This calculation is utter bullshit.
Why? Because you said so?
You are right though... I greatly underestimated the key space size (see the end of my response to you).
Did you even read the discussion? The comparison was between a password including a unicode character input via Windows alt-code and the same password with that character replaced by four decimal digits. Nobody suggested every single character in the password should be chosen from the set of all unicode characters; that would take forever to type (and again, would be no more secure than just a string of four times as many digits, and also no easier to remember, as they are in fact the same thing).
You're right, nobody suggested that, including me. Additionally, you seem to have this notion that passwords can be cracked 1 character at a time, which isn't true. That is implied by the fact that you think a password with 1 unicode character somewhere in it has a smaller key space to brute force than a password of all unicode characters. If the attacker knew that the password contained unicode, and their only choice was to brute force, they would be forced to check each character slot for the entire unicode key space (and all combinations thereof).
Supposing your password is eight completely random printable ASCII characters (and as I understand it they are not in any sense completely random, but I'll give you the benefit of the doubt here) and a randomly chosen alt-code, of which there are a maximum of 10,000, the actual number of combinations is 94^8 * 10000 = 60956893854108160000, or just under 67 bits. Now, that really should be plenty of entropy for a password, but it's nothing like what you think it is.
Wait, what? You've been watching too many movies? You can't brute force a PW 1 character at a time - alternatively, you're implying that the attacker not only knows that there's a unicode character, but that they know the exact position of it in the password. It doesn't work that way; they would have to attempt the entire 10,000 character set in every character slot: 10,000^8, or 10,000,000,000,000,000,000,000,000,000,000 possible combinations. Which actually makes the character space of an 8-character PW with unicode characters over 210 million times larger than the key space of a 12 character password with a character set of 94.
More to the point of my "most secure password" - you know nothing about it except the key space of it, everything else was an assumption, and every single assumption you made was utterly wrong.
I agree that if an attacker was trying to brute force your password, it is unlikely they would try the entire unicode character set. Certainly not more than a few characters in length. But who says that they have to brute force your password just because it contains a few unicode characters? It would be very reasonable to think that an attacker would try common password algorithms and append a unicode character on the end. They could also try unicode characters between words or many other possibilities.
Most people probably do not choose randomly from the entire unicode set either. They probably choose only characters that can be typed with alt+XXXX. Also, most people choose characters they are familiar with. As a poster already pointed out, in my example I didn't choose a character randomly. I chose a Greek character because I am familiar with them. So a smart attacker could make their attacks much faster. Just adding a unicode character does not make your password "practically unbreakable".
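As an added illustration (not written by any poster in this thread), here is a short Python script that works out the candidate-space sizes the posts above argue about, under the assumption that the attacker knows the composition model. The 10,000 alt-code ceiling comes from the thread; the 48-symbol "familiar Greek letters" alphabet is an assumption made for this example.

```python
import math

# Added example, not from the thread. Each entry in `slots` is the number of
# symbols that can occupy that position of the password.

def keyspace_bits(slots, position_unknown=False):
    """log2 of the number of candidates an attacker who knows the composition
    model must try. If position_unknown is True the attacker also has to
    guess which of the len(slots) positions holds the special symbol, so
    every placement is tried."""
    total = 1
    for n in slots:
        total *= n
    if position_unknown:
        total *= len(slots)
    return math.log2(total)

ASCII_PRINTABLE = 94      # printable ASCII, as used in the thread
ALT_CODES = 10_000        # at most alt+0000 .. alt+9999, as used in the thread
DIGIT = 10
GREEK_LETTERS = 48        # assumption: 24 letters, upper and lower case

# 8 random printable ASCII + 1 alt-code, attacker knows where the alt-code is.
ascii8_plus_altcode = keyspace_bits([ASCII_PRINTABLE] * 8 + [ALT_CODES])

# Same, but the attacker does not know which of the 9 slots holds it.
ascii8_plus_altcode_anywhere = keyspace_bits(
    [ASCII_PRINTABLE] * 8 + [ALT_CODES], position_unknown=True)

# The "four decimal digits" equivalence: one alt-code slot contributes
# exactly as many bits as four independent decimal digits.
four_digits = keyspace_bits([DIGIT] * 4)
one_altcode = keyspace_bits([ALT_CODES])

# A smart attacker who guesses the special symbol is a familiar Greek letter
# searches a far smaller space than the full alt-code range.
ascii8_plus_greek = keyspace_bits([ASCII_PRINTABLE] * 8 + [GREEK_LETTERS])

# The opposing model: all 8 slots drawn from the 10,000 alt-codes, compared
# against 12 slots of printable ASCII.
all_altcode8 = keyspace_bits([ALT_CODES] * 8)
ascii12 = keyspace_bits([ASCII_PRINTABLE] * 12)
ratio_altcode8_to_ascii12 = 2 ** (all_altcode8 - ascii12)
```

Only the attacker's model of the password determines which of these numbers applies; the same string can sit in a 106-bit space under one model and a 58-bit space under another.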
I just wanted to point out here - all of your assumptions are wrong. You assume I don't know how to generate a secure password (with or without the Unicode set) and that led you down a path of assumptions that were all doomed to be wrong.
But it is less likely that an attacker will try unicode characters. And if an attacker is reduced to doing a brute force attack, it is even more unlikely that they will crack your password in a reasonable amount of time. So in practice it is safer than not using them. Never underestimate the cleverness of an attacker though. Do not assume that an attacker will have to resort to a brute force attack. Someone could glance over your shoulder and see the length of your password or a few characters.
At this point the discussion is irrelevant - physical access = full access. Pop in a specially built Linux disk, wipe the password from the SAM, log on to the account without even having to put in any effort figuring out what the password was. Ta-da! You're done in 3 minutes.
They could even see that you type on one side of the keyboard more than another. They can search your username on the internet to find out information about you. They might be able to crack a different password using an offline attack, and now that they know your pattern they can use a smarter online attack. Or they could even trivially break it by using a key logger or reading from memory. Or they can reduce the key space using cryptanalysis. Or they can get an SSL certificate signed by a CA and use a MITM attack. So to be as safe as possible always ensure that your password has adequate entropy. And also make sure you take reasonable precautions to mitigate "side channel" attacks as much as possible.
Here's the thing - my entire point was that you a) force them to brute force, and b) including unicode does two things: 1) it significantly increases the key space, and 2) most attackers are unlikely to even include the unicode set in a brute force attack, making the password effectively unbreakable in most instances.
Google ( "Isil`Zha" forum ). I will bet you that many of the results are you. If someone tries to crack your password, your password isn't uncrackable because it uses unicode characters, but it is if you have a lot of entropy.
See previous statement.
Most of this "discussion" has been a strawman of my original post, where I merely mentioned an added benefit, but by no means do I ever consider my password 100% unbreakable.
( "isil zha" forum "password" -"forgot password" -"remember password" ) *cough* spacebattles *cough*
Oh n0es! Not another silly forum account!