I don't know, I feel like something is wrong with the password strength tester on the sign up page. : memes

[–] [email protected] 5 points 3 years ago (4 children)

[–] [email protected] 6 points 3 years ago

That's amazing! I've got the same combination on my luggage.

[–] [email protected] 4 points 3 years ago* (last edited 3 years ago)

Centuries could become years which could become days depending on how computing progresses. We're just trying to make sure your account is secure in the Post Singularity era :)

Just ignore the fact that the actual user content like posts and comments are plaintext in the server.

[–] [email protected] 3 points 3 years ago

The above password is 28 characters long with special characters. In the meme, the password length is 128 but with no special characters. If you add special characters, the password will be strong.

But still, I think the password strength tester needs improvement.

[–] [email protected] 3 points 3 years ago

You need a good gaming chair to type the password.

[–] [email protected] 1 points 10 months ago

Needs better quantum resistance!

[–] [email protected] 1 points 3 years ago

Requires "post quantum" encryption of course /s

[+] [email protected] 1 points 3 years ago* (last edited 2 years ago) (3 children)

[deleted]

[–] [email protected] 1 points 3 years ago

No. Words are just easier to remember. It's about probability. If you only use lower characters, it's 1 in 26, with upper case 1 in 48, with nunbers 1 in 58. With weird chars, I don't know. If you now take one english 6 char word, and compare it to a random string with 6 chars. Which one is more secure? But, if you compare 6 characters with 6 words, then it's not that easy. But random chars will always be more secure if both passwords have the same size. But it might be easier for you to remember 12 words than 12 signs. The orobabikity is so low, who cares if it's 1 or 2 quadrillion years?

[–] [email protected] 1 points 3 years ago (1 children)

This is the reason (relevant xkcd) https://xkcd.com/936/

[–] [email protected] -1 points 3 years ago (1 children)

I think it has to do with the fact that brute force attacks are far less likely to arrange letters in a way that matches a series of legitimate words and far more likely to use jumbled nonsense

That's plainly false if we are talking about machine-generated brute forcing. Any sequence of equal length is equally likely, generally. Furthermore, if someone artificially restricts it to narrower patterns and someone can guess that is the case, the machine generated brute-forcing has an easier time. Dictionaries exist and can be used.

The only reason to make this claim is if you're irrationally married to the idea of typing in your password. At that point, it can no longer be a properly strong password (a hundred characters of random garbage), and so it must be a weaker password you can remember (some long string of words). And then you need to justify it with nonsense.

Get a goddamned password manager already for fuck's sake.

[+] [email protected] 0 points 3 years ago* (last edited 2 years ago) (1 children)

[deleted]

[–] [email protected] 0 points 3 years ago (1 children)

actually, script automated brute forcing would be better at guessing randomized characters for a passwords.

No. It wouldn't. It's neither better nor worse at anything. If you're unfamiliar with programming, it's difficult to understand, but I'll try to explain it to you...

No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That's why it's called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don't look random to you at all.

By choosing words as your password, if someone can guess that this is what you've done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages' dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.

This reduces the number of passwords that you can have chosen by some ridiculously large number.

It's literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords... assuming someone can guess that that's what you did. And it's not much of a guess even, considering that you blather all over the internet about how you think it's a smarter approach.

the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful,

That's not even how this works. It's not 1986, you're not Matthew Broderick hacking into WOPR.

Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren't complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).

The website it was stolen from has at least taken measures that they can't get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you're a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they're remembering their passwords, I know they don't have eidectic memory and know 50 unique passwords by heart. They're remembering one.

So once they brute-force the hash, they've got most or all of your passwords (maybe literally not all, you probably think you're clever by having two or three slight variations on it like "every word in it starts with uppercase!" or some shit like that). And it's alot easier to brute-force this when you assume that they used dictionary words.

Here's where you bust out with "but now you're full of shit DPUGT, because I didn't mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!".

Except you're still wrong. That fucking website truncated the password (and always truncates, since you didn't notice), or it has a maximum password length (don't ask, I have no explanation, this is so far off in WTF territory that I give up).

And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.

You tried to be clever with passwords, which is what all stupid people do.

All your passwords have to be different. They shouldn't even reuse sequences longer than 2 or 3 characters, and those only by accident.
You have 50+ passwords (my count's something like 300+ and always going up).
They should all be long as hell. Ideally 50-100 characters or more. This means they're also untypeable from a practical point of view.
They should never be written down anywhere, digitally or physically.

And, if we were making rules for websites/accounts, they shouldn't limit possible passwords. No maximum lengths, no "can't use that character". Like why not? They shouldn't be storing the damned password in plaintext, the hash should be hex and fixed legnth anyway. But can't do anythign about that.

Once you understand these rules, there is only one correct way to do passwords. And it's not setting a new one every 6/10/12 weeks. It's not 2FA. It's not any of the garbage everyone always repeats as if it were wisdom.

It's Get a goddamned password manager already.

[–] [email protected] 1 points 3 years ago (1 children)

https://www.instagram.com/p/CEZZQIdhGjD/?utm_source=FuckOff&utm_campaign=FuckOff

[–] [email protected] 2 points 3 years ago (1 children)

While you make a fair point with your referrer codes in this link, they should be removed completely for lemmy.

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago)

It can be used to uniquely identify the origin (Lemmy and/or other places OP posted this link). So even though it's insulting, the referral variables are still doing their job.

[–] [email protected] 0 points 3 years ago

Don't have a link on hand, but studies have shown being overly generous with the password meter is the only way to significantly increase password strength.

But Lemmy and improved UX? Nah not happening

[–] [email protected] 0 points 3 years ago (1 children)

Does a time estimate for brute force always assume the operation is not parallel?

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago)

IMO, the fact that the "how long to crack" metric on passworm managers never state the assumptions and parameters it uses means that its validity is dubious at best.

Memes

Rules: