How strong should your password be?

I came across this infographic and thought it would be helpful to everyone here.



The infographic is misleading because not all authentication systems are created equal.

If we are talking about brute-forcing the password on a zip file, then perhaps yes: you have unlimited attempts and you get results instantly.

But, for example, even a rudimentary password manager will use 2k-long keys, encrypted with something derived from your master password over many thousands of iterations, so trying even one password is far from instant. And that is still only if you have obtained the database and have unlimited attempts.

Next, hardware solutions, such as those that protect our phones and computers, not only impose additional delays but also limit the number of attempts altogether: if you have only 10 attempts, even a numbers-only password may be sufficient.

The reasonable solution today is to use a password manager to generate massive passwords for various services and not even look at them. The master password can be protected by hardware with a limited number of attempts and does not need to be crazy complex.

Ultimately I can’t wait until passwords become a thing of the past. Adoption of other, much better solutions, such as passkeys, is long overdue.
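As an added illustration of the reply's point (example code, not the poster's), the following Python models the three situations it describes: an offline search at a fixed guess rate, an offline search where every guess costs a PBKDF2 derivation, and a hardware-limited device with a fixed attempt budget. The guess rate, the 600k iteration count and the 10-attempt cap are assumptions chosen for the example, not figures from the thread.

```python
import hashlib
import time


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return charset_size ** length


def expected_offline_seconds(charset_size: int, length: int, seconds_per_guess: float) -> float:
    """Expected time to find a uniformly random password by exhaustive offline search.
    On average the attacker has to try half the keyspace before hitting it."""
    return keyspace(charset_size, length) / 2 * seconds_per_guess


def limited_attempt_success(charset_size: int, length: int, max_attempts: int) -> float:
    """Probability of guessing a uniformly random password when the device allows
    only max_attempts guesses before locking out (the hardware-protected case)."""
    return min(1.0, max_attempts / keyspace(charset_size, length))


def measure_kdf_seconds(iterations: int) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation at this iteration count,
    measured single-threaded on this machine. An offline attacker pays this per guess
    against a KDF-protected vault; faster hardware lowers it, but the multiplier stays.
    The password and salt are constructed placeholders."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-master-password",
                        b"constructed-salt", iterations, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    digits, lower_alnum = 10, 36
    # Assumed rate for an archive with no key stretching: 1e9 guesses/s (illustrative).
    fast_guess = 1e-9
    print("8-char [a-z0-9], no KDF:   %.0f s" %
          expected_offline_seconds(lower_alnum, 8, fast_guess))
    # Same password, but each guess now costs one PBKDF2 run (assumed 600k iterations).
    kdf_guess = measure_kdf_seconds(600_000)
    years = expected_offline_seconds(lower_alnum, 8, kdf_guess) / (365 * 86400)
    print("8-char [a-z0-9], PBKDF2:   %.0f years (at %.3f s/guess)" % (years, kdf_guess))
    # Hardware-limited device: 6-digit PIN, 10 attempts before lockout (assumed policy).
    print("6-digit PIN, 10 attempts:  %.0e chance of success" %
          limited_attempt_success(digits, 6, 10))
```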