Password Strength

Passphrases are the way to go. Way harder to crack and infinitely more memorable.

>>59224259
Using a password manager and long, randomly-generated passwords is the way to go.

>>59224287
Well yeah, but with the master password being a passphrase.

>>59223950
last rong tiem

>>59223950
>2017
>not using mashes of verses from 19th Century french occitan poems for passwords...

>>59223950
>not having the account lock after 10 failed attempts

>>59223950
>How long would your passwords and protected keys last under an offline attack?
Infinitely since they wouldn't be able to attack me if I wasn't connected to the Internet

>>59224287
long randomly-generated passwords are meme.

For any reasonable secure passwords, you'd have to either carry the password manager around or in the best way, simply make it easy to remember but hard to guess.

Pass phrases offer the best solution to this problem.

Even as simple as this >>59224379 could be made secure by adding some additional phrases. "MyPasswordsLastRongTiem" would be much secure than shitter like T3st1ng~.

>>59224388
Thanks, I'll add those to our dictionary!

>>59223950
You need at least 50 characters.

50
0

words, spaces, etc. are ok. just make it 50 or more.

>storing passwords with SHA2
maybe if you weren't a complete moron and used a suitable password hashing algorithm, your passwords would take longer to crack.

>>59224690
I have my password manager on my phone, backup my database to my home server. So i do have it on me at all times.

>>59224388
comprehensive dictionaries have every word on wikipedia

>>59223950
>capitalisation doesn't help very much
Wut? Capital letters increase the character space by like 30%.

Oh shit. I just typed in my real password. Am I fucked?

>>59226500
gpg still defaults to sha1 for mangling, as do password databases on sites you use. It all comes down to password strength, even with 64-bit sums like SHA512.
>>59226705
Capitalizing of dictionary words is predictable and adds little overhead to crack.

If you don't have a key length of at least 1024 characters (all, including symbols and accented letters) if various memes then you don't stand a chance for the future

https://password.kaspersky.com/
this is better

File: loss.png (34KB, 426x346px) Image search: [Google]

34KB, 426x346px

;)

>>59226705
Changing "password" to "Password" doesn't help at all because people tend to capitalize dictionary words and dictionary words are very common so they get checked first.

Changing "p3lmo7-pvfsv0n0d" to "p3lmo7-pvfSV0n0d" helps a lot, on the other hand.

>year of our lord 2017
>password systems still only take one input field

>>59227088
Would take only a couples weeks with a couple hundred 10+gh/s dedicated bitcoin hashers.

What about 3 attempt limits and the account locking up?

>>59224690
>"MyPasswordsLastRongTiem" would be much secure than shitter like T3st1ng~.
Citation needed.

>>59226808
No, everything is done clientside. No data gets sent to the server.

>>59224690
>simply make it easy to remember but hard to guess.
This is not possible because human brains work in a very, very, very non-random fashion. When making a passphrase, you're likely to use common English words arranged in a manner that they form an English phrase or sentence. If passphrases become widespread, how many normies who are currently using "Password1" do you think will pick things like song lyrics or the beginnings of famous quotes? It's the same problem that ordinary passwords suffer, where a capital letter is very likely to be at the beginning, a number most likely to be at the end, and so on.

The only way to win that game is to not play it. Deny password crackers their one and only advantage - which is a knowledge of what humans find easy to remember.

Should be using a keyfile and a passphrase. The website should be open about how they store your password and verify how they check your key file.

>>59227258
Stops online attacks (some guy tries to log in to the site with your username and a bunch of different passwords), does not stop offline attacks (some guy hacks the site, steals its password database, and feeds it to a rackful of GPUs running hashcat)

This is also why password reuse is so bad, because if one site gets hacked and your password falls to an offline attack (and most fall very quickly) then he has a username/password pair that he can try on other sites.

>>59227304
Did you even think before making this post?

>>59227403
I did, I have my doubts about whether you did, though.

>>59227260
Consider how you'd go about cracking either password. You would start with the smallest string available and rotate through all character combinations until you solved it. Let's assume that the passwords are "abc" and "ghijkl".

You start cracking with one character strings:
"a": nope
"b": nope
"c": nope
...
"z": nope

None of those worked, so you add a character and go again:
"aa": nope
"ab": nuh uh
"ac": still nothing
...
"zz": nada

Again, you add another character and reset:
"aaa": no
...
"abb": no
"abc": yes!

Let's consider too that each attempt took 1 second. 26 characters in the alphabet would take 26 seconds. Going from "aa" through "zz" would take 11 minutes. Going through "zzz" would take nearly 5 hours. "abc" would be figured out before lunchtime.

But if you keep the pattern going, adding extra character after extra character, it would take you almost a decade to figure out "ghijkl" at that rate

>>59226839
>Capitalizing of dictionary words is predictable and adds little overhead to crack.
Oh i see now, thanks.

>>59227185
>Changing "p3lmo7-pvfsv0n0d" to "p3lmo7-pvfSV0n0d" helps a lot, on the other hand.
Yeah that's what I was saying lol.

>>59224436
>offline attack

>>59223950
>There are USB hashers capable of billions of hashes/s.
How man PBKDF2-sha512 iterations can it do per second? Plain SHA2 should only be used for verifying a file hasn't been altered. It's $CURRENTYEAR for heaven's sake.

So guys, "password" comes up as the #2 most used. What's #1?

Even if all of my accounts get hacked the hacker will get nothing of value and would have literally just waisted his time

>>59229478
'Password1!' to meet arbitrary requirements.

>>59229697
Not everyone does it for the money. Some people are just sadistic.

File: Screenshot_20170304_014859.png (34KB, 640x480px) Image search: [Google]

34KB, 640x480px

fuggg ::::DDDDD

>>59229848
Should've used a passphrase

"Niggerholupsoyousayinwewazkingzandshit"

>>59223950
>Compromise my password by typing into a random text box to see how strong it is

Go Phish somewhere else,billy

>>59230905
You can download the library in your language of choice for offline use.

>>59224287

cat /dev/urandom | tr -dc 'a-zA-Z0-9 !#$%&/.:' | fold -w 30 | head -n 1

and writing it down on the paper is the most superior method.

File: niggap[ass.png (30KB, 1758x779px) Image search: [Google]

30KB, 1758x779px

>>59230693
>Niggerholupsoyousayinwewazkingzandshit
hoily sheet u right

>>59230988
Actually remove blank space from tr -dc characters because it will be confusing. You can also add @<>()[]?*+- and lots of others.

>>59224259
>Way harder to crack
They are exponentially easier to crack than a random password of the same length.

>infinitely more memorable.
Memorizing passwords doesn't scale if you have more than a dozen accounts.

>>59227513

This must be a troll.
password crackers use dictionaries to guess commonly used words

>>59231000
>centuries

Good, can't have niggers going back to be kings.

>dont use an account for a long time
>forget the password

should i finally start using a password manager?

>>59229478
12345 or 123456, most likely.

>>59230988
What is this?

head -c21 /dev/urandom |base64

21 random bytes should do it.

>>59224259
>>59224343
>>59224690
>passphrases meme
Expect when you get hit dictionary attack and find out how easily crackable they are. This exactly why Amazon has stopped using passphrases.

>dictionary attacks
Use multiple languages. Problem solved.

>>59231572
With enough words and a large enough dictionary, dictionary attacks become a non-issue.
Besides, you can still insert a special character, or just a random normal character, within or between words. Or substituting a letter.
Still easy to remember and makes your password a lot better, if you feel passphrases aren't strong enough.

>>59224690
You are not going to remember a new passphrase for each time you need a new account.
One of the biggest dangers is re-using the same passwords. One service could just be stupid enough to save your password in cleartext; or at least in a recoverable form. Or it got hacked to do so. If it then gets compromised it doesn't matter how strong your password was. And if you used it for multiple services, suddenly all these accounts are endangered.
That is where a password manager is superior. You can without much hassle generate a different, secure password each time. If it gets leaked, so what? Someone might have access to that one account, but that's it.

>>59224436
It's an offline attack retard.

>>59227258
Another retard. It's an offline attack.

>>59231572
>dictionary attack
This diceware list
>https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
has 7776 words. If you use 6 random words, that's 7776^6 possible combinations, and, with an average of 12.9 bits per word, 77 bits of entropy. Amazon and whoever else still allow short passwords, and you can bet few people are using truly random passwords of 80 bits of entropy or more. So all you need to do is remember 6 randoms words, and add a single random character for good measure.

File: xkcd.webm (292KB, 908x646px) Image search: [Google]

292KB, 908x646px

Heh

File: Screenshot_20170304-092040.jpg (170KB, 855x1047px) Image search: [Google]

170KB, 855x1047px

>they're not allowed to inject terms associated with hate speech into their dictionary list