Admin
I only have a little over 50, but there is no way I could possibly remember strong, unique passwords for all those sites.
Admin
(KeePassX 0.4.3 on windows for me, along with the mac and droid versions)
357 entries with 44 unique usernames. And yeah, a number of those logins are dead (past jobs, etc)
Admin
Emphasis mine.
Reference: https://www.grc.com/haystack.htm
Section on:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
F0x.....................
PrXyc.N(n4k77#L!eVdAfp9
Too bad my users can't be more like you...
Admin
Takes me months to memorize my number when I get a new one, but only a few days to learn my wife's when hers changes. Difference? I don't call myself nearly as often as my wife.
Admin
To date, the only sites that have given out my password to crackers are Yahoo and Skype (it was the 8-character-maximum-insecure one both times, from 2008 and 2013, respectively).
Then again, apparently my accounts aren't all that high-profile....
Admin
That's another nice thing about using KeePass: my master password is long and ridiculous, but because I use it every time I start a work session that involves logging on to anything, my fingers remembered it quickly and are now not going to let go of it.
I just counted the entries in my database and there are 165 sets of credentials in there. All the passwords are long, machine-generated random, and unique. Some of them get used once per year or less, but when I need them I really need them, and I love knowing that when I do, I'll just have them.
I also used to do the tiered-security-level shared password thing across multiple sites. IIRC it took me two years after finding out that password safes were a thing before I committed to using one. I have never had cause to regret it since.
Admin
:+1: I don't remember if it took me two years, but it was definitely a while, and it was reading about security :wtf:s here that convinced me.
Admin
zxcvbn rates the estimated crack times for those two as "instant" and "centuries" respectively.
Admin
interestingly..... https://howsecureismypassword.net/ rates
at 50 octillion years and at 30 octillion years..... :wtf:
Admin
That's because you don't mess with the Fox!
Filed under: May be prudent to leave the hedgehog alone too.
Admin
I see your ASCII delimiter-separated file and raise you an EBCDIC fixed-width file with 4 bytes for each password.
Admin
https://imgs.xkcd.com/comics/security.png
Admin
It seems to me that the scenario outlined* in this cartoon is many orders of magnitude less unlikely than the one where somebody finds their way into my Dropbox and decrypts my passwords database without my knowledge.
howsecureismypassword.net is probably using a naive estimator based on nothing more than length and detected alphabet size. Corresponding estimates from zxcvbn, which also attempts to model the effects of dictionary and pattern attacks, are 24 seconds and 1.4 octillion years respectively.
I am completely unsurprised to see Steve Gibson making recommendations based on a relatively shallow understanding of his claimed field of expertise. That man is a walking demonstration of Dunning-Kruger.
*see what I did there?
Admin
Somehow, I don't think two words is a very secure password.
Seriously? A correctly-spelled one-word password takes over 10^69 times the age of the universe to guess?
Admin
I just know I'm going to regret asking this question.
Does lojban permit the construction of compound words of arbitrary length? If so, then your single word example is probably best thought of as a passphrase. Also, zxcvbn probably doesn't include a lojban dictionary, so its entropy estimate of 303 bits is probably a little generous. Here's an English passphrase of similar length for comparison purposes:
Admin
Yes, but jbojevysofkemsuzgugje'ake'eborkemfaipaltrusi'oke'ekemgubyseltru is in the dictionary.
Admin
General principle: using any kind of pattern to generate your passwords will vastly reduce their expected crack times. For any given password length, the output of a CSPRNG will be far stronger than anything a human could generate unaided.
Admin
I have a password consisting of four uncommon words (>5 letters each) that I use for Google, combined with 2-factor authentication. Everything else is either 63 random ASCII printable characters or as many of them as I can get the form to accept and is remembered by Chrome.
Admin
Just not in zxcvbn's; which goes to show that password strength estimators are only ever really useful for telling you that your password might be unexpectedly weak. If you want strong, you really do have to rely on raw length and the soundness of your RNG.
I am quite sure that somebody will end up paying the smartarse tax for this one too:
Admin
lojban has more entropy than Welsh?
Admin
Once your password is being attacked by an instance of John the Ripper incorporating both Welsh and Lojban dictionaries: not noticeably.
Admin
MOST SECURE PASSWORD EVER
Admin
Related anecdote: I was at a bank today and the banker insisted that I should put a "security question" on my account just in case I needed to withdraw money by phone. Why is it that the system handling the entire world's wealth is many orders of magnitude less secure than the system handling video games and conversations between nerds?
Admin
Banks have no interest in security beyond pricing the aggregate effect of breaches to an acceptably low level. Nerds care more about means than ends; for nerds, security is a branch of aesthetics.
Admin
Someone try to crack password "Dot............doT" (there is 12 "." in between)
Admin
zxcvbn analysis:
Admin
TRWTF is changing your phone number so often it becomes a problem. I've had the same number I got when I was 16 and I've changed providers a couple of times since.
Admin
Is "Tsaukpaetra" the 8 or 9 character one? :trollface:
Admin
Thanks.
I heard each punctuation mark is treated as a separate entity when performing dictionary attacks, and therefore will create trouble for them. Guess this way is no longer good enough.
How about non-English passwords? "鑫森淼焱垚"
Admin
match sequence:
'鑫森淼焱垚' pattern: bruteforce entropy: 25.22197059679227 cardinality: 33
Admin
Nice. Thanks.
I've got easy-to-remember password that seems to be secure, do I win a prize? :stuck_out_tongue:
password: q.w.e.r.t.y
entropy: 59.3
crack time (seconds): 35494227657132.74
crack time (display): centuries
score from 0 to 4: 4
calculation time (ms): 0
Admin
Only for the anally-retentive. Beware!
Admin
Reading the introduction page there...
Btw, most password checkers see "correcthorsebatterystaple" as a weak password because it fails a dictionary attack pretty easily. By tokenizing the string, it gives 4 elements only, and surrenders in (171476 ^ 4) attempts over a common dictionary attack.
Admin
And to the other poster, yammering on about having the same number since the age of 16, that's nice, but some of us are old enough (and have moved internationally enough) that this wouldn't work.
I was 16 in 1982, ffs, and I don't recall there being any "carry your phone number around with you forever" services in 1982, and if there were, they wouldn't have allowed me to keep a number across an international move, which I've done twice since then.
Admin
Aliens from the planet we come from.
Btw, thanks for sharing your Internet with us.
Admin
71828182845904523536028747135266249775724709369996
is considered extremely secure by some online checkers and extremely weak by others. But only because there are only numbers in it, not because it is the first 50 decimals of one of the most used numbers in the world.
2.71828182845904523536028747135266249775724709369996
is about the same.
Admin
If you thought i<3tswift was the joke, you should google for hunter2 and update your meme-knowledge.
Admin
To be fair, i<3tswift is definitely a joke.
Admin
But definitely a rather safe password for nerd usage, nevertheless.
Admin
You are aware that that is (just under) 10^21, yes? At 10^12 tests per second (i.e., a big cluster of ~~zombies~~ machines dedicated to beating this one password) the expected time to crack it is 15 years. Your laundry list is going to be safe…
Admin
To be fair, the expected time to crack this particular passphrase is probably a nanosecond...
Admin
Well, slightly longer. They'll probably check "password" and "hunter2" first…
Admin
Actually, most password strength estimators severely down-rate correcthorsebatterystaple for no better reason than that it contains nothing but lowercase letters; you can verify this by observing that a truly strong password like kfczpxudhkmwtwyehgngnaxpu scores a similarly low rating from the same estimator.
The zxcvbn estimator correctly treats it as more likely to fall to a dictionary attack than anything else, and estimates entropy accordingly. Scroll down on the demo page and you'll see both the xkcd passwords analyzed under "Examples".
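The three points made in this thread about estimators (the howsecureismypassword-versus-zxcvbn comparison of the two GRC passwords, the tokenization of "correcthorsebatterystaple" into four dictionary elements, and the observation that a length-only checker rates it the same as a random lowercase string) can all be reproduced with a small estimator in the spirit of zxcvbn. The code below is an added example, not code from the thread and not zxcvbn itself; its word list, the frequency ranks, the symbol alphabet sizes and the guess rate are constructed for illustration.

```python
"""Naive vs pattern-aware password strength estimation (added example).

A toy estimator in the spirit of zxcvbn: the password is split into
dictionary words, repeated-character runs and leftover brute-force chunks,
and the guess counts of the pieces are multiplied. It is compared with the
alphabet^length figure that length-only checkers use. The word list, its
ranks and the guess rate are constructed for the example.
"""
import math
import string

GUESSES_PER_SECOND = 1e10  # constructed assumption: one offline GPU rig

# Constructed frequency ranks (rank r ~ "the attacker tries it as guess r").
# Real estimators carry ~10^5 ranked words; these values are illustrative.
WORD_RANK = {
    "password": 2, "qwerty": 4, "never": 300, "hunter": 900, "fox": 1200,
    "correct": 1500, "horse": 2000, "forget": 2500, "dot": 3000,
    "battery": 4000, "staple": 8000,
}
SYMBOLS = set(string.punctuation) | {" "}  # 33 symbols, zxcvbn's count


def alphabet_size(text: str) -> int:
    """Size of the smallest 'keyboard alphabet' that covers every character."""
    size = 0
    if any(c.islower() for c in text):
        size += 26
    if any(c.isupper() for c in text):
        size += 26
    if any(c.isdigit() for c in text):
        size += 10
    if any(c in SYMBOLS for c in text):
        size += 33
    if any(ord(c) > 127 for c in text):
        size += 100  # crude allowance for non-ASCII scripts
    return max(size, 1)


def naive_guesses(pw: str) -> int:
    """What a length-times-alphabet checker assumes the attacker must try."""
    return alphabet_size(pw) ** len(pw)


def tokenize(pw: str) -> list:
    """Greedy left-to-right split into (kind, text) tokens."""
    tokens = []
    i = 0
    while i < len(pw):
        # Longest dictionary word (case-insensitive) starting at i.
        word = next((pw[i:j] for j in range(len(pw), i, -1)
                     if pw[i:j].lower() in WORD_RANK), None)
        if word:
            tokens.append(("word", word))
            i += len(word)
            continue
        # Run of one repeated character, length >= 3.
        j = i
        while j < len(pw) and pw[j] == pw[i]:
            j += 1
        if j - i >= 3:
            tokens.append(("repeat", pw[i:j]))
            i = j
            continue
        # Otherwise one brute-force character; adjacent ones are merged.
        if tokens and tokens[-1][0] == "brute":
            tokens[-1] = ("brute", tokens[-1][1] + pw[i])
        else:
            tokens.append(("brute", pw[i]))
        i += 1
    return tokens


def token_guesses(kind: str, text: str) -> int:
    if kind == "word":
        # The word's rank, doubled if capitalisation has to be guessed too.
        return WORD_RANK[text.lower()] * (2 if text != text.lower() else 1)
    if kind == "repeat":
        # "Which character, repeated how many times": alphabet x run length.
        return alphabet_size(text[0]) * len(text)
    return alphabet_size(text) ** len(text)


def pattern_aware_guesses(pw: str) -> int:
    return math.prod(token_guesses(k, t) for k, t in tokenize(pw))


def crack_seconds(guesses: int) -> float:
    """Expected time: on average the attacker finds it halfway through."""
    return guesses / 2 / GUESSES_PER_SECOND


def report(pw: str) -> dict:
    return {
        "tokens": tokenize(pw),
        "naive_guesses": naive_guesses(pw),
        "pattern_guesses": pattern_aware_guesses(pw),
        "naive_seconds": crack_seconds(naive_guesses(pw)),
        "pattern_seconds": crack_seconds(pattern_aware_guesses(pw)),
    }


if __name__ == "__main__":
    for pw in ["F0x" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9",
               "correcthorsebatterystaple", "kfczpxudhkmwtwyehgngnaxpu",
               "Dot" + "." * 12 + "doT"]:
        r = report(pw)
        print(f"{pw!r}: naive 2^{math.log2(r['naive_guesses']):.0f}, "
              f"pattern-aware 2^{math.log2(r['pattern_guesses']):.0f} "
              f"({r['pattern_seconds']:.3g} s)")
```

Run as a script it prints both estimates for the passwords discussed in the thread. The naive figure rates the 24-character "F0x" password above the 23-character random one and gives "correcthorsebatterystaple" exactly the same score as "kfczpxudhkmwtwyehgngnaxpu" (both 26^25); the pattern-aware figure collapses the fox to a three-character brute-force chunk plus a repeat and the xkcd passphrase to the product of four word ranks, while leaving the two random strings at their full brute-force cost. The numbers themselves depend on the constructed ranks and should not be read as zxcvbn's.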
Admin
password: neverforget13/3/1997
What happened on Smarch 3rd 1997?
Admin
I dunno, pastille day or some bullshit.
Admin
Kids these days, sheesh!
Filed under: Get off my lawn!
Admin
Regarding this, if the attacker has that many machines on hand, he can just build a precomputed hash network and send any password he harvested to the zombie that holds the corresponding hash to that segment.
Not sure how it can be done, but with Google's search speed for 4 words query, if someone does it in the right way, I assume it's going to be fast.
Admin
You might want to read up on salting, which exists specifically to make precomputed hashes useless.
Admin
There's a finite number of possible passwords that will fit in memory, even with salts added on. You just need a larger password database. Once you have a password for each hash, you've won.
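The salting point made two posts up can be shown concretely. The following is an added example, not code from the thread: a constructed wordlist is hashed once into a lookup table, which recovers a password from an unsalted SHA-256 store in one dictionary lookup but finds nothing in a store that mixes a random per-user salt into PBKDF2-HMAC-SHA256 (stdlib `hashlib.pbkdf2_hmac`), so the attacker has to redo the whole wordlist for every salt. The wordlist, the fixed salts and the iteration count are assumptions of the example.

```python
"""Why a precomputed hash table fails against salted hashes (added example).

Constructed wordlist and salts; SHA-256 stands in for the fast unsalted
hash, PBKDF2-HMAC-SHA256 for a salted, deliberately slow password store.
Not code from the thread.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for an attacker's wordlist.
WORDLIST = ["password", "hunter2", "qwerty", "letmein",
            "correcthorsebatterystaple"]
PBKDF2_ITERATIONS = 100_000  # assumption; tune for your hardware
SALT_BYTES = 16


def fast_unsalted_hash(pw: str) -> str:
    """An unsalted, fast hash: the same password always gives the same digest."""
    return hashlib.sha256(pw.encode()).hexdigest()


def precomputed_table(wordlist) -> dict:
    """Built once, reusable against every unsalted store: digest -> password."""
    return {fast_unsalted_hash(w): w for w in wordlist}


def lookup_precomputed(table: dict, stored_digest: str) -> Optional[str]:
    """O(1) recovery when the store is unsalted."""
    return table.get(stored_digest)


def store_salted(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt mixed into a slow KDF; the store keeps (salt, digest)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(pw: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def kdf_calls_to_match(wordlist, salt: bytes, digest: bytes) -> Optional[int]:
    """Work that must be repeated for *each* salt: number of KDF calls until
    the stored digest is reproduced, or None if the wordlist lacks the password."""
    for n, w in enumerate(wordlist, start=1):
        if verify_salted(w, salt, digest):
            return n
    return None


def table_entries_to_cover(wordlist) -> int:
    """Entries a precomputed table would need to cover every possible salt."""
    return len(wordlist) * 256 ** SALT_BYTES


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted store:", lookup_precomputed(table, fast_unsalted_hash("hunter2")))
    salt, digest = store_salted("hunter2")
    print("salted store, table lookup:", lookup_precomputed(table, digest.hex()))
    print("KDF calls for this one user:", kdf_calls_to_match(WORDLIST, salt, digest))
    print("table entries to cover all salts:", table_entries_to_cover(WORDLIST))
```

With a 16-byte salt the "larger password database" suggested above would need the wordlist multiplied by 2^128 entries, which is the point of salting: the precomputation cannot be shared across users, and the slow KDF makes each per-user recomputation expensive as well. Two users who pick the same password also end up with different stored digests, so one cracked account does not reveal the other.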