
> It's worth pointing out that length is not important, only entropy is important.

Theoretically yes, as long as you assume the equivalent of a spherical cow in a vacuum.

We've (the security community) become very good at enforcing password schemes that are hard for users to remember and easier for computers to crack. While you could correctly assert that a 30 character long lower case letter only phrase has less entropy than a 15 character sequence of randomly generated numbers, letters of mixed case and punctuation, it makes no odds to me - I'm getting neither of them in a reasonable timeframe.

The reason for this is that if you look at the way web site passwords and company passwords are compromised it's not a single account that's hacked. It's going to be the domain or the database of password hashes. Because you're running all of these through a cracker at once you can't (as an attacker) generally afford to waste the time going through combinations of dictionary words with permutations, especially if you know that if you crack a big enough percentage of passwords you've got the access you need and can move on.

Cracking one 10 character random password with alphanumeric and special characters is a problem of scale with the password generation algorithm. Depending on the algorithm used you can wait for appropriate rainbow tables to appear to increase your chances, for a cryptographic flaw in the algorithm or for Moore's law to catch up. Trying to exhaust the same keyspace for a 30 character password (bearing in mind that the attacker is unlikely to know whether or not your password is high or low entropy, especially if other cracked passwords imply a high entropy policy is in place) is going to be much harder, and will only likely take place if no results of value have been found earlier on.



I absolutely agree, and I didn't mean to imply otherwise with my post.

> it makes no odds to me - I'm getting neither of them in a reasonable timeframe

There's nothing wrong with a passphrase as long as it can't be gotten in a reasonable timeframe, obviously! My point about generation stands, though - no password scheme stands in a vacuum, and if whatever you do catches on, you can guarantee software will be made to exploit the low entropy passwords on that scheme (for example, attacks can now include tricks like taking the website name - LinkedIn - and performing common mutations to generate passwords to attempt: L1nk3dIn1)

If it became really common, people would make rainbow tables for it too. All you'd need to do is create a reduction function that maps back into the set <passwords formed from concatenating common words> :)

This applies to all forms of password generation though: ultimately, entropy is important, and if you care about your security you should know whether the entropy levels of your passwords afford you the security you want or need.
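The comparison running through this thread, worked as an added example that is not part of either comment: entropy is computed from the generation scheme, not from the resulting string. The substitution table, the 7776-word list size (the Diceware list size), the 94-character printable ASCII alphabet and the guess rate are assumptions chosen for illustration.

```python
import math

# Assumed substitution table for the "common mutations" scheme (illustrative).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def uniform_bits(choices: int, picks: int) -> float:
    """Bits of entropy when `picks` symbols are drawn uniformly and
    independently from `choices` options (random chars, Diceware words)."""
    return picks * math.log2(choices)


def mutation_bits(base: str, suffixes: int = 11) -> float:
    """Upper bound for 'known base word plus common mutations'.
    Each letter may be lower case, upper case or one of its LEET
    substitutes; the result ends with nothing or one digit (11 options).
    The base word adds no entropy: it is the site name, which is public."""
    space = suffixes
    for ch in base.lower():
        space *= (2 if ch.isalpha() else 1) + len(LEET.get(ch, ""))
    return math.log2(space)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate of a scheme at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(rate: float = 1e10) -> list[tuple[str, float, float]]:
    """Return (scheme, bits, years) sorted weakest first.
    `rate` is an assumed offline guess rate, not a measured one."""
    schemes = {
        "site name + mutations (L1nk3dIn1 style)": mutation_bits("LinkedIn"),
        "6 random words from a 7776-word list (~30 chars)": uniform_bits(7776, 6),
        "10 random printable ASCII chars": uniform_bits(94, 10),
        "15 random printable ASCII chars": uniform_bits(94, 15),
    }
    rows = [(name, bits, years_to_exhaust(bits, rate)) for name, bits in schemes.items()]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for name, bits, years in compare():
        print(f"{bits:6.1f} bits  {years:10.3g} years  {name}")
```

The word-based figure holds only when the words are chosen at random from the list; a phrase a person makes up has less entropy than the formula gives.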



