
>enter 38 character password >sorry, your password must


Thread replies: 66
Thread images: 9

File: password_strength.png (91KB, 740x601px)
>enter 38 character password
>sorry, your password must be at least 8 characters long, and must contain at least one capital letter and one number

When will this meme die?
>>
>>58094412
what's worse is that my work specifies that passwords have to be EXACTLY 8 characters

fucking dumbasses
>>
>>58094515
Are you kidding? Who came up with that idea? Some manager?
>>
File: 1459964491546.png (7KB, 420x420px)
>>58094515
>tfw I'm the one who decides password length
>>
>>58094412
same with password managers

>yes I totally think it's a good idea to not know a single one of my own passwords for anything and to rely on some program that's only available on (some of) my personal devices to be able to log in to anything

why is every single person but me on this damn earth too retarded to use pattern passwords?

>pick 1 base pattern, a short phrase or set of words with some numbers and other stuff that you can easily remember
>title and keywords/numbers/etc from your first favorite videogame or a movie or something
>"SwallowsFlyOnMay5...If'Robots'Die"

>maybe pick a few of different length to have different "security levels"

>add initials of whatever it is you're making a password for
>"SwallowsFlyOnMay5...If'Robots'Die_4C"

>different password for every single thing you need to make a password for
>only need to remember as many passwords as you have security levels (1 low 1 high recommended)
>mass-cracking computers won't realize it's a pattern (if they can even get the plaintext at all) so as long as nobody is going after you personally and an actual human doesn't see the plaintext your other pattern passes won't be cracked

This has the advantages of both worlds and only a fraction of the risks
>>
>>58094515
We used to have the same thing but the password was generated for us, automatically.
It consisted of two four-letter English words. Apparently, there are thousands of these combos. One guy was gleefully telling everybody his was pinkfrog. How decadent.
You have to wonder how a dictionary attack would go.
>>
File: 1476299310026.gif (1MB, 330x312px)
>>58094515
>>
>use same password for everything because it's easy to remember
>some logins force me to change password to include stupid numbers and symbols
>end up forgetting my password for fucking everything every time I log into something where my computer hasn't saved my info because I can't remember what login uses what numbers and symbols

JUST LET ME USE MY SIMPLE EASY TO GUESS PASSWORD, NOBODY WANTS TO HACK INTO MY SHIT AND READ MY SPAM MAIL
>>
>>58094412
Who fucking cares.
>>
>>58094568

Maximum password length should be infinite. Zero limits whatsoever. They're all the same length when stored as salted hashes anyways.
>>
>>58094412
this is a bullshit meme.

there is more keyspace in running a hash like the first word than there is on the second.
>>
Just let your password manager take care of that.
>>
File: 1478811057258.jpg (83KB, 957x621px)
>>58094724
If one of your passwords was compromised your entire pattern would lose its purpose.

>hurr I will out smart a program that generates secure passwords
pic related is you
>>
File: qrewr.png (81KB, 409x406px)
>Enter 128 char long random password
>Accepted
>Try to login
>fail
>wtf?
>password was clipped to an unknown number of characters
>>
>>58099926
>as you type the newest character you entered replaces the last
>>
>>58099814
Ditto.
Do you trust all your data from every website you've used in the hands of a single site that probably won't even disclose the fact that passwords were leaked in the event of a hack?

Semi-Local solutions make sense but you'd be pretty damn fucked if someone found an exploit.

I think the brain is pretty versatile. It's not impossible to make a pattern that's easy to remember for you but impossible or difficult for a person or machine to guess.
>>
>>58094412
>xkcd never heard of dictionary attacks
>>
>>58100402
>implying I'm not mixing English, Japanese and French plus a fictional character's name in my passwords
>>
>>58100402
>not mixing few languages, random numbers, and spelling mistakes
good luck cracking that
>>
>>58100427
>>58100446
Are you the guy behind xkcd, or why do you feel addressed?
>>
>>58099627
>1GB file as password
>>
>>58099627
No, because as password length increases, the size of the web request increases too. A limit of 10,000 chars should be reasonable for bandwidth purposes.
>>
File: b23.png (473KB, 600x706px)
>>58094412
>4 words from dictionary
>>
>>58100470
This doesn't excuse setting the cap anywhere below 60 characters or so.
>>
>>58100541
Agreed
>>
File: 1462293161301.png (366KB, 530x633px)
>>58094724
>>yes I totally think it's a good idea to not know a single one of my own passwords for anything
What's wrong with that? Computers are good at remembering things. I can back up my password manager in a dozen different places.
And don't forget the main way in which passwords fall to cracking attacks after database leaks is because the password crackers know a lot about how humans choose passwords, and try those patterns first. If I didn't come up with it, and it's just something spat out by /dev/random, it won't have that problem.
>and to rely on some program that's only available on (some of) my personal devices to be able to log in to anything
Well you need to be on a device to log into something, so you might as well store passwords on a device, given that we have nice password managers that take care of encrypting them and protecting them for you. If you don't trust the device to run your password manager, why are you logging into something on it?

>This [pattern passwords] has the advantages of both worlds and only a fraction of the risks
You're objectively wrong.
First, there's a pattern. At all. All the password-cracking wizardry today is based on the fact that human brains like patterns and find them easy to remember. Random data is objectively more secure.
Second, how do you know a human won't look at your passwords and look for the pattern? Cracked password lists do turn up for sale on darknet markets. Why take the risk when it's trivial to protect yourself against it with a password manager?
Third, you haven't solved the remembering problem, just reduced it.
>"Crap, does this website use my high security, medium security, or low security pattern?"
>"Wait, what were the characters I tacked onto the pattern for this site again?"
>"Do I even have an account here?"
>"Fuck, what did I answer for the secret questions?"
>>
I tried the random word method with "nigger faggots suck dick" and my account got hacked anyways.
>>
>>58094412
>>58094515
PeopleSoft?
>>
>>58094556
My guess is it's running something on legacy unix, which had an 8 character limit.
>>
>>58100402
Those numbers assume the best possible attack, which in this case would be a dictionary attack. See
https://tgad.wordpress.com/2013/09/18/what-is-entropy/
for the math.
>>
>>58100470
An alternative is to hash both before and after the request, so that everything is truncated down to the same size before it's sent. This also allows you to do fun things like using the same password for login credentials and client-side crypto, if you use a good enough KDF/hashing algo before it's sent and use different salts.
>>
>>58100793
Jesus christ that thing is so fucking garbage
>>
The Australian Government mandates that all passwords for Centrelink (Poor/NEETbux) are exactly 8 characters long, containing at least 4 numbers and are case insensitive.

If you crack someone's password you can get access to their MyGov account and from it view all their tax information they've ever submitted online, you can find their Tax File Number (Equivalent of Social Security Number), you can view all the payments the government makes to them, and find out their bank account number and information.

The Australian Federal Government ladies and /g/ents
>>
>>58094412
>not using a password manager
i shiggy diggy
keepassx dot org
>>
if you intentionally fuck up typing the words it works
>>
>>58100495
There are 171,476 words in a complete dictionary. The combinatorics of combining words into passphrases is far more complex than combining 26 letters, 10 digits and a handful of symbols.
>>
>>58101501
>all eggs in one basket
>>
>>58101901
Only if you have an unlimited number of characters. You don't.
>>
>>58101901
Granted that you are not choosing common dictionary words. Using an unmodified combination of words leaves you vulnerable to a dictionary attack.
>>
>>58098603
Want to find out?
>>
http://world.std.com/~reinhold/diceware.html
https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
>not using diceware
>>
>online banking service i use accepts my 8 letter babby tier password
>ebay needs 8 letters minimum, a symbol, a number, a capital and it needs to be written in blood
so fucking stupid, at least it allowed Killniggers2016!
>>
>>58094724
Kid, you obviously haven't been in the real virtual world long enough to realize your "carefully" thought out plan is a failure. Just look at >>58094515 . Suddenly you have to make exceptions, then more exceptions, then even more exceptions...

Besides, if you're using a password manager that isn't available on all your devices, then you haven't looked past the first result on google.
>>
>gee i better make a real secure password so the big bad computa hackers cant decipher it!1!1111
this is how deluded u fuckheads are, noone gives a shit about your sofurry.net password
>>
File: 1482269481870.gif (141KB, 640x480px)
>>58094412
who needs passwords?
>>
>>58102213
No, you don't seem to understand the math here. All words must be chosen at random, with each word having equal probability. If you do so, then you end up with something like 12 bits of entropy per word, which is about twice that of a randomly selected character (again, assuming each character has equal probability), and about 10 times as much per character when a human is selecting them. This is not debatable, if I selected 8 words from the diceware table using perfect dice, no computer that is built in this universe could have the computational power necessary to guess it.
>>
>>58103802
Actually, just checked my math. 8 words is enough for our lifetimes (most likely), you would need closer to 15 words to get into "physically impossible" territory.
>>
>>58100807
You mean like something from the 1970s?
>>
>>58103894
I'm not sure of the exact years, I just know that a lot of software with extreme legacy support will do this. Banks are notorious for it, they don't want to update their software because it works and upgrades could break things so they just hash things down to 8 characters behind the scenes (the worst ones will actually just truncate). It's better than it used to be, but you see it pop up every once in a while.
>>
>>58103894
here's more details:
https://en.wikipedia.org/wiki/Crypt_%28C%29#Traditional_DES-based_scheme
>>
File: 1444506308832.jpg (141KB, 680x680px)
>>58099627
>tfw I use a ℵ0 character password and the system hangs until someone reboots it
>>
>>58103955
>using a countably infinite password
scrub
>>
>>58098603
Oh they can do a lot more than just read your email, anon-kun.
>>
>>58100466
>only the first few bytes are recognized
>it's shorter than the minimum password length
>>
>>58099627
Great, now you can DoS using the password field.
>>
>>58104014
we've been over this, hash before post
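
Added example, not part of any post in the thread: a Python sketch of the "hash before and after the request" idea raised earlier and repeated in the post above. PBKDF2-HMAC-SHA256, the salt construction, the `example.invalid` label and all function names are assumptions of this sketch; the thread names no specific KDF.

```python
import hashlib
import hmac
import os

TOKEN_LEN = 32        # every credential on the wire is exactly this many bytes
ITERATIONS = 100_000  # PBKDF2 work factor chosen for this sketch


def client_derive(password: str, username: str, purpose: str) -> bytes:
    """Client side: stretch the full password into a fixed-size value.

    The salt is built from public values (a constructed scheme) so the client
    can recompute it; a different purpose label yields an unrelated key.
    """
    salt = f"example.invalid|{username}|{purpose}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, TOKEN_LEN)


def server_register(token: bytes) -> tuple:
    """Server side: hash the received token again under a random per-user salt."""
    if len(token) != TOKEN_LEN:
        raise ValueError("credential has unexpected size")
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", token, salt, ITERATIONS)


def server_verify(token: bytes, salt: bytes, stored: bytes) -> bool:
    """Reject wrong-sized input before doing any expensive work."""
    if len(token) != TOKEN_LEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", token, salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    long_pw = "x" * 128                      # constructed 128-character password
    login = client_derive(long_pw, "anon", "login")
    vault_key = client_derive(long_pw, "anon", "vault")  # never leaves the client
    salt, stored = server_register(login)
    print(len(login), server_verify(login, salt, stored), login != vault_key)
```

The size check lives on the server because a client can send anything; the client-side hash only guarantees that honest clients never need more than 32 bytes and that no character of a long password is dropped.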
>>
>>58100446
We're talking about the range of 1000 guesses per second and up for three days straight and up, I'm sure there are a lot of ways to narrow down the possibilities a lot by dictionary- and psychological profiles a lot.
>>
>>58104033
>1000 guesses per second
... I have no idea what threat model you're talking about here. That's way too fast for online attacks or keystretched passwords on single thread, and way too slow for offline bruteforce.
>>
I've been using two or three passwords across all kinds of online accounts, and I realize it's not safe at all. I want to change, but I feel like I have a terrible memory and I'll end up forgetting an important password when I least expect to. The random word string sounds interesting, but I'll probably end up using the same four words everywhere.
>>
>>58104060
Use a password manager.
>>
>>58104053
read the fucking thread

it literally starts with a contemplation about the security of 28 bits of entropy at 1000 guesses/sec

jesus
>>
>>58104074
Terrified of forgetting the password to the password manager.
>>
>>58102981
that escalated quickly
>>
>>58104086
You're not being forced to forget all your other passwords. Keep remembering them if you want. The password manager is just there in case you do forget one of them. And you apparently will since you're capable of forgetting the one important password to unlock them all.
>>
>>58104086
Then practice with typing it in like, 5 times a day for a week before you start actually using it for passwords. Trust me, you'll remember a new password (especially a random word one) more quickly than you'd expect, and using unrelated passwords is among the most important things you can do for online security.
>>
>>58100402
>dictionary attacks
they used words as a single element you retard, so yeah, a 4 word is better than a random bullshit 8char that you'll be forcing to memorize

looks like it's you that never heard of diceware
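
Added example, not part of any post in the thread: the entropy arithmetic the thread argues over, counting each randomly chosen word as one symbol the way a dictionary attacker would. The 7776-entry list size is the standard Diceware list; the 95-character pool, the 1e9 guesses/s rate, the tiny word list and all function names are assumptions of this sketch.

```python
import math
import secrets

DICEWARE_WORDS = 7776   # 6**5 entries: five dice rolls select one word
PRINTABLE_ASCII = 95    # symbols available to a random "complex" password


def entropy_bits(pool_size: int, units: int) -> float:
    """Entropy of `units` independent, uniform picks from `pool_size` options."""
    return units * math.log2(pool_size)


def units_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of picks that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days to try every candidate; the average hit comes at half this."""
    return 2 ** bits / guesses_per_second / 86_400


def passphrase(wordlist, n_words: int) -> str:
    """Pick words with the OS CSPRNG; human-chosen words void the estimate."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed 8-word list: only 3 bits per word, so list size matters.
    tiny = ["pink", "frog", "lamp", "dice", "salt", "hash", "moon", "fork"]
    print(passphrase(tiny, 4), f"{entropy_bits(len(tiny), 4):.0f} bits")
    for label, pool, n in [("8 random printable chars", PRINTABLE_ASCII, 8),
                           ("4 diceware words", DICEWARE_WORDS, 4),
                           ("8 diceware words", DICEWARE_WORDS, 8)]:
        bits = entropy_bits(pool, n)
        print(f"{label}: {bits:.1f} bits, "
              f"{days_to_exhaust(bits, 1e9):.3g} days at 1e9 guesses/s")
```

The figures only hold when every word or character is drawn uniformly at random; they say nothing about phrases a person made up.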