
You are currently reading a thread in /g/ - Technology

Thread replies: 44
Thread images: 4
File: password_strength.png (91 KB, 740x601)
Is this accurate?
>>
File: 1447600266290.jpg (16 KB, 252x317)
>>51632869
Bump for interest
>>
>>51632869
yes
>>
>>51632960
xkcd
>>
>>51632869
Bottom is accurate, top is not.
>>
>>51632869
It's accurate in regards to most brute force attacks.

A password like that would be more vulnerable to library attacks though.
>>
>>51632869
>this image
>What are rainbow tables guis
>>
>>51632995
It assumes a library attack for the second scheme
>11 bits of entropy per word = 2048 variations
>>
No. Dictionary attacks are probably the most common.
>>
https://boingboing.net/2014/02/25/choosing-a-secure-password.html
>>
>>51632869
yes, but you should instead make a personal password algorithm and just change it per site.
>>
>>51633006
what are salted hashes?
>>
>>51633006
a completely orthogonal attack scheme
>>
>>51632869
partially; there are various ways to approach password brute-forcing, and for some the latter is actually easier to crack
>>
It is accurate. It assumes that the attacker knows your password generation scheme, yet the second is more secure (yes, even against dictionary attacks).
>>
File: 1444340787464-b.jpg (72 KB, 657x720)
>>51632869
>xkcd
>>
>>51632869
>using words in your password
>hard to crack
wew wew wew
>>
>>51632869
Yes. In general there are two types of attacks on passwords.
There is Brute force (trying all possible combinations) and library (trying a list of words).
The best way to protect against the former is to use a password that is as long as possible and contains non-alphanumeric characters.
Library attacks will only really work against ridiculously easy passwords, consisting only of words (and maybe some numbers at the end).
Using leetspeak is actually a good way to counter both, since it makes it easy to remember long passwords and also protects against library attacks.
>>
>>51632995
>>51633019
>>51633040
>>51633140
>If a password is made up from words then it's inherently insecure
By that logic any password is insecure, you just need a dictionary that only contains the legal characters in a password.
>>
>>51633175 cont
I would also recommend avoiding common formats, such as [word][number].
In general a moderately secure password will suffice for 90% of all cases. Most crackers go for low hanging fruits.
If you expect that someone might be determined to crack your password, such as disk encryption, go all out on security.
>>
>>51633203
It's a lot less secure than if you use let's say a 20-character password made of random letters, numbers and special characters
>>
no
>what are dictionary attacks
>>
>>51632869
>1000 guesses/second
What the fuck? Any actual attack would be on a stolen hash and would be 1000+ times faster than that.

>>51633076
The ACTUAL second password is no longer more secure since it's in every dictionary on the planet. XKCDfags are retarded, so a lot of them missed the point and started using that as their password.

But the technique is more secure.
>>
I'm trying to think up a good personal password algorithm to use for passwords. How easy is it to guess the algorithm if they knew one password?
>>
>>51633333
Solid quints m80
>>
File: TeSu.jpg (62 KB, 754x565)
unless your password contains at least one kanji and the rest of it isn't partially in Azbuka or Greek alphabet, it's inherently insecure
>>
>>51633333
Almost impossible. They would need multiple sets of data to even guess.
If you're lazy and mnemonics are not a concern, you can just convert some data from /dev/random to base64
>>
>>51633333
Here's what I recommend:
-Take multiple (5 to 10) words/phrases that have things in common.
-Replace certain letters (or spaces if phrases) with one or more direct-substitution symbols (like () for o, & or @ for a)
-Always have at least 1 capital letter or at least 1 lowercase letter
-Always have at least 1 number
Now that you have the foundation, either append or prefix your foundation with a string; you would use the longer strings for the accounts you really don't want hacked like
<foundation>368a2791
<foundation>368a
<foundation>36
36<foundation>
Note that foundation would be one of the five to ten pre-assembled words/phrases.

The reason why I recommend this approach instead of long phrases is because some account systems and websites cut off your password after like 20 characters.
>>
>>51633480
Also this makes it easy to abbreviate passwords in things like web-browser bookmarks.
Let's say I only had one foundation word that started with D
Let's also say I use that 368a2791 string completely.
The abbreviation for the bookmark would be simply "D1". This makes it less likely you'll forget your password, but even if someone got a look at your bookmarks it would be pretty meaningless.
Don't write your algorithm down anywhere, just have it in your head.
>>
>>51633269
sure:
"Tr0ub4dor&3" scheme: ~28 bits
"correct horse battery staple" scheme: ~44 bits
20 random characters scheme: ~140 bits (assuming 128 available characters)

Note that these schemes are adjustable to a desired entropy. You should choose based on which one is easier to remember.

>>51633318
>The ACTUAL second password is no longer more secure
Sure, it's meaningless to compare security of single passwords, it only makes sense to compare password generation schemes. But yeah, the thought that some xkcd fags might use the exact "correct horse battery staple" password is kekworthy.
>>
>>51633533
I messed up a bit.
You'd preserve the actual bookmark title, like "<websitename> Login", and append your abbreviation after that, so like
"<websitename> Login - D1"
You could also do like
"<websitename> Login - <accountname> D1"
It's pretty meaningless information; obviously don't put your <accountname> if it's some sort of site where people could publicly browse posts you don't want others to connect directly to you or something.
>>
>>51633480
>>51633533
>>51633596
Please, contain your autism.
>>
>>51633480
so I would always use the 36 or the 368a but replace the foundation per site?
>>
>>51633923
You would switch between the 5 to 10 foundations, but you can keep changing up the string prefix or ending to make them all slightly different.

If you had two words that started with F, but only one of them had the 2nd letter of e, then you would abbreviate it like
Fe8 if you were using Fe...368, or 8Fe if you were doing 368Fe... (the ... is just a filler for the rest of your foundation).
You can use the same foundation multiple times, but try to make the combination with the prefix or postfix string different for sites you care about.
If you really don't care about a site, use your shortest word and don't go past 368a (i.e. don't use any part of the 2791 part unless it's an important site).

If your constant string were something like 65875, your abbreviation (in your bookmarks for remembering the password) might need changing.
Going back to the "Fi" example, if you use 65875 completely, you may abbreviate it like Fi75 so that you know to use the whole thing instead of Fi...65

It's a bit complicated on paper, but it's really just common sense as far as the abbreviations go.
>>
>>51634067
Whoops, I fucked up on the "Fi" part; I meant to put "Fe"
Oh well you get the point anyways.
>>
>>51634067
you're really starting to confuse me here
>>
>>51633270
>not understanding how a dictionary attack works
GG no re.
>>
>>51634199
I don't know how else to explain it better, sorry. Re-read the posts; that's all I can suggest
>>
A single diceware word is ~12.9 bits of entropy. A 7-word passphrase is ~90. Good luck.

(this assumes they know the exact method)
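The entropy figures quoted in this post and in the scheme comparison above (44 bits for four words from a 2048-word list, 140 bits for 20 characters over 128 symbols, ~12.9 bits per diceware word), worked through as an added example that is not part of the thread. The 7776-word Diceware list, the comic's 1000 guesses/second and the "thousand times faster" offline rate from the thread are the assumed inputs; the time figures are for exhausting the whole keyspace under the attacker-knows-the-scheme assumption.

```python
import math

# Added example (not from the thread): entropy of the password schemes the
# posts compare, and how long exhausting each keyspace takes at a given rate.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(dictionary_size: int, words: int) -> float:
    """Bits of entropy for `words` words chosen uniformly from a word list.

    This is the attacker-knows-the-scheme figure: the attacker is assumed to
    have the same word list and to try word combinations, not characters.
    """
    return words * math.log2(dictionary_size)


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to exhaust a keyspace of `bits` bits at a fixed rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def scheme_report(guesses_per_second: float = 1000.0) -> dict:
    """Entropy and exhaustive-search time for the schemes discussed in the thread."""
    schemes = {
        # four words from a 2048-word list, as the comic assumes (11 bits each)
        "correct horse battery staple": entropy_bits_passphrase(2048, 4),
        # 20 random characters from a 128-symbol alphabet, as the post assumes
        "20 random chars (128 symbols)": entropy_bits_random(128, 20),
        # seven words from the 7776-word Diceware list (assumed list size)
        "7 diceware words": entropy_bits_passphrase(7776, 7),
    }
    return {name: (round(bits, 1), crack_years(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    # 1000/s is the comic's rate; 1e6/s stands in for the "1000+ times faster"
    # offline rate mentioned in the thread (an assumed figure, not a measurement).
    for rate in (1e3, 1e6):
        for name, (bits, years) in scheme_report(rate).items():
            print(f"{rate:>7.0e}/s  {name:<30} {bits:6.1f} bits  {years:.3g} years")
```

The 44-bit scheme comes out at roughly 557 years of exhaustive search at 1000 guesses/second, which is the comic's "550 years", and well under a year at a million per second, which is the point the stolen-hash posts above are making.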
>>
>>51633318
>Any actual attack would be on a stolen hash and would be 1000+ times faster than that.
Cracking a raw sha256(pass), sure.
Nobody is actually retarded enough though not to use PBKDF2 with at least a million iterations.
>>
>>51634988
And no one is stupid enough to store passwords in plaintext
>>
>>51633649
>dat self-hatred because of lower iq
>>
Nobody's going to try to brute force a password nowadays. There are many, many other vectors for attack that are nowhere near as time consuming as a brute force.
>>
>>51632869
>send legit looking email asking for login information

I don't even have to guess then.