Is this true?
is this how we should really be making our passwords?
>>53067912
enjoy your dictionary attack
>notthisshitagain.jpg.png.gif.mp3.tiff.tar.gz.7z.bz2.zip.net.latex
>>53067912
Not correctly, most bruteforcing methods would use dictionaries to make guessing easier, but I think even then that the scond method is more effective than the first.
>>53067975
To make it even more effective, simply using a specific character seperating the words and adding a number in front or behind said method increases the difficulty to bruteforce it, even with dictionary attacks significantly.
In theory
but you have 30-50 accounts
and you are not going to remember 50 random 4 word strings
so just generate a completely random password and write it down/store it in a password manager.
make a 4 word password as your master password if you wish to
>>53067942
This, it's not valid in and of itself but using simple to remember word combinations separated by a random string is better than either element alone
>>53068011
>store it in a password manager.
recommendations?
Mypass#normiebook10
Mypass#tweets10
Mypass#2001
Mypass#videos4u
Have a master code followed by a delimiter followed by a unique passphrase for each website. It's the easiest to keep consistent and memorable for each site.
>>53068040
I write them down since physical access means you are fucked either way.
>>53068033
what do you mean by a random string.
give an example of what you would recommend the password look like?
>>53068048
this is true, I use permutations of a couple different passwords in a similiar fashion
a mixed method is better than either individually, which are prone to brute force or dictionaries, respectively
>>53068064
correct-qaz;horse-qaz;battery-qaz;staple
>>53067975
Dictionary attacks are retarded unless you know the person youre hacking and the rough length of their password. Starting from their interests , date of birth , age , pets , family , etc. you can make a list of all the possible combination of those keywords and their many variations and only keep those that look like the right length so you dont spend countless hours trying passwords that arent even long enough / too long.
IF you dont know jack about the person youre hacking then good luck. You never know how stupid the person might be. I once let my computer run for 10 hours trying to bruteforce a wpa2 key and the fucking key was 1234123412
>>53067942
This
>>53067912
how about combining long words with holding shift all the time and changing some letters into numbers leet style guise - for example ilovecock -> !L)V#C)Ck ?
>>53068623
Thanks. Added to my dictionary ;^)
>>53068656
idk if its better, maybe it needs some numbers too :<
>>53068623
shit, time to change my iCloud password
>>53068767
i thought this is a standard 4chan password. aside from 1L)V#F#M!N!N#P#N!S#s
>>53068040
This >>53068055 is the best.
Just get a little black book.
I just use random >64 char pwds, crypt them with master pwd and upload to the net.
I can access them everywhere I can get my hands on gpg.
>>53067912
3efb9ijn!-@)#($*%&
Is this secure?
Can we just shift to the biometric future already where my password for everything can just be my retina.
>>53068996
https://howsecureismypassword.net/ this shit says TRILLIONS OF MOTHERFUCKING YEARS
>>53068996
not anymore, anon
>>53069010
This is not the way to go in my opinion. Someone could brute force your eyeball easier than your password desu senpai
>>53069022
how safe is my password: trustNo1
>>53068996
>>53069022
>>53069024
I just wanted to know if keyboard patterns like that are secure
>>53069052
>trustNo1
why wouldn't you trust the Number 1?
>>53069022
>https://howsecureismypassword.net/
>Idon'tlikemarshmallows
>423 sextillion years
wew lads
>>53069091
It's the loneliest number that you'll ever do.
>>53069038
If someone is brute forcing my eye out, I think I have more problems than just people logging into my bank account.
>>53069103
>at least i got my (you).
>>53068915
but isnt copy/pasting a random 64 char password insecure? im asking because mental retardation
People talking about dictionary attacks, but what if my passwords are using made up words?
>>53069022
>RoboForm is free
>go to the website
>it's actually proprietary
are u avin a giggle wtih me?
>>53067912
It's pretty much true. Even more so if you try to pick obscure words or mix in one or two words from a foreign language.
>>53068623
>buy a new keyboard
>the collisions are different
>>53069325
enjoy your botnet mate :∧)
Put a chinese character somewhere in your password, bam unhackable
>>53069358
>not buying the same k120 layout again and again and again
no but actually is it possible to get different keys on a standard qwerty keyboards? i mean under 1234567890+letters
>>53069377
I was kind of wondering if using moon runes would make a password uncrackable.
>>53067942
>implying bruteforce does'nt work on his password
>>53069397
fuck this, lets upload dank meme images as passwords instead (which are password protected 7zip files)
>>53069377
Ironic because most code monkey hackers are Chinese.
Besides, it will only work if the password is stored as utf or some fancy shit.
>>53069394
I think I misread as holding both shifts.
Like TE QUIK BOW FOX JUPS OE TE AZY DOG
Uncrackable password that you'll never forget, but you're fucked on any non-physical keyboard or a keyboard with different key groupings.
>>53069397
A lot of sites would tell you to use ascii only.
My password is "tr1pfag....."
According to passwordmeter it has 99% strength
>>53069010
My phone has a facial recognition unlock mode but you just need a face similar to yours to unlock
>>53069462
You should worry more about your user account and wifi password anyways.
>>53069471
Added to my rainbow table. ;^)
>>53067912
>is this how we should really be making our passwords?
>passwords
No. You should only memorize one password, the one to your KeePassX database. Once you use KeePassX (*not* an online password manager) the rest of your passwords can be random and 25+ characters.
>>53069397
I use mix cased alphanumeric sentences in moonspeak for a good amount of my passwords. They usually just describe what website I'm logging into.
>>53069377
let me type that in the >>53069022 botnet
>ilovecock自殺
>10 days
doesn't work m8.
>create strong password
>encrypt it in base64 or w/e you want
>write tyhe encrypted passes somewhere
In case you forget them you take that paper and start decrypting. Your brochachos and others will never find them if you have that paper with you at all time.
Also encrypt them multiple times if you have the patience.
>>53069010
>get punched in the eye
>suddenly locked out of my Google House™ and waiting for Google Law Friends® to find the shortest route for me behind the bars due to attempting illegal property access
>>53069512
>KeePassX
What do for phone or when you're not at home?
>>53067942
Do you realize how long it would take a dictionary attack to execute with even just two random words? Do you realize how big a fucking dictionary is?
Now think about four words. You're not brute forcing that. This is way different than PIN numbers which go from 0-9.
>>53069446
How are you hitting B but not M?
>>53069601
Use KeePassDroid on Android.
>>53069621
i can hit B and not M too mate, it differs around keyboards i guess.
HE QUIK BROWN FO JUPS OER HE LA DOG
>>53069547
>>encrypt it in base64 or w/e you want
>base64
>encryption
I just use:
Schindlers List #1488
Good luck breaking that.
>>53067912
No because xkcd told all the hackers about the password
>>53069606
way faster than checking every combination of characters individually
>>53069651
THE QUC BRW FX JUMPS VER THE AZY DG
>>53069606
Dictionaries ain't that big.
The dictionary here is (most likely) the vocabulary of the person creating the password. Let's see how much that is.
There are currently about 170 000 words in the English language, with about 50 000 in use.
For a normal (an English native) person, 30 000 is approximately the amount of words they know.
Let's assume that we then have a dictionary of 30 000.
For two words, that means there are 900 000 000 combinations. This is about 2^(29), or 29 bits of entropy.
For four words, we get that the entropy is 60 bits.
Now consider a password with both upper and lower alphabets , numerical symbols and other symbols . We have (26*2+10+~20) = about 80 possible characters. For us to get 60 bits of entropy, we need about 10 characters (2^60 is about 80^10).
So your four word password is only worth a password of 10 characters.
Now remember that this is pretty much the optimal case: A normal person, when trying to think of 4 random words, will not come up with the most unusual words. With luck we could make the vocabulary be only a few thousand words, maybe 5000.
This is about 50 bits of entropy, meaning we only need a password of 8 characters (2^50 is about 80^8).
So if it is possible to brute force 8-10 character passwords, that means that you're fucked.
>>53069994
Diceware is fine. They keep the words short (5ish characters) and every word adds 13 bits of entropy. Main advantage is that it's easier to remember five diceware words (by forming a mental picture) than a 14 character random alphanumeric+symbol password. It's also easier to remember a good master password using 7 or 8 words than 24 random characters. Furthermore, salting the password with a foreign, misspelled non-diceware or slang word or a number at a random position increases entropy, although I'd recommend just adding another word.
Personally I use a 8 word passphrase with two non-English words. Good luck cracking it.
>>53069547
>encrypt it in base64
>>53067912
It's sort of true, although you simply can't beat a long ass string of characters you also can't remember it unless you're actually autistic. Picking 4+ random words is significantly better than the standard(read: shit tier) password that people normally come up with that meets password requirements, like "London89".
>>53067912
>mfw I use combinations of multiple english words and romanized moonspeak words with a couple of numbers
Easy to remember, long, not vulnerable to dictionary attacks. Fuck special characters. Special characters a shit.
>tfw my password is qwerty1
>>53069606
do you not realize how fast computers are able to do exactly what you're describing?
one of my responsibilities at my old job was maintaining the password cracking software, and it used dictionary attacks as one decryption method. the english dictionary had a few thousand words in it, which were combined in groups of 2-4 words along with trailing/leading numbers and punctuation.
this generally led to a range of several hundred billion possible combinations, but the network nodes that actually did the heavy lifting could churn through several hundred thousand to tens of millions of passwords per second, and we had ten nodes. the longest a document ever sat in the decryption queue was maybe six days, and that was only when decryption fell back to bruteforcing the decryption key for old Office documents (3 days worst case).
>25 GPU Monster Devours Passwords In Seconds
>https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
>350 billion guesses per second
>2012
>>53069103
Two can be as bad as one. It's the lonliest number since the number one.
>>53069606
hi, im here to prove you wrong
i have a dictionary downloaded right now
http://www.math.sjsu.edu/~foster/dictionary.txt
assuming the same circumstance of a 4 word password all lowercase then it's literally just a matter of appending each word to each other
there arecat dictionary.txt | wc -l349900 words in this dictionary, it's pretty comprehensive
i actually don't know if this is correct or not, but i think you should be able to calculate the total number of combinations with 349900^4, please correct me if i'm wrong
if i'm right though, that means there's only
14989107348600100000000 possible combinations
which is basically fuckin nothing considering we're using a dictionary with a lot of fluff
if we reduced this down to say the most common 5000 words in english we would end up with 625000000000000 combinations
for online attacks, this is sufficient
but when the attacker already has the hash, you're in trouble
tl;dr use keepass or something, don't just string words together
>>53067942
the whole point of it is that it takes a large amount of time to break even with a dictionary attack
fuck, the math for how much entropy the 4 word password has accounts for that
also, take note that this pretty much only goes for websites and shit, since you can do a fuckton than 1000 guesses/sec for local password attacks, see shit like >>53072621
so if you don't have like 256 bits of entropy in that case, you're fucked
>>53069994
the important bit, the most important bit in fact is that you actually randomly generate your pass, don't pick the words yourself
because your attacker's effective search space shrinks drastically otherwise
>>53072962
I've always wondered how the FBI cracks .rar files of pedos. Pretty much explains it.
Yes, it works, as long as you are actually selecting the words randomly from a large enough list. Anyone who says otherwise (this includes "hurr durr dictionary attack!") doesn't understand math. A good summary of the reason why:
https://tgad.wordpress.com/2013/09/18/what-is-entropy/
>>53068996
qwerty keyboard geometric pattern mapping passwords are no longer a good idea. You basically have a fancy version of 1qaz2wsx. Long ass passphrase is the way to go.
>>53073156
4 words from a diceware dictionary selected at random has 51.6 bits of entropy. That's equivalent to about 8 fully randomly generated characters, or about a 16 digit pin. Not ideal, but it's far more than what most people's passwords have, and would take about a week for a high end computer to crack, or an hour on a dedicated password cracker (assuming you had the password hash to compare it to and that there was no key stretching, obviously if you're doing this over a network it would take much longer).
>>53076809
>I only need to defend against adversaries willing to resort to physical violence
I can't stand xkcd
Literally reddït the webcomic
>>53073156
Four random words from that dictionary (assuming true randomness in selection of words) carry 74 bits of entropy. That's nor negligible, especially considering that adding another word would extend it to 92 bits, which is pretty fucking uncrackable. It's not as easy as you think.
tl;dr diceware with 7 words is secure
>>53072621
Unless your machine can crack on the order of 2^60 passwords/s you can't even crack a five word diceware passphrase. The fact that you can crack "himom" doesn't make all passphrase insecure.
>>53068048
A lot of sites store passwords in plain text. Enjoy having all your shit hacked by one tiny leak
>>53067912
I have a book and I've written in the margins of each line, I've written a website name.
I just use that line as the password for that site. one day I'll run out of passwords, but who cares.
Fuck websites that require symbols/numbers, by the way, nobody wants to hack into my code academy account or whatever
I use an 8 word password to encrypt my drives. Exactly how unsafe is this?
>>53076915
that would be your autism
>use 4 words for password
>one is a random english word
>one is a name
>one is a romanization of a japanese word
>one word pertains specifically to the website and varies from account-to-account
Did I pass?
>>53067912
Maximum character long password for e-mail and anything that deals with money (paypal, amazon etc.) everything else can be simple passwords unless you want to go full tinfoil
Am I banned?
#include <stdio.h>
int main(int * argc, char * argv[])
{
if(argc < 2)
{
return 0;
}
char table[75]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#@$%&-+()*?;";
int characters = 0;
srand(time(NULL));
while(characters <= atoi(argv[1]))
{
printf("%c", table[rand() % 75]);
characters++;
}
printf("\n");
}
>>53068811
Feminine penises are god tier though
echo "desired password" | openssl sha1
The cool part is if you ever forget your password you can open a terminal emulator on your phone and generate it
>>53078422
Nope
>>53078422
yep
>>53067912
Kind of. As others have mentioned, dictionary attacks can make this method insecure, but if you introduce a random string somewhere, misspell one of the words in a memorable way and/or introduce a numerical digit somewhere then you'll be in pretty good shape.
>>53078644
>thinks dictionary attack take a dictionary of the English language
>posts on /g/ with the attitude of an expert
Back to /v/eddit, asshat.
>>53076809
If you're in that kind of situation, you're fucked either way. You're fucked whether or not you give them the password, and if they don't need to ask you for the password, you're still fucked since the NSA don't just kidnap and waterboard shoplifters and petty criminals.
>>53078531
>openssl sha1
>not just using sha1sum
>>53067912
How to Password: A guide by Anon
>look at the keyboard
>type four words in one language while looking on the keyboard at other language's keys
>even better type an unusual name like anime name in romaji
So, let's say we take "Boku no Hero Academia".
Transliterated into Russian, it's "Бoкy нo Хиpo нo Aкaдeмия". Typing that in English keyboard layout while looking at Russian keys nets you "<jre yj {bhj yj Frfltvbz".
"<jre yj {bhj yj Frfltvbz" is your password.
Enjoy. You can use this operation recursively, but that will hardly get you more secure passwords.
>>53077468
>every password is different
>examples were only examples
Pls
![[HorribleSubs] Rokka no Yuusha - 08 [720p].mkv_snapshot_14.03_[2015.09.14_20.47.52].jpg](https://i.imgur.com/TfTUITd.jpg "[HorribleSubs] Rokka no Yuusha - 08 [720p].mkv_snapshot_14.03_[2015.09.14_20.47.52].jpg")
>>53079110
>AйЛъвEннимeйEндoMaнгo694201488DeusVult
beat this, faggots
>>53078459
>atoi
into the trash it goes
>>53078291
If your password is compromised on two sites you get back into possible bruteforce territory.
are password attacks even relevant, in the era of HTTPS and lockouts?
>>53080164
Yes
>>53079110
If only you could type passwords with an IME (and everything supported UTF-8)
>>53068040
keepass
Also decrypted passwords are only stored in memory iirc (not sure how this works with the copy paste feature though)
>>53079262
Is there a better way? Or am I just being messed with?
>>53081217
Other than having been deprecated for like 20 years, atoi() is fine here.
Your real problem is that rand() is a very bad prng, and then you're making it infinitely worse by seeding it with time(). That means if someone wants to guess your password, and they know, say, which month you created it in, they only have to test 86,400*30 or 2,592,000 passwords. Even at best, rand() is only going to create ~4,000,000,000 different passwords of a specific length, since that's how many seeds there are.
If you want to create a secure random password, just read in some characters from /dev/random, and base64 encode them.
>>53081485
That's pretty informative
Thanks
>>53080545
They're in the paste buffer, but it gets cleared after a user-defined time (default 12 seconds). Doesn't really matter though, because if somebody can read the memory on your machine, then they can also probably get the contents of the paste buffer.
You are all morons. The comic shows how a password where you have to remember four things (the words) creates more entropy than a password where you have to remember five things. (the word, 0, 4, &, 3) If you're worried about brute forcing, just add more words.
This is why I have a script with a dictionary of about 2048 common words to generate shit like that for me
>>53082546
the default setup should get you about 60 bits of entropy which is pretty far in the realm of uncrackable for properly hashed passwords (read: pbkdf or equivalent)
my passwords are between 7 and 10 words, with a total of ~30 to 45 characters.
>>53072248
And then you find out all those eroge JRPG porno games you torrent are filled with all kinds of fun malware. Oh, ho, ho.
>>53072962
Yeah, well, you could just put a lockout after 5 attempts in place.
>>53079110
that's cool and all, but all the russian stuff just makes no sense to an english user
with something like "<jre yj {bhj yj Frfltvbz" one might as well just use random base64 characters or something% base64 < /dev/urandom | head -c20
JTkz80Va2IX0oS/8AUbq
>>53073293
>also, take note that this pretty much only goes for websites and shit, since you can do a fuckton than 1000 guesses/sec for local password attacks, see shit like >>53072621
>so if you don't have like 256 bits of entropy in that case, you're fucked
Um, no. Even at 1 quadrillion hashes per second (2,860 of these machines >>53072962) it would still take 10 years to have a 50% chance of cracking a password with 79 bits of entropy.
>>53084544
The point is that it's easy to type and remember.
You type a phrase in one language while looking at the keys of another language. If you are bilingual or have a bilingual keyboard markings, it's easy as fuck to do, because you remember one phrase, but type another.
>>53084838
Meant for >>53084479
>>53078459
You do realize that this code is seriously bugged, right?
>>53079005
OpenSSL's installed on everything, sha1sum is not.
My pass is: InstallGentooFfsMotherfuckingFaggots
>>53067912
Just use a personal password algorithm. Never need to rely on keepass ever again
>>53067959
WHO THE FUCK USES .latex EXTENSION FOR .tex FILES
>>53067912
>>53067959
>>53068008
>>53068011
>>53068033
>>53068040
>>53068048
>>53068055
>>53068064
>>53087399
>>53086128
>>53084838
>>53084544
>>53084479
>>53084205
>>53084191
>>53082694
>>53083623
>>53082546
I'll teach you faggots how to setup a password:
Type anything stupid like "Happiness"
Then open your terminal emulator and...
echo "Happiness" | sha512sum
If you use windows (make sure to be administrator):
del C:\
>>53069052
probably safer than mine: hunter2
>sysadminisacunt555
>>53067942
>>53067912
Wouldn't the easiest one be to make a 2 - 3 word phrase that contains at least one slang term?
>>53067959
>Somehow forgetting .exe
>>53069325
>non-proprietary = free
:^)
I’d just like to interject for a moment. What you’re referring to as Linux, is in fact, GNU/Linux, or as I’ve recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called “Linux”, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux” distributions are really distributions of GNU/Linux."1
>easy to remember
>impossible to guess
>will never be found by all of the computers in the world working together before the heat death of the universe
What's your excuse?
Consider thinking about some paragraph or poem you like and thanks to this ended up memorizing and then extract a couple of letters from each in order to build a 29+ alphabetic pass.
For instance taking the first letters from each of the words from this piece from Mark Twain that I like:
"It is true, that which I have revealed to you, there is no God, no universe, no human race, no earthly life, no heaven, no hell. It i all a dream"
...results in "iittwihrtytingnunhrnelnhnhiiaad", which is a 31 characters long pass
It's not alphanumeric nor it has special symbols or upper case but that is meaningless since the size alone can keep you safe enough in any kind of foreseeable computational power growth. It's easy to remember since it's something that you like and, unlike what XKCD proposes, it's highly resistant against dictionary attacks.
>>53087419
>same password for all sites
Do yourselves all a favour, and just start using random passwords with a password manager.
Then sign yourself up to https://haveibeenpwned.com/ and laugh every time you get an email because some moronic system admins couldn't secure their systems, but only one of your accounts is potentially compromised instead of all of them.
I think 1password is the fucking tits but if you prefer free there is keepassx and others. Just don't use LastPass, they're the devil now.
ćó®®ęć†ķó®śęļą††ę®īś†ąĻłę
come at me
