Select the best password: nastyvillage7123_# nasty7123_#village+

>>61795071
Trick question.
The wrong option is replying without saging.

>>61795071
2nd one.

>>61795071
>nasty7123_#village+
?

Last

>>61795071
Second one.

>>61795071
Are you asking to pick the stronger password, under the presumption that it needs to endure a brute force attack?
Theoretical models for password strength are largely meaningless. In reality it depends entirely on how the attack is carried out. Using the right dictionary/wordlist can radically cut down on time need to crack a password. No different from fuskering images on a server.

>>61795071
pas$word

File: Untitled.jpg (181KB, 1612x604px) Image search: [Google]

181KB, 1612x604px

3 is better than 2 and 2 is better than 1

proofs

They're all good passwords. Except the last one.
The last password should be upped to 5 words though, and should include uncommon words.

There's no point having a word salad password if you're just going to pick 4 words from a dictionary of 1000 words.

>>61795169
???

The fuck am I looking at

>>61795071
3rd obviously

File: 89e.jpg (31KB, 680x383px) Image search: [Google]

31KB, 680x383px

>>61795169
>4 dictionary words

>>61795182
zipped size

entropy and shit, senpai

>>61795071
they all look pretty strong

but

if they have been reused you're fucked, if that combination exists in pop culture for some reason you're fucked

sage
/thread

>>61795196
>measuring entropy by zipping
Wew.

OP you're a fucking dumb idiot if you think it's 3

>>61795188
Random, unrelated words. It's not dictionary.
Also the attacker wouldn't know you're using 4 words instead a random string. Also you may add a separator (. / * ~) between the words.

>>61795196
I don't have a picture of a facepalm handy but imagine if you will next to my post a picture of picard recursively facepalming straight into oblivion of facepalming

not the 1st - words followed by numbers followed by special symbols is very common pattern
2nd is better
3rd - this is probably not xkcd-style because the 'nasty' and 'village' words are not randomly picked. Anyway I would pick 4 random words over 2 words filled with common patterns.

>>61795230
>Random, unrelated words. It's not dictionary.
Dictionaries are random unrelated words mate.

>>61795220
>>61795235
Prove me wrong.

>>61795258
Prove yourself right, fucker.

>>61795258
existence of dictionary attacks prove that passwords have lower entropy than charset^len

>>61795071
None of them. Why would I use a password that was posted on 4chan?
Also, the 3rd password there isn't even that good. You need to pick very uncommon or even made-up words for those sorts of passwords.
That could reasonably be dictionary attacked.

>>61795250
You don't understand how dictionary works. It doesn't make sense in this case, even if you know the victim is only using words. Unpredictable order, unpredictable separator.

Dictionary attacks are not used to bruteforce a SENTENCE, it uses usual words and names.

>>61795317
Yeah yeah, technically it's called something different to bruteforce a passphrase with a bunch of words from a dictionary. Same shit still, it's like having a 4 digit password, shit sucks.

>>61795345
Could you elaborate?

>>61795345
> it's like having a 4 digit password
But when your alphabet consists of 10K characters.
BTW I wonder how will one bruteforce Japanese/Chinese passwords.

>>61795345
>same as a 4 digit password
Where your abc is way longer than 26

>>61795361
Probably, on what?
>>61795366
>But when your alphabet consists of 10K characters.
Sure, that's implied.

>BTW I wonder how will one bruteforce Japanese/Chinese passwords.
Don't even know how passwords for those really work.
>>61795378
I said digit by the way, not character. So the correct response would be "way longer than 10".

>>61795366
>using unicode characters in pass
Nice meme my friend

>>61795389
>digits can be only base10
But that's wrong, you fucking retard

>>61795392
> Nice meme
https://apple.stackexchange.com/questions/202143/i-included-emoji-in-my-password-and-now-i-cant-log-in-to-my-account-on-yosemite

>>61795411
It's not common to refer to a digit password, and mean something else than base 10. Besides, you'd still be wrong because base 26 isn't something that's used.

>>61795378 >>61795366
While your point is valid, it's linear function for alphabet and power function for length, so on bigger values even one more symbol equals drastic increase of dictionary to achieve same entropy.

>>61795258
I don't think you understand Russell's Teapot do you?

>>61795071
3rd.

More entropy bits since it's the longest. And no, dictionary attacks aren't that sophisticated. Even if they are, it'll still take decades to crack.

>>61795071
>He still believes passwords will save him

>>61795071
the longest one

>>61795110
>>61795122
>>61795147
>>61795228
>>61795287
wrong

>>61795169
>>61795183
>>61795249
>>61795526
>>61795549
right

>>61795071

come on man its /g/

enough of use correcthorsebatterystaple as our su login it aint funny

>>61795568
In principle I agree with the 3rd one, but that is a poor choice of words. They're too commonplace.

Something like "cerebusxanthiancryologytinfoil" would be much better.

>>61795568
The entropy of the second one is better though.

File: 1494584335983.gif (278KB, 280x359px) Image search: [Google]

278KB, 280x359px

>>61795071
No password

Last one

>>61795071
Option D: Lockout after 5 bad attempts

>>61795689
Nobody bruteforces from a login page, it's done with the just the database. So that's not an option.

File: password_strength.png (91KB, 740x601px) Image search: [Google]

91KB, 740x601px

>>61795071
Third one. I, too, read xkcd.

>>61795902
Second one literally has more bits of entropy than the third one though.

>nasty7123_#village+

this one

Remember911

>>61795568
>right

wrong, you're a retard

word passed passwords are really shit

>>61795071
You're a nasty basement dweller trying to sidetrack the masses of /g/ with vague wording

The best password is one you don't share. Your passwords, by definition, are all wrong.

>>61796511
Even if they're all wrong, some are better.

>>61795568
>wrong
you're wrong

Second one: 50^19 big number
Third one: 2000^4 small like ops benis

>>61795071
>I just read that one xkcd comic: the thread

>>61795700
Option E: Self-deleting database

depends on what method the evil person uses to try and crack it

>>61795317
>Dictionary attacks are not used to bruteforce a SENTENCE

but they are

and by using it you are reducing your search space significantly and if you only use words then you will get owned orders of magnitude faster

>>61795071
all of them are shit especially if youre using smth worse than bcrypt with cost 7. and no, third one is not better, the entropy means nothing if i can crack it using english dictrionary set at 4+ words to start.

>>61795366
>BTW I wonder how will one bruteforce Japanese/Chinese passwords.
chinks generally use numbers only

they'll only resort to letters when forced to (and then it's simple english words they know or chinkshit in pinyin because their input methods don't work in password fields)

>>61795071
Couldn't you break the 3rd one in like 4 seconds with a diactionary attack.

StupidNastyVillageDance

>>61795071
All of these passwords are now public and thus insecure.

>>61798653
No.

>not CorrectHorseBatteryStaple

Number 2.

When I used to crack passwords for reasons I can not say, I never did brute forcing, it's a fucking waste of time.
I had a wordlist, and I would use masks.
One of which, I would run the wordlist twice or more to combine words.

So if it took me 2 seconds for the wordlist, it would take, what, 4 minutes for the last one?
If you wanted it to be secure, do the four words, and add padding in the middle of a word.
>muh length

tbqh the mac password generator is top-notch.

typecasts1]cannibalization
cloners144(overcompensatory
steamy2538\monochromaticity

>>61795568
The first two pass a dictionary attack. The third one doesn't.

So stop pretending to know shit about security.

>>61798653
More like 2 minutes.

>>61798847
>steamy2538
And they say mac isn't for homosexuals.

>>61798848
>dictionary attack magically knows all words start with uppercase

>>61799555
Not magically no, just through software. Not that difficult to try words with and without capitalization, it would just take twice as long.

>>61795071
None of them, because you've already posted them on the internet and they're now in some guy's wordlist.

>>61795317
You don't know much of this do you

Objectively any option besides the third one.

I've brute forced numerous passwords similar to the third one. With a good wordlist, it would take under 5 hours.

>inb4 silly physics man meme comic
Yeah nah, you shouldn't base your security decisions on web comics, but rather on the advice of experienced security analysts like myself.

File: 1501254388385.jpg (575KB, 1056x1274px) Image search: [Google]

575KB, 1056x1274px

does uppercase matters? and text with numbers?

I use two types of password:
*name(example) - RebeccaKrelm7
*chip code - EM638325TS

Are they too easy to crack?

>>61801615
Uppercase doubles the amount of tries it needs to do.

Just use 8 asterisks.
If somebody cracks your password, they won't even realize it.

StupidNastyVillageDance because it is the longest

>>61795071
>StupidNastyVillageDance

length is the most important factor

>>61801682
kek

>>61797394
>password breakers
>evil
The'yre not always evil

>>61801615
>giving credit for photo memes

ez pass
veo-4%aAjwHsfam73;#+b

>>61801615
If the case of each letter is chosen randomly, you improve password security; for example, a 10-character password would go from e14 to e17 possibilities. If you use a predictable pattern (e.g. all uppercase, start of each word uppercase) there's no significant difference.

File: le_meme_font.jpg_large.jpg (65KB, 588x328px) Image search: [Google]

65KB, 588x328px

All are terrible passwords.

If you really want a good password then simply choose a word with at least 8 characters and insert symbols between words.

h*o*l*o*c*a*u*s*t* (18 char)
r/a/i/n/b/o/w/s/ (16 char)
c#u#c#k#o#l#d#r#y# (18 char)

Now you suddenly have a strong password very resistant to brute-force and dictionary attacks that are easy to remember.

>1 language password
StüpîdÑãßtyخرا

>>61795071
>they all contain words
they're all shit

>>61801773
So you're telling me

842%a&_#f)w0~33g:8c@6!1

is weaker than

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

>>61801933
And now the "put the same character between each character" is another thing they try for. Good job dipshit.

>>61801933
This is good but even better is if you just make a few characters of mumbo jumbo and then repeat the same word a lot of times, example:

#_$,,applesapplesapplesapplesapplesapplesapplesapplesapplesapples

This is highly uncrackable. and it's easy to remember. Crap + 10x apples

Friendly reminder that self-generated passwords are inherently insecure. Even if you avoid obvious patterns like words, your attempt to randomly mash the keyboard will be nowhere near true randomness. Either use a password generator, or give up and go for password1.

>>61801942
Do password breakers use only english when breaking passwords?

>>61795071
corr3ct h0rs3 b4ttery_st@pLe

>>61801972
Yeah that reduces efficiency of dictionary attack by a ton. There's like hundreds of symbols.

>>61801979
This is what dictionary attacks were designed to crack. Granted this will probably take the longest. I would still recommend just putting a symbol after each letter, much less typing.

List of symbols:

https://en.wikipedia.org/wiki/List_of_symbols

>>61801958
if you are attacking the password knowing nothing about it then yes.

>>61802039
This. If you use anything other than /dev/*random against a given character set, you're an imbecile.

The amount of information you leak about your password habits is very relevant.
Paring down the first password to the different groups of things it is for the entropy 26^12 + 10^4 + 1024(even if i'm an idiot and it's actually * ) is several dozen magnitudes easier than 68^18.

>>61802056
Horrifically bad password.
"letter substitutes" do very little to increase the complexity of an attack.

>>61802056
This is very prone to dictionary attacks.

>>61802072
Try cracking any password with a style like >>61801933

good fucking luck

>>61801958
Technically yeah. A lot weaker, actually.

>>61801979
Even without the crap at the beginning, applesapplesapplesapplesapplesapplesapplesapplesapplesapples is already a really strong and virtually uncrackable password.

>>61802058
It already basically takes forever to crack that but if you want that extra push all it takes to screw up that supposed dictionary attack is to insert a random digit before the last apple. Then it basically takes forever and it's infeasible. Just way too many possibilities to explore.

>>61802077
really depends on the attack ,
>12345678901234567890 (repeated a bunch , im not spam 4chan)
is a very safe pass as no algo will guess a password to be that long , you can also type the word penis 27 times and get the same result

>>61802089
>good fucking luck
Are you retarded? You've just made your method public - it's now trivial for an attack vector to attempt character insertion alongside a regular attack. /dev/*random will be nearly truly random and completely unpredictable besides an assumed or known character set.

Hackers these days dont try to waste their time cracking individual passwords.

They just hack a forum/site and steal all the credentials instead.

The stupidest thing you can do besides having a common password, is re-using the same password for multiple sites.

>>61802181
strong passwords are important for that, too. non-retarded sites only store password hashes.

>>61802211
sure I agree,

But there is hardly a reason to come up with a strong password for your furry fanfiction site

>>61795902
>>61795183
>>61795526
NEVER use actual full words in your password. NEVER EVER EVER. Not even if part of them are capitalised. Not even if you replace some letters with lookalike numbers.

There's a reason the concept of passphrase never took off.

>>61802211
Wait, if they do not store the password itself at any point then how can they even log you in in the first place?

>>61802160
Each symbol decreases the efficiency of a dictionary attack by a factor of 2. There are currently 136,690 unicode characters. YEAH, good luck with that.

http://www.babelstone.co.uk/Unicode/HowMany.html

>>61802160
>thinking the NSA doesn't have access to your /dev/(pseudo)random.

>>61802239
>unicode
>in you passwords
How do you type that?

File: screenfetch.png (49KB, 1142x480px) Image search: [Google]

49KB, 1142x480px

>>61795071
this is a stupid question.
it depends upon the method of attack.

against only a dictionary attack #2 is the strongest becuase it has least dictionary words and most characters

against a full brute force attack #3 is the strongest because it is longest length and will thus take the longest to randomly find.

but the correct answer is this:
>>61795103, implying that the correct answer is to reply and sage

I'm using 4-5 greek words for passwords with spaces in between

good luck brute forcers.

>>61802211
>strong passwords are important for that, too. non-retarded sites only store password hashes.
Unfortunately a lot of sites don't take security seriously, and it can be hard to tell which is which unless you poke around to see what kind of limitations there are on the password.

>>61802239
>>61802258
Also, /dev/*random completely eliminates dictionary attacks. Why are you advocating for insecure and weak passwords? I thought at first it was because you type them out, but given you use bring up non-ascii, you don't. If you don't type passwords, there is literally no reason to shoot yourself in the foot and use your insecure method.

>>61801958
>>61802093
depends upon method of attack to be honest

many dictionary attack files will have an entry for
>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
but not for
>842%a&_#f)w0~33g:8c@6!1

but, a brute force attack that simply tries all possibilities sequentially, without using a dictionary, will crack
>842%a&_#f)w0~33g:8c@6!1
much much quicker than
>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

>>61795071
None of them. All of those options contain dictionary words.

>>61802044
it depends on how their cracking the password.

a dicitonary attack can be in any language or a combination.

a brute force attack can sequentially try streams of bytes, essentially 'counting up' starting at 0, this method doesnt care what language something is in because its not trying specific letters or words, its trying specific bytes

you will crack any password 100% of the time (given enough time) if your passy cracker simply starts at \x00 and counts up to infinity

File: dictionary_attack.png (38KB, 963x516px) Image search: [Google]

38KB, 963x516px

reminder

>>61802398
What if the password happened to be generated randomly, and by chance contained dictionary words?

>>61802258
>go to character map
>copy your symbol and paste in password
WEW
E
W

¡¢£¤¥¦§¨©ª«¬®¯°±23´µ¶·¸1º»¼½¾¿͖͕͔͢͝ΔΣϠϡϢϣ

>>61802343
>insecure
How the fuck is a dictionary attack going to crack a password in time when it has to go through over 100k unicode characters?

Your method is overkill and nobody is going to remember -h'!")@"!8l1,+u_;'9#!"&!$(27493'!'+_8#$?02

>>61795071
>nasty7123_#village+
This one. Anyone who says "StupidNastyVillageDance" is the best should be banned from /b/.

>>61802462
this must be hell to find this character sequence again in character map.

your almost better off converting it to hex and keeping the hex sequence handy

>>61802518
I agree.

anon is better off just keeping passwords as sha sums of the service name salted with a repeated known value such as:

user@Homebase ~]$ echo "ssh +mysalt" | shasum
9fa807da72912db5618f358f8980b7ab1737546b

at least then he wont have to write it down and can easily get the password when needed

>>61802546
This is already somewhat prone to a dictionary attack

>>61801933 is much better

>>61801933
>implying your shit wouldn't get raped by a dictionary attack

Here ya go OP
PhuREepADYgON

Get a fucking password manager

>>61802558
>Somewhat prone to a dictionary attack
No it isn't. It only has two english words in it. Your method is more prone to a dictionary attack due to the fact that it's just a short word with a simple rule. You think "a e s t h e t i c" is a good password?

>>61795071
In a pure brute force attack the final one is the best
In certain mixes of dictionary and brute force attacks the second one is best

>>61802238
they just bcrypt hash what you put in the password field, and if it matches it logs you in

I don't know why you all make it so complicated. Good passwords are easy. For example
G+ood passwords3areE as§y
Bonus points for using a bigger dictionary, like multiple languages and specialized words.

Also, use something like that as master key for a password manager and then generate random passwords for every service. The biggest problem by far is re-using the same password over and over again.

>>61802578
It wouldn't. Too many possibilities. For every word, you now also need to check for all possible symbols in between. This enormously increases the complexity. It's really not trivial because you need to check every possible combination.

>>61802462
This is a very secure password if generated randomly, yes. But so is

MqDpKzwzcd2eG56Z2

which has 96 bits of entropy, sufficient for most cases.
>>61802518
>Your method is overkill and nobody is going to remember -h'!")@"!8l1,+u_;'9#!"&!$(27493'!'+_8#$?02
You use a password manager, you imbecile. If your basing password strength on what you can remember, you're a complete idiot.
>>61802557
Oh look, it's this retard again, who thinks hashing common phrases and strings increases their entropy. Didn't you say you use a password manager? So why are you still advocating this stupid, insecure method?

>>61802578
>>61802606
There are over 100,000 unicode characters you dumb fuck.

I NEVER said use the most common unicode characters.

You can use ones like these:

༺༛༒༑༐༗༖༕༔༓༴༵༶༷ཇཏཌཋ༇ႋႊႃႄ⇲⇱⇳⇳⇬⇭⇮⇦⇥⇤⇢∎∍∌∊∂∝∛√∋ↂↈ↉

You can use moon runes or other language characters instead too, I don't give a shit.

>>61802655
you have me confused with someone else.

password managers are retarded.

my point is if you want to use random character strings your better off hashing something with a salt than having something you need to write down

>>61802655
but tbqh both of these methods are stupid to begin with, I use rsa keys everywhere I can including logging into my local machine

I heard you like hashes so we hashed your hash

>>61802655
anons right tho a hash of a salted phrase is very entropic and is extremely resistant to both bruteforce and dictionary attacks

it would take a brute force/dictionary attack that knows your method of password creation.

it is really only vulnerable to someone who watches you enter a password, basically

>>61802655
are you implying that a single password is more entropic than a hashed service identifier + a password salt?

Try cracking a file with a password like:

S妹i妹c妹k妹f妹u妹c妹k妹s妹

Good luck niggas, you're gonna need all the luck in the multi-verse to crack that shit.

>>61795071
Today's lesson is not to use /g/ for password advice.

>>61802665
Why type alt+243 when just adding 243 is exponentially more secure
>>61802606
Assume only ascii characters are used.
Putting this rule into a dictionary attack will times the time required to Crack it by 256. 1 hour to 256 hours powerful companies can Crack it easy but database collectors (most haxors) don't have the resources nor patience for that

>>61802755
Try cracking a file with a password like:
YouAreAFuckingFaggotYouBastardCumLovingNiggerAbortionGoFuckYourMotherInHerPenisThatsRightISaidInHerPenisBecauseSheIsAFreakingMutant

File: 1392269340064.gif (150KB, 618x439px) Image search: [Google]

150KB, 618x439px

>>61802772
the more memes you use, the more likely someone is to guess it.

>>61802772
fuck.
howd you know my password?

>>61802772
Easily crackable with dictionary attack. Try adding different languages to the mix.

They all suck, use a password manager

>>61802869
ベイトです

>>61802864
>28 letters would take more than 100 billion years to crack.
>There are 26 letters in the alphabet
>there a hundreds of thousand of words

How on earth would cracking 28 words be any faster than cracking 28 letters retard?

>>61795152
this is the only correct answer here

>>61802886
>using ベ smileys unironically

>use a password manager
And how are you going to get that across systems/devices? Trust it to a cloud?

>>61802906
are you illitirate? Do you kid know what DICTIONARY attacks are?
fuckin retard go kill yourself.

>>61802938
https://www.youtube.com/watch?v=9GP0KDuzgBc

>Not using a one-time-pad to generate your passwords.

>>61803036
Fuck off rasnov, it took us forever to crack 0.0001% of those transcripts.

>>61803036
>one-time pad
>passwordS

>>61795071
literally who cares any of them are good enough

>>61802906
If the attack guesses some common sentence structures

>>61803020
>illitirate
Fantastic.

>>61795071
All three are shit.

Cracked an md5 hash with all 3 using a custom dictionary I got from from some pentests I did.

First and second passwords got cracked using a hybrid attack

Last one got cracked via wordlist.

>>61795071
3rd duh

>>61795169
My bruteforce script get number 3 the fastest because it normally tries every combination of a-Z for 30 letters. Number 2 is the hardest because of the non-standard a-Z symbols in it and because the last symbol is also non-standard a-Z.

>>61803713
>tries every combination of a-Z for 30 letters

>>61803812
Some languages have more than 26 letters.

>>61795071

StupidNastyVillageDance

winrar

>>61803928
Lol fail.

>>61795071
It's a toss up depending on what you mean by "best". Last is best to remember, second is probably best against attacks. But the last has a high enough entropy to not be found in a database leak of md5 hashes

The real trick is having a very uncommon user name.

Nobody is going to guess my password "password123" in combination with my username "[email protected]"

>>61802455
It doesn't matter if the password were randomly generated or not. If it contains dictionary words, it is susceptible to dictionary attacks.

>>61803972
That won't protect against offline attacks, where passwords are hashed, but usernames are (obviously) not. You don't know what you're talking about.

>>61804071
What's with people falling for the weakest of baits today?

How does /g/ feel about randomly perturbing the number of rounds of pbkdf2 by a few percent as part of an anti-brute-force strategy?

>>61798015
>residing your search space significantly and if you only use words then you will get owned orders of magnitude faster

Let's use diceware as an example. Diceware has a total set of 6^5 words or 7776 words.
>5 word randomized words + capitalization or lowercase + a choice of "", " ", "-", "_" between words
>7776^5 * 2 * 4 = 67 bits of entropy
>8 random letters of all printable ASCII
>100^8 = 53 bits of entropy
WHERE IS YOUR GOD NOW

>>61803972
this. just generate the username with keepass password generator too.

>>61804350
just make sure it doesn't start with a digit :^)

>>61804004
Dictionary attacks ARE NOT easier, it's unfeasible you're using a big word list + separators + mixed case.

Dictionary attacks are only useful for retards who use a word and a number. If you use six completely unrelated words (not from a sentence) you have enough bits of entropy to produce a NIST approved password. Seven words is unbeatable. Brute forcing with ASCII would actually be more useful than brute forcing with a dictionary that will have more words than there are letters and the entropy/bit ratio will be only slightly lower.

>>61795071
Third misses numbers and symbols so enterprises don't allow it.

>>61795568
>>61795568
>>61795568
>>61795568
>>61795568
tard

>>61806873
>doesn't understand that hash crackers can start with word strings and move seamlessly into character brute forcing with minimal duplication of work

>>61802300
I hate my mom but fuck you

>>61795258
Zip doesn't encode to minimum entropy, literally no compression algorithm does that. You can write a Shannon entropy estimation script for a string in 10 minutes, but I guess that's too hard for you anon.

>>61803812
>Did the heat death of the universe happen and nobody told me about it

none of those because there are words

Based on the posts in this shit, people must think dictionary attacks could break into the fucking NSA or something. A dictionary attack can get a few words fairly quickly, but anymore than 5-6 and I don't see how it could do shit, especially if you add a couple non-word characters.

Dictionary attacks are not the end-all-be-all. They're for people who are stupid enough to have their password be shit like avocadotoast or nopassword

File: fu.jpg (15KB, 300x300px) Image search: [Google]

15KB, 300x300px

>>61808545
>people who are stupid enough to have their password be shit like avocadotoast
So fucktrump isn't a good password?