Master Password: Discussion (2017-09-19T20:32:29Z)
MBNA password requirements. (2017-09-19T20:32:26Z)
<div><p>Generally, "basic" password is the best fall-back if Long is incompatible. It is an 8-character alphanumeric with an entropy of ~42 bits.</p>
<p>To really know what kind of entropy you should be looking for, you need to state what kind of attack you're trying to defend against.</p>
<p>Are you protecting against a person trying to guess your password on a website? Are you protecting against a hash reversal attack? Is it salted? Is the salt known? Are you protecting against a brute-force network attack on a login page? Are you trying to protect against an intrusion in the website's company servers? Is there a two-factor involved? Is there a brute-force countermeasure involved (e.g. max password attempts)? Etc.</p>
<p>The type of attack will give you a clear understanding of what your attack's bottleneck is and how wide it is.</p>
<p>Only after you know how wide your attack's bottleneck is, you can understand what kind of entropy requirement is necessary.</p>
<p>My general recommendation is that you shouldn't put too much effort into maximizing a site password's entropy, since there are so many attack angles on this password that password entropy is simply powerless against. Just make it "as good as you can get" and instead focus on compartmentalization: don't let one compromised account get you into too much trouble. Don't put all your eggs in one basket.</p></div>
Maarten Billemont
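<p>Added example, not part of the original post and not Master Password code: a small model of the "bottleneck" reasoning above, comparing the ~42-bit figure from the post against the entropy each defensive scenario actually calls for. The scenario names, guess rates, lockout cap, one-year window and 0.1% risk target are constructed assumptions for illustration.</p>

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Bottleneck:
    name: str
    guesses_per_second: float          # constructed, illustrative rate
    max_guesses: Optional[int] = None  # hard cap such as an account lockout

def guesses_available(b: Bottleneck, seconds: float) -> float:
    """Guesses the bottleneck lets through in the given time window."""
    n = b.guesses_per_second * seconds
    return min(n, b.max_guesses) if b.max_guesses is not None else n

def success_probability(bits: float, b: Bottleneck, seconds: float) -> float:
    """Chance that a uniformly random password with `bits` of entropy is found."""
    return min(1.0, guesses_available(b, seconds) / 2.0 ** bits)

def bits_needed(b: Bottleneck, seconds: float, max_risk: float) -> float:
    """Smallest entropy that keeps the success probability at or below max_risk."""
    return max(0.0, math.log2(guesses_available(b, seconds) / max_risk))

YEAR = 365 * 24 * 3600

# Constructed scenarios (assumptions, not measurements of any real site).
SCENARIOS = [
    Bottleneck("login page, lockout after 10 tries", 1.0, max_guesses=10),
    Bottleneck("login page, throttled, no lockout", 10.0),
    Bottleneck("leaked fast unsalted hash, offline", 1e10),
]

def report(bits: float = 42.0, seconds: float = YEAR, max_risk: float = 1e-3):
    """Return (scenario, P(found) at `bits`, bits needed for max_risk) rows."""
    return [
        (b.name, success_probability(bits, b, seconds), bits_needed(b, seconds, max_risk))
        for b in SCENARIOS
    ]

if __name__ == "__main__":
    for name, p, need in report():
        print(f"{name:38s} P(found in 1y)={p:.2e}  bits for <=0.1% risk: {need:.1f}")
```

<p>Under these assumptions, 42 bits is far more than a locked-out or throttled login page requires and far less than an offline attack on a fast hash requires, which is the case where compartmentalization matters more than entropy.</p>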