On Fri, Dec 22, 2017 at 10:25 PM, Richard Hector <rich...@walnut.gen.nz> wrote:
> On 21/12/17 22:16, Curt wrote:
>> On 2017-12-20, Richard Hector <rich...@walnut.gen.nz> wrote:
>>>
>>> On 21/12/17 02:02, Curt wrote:
>>>> Also, I'm uncertain whether suppression of the asterisk-echo qualifies
>>>> as "security by obscurity"
>>>
>>> I think most people accept that obscurity is quite reasonable for
>>> passwords ...
>>>
>>> Richard
>>>
>>
>> Wonderful, Dick, however, I was referring to the specific expression
>> "security by (or through) obscurity," which denotes something else.
>>
>> https://en.wikipedia.org/wiki/Security_through_obscurity
>
> I'm aware of that concept. But making it harder to see the length of the
> password makes it harder to guess the password, no? Which has got to be
> good?
No. I've been facepalming myself through this thread but I can't really keep my mouth shut anymore. All this is very misguided.

Knowing the length of your password means that it takes about 1-2% less time to brute-force it, no matter how many characters you use. This is because every extra character multiplies the difficulty by about 50-100 depending on what type of characters you pick from.

Let's say you use a 10 letter password, from a pool of 100 characters for each letter, and someone is brute-forcing it. If they *know* that you have 10 letters in your password, they will have to try on average 100^10/2 = 50000000000000000000 times before they find the right password. Now, what happens if they *don't* know? They will have to start testing all possible 1-letter passwords, then 2-letter, 3-letter etc: (100^1 + 100^2 + 100^3...)/2 = 50505050505050505050. Wow, to brute-force without knowing the number requires 1.01% more calculations.
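The arithmetic in the reply above, as an added example that is not part of the thread: exact integer search-space counts for the known-length and unknown-length cases, generalised to any alphabet size and length so the overhead of hiding the length (about 1/(N-1) for an alphabet of N symbols) can be compared across character sets. Function names and the sample alphabet sizes are this example's own choices.

```python
# Added example (not from the thread): exact brute-force search-space
# arithmetic for a password of `length` symbols drawn from an alphabet of
# `alphabet_size` symbols, comparing known and unknown password length.


def search_space(alphabet_size: int, length: int, length_known: bool) -> int:
    """Candidates that must be enumerated in the worst case (exact integer)."""
    if length_known:
        return alphabet_size ** length
    # Length unknown: every length from 1 up to `length` has to be tried too.
    return sum(alphabet_size ** k for k in range(1, length + 1))


def expected_attempts(alphabet_size: int, length: int, length_known: bool) -> int:
    """Average attempts before the right password turns up: half the space."""
    return search_space(alphabet_size, length, length_known) // 2


def length_hiding_overhead(alphabet_size: int, length: int) -> float:
    """Fraction of extra work when the length is hidden, e.g. 0.0101 for 1.01 %."""
    known = search_space(alphabet_size, length, True)
    unknown = search_space(alphabet_size, length, False)
    return unknown / known - 1.0


if __name__ == "__main__":
    # The thread's case: 10 symbols from a 100-symbol alphabet.
    print("known length  :", expected_attempts(100, 10, True))
    print("unknown length:", expected_attempts(100, 10, False))
    # Overhead for a few constructed alphabet sizes (digits, lowercase,
    # alphanumeric, 100-symbol); it depends on the alphabet, not the length.
    for name, size in [("digits", 10), ("lowercase", 26),
                       ("alnum", 62), ("100-symbol", 100)]:
        for length in (4, 8, 12):
            print(f"{name:>10} len={length:2d} "
                  f"overhead={length_hiding_overhead(size, length):.4%}")
```

For a 4-digit PIN the hidden length costs the searcher about 11 % extra, for lowercase letters about 4 %, and for the 100-symbol alphabet in the reply 1.01 %, which is the point the reply makes.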