so agreeable was capable of disagreeing with you, and then you vented your spleen all over him while he remained resolutely polite. Yeesh, come on.

What have you ever done to me, Fnarf? Nothing. But what you've done to your public persona here is pretty ugly. You clearly can be a contributor of great merit, but you're not our pope, and nobody owes you agreement. Nobody, with the possible exception of you, needs to be saved from Will's online presence. I was once asked if either you or Will could exist without the other, and my sad answer was that I'm not sure. That really blows. I wish I had remembered Questionland, because that place was pretty excellent proof that you're almost unimaginably better without Will around, but Questionland is gone and Slog is still around.

If the FBI knocks on your door who will stand up for you? You? With what? Truth?

So in your world, when the FBI knocks at your door, you answers alone, with guns blazing?

Truth isn't a bulletproof vest

Neither is a gun.

and it certainly wont stop a bulldozer.

Believe it or not, this is the first time I've considered the old "guns vs. bulldozers" problem, but I suspect truth has stopped more bulldozers than guns have.

Peacefully protest, great, but for how long?

So your problem with peaceful protest is that you get tired of it eventually? How does a gun help with that? Or do you just see peaceful protest as an inconvenient waiting period before you get to shoot at bulldozers with a feeling of justification?

But to turn your construct around: what do you think has done a better job of safeguarding liberty? A free press, or the right to bear arms? If you think it's the right to bear arms, then maybe you can illustrate for us how liberty somehow still remains in the many countries that don't provide a right to bear arms.