/g/ - Technology


File: password_strength.png (91 KB, 740x601)
Which one do you use /g/?
>>
I just use password123. I mean, who is going to think that I'm going to use such a weak password?
It's actually safer this way.
>>
>>71390421
That comic is wrong.
>>
It's best to use symbols and made-up words.
Joos*Looz*N*Snooz or
grubbagegebabedinsuence or something like that
>>
>>71390421
I unironically used this password for my WiFi for 7 or so years.
>>
Have fun "remembering" 20 different retarded comic strips for all accounts you use.
If you use the same password everywhere, you can put your 2^44 among fairy tales.
>>
>>71390433
Unironically used to think this when I was like 11, my club penguin account was "password" and I thought I was a genius.
>>
>>71390526
If you use a password manager, you effectively use one password for everything.
>>
>>71390469
>A random passphrase is a good idea as has been said numerous times here. Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six random lower-case letters password, in practice this is quite weak (10000*10000 ~ 10^8, while 26^6 ~ 3 x 10^8).
https://security.stackexchange.com/questions/16503/using-passwords-made-of-words
>>71390488
The whole point of a passphrase is that it is easier to remember actual words. If you have several passwords for several websites, then it is harder to memorize made up words.
If you speak a non-English language though, you could use words from that language written in Latin and your passphrase will become infinitely harder.
>>
>>71390549
Not if you also use a key file stored away on your thumb drive.
>>
>>71390577
Ah yes the thumb drive. Accidentally flash/lose/forget it and you can't access shit.
>>
>>71390599
Stop pretending you don't have at least 12 of them you could use for redundancy.
>>
File: 1551273998168.jpg (405 KB, 750x896)
>>71390421
>throws a dictionary attack at your passphrase
nothing personnel, kid
>>
>>71390617
Yes but I need all 12 at once to enter my database and I only access my database once a ritual- I mean year. So a thief would need to go on a treasure hunt.
>>
Another chapter in the "I'm so clever I trolled myself" saga.
>>
>passphrase
>nigger nigger nigger nigger
it would be nice to login with a jingle stuck in your head
>>
>>71390421
>tiringblizzardbrigadeturmoil
>28 characters
>Entropy: 51.70 bit
>îðÇñþeTúuG*1ð+¦8ð*Ldú´ºçtÙËú
>28 characters
>Entropy: 213.01 bit
Okay lads.
>>
>>71390549
Yes, but it's a password that never goes online.
>>
i just slam my keyboard with my whole hand, then copy and paste whatever i got in my encrypted notepad
>>
File: 1560212011042.jpg (154 KB, 1143x1500)
>>71390421
That is just opening you up for another kind of dictionary attack.
For that to be properly effective, you need some really obscure words or even words that you just made up. Throwing some random symbols in the middle of some words makes it significantly more effective too.
>>
>>71390717
Really, you're invulnerable to any spectre/meltdown thing? You're running 0 unsandboxed apps?
>>
>>71390549
>hurr password reuse is a-ok!
look at this idiot and laugh
>>
>>71390733
You have to invent a hypothetical scenario where someone actively exploited a hardware vulnerability on my machine to support your "keepass is just like using one password everywhere" claim.
>>
>>71390469
No, it isn't.
>>
>>71391009
The suggested password scheme is vulnerable to dictionary attacks. There are 171,476 words in English. If we assume all passwords are four words or fewer, we are left with less than 2 million permutations to try.

You have to mix the two strategies because a random word isn't random enough.
>>
>>71390488
>Feed*And*Sneed
>>
>>71391273
>Hello I don't know about diceware and that this is a proven concept so I will pretend that I am an expert because nobody can prove me wrong!
>>
>>71391273
what? The comic is saying to combine words. You do realize that password prompts don’t tell you how much you got right, correct? Word1Word2 isn’t treated as {“Word1”, “Word2”}. It’s treated as one single word that does not exist in the english language.
>>
kek
>>
I use quotes from my favourite books/movies
>>
>>71390630
underb&, legally retarded or a fucking normalfaggot tourist
>>
>>71390683
You aren't wrong (dishonesty of using way more letters than exist in English notwithstanding), but you missed the point.
How much longer will it take to remember and more importantly type in?
Diceware is good enough for considerable security (nothing is 100% secure) and easy to remember and use.
>>
>>71390421
Why not just this:
echo 'USERNAME+MASTER PASSWORD+WEBSITE' | gpg --encrypt | sha512sum | sed 's/3/#/g'

You'll always know the password, you can't find it without your gpg key, and you add symbols where you don't know. hell, if you want to go a step further:
echo 'USERNAME+MASTER PASSWORD+WEBSITE' | gpg --encrypt | sha512sum | sed 's/.\{4\}/&\!/g' | sed 's/.\{2\}/&\#/g' 
>>
>>71390421
You shouldn't remember passwords anyways.
Password manager, use one or terminate your host process.
And do dictionary attacks suddenly not exist anymore? Restricting yourself to something as stupid as passphrases is the worst thing you can do second only to using your name or pets name or shit like that.
And besides use 2fa and preferably passwords utilising the full utf-8 character space you glow in the dark consumers.
>>
>>71390433
Brute force doesn't care if it's stupid or not.
Dictionary attacks have the word password in them so..
>>
>>71392142
But the reddit cartoon didn't say "use diceware" it said "use 4 common words." Gotta pay attention, reddit. The other Anon is right in that the xcfgb guy or whatever it's called is as incorrect as he's unfunny. As usual.
>>
>>71393132
>Let's make our passwords into programming exercises. Forget one spacing and you are fucked.

>>71393189
I think by now it is absolutely proven that Randall is an absolute fucking retard, but this doesn't mean that he wasn't illustrating a good concept. What do you want, a 24 page comic?
>>
>>71390421
This comic is retarded, you could break correcthorsebatterystaple with a dictionary attack in like 5 seconds.
>>
>>71393239
>I think by now it is absolutely proven that Randall is an absolute fucking retard, but this doesn't mean that he wasn't illustrating a good concept. What do you want, a 24 page comic?
But the concept is wrong, so how is it good? Is Randall the guy who makes this comic? How did a person become so unfunny and faggy? It's like someone distilled pure Reddit and formed a man through some alchemical homunculi process.
>>
>>71392220
>It’s treated as one single word that does not exist in the english language.
That's not how a dictionary attack works you retard.
>>
>>71390421
I use prime numbers from several number sets my system discovered running arithmetic progressions which I multiply together then convert to hexadecimal. The resulting password is so long, I can't remember it myself. This is used for all my important accounts including my PC and encrypted drives then layered with multifactor authentication via one time secret through Google Authenticator. To access my accounts, I use biometric unlock for my PC and phone which is set to auto-unlock my accounts and encrypted drives/phone.

I almost bricked my machine and all my accounts when I updated my BIOS and fudged the TPM module which erased biometric, PIN, and encryption keys so I had to manually take those prime numbers, recreate the prime composite to convert to hexadecimal, and reenter my keys.
>>
>>71393301
lmao
and (((they))) still have your every single keypress and camera access
>>
>>71393132
>sha512 for passwords
hhhhhhhhh
>>
>>71393301
I use the method of loci to remember 30 character strings of random letters and symbols.
>>
>>71390421
Actually, BOTH random char passwords and passphrases are inherently insecure as one is vulnerable to brute force attacks and the other to dictionary attacks. The best is combination of both. For example inserting a symbol between a long SAT word like circumscribe.

ie: c~i~r~c~u~m~s~c~r~i~b~e~

Further strengthening can be achieved by using 2 or more special characters in a pattern along with case sensitive placement. But this password alone is now 24 characters long making it virtually impossible to bruteforce and at the same time a nightmare for dictionary attacks (efficiency gets cut in half for every symbol or combination of symbols it scans between words).

YET it's relatively easy to remember, at worst you just have to remember the pattern of special characters used between letters if you're that paranoid.
>>
>>71393352
I willingly give the alphabet agencies my keystrokes, as a former government dog, I'm doomed to be pozzed for life anyways. As for camera access, I don't have a camera on my PC. Nothing I can do about my phone cameras, I hope they enjoy watching me beat my meat.
>>
>>71393362
>not using 2389472 iterations of rot13
>>
>>71393362
>method of loci
interesting, I'm not familiar but will need to read more about this as my working memory is detrimentally poor yet my spatial memory is extremely sharp. My passwords are way beyond 30 digits of random letters and symbols though
>>
>>71393387
Thanks, just added this concept in my l33tspeak cracker.
>>
File: spurdofootdrink.jpg (17 KB, 400x331)
>>71390549
>you effectively use one password for everything
Yeah have fun cracking my LUKS password.
>>
>>71393425
If your spatial memory is good, you can memorize anything with that method. 30 digits was just an arbitrary length that seemed reasonable at current gen. I could easily have made it 100 characters or something else. I remember a huge amount of such passwords because I swap them out now and then.
>>
>>71393444
Okay, send me your header over mega or similar.
>>
>>71393437
Good luck, you're gonna have to add every special character out there including emojis and scan for characters used in variances. I personally use the crying face emoji with the laughing crying emoji on my HDD pass.
>>
>>71393493
Thanks. Added crying face emoji/laughing face emoji variations.
>>
I just use 16 characters of hex, or 8 if I'm forced to use less (has happened before 5 times to me. Fucking shitty websites)
>>
>>71390722
BASED

My truecrypt encrypted notepad is enveloped in another veracrypt container. Just in case one of them had a backdoor.
>>
>>71393458
My spatial memory is dangerously good since I've been in the transportation, logistics, and supply chain industry for about 10 years. I'm an expert in analyzing and memorizing maps. I will definitely need to learn this Method of Loci.
>>
ZoLtAx2040KREEMOU-bingybingubon'gy
>>
>>71393521
>forced to use less (has happened before 5 times to me. Fucking shitty websites)
I FUCKING HATE THIS
>>
>>71393249
>I have no idea what PBKDF is
>>
>>71393544
Most people take a couple of years to learn to utilize it well, but you're probably expert tier already because it's actually that sort of memory you need to train to become proficient at it. The method in itself is simple and you'll learn it in a day or so and with it there's basically no upper limit to what you can memorize.
>>
>>71393493
Literally every dictionary attack swaps symbols.
Unless you're replacing every symbol with an alternative one, you are not changing the asymptotic difficulty.
>>
>>71393471
Not him, but tell me the command and I will. Last time I touched luks was a while ago.
>>
>>71393471
>okay just do half the work for me
It's on a publicly accessible http server. That's all the help you get.
>>
>>71393590
Just touching the subject, I'm beyond fascinated by the idea. I really appreciate that kind of name drop, anon.
>>
>>71393611
No, you're supposed to prove you're safe in a dangerous situation to automatically prove you're safe in casual use.
>>
>>71393563
Worst I have seen so far has to be
>exactly 8 characters
>only alphanumeric
>no special chars
>does not differentiate between uppercase and lowercase
And who could have guessed as a confirmation I got my password sent to me in plain text in an email.

>>71393589
Yeah you really have no fucking clue what PBKDF or a dictionary attack is. What you are thinking of is a rainbow table attack you absolute imbecile.
>>
>>71393614
Have fun. It's been a source of extreme usefulness in many areas of my life.
>>
>>71393631
What's a rainbow table attack?
>>
>>71393631
>https://en.wikipedia.org/wiki/Rainbow_table
>use of a key derivation function that employs a salt makes this attack infeasible.
I'm sorry you're such a mongoloid
>>
File: 1558230946168.png (353 KB, 604x630)
>>71390722
>>71393530
>not just writing them onto a real notepad and locking then in a safe that only you know the combination to
>>
As this very nice anon pointed out
>>71390683
you want to be using all types of available characters to increase entropy, only real use for a passphrase is for when you'll have to enter the password manually (say, setting up a phone for example)
>>
>>71393596
The more symbols you swap the closer it becomes to a bruteforce attack. At which point you're bruteforcing a 24 character password. Fine if you're a state actor but your quad TITAN gaming rig isn't going to cut it.
>>
>>71393673
What about when you want to access this information from somewhere other than at home?
>>
>>71393725
What I'm saying is, you only gain from swapping *every* lookalike symbol.
>>
>>71393596
That's for KNOWN variances where symbols represent characters in a word (ie L€€tg4m€R, ©uπ+vv@goπ, £@gg°+$ho€). If a dictionary attack included even just looking for the same exact symbol repeating between letters in a long word you're now effectively bruteforcing because there's like a million symbols that can be used including those from other languages (ie moon runes).

It's especially debilitating when long 12+ char SAT words are used.
>>
>>71390421
Fuck this guy is retarded, it's not more bits, you can just dictionary bomb it if it's just plain English (each bit isn't orthogonal in his model)
>>
>>71393733
Remember the passwords to your most used accounts, and carry it with you when you know that you are going to need it. I've been using a notepad for my passwords for over a decade and never had a problem.
>>
>>71393669
Are you a mouth breathing knuckle dragging troglodyte? Why do I even ask when I know the answer is fucking yes.
Can you even fucking read?
>you could break correcthorsebatterystaple with a dictionary attack in like 5 seconds
>I have no idea what PBKDF is
Do you even remotely understand what PBKDF actually is or does you inbred dogfucker?
All the salting and hashing in the world isn't gonna do jack shit when the password in question just got guessed in 20 seconds using a simple fucking dictionary attack.
>>
>>71393752
Bruh once you bring in the emojis in, hackers might as well pack up and leave.
>>
>>71390565
>Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six
>sort dictionary in popularity order
>cracks your password in few minutes
nothing personnel kid
>>
>>71393814
The vast majority of English words are equally as unpopular. You've done yourself no favours.
>>
>>71390433
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt#L1085
>>
>>71390565
>The whole point of a passphrase is that it is easier to remember actual words
if your password is memorable it is already a weak password.
>>
>>71390421

1q2w3e4r5t6y

it's already on dictionaries so there it is, but my philosophy goes around that, memorizing keyboard movements.

Also, the typical trick of using the NATO phonetic alphabet and a piece of work I can remember(Star Wars-SW-1Sierra-Whisky)
>>
>>71393784
>All the salting and hashing in the world isn't gonna do jack shit when the password in question just got guessed in 20 seconds using a simple fucking dictionary attack.
Okay, let's say we put about 20 seconds worth of PBKDF on that password before we get the derived key.

Now since I'm a troglodyte, please explain to me exactly how you're going to do a 20 second calculation as many times as it takes to get the correct answer in 20 seconds.
>>
>>71390433
>what is a dictionary attack for 100
>>
>>71390421
Multilingual Passphrase combined with password.
>>
>>71393923
You still don't get it you imbecile. How are you that retarded and still alive? How have you not disembowelled yourself with a butter knife while trying to butter a piece of toast?
You can use whatever hashing and salting you want for however a long time you want to and it won't matter when I logged into your account by literally guessing your password till I am in.
I'm gonna spell it out one more time really slowly for you:
It doesn't matter how the password is hashed when you already breached the account by guessing the password or in other words using a fucking dictionary attack.
>>
>>71391273
>There are 171,476 words in English. If we assume all passwords are four words or fewer, we are left with less than 2 million permutations to try
How the fuck did you get that number? There are 8.6*10^20 length-4 permutations of 171,476 words
>>
>>71393932
Nice try, that password isn't in the top 100.
He's safe.
>>
>>71392912
this has to be bait, you should get ur head checked m8, somethin's wrong with you
>>
>>71393973
>It doesn't matter how the password is hashed when you already breached the account by guessing the password or in other words using a fucking dictionary attack.
So apparently, you're going to get around needing 20 seconds per attempt, by already knowing the password. Genius. Why am I too stupid to know that you can just know the password before trying to guess the password
>>
>>71394016
How about doing a million concurrent attempts at once that take 20 seconds each?
Password crackers have massive setups, and they can use cloud computing for basically infinite computing power.
It really doesn't matter.
>>
>>71394016
Is this simply the worst bait I have seen this decade or does the hospital ward for clinically brain dead patients have wifi now?

>>71394051
We're still not talking about cracking passwords. You don't need to crack a hashed password when you can literally use a dictionary attack to simply log in in literally seconds by guessing till you hit the correct password. That retard above somehow brought up PBKDF when everyone else was talking about dictionary attacks. But what is to be expected from someone that is an elite 1337 hacker calling himself lain because he visited /cyb/ that one time.
>>
>>71393835
there is like just 2000 common words and i'm 99% sure that words from your passphrase is here.
so your 4-word passphrase is just 16 seconds to crack on modern hardware
>>
>>71393293
no shit, but how many people have “NiggerAnonFaggot” in their lists? Oh that’s right, none. If you create your own passphrase then you have an almost infinite amount of combinations of words, most of which will not be in a cracker’s dictionary list. “password123” is much different than “mydogisnamedGerald123”.
>>
>>71394051
>a million concurrent attempts
if we assume a 4 word passphrase, in which all permutations total less than or equal to 1 million, that would require a dictionary (d) the size of

d = 1000000^(1/4) or about 31.62 words in our dictionary.

Using my basic understanding of linguistics, most language courses have about 5000 words in order to be 'conversational', so that would result in

5000^4 or 625000000000000 possibilities, OR 625000000 repetitions of your magical 1 million concurrent hashing machine.
>>
>>71394088
>there is like just 2000 common words and i'm 99% sure that words from your passphrase is here.
That's 16 trillion potential passphrases. If we take the comic's number of 1000 guesses per second from this combinatoric dictionary attack, that's 550 years to crack. Exactly as the comic predicted.
>>
>>71394123
>Nigger
>Anon
>Faggot
Literally all worth their shit? Those aren't uncommon words. Unless you use witenagemot chaulmoogra and gossypol don't kid yourself by saying these are in no dictionary anywhere.
>>
>>71394075
>ha ha I didn't say anything but insulted you, ha ha
Okay, have a nice life, I guess
>>
>>71394139
1000 guesses per second is pretty realistic if you use a computer from 1976. In $currentYear however that is far from realistic. Even a $200 smartphone will do orders of magnitude better than that.
>>
>>71394153
Sure thing kiddo. I didn't say anything at all. I only pointed out about 20 times that you have no clue what you are talking about and that it has nothing to do at all with the discussion at hand but sure, pointing out an ad hominem does count as a counterargument to you showing off for all to see just how retarded you are.
>>
>>71394164
That's extremely false. Maybe if we're talking md5 hashed passwords, but that's not what anyone is concerned about.
Stop pulling numbers out of your ass without having any idea what you're talking about.
>>
>>71394146
you idiot, ALONE those words are common, TOGETHER they are not. What’s so hard about this?
>>
>>71394088
Okay, here are the contents of new.kdbx - a keepassxc database with a 4-phrase english word password. AES256. Write the password as a reply.

https://pastebin.com/m3uXcvKp
>>
>>71394182
>>71394223
How many fucking people are on this board that have no fucking clue what a dictionary attack is and when will we finally change the name to /g/ - Consumers?
>>
>>71394164
except that you can (and nearly everyone does) use key stretching techniques to combat increases in computational power.

>>71394180
You haven't 'pointed out' anything. You have asserted, without evidence, that you can somehow bypass key stretching. Someone, possibly you, mentioned something about crackers having access to 'unlimited computing power', a statement so baseless and incongruent with reality that I can't even find a way to refute it without finding statistics on the total processing power of every computer on the planet today to show you how absolutely infeasible such a proposition is.
>>
>>71394285
pseud
>>
>>71394274
You are legitimately retarded
>>
>>71394273
>>71394088
Here, just so I know you have the right file
http://www.yourfilelink.com/get.php?fid=2045258
>>
>>71394274
If you keep repeating “dictionary attack” that doesn’t make you right. Explain yourself, because if I’m wrong I’ll admit it.
>>
>>71394387
It's a troll. Every time this comic is posted people will come in and pretend to be retards who just spout "dictionary attack" over and over again because it's fun watching people getting riled up over it and angrily explaining over and over again that dictionary attacks are already accounted for in this analysis and aren't magic bullets that work whenever words are involved.
The first few times it was posted, there were legitimate retarded skids who decided to run their mouths about dictionary attacks to look like they knew something. Each time it was posted, some new skid would show up and be reliably yelled at. It became a well known way to cause strife to just mention "dictionary attack" at this comic and watch the defenses roll in, so now there's a bunch of trolling about it. You would do well to just ignore it.
>>
>>71394475
I see. Thanks for the heads up.
>>
>>71390726
If you take a dictionary with 100k words and use six words there are 10^30 combinations.
Have fun, script kiddo.
>>
>>71390421
2FA
>>
File: im_with_her.png (44 KB, 740x633)
>>71393273
The concept is still good and he did not come up with it, even though you are right about him. Randall Munroe is his name
>>
>>71394475
Dictionary attacks aren't accounted for in the reddit comic, though? Without further steps the first password is actually magnitudes better, so the redditor is giving bad advice.
>>
>>71394828
But while cracking the first password would take me a couple of hours, the second one he recommends would take 3 seconds, so how is it good advice?
>>
>>71394273
>>71394345
20 seconds are over guys. What gives?
>>
bash script makes a random string and puts it in a database.
>>
>>71394910
Gotem.
>>
>>71394851
Explain how diceware would take you less time than say, a 12-letter password
>>
>>71394961
But the plebbit cartoon doesn't say anything about diceware. Maybe you should send him a mail or something and tell him to expand on his advice, because as it stands it's terrible.
>>
File: 1200px-Qubes_OS_Logo.svg.png (51 KB, 1200x1290)
>>71390733
Yes
>>
>>71395056
Virtualisation does not mitigate these vulns. Zombieload has a nice demo of tor browser running inside qemu getting pwned.
>>
Passphrases for Google and my password manager. Everything else is randomly generated. Just use Bitwarden
>>
>>71394961
Posted this in haste so you have time to explain, meanwhile I am explaining why you are wrong.

The normal English keyboard has about 100 symbols. Which means you have base 100.

The English language has about 170k words which makes it a base 170k. Now this is what the comic is describing and in theory it works well, but in practice not so much as this has the problem of psychological algorithms where dumb people choose related words like "beautiful ocean sea beach".

There comes diceware with only 7776 words selected, base 7776. The wordlist is completely public and you have to choose the words at random. The entropy is completely calculated on the premise that everyone uses that algorithm and the attacker knows this.

So, let's calculate:

10 letter password: 100^10 =
100000000000000000000

6 words diceware: 7776^6 =
221073919720733357899776

This is easier to remember because there is actually not much difference in the ability to remember between one of 100 symbols and a normal word. So you only have to remember 60% and with every new word or from choosing from a bigger wordlist you are not losing much in terms of being able to remember something. Additionally you can literally salt it with your birthday or something to make it infinitely harder as you go outside of diceware.


>>71394994
>Hey Randall, could you please make 23 additional pages so you can get it perfectly right and even the last autist exactly understands
The comic wants you to learn what already exists so you can educate yourself faggot. It may be fucking plebbit, but your attack on it is from the complete fucking wrong angle you dumb shit.
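An added worked calculation, not written by any poster in this thread, that puts the numbers argued over above into code: the diceware and keyboard arithmetic in this post, the comic's 1000 guesses/s figure, and the earlier exchange about a 20-second PBKDF against a million concurrent workers. The scheme list and attacker rates are constructed for illustration; the only real inputs are the pool sizes the thread itself quotes.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from a pool.
    A word drawn from a word list and a character drawn from a symbol set are
    the same kind of pick; only the pool size (and so log2 of it) differs."""
    return length * math.log2(pool_size)


def keyspace(pool_size: int, length: int) -> int:
    """Number of candidates an attacker who knows the scheme must consider."""
    return pool_size ** length


def stretched_rate(seconds_per_guess: float, parallel_workers: int) -> float:
    """Guesses per second against a key-stretched hash: each worker spends
    `seconds_per_guess` per candidate, so N workers manage N / seconds_per_guess."""
    return parallel_workers / seconds_per_guess


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case (whole keyspace tried) at a given guess rate, in years."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


# Constructed scheme list: (pool size, number of picks), mirroring the thread's figures.
SCHEMES = {
    "4 words, 2048-word list (the comic's 44 bits)": (2048, 4),
    "4 words, 2000 common words": (2000, 4),
    "4 words, 171,476-word dictionary": (171476, 4),
    "6 words, diceware 7776": (7776, 6),
    "10 chars, 100-symbol keyboard": (100, 10),
    "2 words, 10,000-word list": (10000, 2),
    "6 random lower-case letters": (26, 6),
}

# Constructed attacker profiles: the first is the comic's figure, the last is the
# thread's '1 million concurrent attempts at 20 s each' against a PBKDF.
ATTACKERS = {
    "online, 1000 guesses/s": 1000.0,
    "offline, fast unsalted hash, 1e10 guesses/s": 1e10,
    "offline, 20 s PBKDF x 1e6 workers": stretched_rate(20.0, 1_000_000),
}


def crack_table() -> dict:
    """Years to exhaust each scheme's keyspace under each attacker profile."""
    table = {}
    for scheme, (pool, length) in SCHEMES.items():
        bits = entropy_bits(pool, length)
        table[scheme] = {"bits": bits}
        for attacker, rate in ATTACKERS.items():
            table[scheme][attacker] = years_to_exhaust(bits, rate)
    return table


if __name__ == "__main__":
    for scheme, row in crack_table().items():
        print(f"{scheme}: {row['bits']:.1f} bits")
        for attacker, years in row.items():
            if attacker != "bits":
                print(f"    {attacker}: {years:,.4g} years")
```

The table shows why both camps can quote "real" numbers: the same 44-bit passphrase is centuries of work at the comic's online rate and under an hour against a fast unsalted hash, and key stretching moves the offline rate back toward the online one without changing the keyspace.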
>>
>>71395185
>The comic wants you to learn what already exists so you can educate yourself faggot. It may be fucking plebbit, but your attack on it is from the complete fucking wrong angle you dumb shit.
Well, he should mention that you need additional steps to make his advice secure. Wouldn't have to be 23 pages. A single sentence would do. It's mostly retarded normalfags who read his retarded comic, so they are going to take his advice as it stands and think they're more secure when in reality they just made themselves about 1000 times more insecure.

Not adding a tiny disclaimer "ATTENTION! DO NOT TAKE MY BAD ADVICE, LOOK INTO DICEWARE FIRST!" isn't just irresponsible, it's downright mean.
>>
>>71395238
Well, fair enough, would make it less shareable though. Don't ask why, this is just normalfag things. Normies are fucking disgusting and I am saying this as someone who makes his livelihood with marketing.
>>
>>71393530
>saving the decryption password on the encrypted drive

state of /g/

sage pls
>>
>>71390421
both kinda
I take a sentence and write down the three first letters, the example would be
corhorbatsta
Then i just arbitrarily decide to change some of the letters into a random number/sign that works for me
c9rh9rbatsta
Then i decide that all occurrences of one letter should be capital, i usually never have the first letter as a capital.
And my password would be
c9rh9rbaTsTa
This would be accepted in almost any password rule set, and it's not just words, plus it's easier to remember, plus you can write down hints like
correct ho ba st
9
T
And people would find the paper and still not be able to guess your password
>>
Word Number Symbol Symbol
Word Number Symbol Symbol
Word Number Symbol Symbol
Word Number Symbol Symbol (unique website salt)
4-10 x 4 bits of entropy per component, remember 4 words, 4 numbers, and a single symbol to break them into sections.


These4##Ducks6##Suck9##Dick8##4chan.org

You can even use the same password over and over as long as you keep the salt unique.
>>
>>71396836
https://www.grc.com/haystack.htm
4.35 hundred thousand trillion trillion trillion trillion centuries
>>
>>71390421
Literally just use lastpass, if i'm going to get botnetted, might as well be comfy
>>
>>71390526
I memorized 500 kanji i can do passwords
>>
How are people not getting that randomly generated dictionary passwords achieve higher entropy per character (if you consider each word a character) than alphanumeric passwords because they pull from a bigger pool? log base 2 (x) and you make x like hundreds or thousands of times bigger per 'unit'.
>>
>>71390421
I use diceware to generate both username and password so I might log in to some site as:
user: AbsurdHonestyParchDateVoltsTell
pass: BetraySalemPathFareHowdyEgret
Then put it all in a password manager. Sometimes I have to sprinkle in a number or special character but works for me and is pretty secure.
>>
>>71390630
There are 100000 commonly used English words. Dictionary attack is only so helpful. Especially if you use camel case and sprinkle numbers and l33t speak.
>>
>>71396997
l33t shit and capitalization doesn't improve entropy nearly as much as just adding another word. dictionary attack programs have cli options to try 1337 and caps shit.
>>
>>71396985
my only issue with true random passwords is that, if you lose the master in some way, you are absolutely fucked. Recommending a password keeper to a normal person is basically dooming them in the future. They will not back up their key repository and eventually lose it. Keeping it in cloud storage is better but that's adding a whole other surface of attack. Relying on a SaaS is just as bad unless they are paying for it and have a warranty.

Unless you're suggesting that you memorize randomly generated passwords for each individual account, which is arguably even worse.

Availability is a very important part of the security model.
>>
>>71390733
Nigger, if getting infected with a meltdown-like zero day to steal your passwords is your threat model you're fucked already
>>
>>71393392
>I hope they enjoy watching me beat my meat.
Based g-man
>>
>>71390421
I just use a password that even I have trouble remembering. I could not log on from my mobile device because I couldn't remember it, but when I sat in front of a keyboard for about 10 seconds and placed my fingers over the keys, it came right back to me.
The most secure password storage: MUSCLE MEMORY
>>
Inserting the odd symbol or two with your dictionary words really does help. Once you start having to number crunch rules in your dictionary attack then even if you use common words that would be found in a small dictionary you can make an attack go from taking 5 minutes to 5 days.
>>71394088
Doesn't work like that obviously.
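An added calculation, not from any poster here, putting numbers on the three positions taken in the thread about symbols and l33t: that crackers' rule lists already cover substitutions, that swapping *every* letter independently turns the search into brute force, and that a repeated separator pattern like c~i~r~c~u~m~s~c~r~i~b~e~ is cheap to remember. The substitution table and the rule-list size are constructed for the illustration, not taken from any real cracking tool.

```python
import math

# Constructed look-alike table for the illustration (not any tool's real rule file).
SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7+", "l": "1"}


def rule_list_bits(n_rules: int) -> float:
    """A fixed list of mangling rules (capitalise first letter, leet every 'e',
    append a digit, ...) multiplies the candidate count by n_rules whatever the
    word length, so it adds only log2(n_rules) bits on top of the word list."""
    return math.log2(n_rules)


def per_position_bits(word: str, subs: dict = SUBS, toggle_case: bool = True) -> float:
    """Bits added when every letter is independently kept, upper-cased or replaced
    by one of its look-alikes. This is the 'swap every symbol' case: the cost grows
    with each letter, which is why the thread says it approaches a brute-force search."""
    bits = 0.0
    for ch in word.lower():
        options = 1 + (1 if toggle_case and ch.isalpha() else 0) + len(subs.get(ch, ""))
        bits += math.log2(options)
    return bits


def separator_bits(word: str, separator_pool: int, same_separator_everywhere: bool) -> float:
    """A separator inserted after each letter of `word`. If the same separator is
    repeated (easy to remember), the attacker guesses it once: log2(pool) bits.
    Only independently chosen separators add log2(pool) bits per gap."""
    gaps = len(word)
    return math.log2(separator_pool) * (1 if same_separator_everywhere else gaps)


def extra_word_bits(wordlist_size: int) -> float:
    """Bits gained by simply appending one more word from the list."""
    return math.log2(wordlist_size)


if __name__ == "__main__":
    print("1024 mangling rules add", round(rule_list_bits(1024), 1), "bits")
    print("one more diceware word adds", round(extra_word_bits(7776), 1), "bits")
    print("per-letter swapping on correcthorsebatterystaple adds",
          round(per_position_bits("correcthorsebatterystaple"), 1), "bits")
    print("one repeated separator from 32 symbols adds",
          separator_bits("circumscribe", 32, True), "bits")
```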
>>
>>71393425
>my working memory is detrimentally poor yet my spatial memory is extremely sharp.
You might want to check out spaced repetition http://augmentingcognition.com/ltm.html
and Dual n-back https://www.gwern.net/DNB-meta-analysis
The first link has the solution to poor long term memory and the second has a somewhat less certain but leading method for increasing working memory. The dual n-back task has been shown by some researchers to have far transfer to other unrelated working memory tasks. Basically, it's the only "brain game" shown to actually work.
>>
>>71393647
I've messed around with the method of loci before but actually implementing it on a complex piece of knowledge gets tedious so I gave up. Does it get easier with practice?
>>
File: 1315677426586.jpg (28 KB, 588x521)
just use the first four words of a song stuck in your head for life
pic related my password sux
>>
>randomly generated long ass passwords for everything
>5 word passphrase with a couple of random symbols thrown in for master key
Feels good to be king.
>>
>>71390421
passphrase for my password manager and ones im forced to memorize
insanely complex 347859347853489 character password for everything else
>>
>>71397037
A normal person only needs their bank account password to be really secure.
>>
>>71393978
Well, you got me there. Can't check more than 100 passwords.
>>
>memorizing your passwords

no.
>>
File: please.png (24 KB, 435x857)
>>71393860
Is this the cutest password?
>>
>>71390421
Eat_a_dick_6969
>>
>>71394123
Moron, dictionary attacks solve for permutations. It will try, nigger, anon and faggot separately and then combine them at some point.
>>
>>71390421
>open text editor
>blindly smash random keys
>adjust size, remove invalid entries
>transcribe to physical paper
>eventually memorize through repetition
Is there any other way?
>>
>>71401021
>post paper transcription
>break out key letter combinations
>fill in the blanks with additional letters to create random gibberish sentence
>create a jingle to the sentence
>hum it to yourself for two days

Remember your passwords upon your death bed and your bratty kids still won't be able to guess them.
>>
>>71401061
>your bratty kids
if there was a chance of this I would abandon anything that required passwords entirely and go live with them and my stocky wife innawoods
>>
Password with lower upper case and number
This thing was suggested by a guy who now regrets saying so, as nowadays password requirements follow it.
He said now length is more effective.
It's also being said that frequently changing passwords makes them difficult to remember and people probably just write them down somewhere.
This is the real threat to security.

So I guess long password with easy to remember phrase is better.
>>
THebeStpaSsPhraSEisonWitHraNdocAPitalIsAtion then your pw manager for everything else
>>
File: 1559927181403.gif (465 KB, 320x180)
>>71395185
jesus christ stop posting
xkcfaggot didn't say anything about diceware nor would it take "23 pages" to explain to retards not to use COMMON words

just kill yourself
>>
>>71390421
>get PhD
>get job working with science team for NASA satellite mission
>work closely with the mission PI (head honcho of a satellite mission)
>this guy literally has the final say on all things on this $120 million mission
>go to a conference one day with him, sitting next to him in the auditorium
>see him enter his password on his laptop
>it's 12345
>I have no reaction pic that accurately conveys my feel for this
>>
>>71401497
he's maxing productivity
>>
>>71390421
bushdidnineeleven
>>
>>71390421
I use my phone number or email depending on how secure I want to be.
>>
>>71390549
>If you use a password manager, you effectively use one password for everything.
But that password never goes online.
>>
>>71390421
>jr*Fj4yK4f2
Used a random password generator years ago to generate that, and have just memorised it. Try cracking that
>>
Passphrases for gpg keys and luks encrypted drives.
Randomly generated passwords for everything else.
>>
>>71390421
I use my families names and birthdays for my passwords. Hasn't failed me yet and keeps me from skipping a birthday
>>
if you actually know your passwords/don't use a password manager then you're a retard. period.
>>
>>71390421
I actually ended up doing a research project on why that comic is wrong for my security course, the gist of it is that the average adult only knows about 20-25k English words, and is immensely likely to pick 2-3 of their words from the top 5K most common passwords in whatever given table you pick, so the overall complexity is correct but there is a useful heuristic for passphrases that absolutely murders their security. If you want to be safe, a passphrase with literally any two numbers or symbols put somewhere will make the heuristic attack infeasible. Also reminder that the FBI networks all of the computers in their field offices together to crack passwords, they can exhaust a 23 character search space in a month for SHA256. 24 random characters is the minimum for gov proof encryption.
>>
File: nedry.jpg (52 KB, 700x372)
>>71399807
yes
>>
>>71390469
>>71391009
>>71391273
The bottom is only hard for machine to guess if you are doing 1k guesses / sec assuming the password is not full words.
If you assume everything is diceware and only guess that, then it's easier to guess.
>>
>what is dictionary attack
>>
>>71403611
>Try cracking that
I dont have to you just gave it to me
>>
>>71403827
>I use my families names and birthdays for my passwords.
this is pretty retarded
>>
>>71393835
If you look at the data on how people construct passwords given current security standards, you aren't selecting random words from a dictionary. The insertion of characters is meant to help you think creatively.
>>
>>71404031
>they can exhaust a 23 character search space in a month for SHA256
source on this? just curious. also i doubt fbi would direct all their resources on someone unless they're a big deal.

also a reminder that it's pretty much guaranteed this thread is being monitored. say hello to 3-letter agencies
>>
>>71390421
I just use 30 symbols long strings that i write down.
>>
>>71399807
225 is my password
>>
I wonder if chinese passwords are harder/easier to crack
>>
>>71390421
Passwords are shit. Unreliable. U2F is cool. Best would be U2F with biometrics (fingerprint) on the U2F device.
>>
>>71406673
no
>>
>>71406673
>biometrics (fingerprint)
Might as well have no password at that point. Biometrics are the opposite of safe. Why is that so? The CCC produced a working fingerprint of the German defence minister years ago just from a press photo where her hand was vaguely visible.
>>
>>71407816
I didn't express myself clearly. The U2F (Yubikey) itself doesn't have its private key based on your fingerprint. It's a traditional U2F, like a Yubikey, or a Feitan, Thetis etc...

However, in order to keep your sister or GF, or roommate, or even a shitty thief from accessing your account, there should be another protection, like a biometric, on the U2F itself. This way you are protected against the vast majority of people, and it's reliable.
>>
>>71407926
Of course, you can combine with a password (2FA).
>>
>>71407926
(there should be another protection, like a biometric, on the U2F itself.)
In order to activate the device.
>>
>>71407926
I know I have a few Yubikeys myself, but my point is biometrics just shouldn't be used anywhere, at least not as a security strategy, because they offer no additional safety proportional to the cost of implementing it, especially when we are talking about a Yubikey with the ability to process biometrics. And honestly for most applications and scenarios any kind of two factor auth that isn't biometrics is more than enough and honestly just should be enforced at this point.
>>
>>71407965
Biometrics are cool, as a low security mechanism that deters 99.9% of the population. I would like to know the proportion of people on /g/ who could quickly and efficiently bypass a fingerprint reader. It's like a screen lock for your android phone. Could the NSA hack it? Most likely. Could the average petty thief do it? Almost sure he can't.
>>
>>71408073
(biometric screen lock for your android phone).
>>
>>71407965
> because they offer no additional safety proportional to the cost of implementing it

In a few years we could have a Yubikey with fingerprint reader (to protect access to the device) for $50.
>>
File: gfYw57t.png (332 KB, 1642x1238)
Good enough.
>>
>>71397897
>start dictionary attack
>gets blocked after 3 failed attempts
>>
>>71393860
shouldn't chinese or indian "words" be top 100 or so considering there are much more chinese and indian than native english speakers?
>>
File: 1493036825332.png (222 KB, 660x931)
I have a fairly simple algorithm that I use to generate passwords, and which I can also recover them from if I "forget" them.
This is mostly used for services that I most definitely don't want to be locked out of like email, >facebook and my password manager vault.
Everything else gets the good old random 20 char password from the password manager.
>>
>>71408073
>I would like to know the proportion of people on /g who could quickly and efficiently bypass a fingerprint reader
Anyone that searches it on google or whatever search engine you prefer for a few minutes. You don't even need a 3D printer you can literally do it with a tube of silicone from the local hardware store and a few hours of work as has been demonstrated countless times.

>>71408100
Well wake me up when we are there then cause right now it's not worth the cost. And even then I think it's not worth it. Personally I'd still opt for the one without fingerprint if it was cheaper.
>>
I just write whatever is around me and what I have on my mind, and keep it on a piece of paper.
So for instance when I finished my english degree my password was "EnglishDegreeUselessCokeCanAndChips"
>>
>>71390421
Why not both like "2 horny women 1 empty cone" why just use words that's just asking for a future quantum computing dictionary attack
>>
>>71408102
which service lets you make 100.000.000 failed password attempts per sec?
>>
>>71408106
>implying password cracking only relates to website accounts
>>
>>71408291
I see you are yet untainted of the shitshow that is the security "standards" on most websites on the internet. Flee anon while you still have your sanity.
>>
>>71408291
Government's secret service.
>>
>>71391009
Being realistic each letter can be caps - so multiply the base 16 bits with two. Two chars of a "random" number at an "arbitrary" position would give about 5 extra bits (ca 2 for position and 3 for the number). 32+5 using his flawed logic.
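A constructed calculator (added here, not any poster's code) for the bit-counting argued over in this thread: entropy of word-list passphrases versus random strings, the extra bits from random capitalisation and inserted symbols, and the worst-case time to exhaust each at the two guess rates posters cite (1k/s and 100M/s). Word-list sizes, the 5K "common words" vocabulary, and the 32-symbol alphabet are assumptions.

```python
import math

# Assumed alphabet and word-list sizes matching the schemes discussed above.
LOWERCASE = 26
PRINTABLE_ASCII = 94     # printable ASCII without space
XKCD_LIST = 2048         # 11 bits per word, the comic's assumption
SMALL_DICT = 10000       # the 10000-word dictionary quoted earlier in the thread
DICEWARE_LIST = 7776     # 6^5 words on a standard diceware list
COMMON_WORDS = 5000      # the "top 5K" pool a human picker tends to draw from


def random_string_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, list_size, random_caps=False,
                    n_symbols=0, symbol_alphabet=32, avg_word_len=6):
    """Entropy of n_words drawn uniformly from a list, optionally with every
    letter's case chosen at random (1 bit per letter) and n_symbols inserted
    at random positions (each adds a position choice plus a symbol choice)."""
    bits = n_words * math.log2(list_size)
    letters = n_words * avg_word_len
    if random_caps:
        bits += letters
    for i in range(n_symbols):
        bits += math.log2(letters + i + 1) + math.log2(symbol_alphabet)
    return bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def compare(guesses_per_second):
    """Bits and worst-case exhaustion time (seconds) for each scheme."""
    schemes = {
        "4 xkcd words": passphrase_bits(4, XKCD_LIST),
        "2 words from 10k dict": passphrase_bits(2, SMALL_DICT),
        "6 random lowercase": random_string_bits(LOWERCASE, 6),
        "3 human-picked common words": passphrase_bits(3, COMMON_WORDS),
        "3 common words + 2 symbols": passphrase_bits(3, COMMON_WORDS, n_symbols=2),
        "3 common words, random caps": passphrase_bits(3, COMMON_WORDS, random_caps=True),
        "6 diceware words": passphrase_bits(6, DICEWARE_LIST),
        "20 random printable chars": random_string_bits(PRINTABLE_ASCII, 20),
    }
    return {name: (round(b, 1), seconds_to_exhaust(b, guesses_per_second))
            for name, b in schemes.items()}


if __name__ == "__main__":
    for rate in (1_000, 100_000_000):   # the two rates posters argue about
        print(f"--- {rate:,} guesses/s ---")
        for name, (bits, secs) in compare(rate).items():
            print(f"{name:30s} {bits:6.1f} bits  {secs / 86400:14.1f} days")
```

The 44-bit comic passphrase takes centuries at 1k/s but about two days at 100M/s, which is the gap between the online and offline cases argued about earlier.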
>>
>>71405223
We had a cyber crime investigator give a career opportunity presentation in class. It's not that they direct all their resources at one guy, they put a bunch of things to crack in a queue and basically just loop through the search space over and over, so they get to work on everything in the queue at the same time and the amount of time to crack is the same regardless of how much is in the queue. I'm pretty sure that's public info somewhere if they were willing to tell a bunch of mouth breather undergrads about it. It was honestly pretty cool to hear about some of the tricks they used to dunk on pedophiles and people who mailed fake anthrax to politicians.
>>
>>71408165
>local hardware store and a few hours of work as has been demonstrated countless times.

As a petty thief, you'll need to make a mold of the user's finger. Might as well put a hidden camera in his living room and broadcast what he types on his keyboard ;-)
>>
File: plains1.jpg (178 KB, 563x598)
>>71391009
>>71390421
>>71391273
retard

>>71390469
>That comic is wrong.

correctanonpostingquality

https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/3/

>Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

>"The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."

>What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

Dictionary will find all
>>
6 word diceware passphrase here

considering 8 words but afraid i might forget them
>>
>>71390433
>when you realize pooword123 is more secure than password123
>>
hunter2
>>
File: image.jpg (389 KB, 1571x1089)
>Two relatively obscure words with a 0 at the end.
>>
File: 1530142667070.jpg (41 KB, 249x249)
>>71393860
>#773
>>
I use made up words and phrases from obscure video games no one played
>>
>>71390469
Yes it is, there's no reason ever to have to "remember" passwords. Use a fucking open-source offline password manager like keepass2 and generate random 128 character passwords (or up to the character limit for whatever password field anyway)

This would be 1000x more secure than fucking "correct horse battery staple", dictionary attacks are sophisticated as fuck and "random" words you think up are not so random at all
>>
>>71410549
Just to clarify, something like "$~C0rR3ctH0rs3b4tTerYS74pLe&$" or using made-up words would be much better but that is not what the comic is saying, it's just saying to use 4 normal words. Words that won't be random because they can't be, if you live near mountains then "mountain" is more likely to be one of the words
>>
>>71397019

What about modifying a word in a way you know but a dictionary wouldn't include?

Like doubleniggerfagget instead of doubleniggerfaggot.
>>
>>71393631
My bank forced me to change my password because it was too long. They now have a restriction that all passwords must be between 8 and 16 characters, no more or less than that.

amazing
>>
>>71411330
You have seen nothing yet. Want a reason to end my suffering? Banks around here have very specific requirements for the online banking login.
5 Characters, Alphanumeric, no special chars, case insensitive.
At least they allowed me to set up 2FA for transactions so people can see me buying 500 dildos but at least they can't send themselves my money. I hate this country so god damn much.
>>
Are there many dictionary attacks with non-English languages?
serious question, seem like it would complicate things.
>>
>>71411433
Honestly just use a password manager and passwords that use the entire UTF-8 character space the chance that your password would get brute forced or dictionaried with that is literally so small you might as well call it non existent.
>>
The trick is to use random nonsense sentence instead.
My keepass database password has 32 letters, some random capitalization and digits.
Very easy to remember.
>>
>>71411455
Yeah but has anyone done that?
For my important passwords I don't use dictionary words, tho I suppose people could get close if they knew any 1 of my other PWs.
Just wondering if using a different language would slow things down.
I've never seen a demonstration with any language other than English and dictionaries compiled from other leaked databases.
>>
>>71393493
>having a fucking emoji in the password
how zoomer do you have to get to do this?
>>
>>71411367
I asked if I could have 2FA and they said no

lmao

fuck I really ought to switch banks
>>
>>71411492
I do that for my servers and really critical accounts.
But yeah if you use a keyboard layout / language with öäüêé etc in it it drastically reduces the chances of your password getting fucked by a dictionary attack.
>>
>>71411505
I have no option for a better bank. They all have retarded security "standards" around here. Only other option would be switch to an all online bank and then I might as well just keep my current shit.
But yours sounds even more nightmarish than mine ngl. Shit like this really makes me wonder how the global payment system hasn't collapsed yet.
>>
>>71390421
I just use "correct horse battery staple" for everything since xkcd showed it to be a better and more secure password than the random letters I was using before.
>>
>>71390433
>attackers try the most common passwords first
>then a dictionary attack
>*then* the brute force begins
>your password is so pathetic that it gets rekt at the very first stage
>>
>>71393814
>Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six
... no.
>>
>>71393866
>btw im retarded if this matters
>>
>>71393866
What if I find GynFhvfSdgbVhjnGGGHhfgbfrgFfg to be memorable? Is that weak?
>>
>>71390421
Not using lheuj. hfcrkflre lkz gfhjlz
>>
>>71393814
first off, dictionary attacks aren't just aardvark... abacus... abandon... etc. a good dictionary attack will check every possible combination as well.

second, nobody bothers brute forcing anything anymore its all just digging passwords out of leaks
>>
>>71393780
My mom uses an all-lowercase password and hasn't had any issues either because neither of you are likely targets of an attack and most websites you use hash passwords, so someone would only get into your accounts by brute-forcing - but again, neither of you are likely targets. That doesn't mean the system you use is any good, just that no one cares about you enough.
>>
>>71414578
need numbers and a symbol
>>
Use one good, long passphrase for your encrypted password manager.
Use your password manager to generate random 20+ letter passwords for each service.

Every other answer is retarded