What’s the source for the “Matsano recommendations”? The only Google results for “Matsano recommendations” are your blog post and mentions of it 
And my bank wants me to change my 16-character password every 90 days… and this is in the last column. 
2 Likes
BREAKING NEWS GPU hardware has gotten faster since 2015!
We might eventually need to push this up to 12 characters minimum. Also, for the love of {diety}, please never, ever create a numbers-only password. 
All this fancy “make up a long pass phrase” talk is fine, until you have to start entering passwords on a mobile phone, and realize that mobile phones are probably the dominant form of computing for everyone, statistically speaking, moving forward… the Chia project has a neat way of dealing with this, autocomplete for a set of 24 words:
and here’s a random new one I generated
As you type, it autocompletes from the available words, so you only have to type a few characters from each word…
that’s really clever!
3 Likes
If you have to write down the code anyway, why is that any better than a similar number of bits-of-entropy worth of letters / numbers / symbols / a QR code / etc? I don’t really get what problem they’re trying to solve.
2 Likes
@matasano says
We changed our twitter name to @NCCsecurityUS
Which means I kinda typo’ed the name in there, my apologies. I’ll fix.
1 Like
That’s probably due to ISO27001 legacy shit.
My employer recently implemented a “must change password every 90 days” rule. I argued that NIST, Microsoft and UK’s National Cyber Security Centre (NCSC) recommend against periodic mandatory password changes, and they told me that ISO27001 still requires it 
2 Likes
Fascinating: password strength measured in dollars. 
a 15-alphanum password will plausibly cost at least $330M to crack in 2030 (and an acceptable $59M in 2035)
The recently released RTX 4090 doubled hash rate.
1 Like