WordPress password generate/check from python code

2016-02-15 od romanb password, wordpress

If you want to generate wordpress password from python code (like for updating/reseting user wordpress installs) here's code:

Hard to crack but easy to remember passwords

2011-11-27 od romanb approach, password

Problem

When you're using only small letters for your password with so called "reasonable" minimum length (8 chars) many sites force you to use your password can be guessed within 34 seconds on any machine with decent graphics card.

When you replace at least one char with digit then it will take little longer, like: 8 minutes

When you replace at least one char capital letter then it will take reasonably longer, like 10 hours.

Then you can replace another char with special character like " or # or ! you will get onto another level, hacking of your encrypted password will take 12 days on "decent machine". Some people consider this reasonable enough1...

..but you're ending up with hard to remember horror like

Th!spas1

Solution

Instead you could chose 4 common words, like verse from your favorite poem, book or even random words, like:

thispasscoversit

join them together, you'll get 4 EASY TO REMEMBER words and same "decent machine" it will take 230 thousand years!2

So really, stop beating yourself to death with stupid chars in passwords and start using pass phrases!

1 well it's 12days on slow machine, when hacker has small farm with about 20 machines with newest graphics cards it will take only 8 hours ;)

2 and almost 6 thousand years on small farm described above...

You don't have to believe me, but check for yourself:

Password hash brute force hacking estimator

WARNING: password will be displayed using clear text:

Slow machine = something with power of 3 bilion checks per second.
Fast machine has power of 20 bilion checks per second.
Small farm is few machines with combined power of 120 bilion checks per second.

All calculations assume that attacker guesses/knows sets of chars used:
only digits, lowercase alphabet, uppercase alphabet, special chars or whole byte.

Take action!

So every time someone forces you to use 8 to 12 characters password with at least one digit, one caps and one "special" char try to educate! File a support ticket. Force them to rethink what they're doing.