Which password policy is more secure: one password of length 9 vs. two passwords each of length 8?How to...

What is the lore-based reason that the Spectator has the Create Food and Water trait, instead of simply not requiring food and water?

How can I get my players to come to the game session after agreeing to a date?

Roman Numerals equation 1

Injecting creativity into a cookbook

We are very unlucky in my court

Propeller Fan - Array Modifier

How to prevent users from executing commands through browser URL

what does しにみえてる mean?

Why do no American passenger airlines still operate dedicated cargo flights?

A starship is travelling at 0.9c and collides with a small rock. Will it leave a clean hole through, or will more happen?

Can making a creature unable to attack after it has been assigned as an attacker remove it from combat?

What is this metal M-shaped device for?

Lick explanation

How to deal with an incendiary email that was recalled

What is the most triangles you can make from a capital "H" and 3 straight lines?

How can I deliver in-universe written lore to players without it being dry exposition?

How should I handle players who ignore the session zero agreement?

Difference between `vector<int> v;` and `vector<int> v = vector<int>();`

Using only 1s, make 29 with the minimum number of digits

How can my powered armor quickly replace its ceramic plates?

Program that converts a number to a letter of the alphabet

What are the differences between a+i and &a[i] for pointer arithmetic in C++?

How do you funnel food off a cutting board?

How to remove blank page before my new report chapter?



Which password policy is more secure: one password of length 9 vs. two passwords each of length 8?


How to securely hash passwords?Why is using salt more secure?In 2018, what is the recommended hash to store passwords: bcrypt, scrypt, Argon2?Long Passwords: How are they more secure?password complexity policy for non “English” passwordsPassword verification scheme (used in eg. MS Office) - more secure than just a hash?Strategy for updating stored passwords to more secure hash?Two passwords for one accountHow secure is it to use passwords consisting of one common part and one site specific prefix?How come a controlledly generated password is more secure than a purely randomly generated oneSend password through unsecured connectionIs it a bad idea to use base-64 encoded strings for passwords?Why are passwords with special characters considered more secure than longer length passwords?













17















What is more secure, having one password of length 9 (salted and hashed) or having two different passwords, each of length 8 (salted and hashed using two different salts)?










share|improve this question









New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 4





    You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

    – Polynomial
    yesterday






  • 51





    To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

    – Royce Williams
    yesterday








  • 7





    Obligatory xkcd

    – T.J. Crowder
    yesterday






  • 10





    Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

    – jpmc26
    23 hours ago








  • 3





    @RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

    – VLAZ
    17 hours ago
















17















What is more secure, having one password of length 9 (salted and hashed) or having two different passwords, each of length 8 (salted and hashed using two different salts)?










share|improve this question









New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 4





    You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

    – Polynomial
    yesterday






  • 51





    To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

    – Royce Williams
    yesterday








  • 7





    Obligatory xkcd

    – T.J. Crowder
    yesterday






  • 10





    Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

    – jpmc26
    23 hours ago








  • 3





    @RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

    – VLAZ
    17 hours ago














17












17








17


4






What is more secure, having one password of length 9 (salted and hashed) or having two different passwords, each of length 8 (salted and hashed using two different salts)?










share|improve this question









New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












What is more secure, having one password of length 9 (salted and hashed) or having two different passwords, each of length 8 (salted and hashed using two different salts)?







passwords password-management password-policy






share|improve this question









New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 1 hour ago









unor

1,05311332




1,05311332






New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









CarlosCarlos

8913




8913




New contributor




Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Carlos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 4





    You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

    – Polynomial
    yesterday






  • 51





    To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

    – Royce Williams
    yesterday








  • 7





    Obligatory xkcd

    – T.J. Crowder
    yesterday






  • 10





    Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

    – jpmc26
    23 hours ago








  • 3





    @RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

    – VLAZ
    17 hours ago














  • 4





    You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

    – Polynomial
    yesterday






  • 51





    To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

    – Royce Williams
    yesterday








  • 7





    Obligatory xkcd

    – T.J. Crowder
    yesterday






  • 10





    Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

    – jpmc26
    23 hours ago








  • 3





    @RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

    – VLAZ
    17 hours ago








4




4





You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

– Polynomial
yesterday





You should not be using salted hashes in 2019. See security.stackexchange.com/questions/211/… and security.stackexchange.com/questions/193351/…

– Polynomial
yesterday




51




51





To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

– Royce Williams
yesterday







To clarify for the uninitiated, Polynomial is discouraging simple salting of "fast" hashes (like MD5) that are not suitable for password storage, or rolling your own salted hashes. Even modern "hashes" (actually complex cryptographic operations, not simple hashes - but still colloquially called "hashes" by most people in conversation) are also salted. Salting is good. Salting alone, of an otherwise bad/fast hash, is slightly better than not salting ... but not by much.

– Royce Williams
yesterday






7




7





Obligatory xkcd

– T.J. Crowder
yesterday





Obligatory xkcd

– T.J. Crowder
yesterday




10




10





Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

– jpmc26
23 hours ago







Option 3: a single 16 character password, using a modern password hash with salting built in (e.g, bcrypt). Assuming the password is randomly generated, of course.

– jpmc26
23 hours ago






3




3





@RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

– VLAZ
17 hours ago





@RoyceWilliams so...we should be using salted hashes, but they should be known to be secure (e.g., bcrypt) , as opposed to either known to be weak (e.g., MD5) or unknown to be secure (self-rolled algorithm). Is that what I should take "you shouldn't be using salted hashes" as? Because if so, I have trouble understanding the advice. Sure, it makes sense but it's not new and doesn't exactly match the question.

– VLAZ
17 hours ago










6 Answers
6






active

oldest

votes


















40














As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining.



There were a couple of problems with LANMAN hashes (the classic case of breaking a password in half, gone awry):




  • Since passwords tend to be human-generated and somewhat short, if a single password was only a little longer than the first half (say, 8 characters), then cracking the second half would take dramatically less time - and could even give away what the first half was likely to be


  • LANMAN was just so darned fast (for the attacker to attempt, in hash operations per second)


  • LANMAN cut the passwords in two at an unfortunate length (7), that was quite susceptible to full exhaustion (and even moreso on modern GPUs)



However, your question is a little different from the LANMAN case:




  • It does not state that the 2x8 passwords are actually a single password broken in half (they could be independently generated, and random)

  • It explicitly states that the two passwords are of length 8 (rather than, say, one of length 8 and the other of length 1, the famous LANMAN worst case)

  • Unless your salts are trivially small, building rainbow tables would be infeasible - which is the purpose of salting (unlike LANMAN hashes, which were entirely unsalted)


So it's an interesting question - one that's largely answered by looking at the associated math.



Let's make some assumptions:




  • Both the 9x1 and 8x2 approaches are salted and hashed using the same
    salt lengths and algorithms

  • Worst case for the attacker (the passwords are randomly generated from the printable ASCII character set (95 chars), with reasonably long salts. (The question would be less interesting if the passwords were human-generated, because in practice they would usually fall to easy attacks long before the attacker would have to resort to brute force)


  • Modern hardware and speeds are fair game


  • The hash algorithm may or may not be parallelism-friendly


Given all of the above, I'd roughly expect:




  • The 1x9 hash would be 100% exhausted in 95^9 (6.302 × 10^17) hashing operations (which might be parallelized well or poorly).

  • The 2x8 hashes would be jointly 100% exhausted in (95^8)x2 (1.326 × 10^16) hashing operations (and no matter the algorithm, could easily be naively parallelized simply by cracking each hash on a different system - but can often be parallelized very efficiently on a single system as well, depending on the algorithm).


In other words:




  • That 9th character adds 95 times the work to exhaust, and might be hard to parallelize

  • Two 8-character passwords only doubles the amount of work needed, and can be trivially parallelized


Another way to think about it is that adding one more character roughly creates the same work as having to crack 95 eight-character passwords! (If this isn't intuitive, start with simple cases comparing smaller cases like 1x1 vs 1x2, until you understand it).



So all other things being equal, 1x9 should almost always be better than 2x8.



And really, this is not only a simple illustration of the power of parallelization, it should also make it obvious why allowing longer password lengths is so crucial. Each additional character in the model above adds 95 times work to the overall keyspace. So adding two characters adds 95^2 - or 9025 times - the work. Brute force quickly becomes infeasible, even for very fast and unsalted hashes.



This would make an excellent homework question. ;)






share|improve this answer


























  • Agreed with your conclusion. I would of explained this in a very similar manner.

    – Overmind
    yesterday






  • 5





    If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

    – Federico Poloni
    22 hours ago











  • What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

    – supercat
    13 hours ago











  • Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

    – IllusiveBrian
    13 hours ago











  • Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

    – Royce Williams
    12 hours ago





















5














Splitting the password is almost certainly worse. It allows an eight character rainbow table to be created. It implies that all passwords in the system will be in 8 character parts. (This is exactly how NT LANMAN passwords were broken.) In your case, it would simply require two rainbow tables.



The nine character password system has no such visible flaw, implying that if you entered a proper 14 character password it would be safely stored as a single hash.






share|improve this answer
























  • Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

    – Royce Williams
    yesterday













  • Er, unless it was a trivially weak (short) salt. :)

    – Royce Williams
    yesterday



















5














Starting from math point of view ...
(to simplify calculation I assume only digit passwords)



Situation A: 2 parts 8 digit password,
'bruteforce attack on part one require max 10^8 hashes, same for part. Total of max 2*10^8 hashes required '



Situation B: 1 part 9 digit password,
'bruteforce attack require max 10^9 hashes'



Math say that's B is better than A



In few words



adding more password increase bruteforce of multiplication of number of parts (in this scenario is 2x)



adding more digits increase bruteforce of power of number of digits (in this scenario is x10^1)






share|improve this answer










New contributor




WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

    – caw
    11 hours ago








  • 1





    WaltZie started with a simple case, to make the math easier.

    – Royce Williams
    5 hours ago



















3














No meaningful answer is possible without knowing what your threat scenario is. What are you trying to protect against? Are you worried about brute force or hash cracking? In the first case, we need to know your login procedure (e.g. do I enter the passwords sequentially or in parallel?). Also, if your login procedure doesn't lock me out after thousands or millions of failed login attempts, it is broken. That's not a question of password strength.



What about users writing things down? Shoulder surfing? Phishing? What's the model behind the passwords?



There are legitimate uses of two passwords, for example one read-access password and a seperate change-enable password. I doubt you have that in mind because of your 9-letter password alternative, just throwing that out there to show that reality is more complicated than an academic question on password strength based only on length.






share|improve this answer
























  • Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

    – Royce Williams
    18 hours ago






  • 1





    @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

    – Tom
    16 hours ago



















1














Password systems involve trade-offs between security against illegitimate access versus resistance to denial-of-service attacks. A potential advantage of split-password systems is that the two halves of the system can apply different trade-offs. For example, resilience against denial-of-service attacks may require that the first-half hashing function be fast enough to keep up with spammed access attempts, but that wouldn't be so necessary for the second-half function since only an attacker who had broken the first-half password would be able to attempt access with the second.



If Fred Jones was notified every time anyone attempted an access with an incorrect first credential, an attacker could easily flood Mr. Jones with so many notifications that they would become useless, whether or not the attacker would ever have any real likelihood of gaining access. Notifying Mr. Jones if someone enters the correct first password but fails to enter a correct second password, however, would be much more useful. Unless Mr. Jones was the person attempting to access the account, such notification would serve as a very timely and useful warning that the primary password was breached, and both passwords should be changed ASAP.






share|improve this answer































    1














    Irrespective of the details of the hashing or of plausible cracking mechanisms, the fact of the matter is that the effort needed to crack two n-bit passwords is not 2n bits. It is n + 1 bits.



    So suppose that your eight character passwords, P1 and P2, each have, say, a strength equivalent of 30 bits. (Doesn't really matter, I'm just trying to pick a number to be concrete. So it takes 30 bits of effort[See note] to crack each. To crack both, it does not take 60 bits. Instead it take 31 bits of effort.



    Now suppose that you take P1 and simply add a digit that is uniformly chosen (you roll a D10) and stick that on the end. Then your augmented P1 will take take about 33.3 bits of effort to crack. That is more than four times more work than going after both P1 and P2.



    If you pick a single lowercase letter or digit (so 36 possibilities) at random to add to the end of P1, then this new password is more than 5 bits stronger, and so it will take 16 times as many guesses to crack this than it will to crack both P1 and P2.



    Higher security vaults?



    I work for 1Password, a password manager. And we receive requests to have vaults within vaults. That is a Master Password to generally unlock 1Password and then a second password to unlock some higher security data. We have declined those requests for the reasons that I (and others here) have pointed out.



    The result described above is counter-intuitive is counter intuitive. People will perceive using both P1 and P2 to be more secure than just a slightly longer augmentation of P1. We also consider a person's choice of Master Password to be the weakest point of their 1Password security (other than running on a compromised machine), and so we do not want to introduce things that might encourage people to use weaker master passwords than they otherwise would. We also would like people to get the most security for the effort, and making and remembering a small addition to a master password is less effort than creating and remembering another password.





    Notes:



    "bits of effort": n bits of effort roughly means that it takes on average 2^(n-1) guesses to find the the correct password.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Carlos is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204450%2fwhich-password-policy-is-more-secure-one-password-of-length-9-vs-two-passwords%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      6 Answers
      6






      active

      oldest

      votes








      6 Answers
      6






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      40














      As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining.



      There were a couple of problems with LANMAN hashes (the classic case of breaking a password in half, gone awry):




      • Since passwords tend to be human-generated and somewhat short, if a single password was only a little longer than the first half (say, 8 characters), then cracking the second half would take dramatically less time - and could even give away what the first half was likely to be


      • LANMAN was just so darned fast (for the attacker to attempt, in hash operations per second)


      • LANMAN cut the passwords in two at an unfortunate length (7), that was quite susceptible to full exhaustion (and even moreso on modern GPUs)



      However, your question is a little different from the LANMAN case:




      • It does not state that the 2x8 passwords are actually a single password broken in half (they could be independently generated, and random)

      • It explicitly states that the two passwords are of length 8 (rather than, say, one of length 8 and the other of length 1, the famous LANMAN worst case)

      • Unless your salts are trivially small, building rainbow tables would be infeasible - which is the purpose of salting (unlike LANMAN hashes, which were entirely unsalted)


      So it's an interesting question - one that's largely answered by looking at the associated math.



      Let's make some assumptions:




      • Both the 9x1 and 8x2 approaches are salted and hashed using the same
        salt lengths and algorithms

      • Worst case for the attacker (the passwords are randomly generated from the printable ASCII character set (95 chars), with reasonably long salts. (The question would be less interesting if the passwords were human-generated, because in practice they would usually fall to easy attacks long before the attacker would have to resort to brute force)


      • Modern hardware and speeds are fair game


      • The hash algorithm may or may not be parallelism-friendly


      Given all of the above, I'd roughly expect:




      • The 1x9 hash would be 100% exhausted in 95^9 (6.302 × 10^17) hashing operations (which might be parallelized well or poorly).

      • The 2x8 hashes would be jointly 100% exhausted in (95^8)x2 (1.326 × 10^16) hashing operations (and no matter the algorithm, could easily be naively parallelized simply by cracking each hash on a different system - but can often be parallelized very efficiently on a single system as well, depending on the algorithm).


      In other words:




      • That 9th character adds 95 times the work to exhaust, and might be hard to parallelize

      • Two 8-character passwords only doubles the amount of work needed, and can be trivially parallelized


      Another way to think about it is that adding one more character roughly creates the same work as having to crack 95 eight-character passwords! (If this isn't intuitive, start with simple cases comparing smaller cases like 1x1 vs 1x2, until you understand it).



      So all other things being equal, 1x9 should almost always be better than 2x8.



      And really, this is not only a simple illustration of the power of parallelization, it should also make it obvious why allowing longer password lengths is so crucial. Each additional character in the model above adds 95 times work to the overall keyspace. So adding two characters adds 95^2 - or 9025 times - the work. Brute force quickly becomes infeasible, even for very fast and unsalted hashes.



      This would make an excellent homework question. ;)






      share|improve this answer


























      • Agreed with your conclusion. I would of explained this in a very similar manner.

        – Overmind
        yesterday






      • 5





        If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

        – Federico Poloni
        22 hours ago











      • What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

        – supercat
        13 hours ago











      • Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

        – IllusiveBrian
        13 hours ago











      • Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

        – Royce Williams
        12 hours ago


















      40














      As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining.



      There were a couple of problems with LANMAN hashes (the classic case of breaking a password in half, gone awry):




      • Since passwords tend to be human-generated and somewhat short, if a single password was only a little longer than the first half (say, 8 characters), then cracking the second half would take dramatically less time - and could even give away what the first half was likely to be


      • LANMAN was just so darned fast (for the attacker to attempt, in hash operations per second)


      • LANMAN cut the passwords in two at an unfortunate length (7), that was quite susceptible to full exhaustion (and even moreso on modern GPUs)



      However, your question is a little different from the LANMAN case:




      • It does not state that the 2x8 passwords are actually a single password broken in half (they could be independently generated, and random)

      • It explicitly states that the two passwords are of length 8 (rather than, say, one of length 8 and the other of length 1, the famous LANMAN worst case)

      • Unless your salts are trivially small, building rainbow tables would be infeasible - which is the purpose of salting (unlike LANMAN hashes, which were entirely unsalted)


      So it's an interesting question - one that's largely answered by looking at the associated math.



      Let's make some assumptions:




      • Both the 9x1 and 8x2 approaches are salted and hashed using the same
        salt lengths and algorithms

      • Worst case for the attacker (the passwords are randomly generated from the printable ASCII character set (95 chars), with reasonably long salts. (The question would be less interesting if the passwords were human-generated, because in practice they would usually fall to easy attacks long before the attacker would have to resort to brute force)


      • Modern hardware and speeds are fair game


      • The hash algorithm may or may not be parallelism-friendly


      Given all of the above, I'd roughly expect:




      • The 1x9 hash would be 100% exhausted in 95^9 (6.302 × 10^17) hashing operations (which might be parallelized well or poorly).

      • The 2x8 hashes would be jointly 100% exhausted in (95^8)x2 (1.326 × 10^16) hashing operations (and no matter the algorithm, could easily be naively parallelized simply by cracking each hash on a different system - but can often be parallelized very efficiently on a single system as well, depending on the algorithm).


      In other words:




      • That 9th character adds 95 times the work to exhaust, and might be hard to parallelize

      • Two 8-character passwords only doubles the amount of work needed, and can be trivially parallelized


      Another way to think about it is that adding one more character roughly creates the same work as having to crack 95 eight-character passwords! (If this isn't intuitive, start with simple cases comparing smaller cases like 1x1 vs 1x2, until you understand it).



      So all other things being equal, 1x9 should almost always be better than 2x8.



      And really, this is not only a simple illustration of the power of parallelization, it should also make it obvious why allowing longer password lengths is so crucial. Each additional character in the model above adds 95 times work to the overall keyspace. So adding two characters adds 95^2 - or 9025 times - the work. Brute force quickly becomes infeasible, even for very fast and unsalted hashes.



      This would make an excellent homework question. ;)






      share|improve this answer


























      • Agreed with your conclusion. I would of explained this in a very similar manner.

        – Overmind
        yesterday






      • 5





        If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

        – Federico Poloni
        22 hours ago











      • What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

        – supercat
        13 hours ago











      • Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

        – IllusiveBrian
        13 hours ago











      • Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

        – Royce Williams
        12 hours ago
















      40












      40








      40







      As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining.



      There were a couple of problems with LANMAN hashes (the classic case of breaking a password in half, gone awry):




      • Since passwords tend to be human-generated and somewhat short, if a single password was only a little longer than the first half (say, 8 characters), then cracking the second half would take dramatically less time - and could even give away what the first half was likely to be


      • LANMAN was just so darned fast (for the attacker to attempt, in hash operations per second)


      • LANMAN cut the passwords in two at an unfortunate length (7), that was quite susceptible to full exhaustion (and even moreso on modern GPUs)



      However, your question is a little different from the LANMAN case:




      • It does not state that the 2x8 passwords are actually a single password broken in half (they could be independently generated, and random)

      • It explicitly states that the two passwords are of length 8 (rather than, say, one of length 8 and the other of length 1, the famous LANMAN worst case)

      • Unless your salts are trivially small, building rainbow tables would be infeasible - which is the purpose of salting (unlike LANMAN hashes, which were entirely unsalted)


      So it's an interesting question - one that's largely answered by looking at the associated math.



      Let's make some assumptions:




      • Both the 9x1 and 8x2 approaches are salted and hashed using the same
        salt lengths and algorithms

      • Worst case for the attacker (the passwords are randomly generated from the printable ASCII character set (95 chars), with reasonably long salts. (The question would be less interesting if the passwords were human-generated, because in practice they would usually fall to easy attacks long before the attacker would have to resort to brute force)


      • Modern hardware and speeds are fair game


      • The hash algorithm may or may not be parallelism-friendly


      Given all of the above, I'd roughly expect:




      • The 1x9 hash would be 100% exhausted in 95^9 (6.302 × 10^17) hashing operations (which might be parallelized well or poorly).

      • The 2x8 hashes would be jointly 100% exhausted in (95^8)x2 (1.326 × 10^16) hashing operations (and no matter the algorithm, could easily be naively parallelized simply by cracking each hash on a different system - but can often be parallelized very efficiently on a single system as well, depending on the algorithm).


      In other words:




      • That 9th character adds 95 times the work to exhaust, and might be hard to parallelize

      • Two 8-character passwords only doubles the amount of work needed, and can be trivially parallelized


      Another way to think about it is that adding one more character roughly creates the same work as having to crack 95 eight-character passwords! (If this isn't intuitive, start with simple cases comparing smaller cases like 1x1 vs 1x2, until you understand it).



      So all other things being equal, 1x9 should almost always be better than 2x8.



      And really, this is not only a simple illustration of the power of parallelization, it should also make it obvious why allowing longer password lengths is so crucial. Each additional character in the model above adds 95 times work to the overall keyspace. So adding two characters adds 95^2 - or 9025 times - the work. Brute force quickly becomes infeasible, even for very fast and unsalted hashes.



      This would make an excellent homework question. ;)






      share|improve this answer















      As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining.



      There were a couple of problems with LANMAN hashes (the classic case of breaking a password in half, gone awry):




      • Since passwords tend to be human-generated and somewhat short, if a single password was only a little longer than the first half (say, 8 characters), then cracking the second half would take dramatically less time - and could even give away what the first half was likely to be


      • LANMAN was just so darned fast (for the attacker to attempt, in hash operations per second)


      • LANMAN cut the passwords in two at an unfortunate length (7), that was quite susceptible to full exhaustion (and even moreso on modern GPUs)



      However, your question is a little different from the LANMAN case:




      • It does not state that the 2x8 passwords are actually a single password broken in half (they could be independently generated, and random)

      • It explicitly states that the two passwords are of length 8 (rather than, say, one of length 8 and the other of length 1, the famous LANMAN worst case)

      • Unless your salts are trivially small, building rainbow tables would be infeasible - which is the purpose of salting (unlike LANMAN hashes, which were entirely unsalted)


      So it's an interesting question - one that's largely answered by looking at the associated math.



      Let's make some assumptions:




      • Both the 9x1 and 8x2 approaches are salted and hashed using the same
        salt lengths and algorithms

      • Worst case for the attacker (the passwords are randomly generated from the printable ASCII character set (95 chars), with reasonably long salts. (The question would be less interesting if the passwords were human-generated, because in practice they would usually fall to easy attacks long before the attacker would have to resort to brute force)


      • Modern hardware and speeds are fair game


      • The hash algorithm may or may not be parallelism-friendly


      Given all of the above, I'd roughly expect:




      • The 1x9 hash would be 100% exhausted in 95^9 (6.302 × 10^17) hashing operations (which might be parallelized well or poorly).

      • The 2x8 hashes would be jointly 100% exhausted in (95^8)x2 (1.326 × 10^16) hashing operations (and no matter the algorithm, could easily be naively parallelized simply by cracking each hash on a different system - but can often be parallelized very efficiently on a single system as well, depending on the algorithm).


      In other words:




      • That 9th character adds 95 times the work to exhaust, and might be hard to parallelize

      • Two 8-character passwords only doubles the amount of work needed, and can be trivially parallelized


      Another way to think about it is that adding one more character roughly creates the same work as having to crack 95 eight-character passwords! (If this isn't intuitive, start with simple cases comparing smaller cases like 1x1 vs 1x2, until you understand it).



      So all other things being equal, 1x9 should almost always be better than 2x8.



      And really, this is not only a simple illustration of the power of parallelization, it should also make it obvious why allowing longer password lengths is so crucial. Each additional character in the model above adds 95 times work to the overall keyspace. So adding two characters adds 95^2 - or 9025 times - the work. Brute force quickly becomes infeasible, even for very fast and unsalted hashes.



      This would make an excellent homework question. ;)







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 18 hours ago

























      answered yesterday









      Royce WilliamsRoyce Williams

      5,56211742




      5,56211742













      • Agreed with your conclusion. I would of explained this in a very similar manner.

        – Overmind
        yesterday






      • 5





        If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

        – Federico Poloni
        22 hours ago











      • What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

        – supercat
        13 hours ago











      • Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

        – IllusiveBrian
        13 hours ago











      • Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

        – Royce Williams
        12 hours ago





















      • Agreed with your conclusion. I would of explained this in a very similar manner.

        – Overmind
        yesterday






      • 5





        If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

        – Federico Poloni
        22 hours ago











      • What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

        – supercat
        13 hours ago











      • Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

        – IllusiveBrian
        13 hours ago











      • Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

        – Royce Williams
        12 hours ago



















      Agreed with your conclusion. I would of explained this in a very similar manner.

      – Overmind
      yesterday





      Agreed with your conclusion. I would of explained this in a very similar manner.

      – Overmind
      yesterday




      5




      5





      If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

      – Federico Poloni
      22 hours ago





      If the 2x8 passwords are human-generated, there are good chances that the second one is just the first one with a 1 replaced by a 2.

      – Federico Poloni
      22 hours ago













      What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

      – supercat
      13 hours ago





      What if one makes the hashing function for the second password 200 times as slow as the hashing function for the primary password? Making the hashing function for the primary function too slow will make a denial-of-service attack trivial (simply flood a server with lots of login requests), but if one made the secondary function slower, only people who had cracked the primary password would be able to perform a DOS using the second, and trying that would increase the likelihood of the credentials being changed before the attacker could gain access.

      – supercat
      13 hours ago













      Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

      – IllusiveBrian
      13 hours ago





      Why would having two passwords to crack change the paralelization significantly, assuming the input is still completely undiscernable when the output is known? I would assume that leaves just the option of computing each hash, which would seem to be equally effective spread across 8 cores on one computer as it would be 4 cores on 2 computers.

      – IllusiveBrian
      13 hours ago













      Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

      – Royce Williams
      12 hours ago







      Fair question. I'm not a developer, but I've observed the results. When attacking a salted hash, trying the same candidate password against both hashes can sometimes be executed more efficiently when done together than when executed completely separately. I don't grok the mathematical/algorithmic shortcuts that make that possible, but the results are measurable. (And this property would obviously not be what you'd want as a defender - which is why modern password hashing algorithms are constructed to eliminate it).

      – Royce Williams
      12 hours ago















      5














      Splitting the password is almost certainly worse. It allows an eight character rainbow table to be created. It implies that all passwords in the system will be in 8 character parts. (This is exactly how NT LANMAN passwords were broken.) In your case, it would simply require two rainbow tables.



      The nine character password system has no such visible flaw, implying that if you entered a proper 14 character password it would be safely stored as a single hash.






      share|improve this answer
























      • Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

        – Royce Williams
        yesterday













      • Er, unless it was a trivially weak (short) salt. :)

        – Royce Williams
        yesterday
















      5














      Splitting the password is almost certainly worse. It allows an eight character rainbow table to be created. It implies that all passwords in the system will be in 8 character parts. (This is exactly how NT LANMAN passwords were broken.) In your case, it would simply require two rainbow tables.



      The nine character password system has no such visible flaw, implying that if you entered a proper 14 character password it would be safely stored as a single hash.






      share|improve this answer
























      • Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

        – Royce Williams
        yesterday













      • Er, unless it was a trivially weak (short) salt. :)

        – Royce Williams
        yesterday














      5












      5








      5







      Splitting the password is almost certainly worse. It allows an eight character rainbow table to be created. It implies that all passwords in the system will be in 8 character parts. (This is exactly how NT LANMAN passwords were broken.) In your case, it would simply require two rainbow tables.



      The nine character password system has no such visible flaw, implying that if you entered a proper 14 character password it would be safely stored as a single hash.






      share|improve this answer













      Splitting the password is almost certainly worse. It allows an eight character rainbow table to be created. It implies that all passwords in the system will be in 8 character parts. (This is exactly how NT LANMAN passwords were broken.) In your case, it would simply require two rainbow tables.



      The nine character password system has no such visible flaw, implying that if you entered a proper 14 character password it would be safely stored as a single hash.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered yesterday









      John DetersJohn Deters

      27.8k24191




      27.8k24191













      • Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

        – Royce Williams
        yesterday













      • Er, unless it was a trivially weak (short) salt. :)

        – Royce Williams
        yesterday



















      • Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

        – Royce Williams
        yesterday













      • Er, unless it was a trivially weak (short) salt. :)

        – Royce Williams
        yesterday

















      Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

      – Royce Williams
      yesterday







      Salting them would automatically exclude the use of rainbow tables. But the method described would indeed reduce the strength of longer passwords, for exactly the reasons you've noted.

      – Royce Williams
      yesterday















      Er, unless it was a trivially weak (short) salt. :)

      – Royce Williams
      yesterday





      Er, unless it was a trivially weak (short) salt. :)

      – Royce Williams
      yesterday











      5














      Starting from math point of view ...
      (to simplify calculation I assume only digit passwords)



      Situation A: 2 parts 8 digit password,
      'bruteforce attack on part one require max 10^8 hashes, same for part. Total of max 2*10^8 hashes required '



      Situation B: 1 part 9 digit password,
      'bruteforce attack require max 10^9 hashes'



      Math say that's B is better than A



      In few words



      adding more password increase bruteforce of multiplication of number of parts (in this scenario is 2x)



      adding more digits increase bruteforce of power of number of digits (in this scenario is x10^1)






      share|improve this answer










      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





















      • How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

        – caw
        11 hours ago








      • 1





        WaltZie started with a simple case, to make the math easier.

        – Royce Williams
        5 hours ago
















      5














      Starting from math point of view ...
      (to simplify calculation I assume only digit passwords)



      Situation A: 2 parts 8 digit password,
      'bruteforce attack on part one require max 10^8 hashes, same for part. Total of max 2*10^8 hashes required '



      Situation B: 1 part 9 digit password,
      'bruteforce attack require max 10^9 hashes'



      Math say that's B is better than A



      In few words



      adding more password increase bruteforce of multiplication of number of parts (in this scenario is 2x)



      adding more digits increase bruteforce of power of number of digits (in this scenario is x10^1)






      share|improve this answer










      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





















      • How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

        – caw
        11 hours ago








      • 1





        WaltZie started with a simple case, to make the math easier.

        – Royce Williams
        5 hours ago














      5












      5








      5







      Starting from math point of view ...
      (to simplify calculation I assume only digit passwords)



      Situation A: 2 parts 8 digit password,
      'bruteforce attack on part one require max 10^8 hashes, same for part. Total of max 2*10^8 hashes required '



      Situation B: 1 part 9 digit password,
      'bruteforce attack require max 10^9 hashes'



      Math say that's B is better than A



      In few words



      adding more password increase bruteforce of multiplication of number of parts (in this scenario is 2x)



      adding more digits increase bruteforce of power of number of digits (in this scenario is x10^1)






      share|improve this answer










      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      Starting from math point of view ...
      (to simplify calculation I assume only digit passwords)



      Situation A: 2 parts 8 digit password,
      'bruteforce attack on part one require max 10^8 hashes, same for part. Total of max 2*10^8 hashes required '



      Situation B: 1 part 9 digit password,
      'bruteforce attack require max 10^9 hashes'



      Math say that's B is better than A



      In few words



      adding more password increase bruteforce of multiplication of number of parts (in this scenario is 2x)



      adding more digits increase bruteforce of power of number of digits (in this scenario is x10^1)







      share|improve this answer










      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this answer



      share|improve this answer








      edited 16 hours ago





















      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      answered 21 hours ago









      WaltZieWaltZie

      3093




      3093




      New contributor




      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      WaltZie is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.













      • How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

        – caw
        11 hours ago








      • 1





        WaltZie started with a simple case, to make the math easier.

        – Royce Williams
        5 hours ago



















      • How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

        – caw
        11 hours ago








      • 1





        WaltZie started with a simple case, to make the math easier.

        – Royce Williams
        5 hours ago

















      How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

      – caw
      11 hours ago







      How did you end up with 10 as your base? It’s very rare that only numbers are allowed, right? With alphanumeric characters (ASCII), the base would be 36 or 62 already. And if you allow any Unicode character … Your argument is even stronger with larger bases.

      – caw
      11 hours ago






      1




      1





      WaltZie started with a simple case, to make the math easier.

      – Royce Williams
      5 hours ago





      WaltZie started with a simple case, to make the math easier.

      – Royce Williams
      5 hours ago











      3














      No meaningful answer is possible without knowing what your threat scenario is. What are you trying to protect against? Are you worried about brute force or hash cracking? In the first case, we need to know your login procedure (e.g. do I enter the passwords sequentially or in parallel?). Also, if your login procedure doesn't lock me out after thousands or millions of failed login attempts, it is broken. That's not a question of password strength.



      What about users writing things down? Shoulder surfing? Phishing? What's the model behind the passwords?



      There are legitimate uses of two passwords, for example one read-access password and a seperate change-enable password. I doubt you have that in mind because of your 9-letter password alternative, just throwing that out there to show that reality is more complicated than an academic question on password strength based only on length.






      share|improve this answer
























      • Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

        – Royce Williams
        18 hours ago






      • 1





        @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

        – Tom
        16 hours ago
















      3














      No meaningful answer is possible without knowing what your threat scenario is. What are you trying to protect against? Are you worried about brute force or hash cracking? In the first case, we need to know your login procedure (e.g. do I enter the passwords sequentially or in parallel?). Also, if your login procedure doesn't lock me out after thousands or millions of failed login attempts, it is broken. That's not a question of password strength.



      What about users writing things down? Shoulder surfing? Phishing? What's the model behind the passwords?



      There are legitimate uses of two passwords, for example one read-access password and a seperate change-enable password. I doubt you have that in mind because of your 9-letter password alternative, just throwing that out there to show that reality is more complicated than an academic question on password strength based only on length.






      share|improve this answer
























      • Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

        – Royce Williams
        18 hours ago






      • 1





        @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

        – Tom
        16 hours ago














      3












      3








      3







      No meaningful answer is possible without knowing what your threat scenario is. What are you trying to protect against? Are you worried about brute force or hash cracking? In the first case, we need to know your login procedure (e.g. do I enter the passwords sequentially or in parallel?). Also, if your login procedure doesn't lock me out after thousands or millions of failed login attempts, it is broken. That's not a question of password strength.



      What about users writing things down? Shoulder surfing? Phishing? What's the model behind the passwords?



      There are legitimate uses of two passwords, for example one read-access password and a seperate change-enable password. I doubt you have that in mind because of your 9-letter password alternative, just throwing that out there to show that reality is more complicated than an academic question on password strength based only on length.






      share|improve this answer













      No meaningful answer is possible without knowing what your threat scenario is. What are you trying to protect against? Are you worried about brute force or hash cracking? In the first case, we need to know your login procedure (e.g. do I enter the passwords sequentially or in parallel?). Also, if your login procedure doesn't lock me out after thousands or millions of failed login attempts, it is broken. That's not a question of password strength.



      What about users writing things down? Shoulder surfing? Phishing? What's the model behind the passwords?



      There are legitimate uses of two passwords, for example one read-access password and a seperate change-enable password. I doubt you have that in mind because of your 9-letter password alternative, just throwing that out there to show that reality is more complicated than an academic question on password strength based only on length.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered yesterday









      TomTom

      5,373831




      5,373831













      • Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

        – Royce Williams
        18 hours ago






      • 1





        @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

        – Tom
        16 hours ago



















      • Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

        – Royce Williams
        18 hours ago






      • 1





        @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

        – Tom
        16 hours ago

















      Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

      – Royce Williams
      18 hours ago





      Thought-provoking! And another interesting use case for two passwords: increased resistance to insider threat (requiring two people to collude in order to use the system).

      – Royce Williams
      18 hours ago




      1




      1





      @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

      – Tom
      16 hours ago





      @RoyceWilliams that's far out from what the question implies, but yes it is an actual real-world use case that is more common than most people assume.

      – Tom
      16 hours ago











      1














      Password systems involve trade-offs between security against illegitimate access versus resistance to denial-of-service attacks. A potential advantage of split-password systems is that the two halves of the system can apply different trade-offs. For example, resilience against denial-of-service attacks may require that the first-half hashing function be fast enough to keep up with spammed access attempts, but that wouldn't be so necessary for the second-half function since only an attacker who had broken the first-half password would be able to attempt access with the second.



      If Fred Jones was notified every time anyone attempted an access with an incorrect first credential, an attacker could easily flood Mr. Jones with so many notifications that they would become useless, whether or not the attacker would ever have any real likelihood of gaining access. Notifying Mr. Jones if someone enters the correct first password but fails to enter a correct second password, however, would be much more useful. Unless Mr. Jones was the person attempting to access the account, such notification would serve as a very timely and useful warning that the primary password was breached, and both passwords should be changed ASAP.






      share|improve this answer




























        1














        Password systems involve trade-offs between security against illegitimate access versus resistance to denial-of-service attacks. A potential advantage of split-password systems is that the two halves of the system can apply different trade-offs. For example, resilience against denial-of-service attacks may require that the first-half hashing function be fast enough to keep up with spammed access attempts, but that wouldn't be so necessary for the second-half function since only an attacker who had broken the first-half password would be able to attempt access with the second.



        If Fred Jones was notified every time anyone attempted an access with an incorrect first credential, an attacker could easily flood Mr. Jones with so many notifications that they would become useless, whether or not the attacker would ever have any real likelihood of gaining access. Notifying Mr. Jones if someone enters the correct first password but fails to enter a correct second password, however, would be much more useful. Unless Mr. Jones was the person attempting to access the account, such notification would serve as a very timely and useful warning that the primary password was breached, and both passwords should be changed ASAP.






        share|improve this answer


























          1












          1








          1







          Password systems involve trade-offs between security against illegitimate access versus resistance to denial-of-service attacks. A potential advantage of split-password systems is that the two halves of the system can apply different trade-offs. For example, resilience against denial-of-service attacks may require that the first-half hashing function be fast enough to keep up with spammed access attempts, but that wouldn't be so necessary for the second-half function since only an attacker who had broken the first-half password would be able to attempt access with the second.



          If Fred Jones was notified every time anyone attempted an access with an incorrect first credential, an attacker could easily flood Mr. Jones with so many notifications that they would become useless, whether or not the attacker would ever have any real likelihood of gaining access. Notifying Mr. Jones if someone enters the correct first password but fails to enter a correct second password, however, would be much more useful. Unless Mr. Jones was the person attempting to access the account, such notification would serve as a very timely and useful warning that the primary password was breached, and both passwords should be changed ASAP.






          share|improve this answer













          Password systems involve trade-offs between security against illegitimate access versus resistance to denial-of-service attacks. A potential advantage of split-password systems is that the two halves of the system can apply different trade-offs. For example, resilience against denial-of-service attacks may require that the first-half hashing function be fast enough to keep up with spammed access attempts, but that wouldn't be so necessary for the second-half function since only an attacker who had broken the first-half password would be able to attempt access with the second.



          If Fred Jones was notified every time anyone attempted an access with an incorrect first credential, an attacker could easily flood Mr. Jones with so many notifications that they would become useless, whether or not the attacker would ever have any real likelihood of gaining access. Notifying Mr. Jones if someone enters the correct first password but fails to enter a correct second password, however, would be much more useful. Unless Mr. Jones was the person attempting to access the account, such notification would serve as a very timely and useful warning that the primary password was breached, and both passwords should be changed ASAP.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 13 hours ago









          supercatsupercat

          1,68469




          1,68469























              1














              Irrespective of the details of the hashing or of plausible cracking mechanisms, the fact of the matter is that the effort needed to crack two n-bit passwords is not 2n bits. It is n + 1 bits.



              So suppose that your eight character passwords, P1 and P2, each have, say, a strength equivalent of 30 bits. (Doesn't really matter, I'm just trying to pick a number to be concrete. So it takes 30 bits of effort[See note] to crack each. To crack both, it does not take 60 bits. Instead it take 31 bits of effort.



              Now suppose that you take P1 and simply add a digit that is uniformly chosen (you roll a D10) and stick that on the end. Then your augmented P1 will take take about 33.3 bits of effort to crack. That is more than four times more work than going after both P1 and P2.



              If you pick a single lowercase letter or digit (so 36 possibilities) at random to add to the end of P1, then this new password is more than 5 bits stronger, and so it will take 16 times as many guesses to crack this than it will to crack both P1 and P2.



              Higher security vaults?



              I work for 1Password, a password manager. And we receive requests to have vaults within vaults. That is a Master Password to generally unlock 1Password and then a second password to unlock some higher security data. We have declined those requests for the reasons that I (and others here) have pointed out.



              The result described above is counter-intuitive is counter intuitive. People will perceive using both P1 and P2 to be more secure than just a slightly longer augmentation of P1. We also consider a person's choice of Master Password to be the weakest point of their 1Password security (other than running on a compromised machine), and so we do not want to introduce things that might encourage people to use weaker master passwords than they otherwise would. We also would like people to get the most security for the effort, and making and remembering a small addition to a master password is less effort than creating and remembering another password.





              Notes:



              "bits of effort": n bits of effort roughly means that it takes on average 2^(n-1) guesses to find the the correct password.






              share|improve this answer




























                1














                Irrespective of the details of the hashing or of plausible cracking mechanisms, the fact of the matter is that the effort needed to crack two n-bit passwords is not 2n bits. It is n + 1 bits.



                So suppose that your eight character passwords, P1 and P2, each have, say, a strength equivalent of 30 bits. (Doesn't really matter, I'm just trying to pick a number to be concrete. So it takes 30 bits of effort[See note] to crack each. To crack both, it does not take 60 bits. Instead it take 31 bits of effort.



                Now suppose that you take P1 and simply add a digit that is uniformly chosen (you roll a D10) and stick that on the end. Then your augmented P1 will take take about 33.3 bits of effort to crack. That is more than four times more work than going after both P1 and P2.



                If you pick a single lowercase letter or digit (so 36 possibilities) at random to add to the end of P1, then this new password is more than 5 bits stronger, and so it will take 16 times as many guesses to crack this than it will to crack both P1 and P2.



                Higher security vaults?



                I work for 1Password, a password manager. And we receive requests to have vaults within vaults. That is a Master Password to generally unlock 1Password and then a second password to unlock some higher security data. We have declined those requests for the reasons that I (and others here) have pointed out.



                The result described above is counter-intuitive is counter intuitive. People will perceive using both P1 and P2 to be more secure than just a slightly longer augmentation of P1. We also consider a person's choice of Master Password to be the weakest point of their 1Password security (other than running on a compromised machine), and so we do not want to introduce things that might encourage people to use weaker master passwords than they otherwise would. We also would like people to get the most security for the effort, and making and remembering a small addition to a master password is less effort than creating and remembering another password.





                Notes:



                "bits of effort": n bits of effort roughly means that it takes on average 2^(n-1) guesses to find the the correct password.






                share|improve this answer


























                  1












                  1








                  1







                  Irrespective of the details of the hashing or of plausible cracking mechanisms, the fact of the matter is that the effort needed to crack two n-bit passwords is not 2n bits. It is n + 1 bits.



                  So suppose that your eight character passwords, P1 and P2, each have, say, a strength equivalent of 30 bits. (Doesn't really matter, I'm just trying to pick a number to be concrete. So it takes 30 bits of effort[See note] to crack each. To crack both, it does not take 60 bits. Instead it take 31 bits of effort.



                  Now suppose that you take P1 and simply add a digit that is uniformly chosen (you roll a D10) and stick that on the end. Then your augmented P1 will take take about 33.3 bits of effort to crack. That is more than four times more work than going after both P1 and P2.



                  If you pick a single lowercase letter or digit (so 36 possibilities) at random to add to the end of P1, then this new password is more than 5 bits stronger, and so it will take 16 times as many guesses to crack this than it will to crack both P1 and P2.



                  Higher security vaults?



                  I work for 1Password, a password manager. And we receive requests to have vaults within vaults. That is a Master Password to generally unlock 1Password and then a second password to unlock some higher security data. We have declined those requests for the reasons that I (and others here) have pointed out.



                  The result described above is counter-intuitive is counter intuitive. People will perceive using both P1 and P2 to be more secure than just a slightly longer augmentation of P1. We also consider a person's choice of Master Password to be the weakest point of their 1Password security (other than running on a compromised machine), and so we do not want to introduce things that might encourage people to use weaker master passwords than they otherwise would. We also would like people to get the most security for the effort, and making and remembering a small addition to a master password is less effort than creating and remembering another password.





                  Notes:



                  "bits of effort": n bits of effort roughly means that it takes on average 2^(n-1) guesses to find the the correct password.






                  share|improve this answer













                  Irrespective of the details of the hashing or of plausible cracking mechanisms, the fact of the matter is that the effort needed to crack two n-bit passwords is not 2n bits. It is n + 1 bits.



                  So suppose that your eight character passwords, P1 and P2, each have, say, a strength equivalent of 30 bits. (Doesn't really matter, I'm just trying to pick a number to be concrete. So it takes 30 bits of effort[See note] to crack each. To crack both, it does not take 60 bits. Instead it take 31 bits of effort.



                  Now suppose that you take P1 and simply add a digit that is uniformly chosen (you roll a D10) and stick that on the end. Then your augmented P1 will take take about 33.3 bits of effort to crack. That is more than four times more work than going after both P1 and P2.



                  If you pick a single lowercase letter or digit (so 36 possibilities) at random to add to the end of P1, then this new password is more than 5 bits stronger, and so it will take 16 times as many guesses to crack this than it will to crack both P1 and P2.



                  Higher security vaults?



                  I work for 1Password, a password manager. And we receive requests to have vaults within vaults. That is a Master Password to generally unlock 1Password and then a second password to unlock some higher security data. We have declined those requests for the reasons that I (and others here) have pointed out.



                  The result described above is counter-intuitive is counter intuitive. People will perceive using both P1 and P2 to be more secure than just a slightly longer augmentation of P1. We also consider a person's choice of Master Password to be the weakest point of their 1Password security (other than running on a compromised machine), and so we do not want to introduce things that might encourage people to use weaker master passwords than they otherwise would. We also would like people to get the most security for the effort, and making and remembering a small addition to a master password is less effort than creating and remembering another password.





                  Notes:



                  "bits of effort": n bits of effort roughly means that it takes on average 2^(n-1) guesses to find the the correct password.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 11 hours ago









                  Jeffrey GoldbergJeffrey Goldberg

                  3,807814




                  3,807814






















                      Carlos is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Carlos is a new contributor. Be nice, and check out our Code of Conduct.













                      Carlos is a new contributor. Be nice, and check out our Code of Conduct.












                      Carlos is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204450%2fwhich-password-policy-is-more-secure-one-password-of-length-9-vs-two-passwords%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      “%fieldName is a required field.”, in Magento2 REST API Call for GET Method Type The Next...

                      How to change City field to a dropdown in Checkout step Magento 2Magento 2 : How to change UI field(s)...

                      變成蝙蝠會怎樣? 參考資料 外部連結 导航菜单Thomas Nagel, "What is it like to be a...