Blog

Articles about passwords, security, and why almost everything we were taught was wrong.

What really happens when your password leaks

Your password doesn't leak and vanish: it leaks and starts circulating. It gets cracked at leisure, merged with other lists, and ends up in a combo someone tries on your bank. What makes it valuable isn't that it was weak. It's that it was the same one.

Hash, salt, bcrypt and Argon2: what a well-built site does with your password

Every time you're let in, something gets checked. But checking isn't knowing. The story of how we learned not to store passwords, and of why the function that protects them has to be slow — and expensive — by design.

How long your password really takes to crack

The sites promising you '3 million years' are hiding half the equation. The same password can fall in an afternoon or hold for centuries depending on how the site you signed up to chose to store it — something you don't get to pick and nobody explains. Here's what's behind the number.

Diceware: how five dice pick a better password than you do

Ask someone for a random word and you won't get a random word: you'll get one of their words. Arnold Reinhold fixed that in 1995 with five dice and a list of 7,776 words. The beauty of it is that dice have no taste, no memory, and no idea what kind of day you're having.

What entropy bits are, and why we won't give you a percentage

"92% strong" doesn't mean anything: there is no 100 to reach. Bits do mean something very specific, and they always mean the same thing. Every bit you add doubles the work for whoever is trying to guess you, so 40 bits isn't twice as good as 20 — it's a million times more.