this post was submitted on 03 Nov 2023
304 points (87.3% liked)

Technology

59402 readers
2603 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Ertebolle@kbin.social 47 points 1 year ago (6 children)

xkcd still has the best approach to this; four random common words

[–] vamputer@infosec.pub 17 points 1 year ago* (last edited 1 year ago) (1 children)

I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.

"BonyTonyMoansHe'sOnlyGrownLonely" has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.

The more ridiculous, the better. (And, naturally, don't forget your numbers and symbols)

EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password's character space (and they very well should be if friggin' emojis are), there's nothing stopping you from doing an entire, punctuated sentence- other than that we've been conditioned not to think of a password that way.

"Skinny Kenny's friend, Mini Ben, has 20 chins." That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.

[–] scinde@discuss.tchncs.de 4 points 1 year ago (2 children)

You can't compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).

[–] Aatube@kbin.social 3 points 1 year ago* (last edited 1 year ago) (1 children)

If the attacker doesn’t know that you’re using a dictionary password, then dictionary attacks probably won’t be their first choice. I want to remember these passwords across devices and on guests.

[–] scinde@discuss.tchncs.de 5 points 1 year ago

Like someone else said on this thread; that's just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc..), and relatively easy to do. I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn't tell you what it is from memory.

Also you shouldn't use the same password on multiple things and if you don't use a password manager you will need to memorize a lot of different passwords.

[–] aBundleOfFerrets@sh.itjust.works 1 points 1 year ago (1 children)

Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficult to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars

[–] scinde@discuss.tchncs.de 1 points 1 year ago

Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.

True, there are a lot of english words, but the amount of common words is relatively small. Most people aren't going to choose a password like "MachicolationRemonstranceCircumambulationSchadenfreude", even if it were generated for them (which is unlikely).

Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).

There are also a lot of symbols when you count emojies and the entire Unicode standard.

[–] lupec@lemm.ee 11 points 1 year ago

I love it, Bitwarden has supported generating passphrase style passwords for a while and it's basically that. It's my go-to these days.

[–] ammonium@lemmy.world 10 points 1 year ago (2 children)

Four words is too low these days to protect against gpu bruteforcing

[–] elbarto777@lemmy.world 5 points 1 year ago* (last edited 1 year ago) (1 children)

Got a source on that?

Edit: plus brute forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.

[–] ammonium@lemmy.world 8 points 1 year ago (1 children)

https://thesecurityfactory.be/password-cracking-speed/

8 character a-zA-Z is 45 bits of entropy (log2(56^8), about the same as the XKCD password if you take from a 2048 word list. That's crackable in a minute on AWS.

Password hashes get frequently stolen, don't rely on rate limiting if it's something you really care about.

Here are the dice ware recommendations on the number of words: https://theworld.com/%7Ereinhold/dicewarefaq.html#howlong

[–] elbarto777@lemmy.world 3 points 1 year ago (1 children)

Sure, but the average English speaker knows way more than 2048 words. Let's not forget about case sensitivity, made-up or "inside joke" words, names, and specific industry vocabulary.

[–] ammonium@lemmy.world 6 points 1 year ago (1 children)

Even if you take four words of a 30000 word list (quick Google says that's the number of words an average person knows), that's still less bits of entropy than a 5 word diceware password (7776 word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.

[–] elbarto777@lemmy.world 3 points 1 year ago (2 children)

Thanks for the explanation. What's diceware?

[–] poopkins@lemmy.world 4 points 1 year ago (1 children)

It's the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.

[–] lolcatnip@reddthat.com 1 points 1 year ago

That only works if someone already has access to a system's password database.

[–] Ookami38@sh.itjust.works 7 points 1 year ago (1 children)

I prefer picking a sentence or so that has meaning to me, using the first letters, and then adjusting for numbers/symbols. So if I wanted to make that a pw, it'd be 1ppa505thm2m,utfl,atafn/5. -looks completely unintelligible, but as long as you can remember the sentence and have some ideas of how you would have encoded it, easy enough to remember/recreate.

[–] noodlejetski@lemm.ee 2 points 1 year ago (2 children)

good luck remembering all of those for every account you create, though.

[–] Fal@yiffit.net 3 points 1 year ago (3 children)

Why are you not using a password manager

[–] lemmyvore@feddit.nl 3 points 1 year ago* (last edited 1 year ago)

If you're using a password manager you don't need phrases you can remember, you can generate even more secure passwords. Or start using passkeys.

[–] noodlejetski@lemm.ee 1 points 1 year ago (1 children)

I am, and I'm not jumping through hoops of making up a password sentence for every new website. I let Bitwarden take care of that for me.

[–] Ookami38@sh.itjust.works 2 points 1 year ago

Just use these methods for the pws you either need to know (like your password manager) or don't want stored for whatever reason, like your bank. Otherwise, yeah, just let your password manager generate a password for whatever site.

[–] Aatube@kbin.social 1 points 1 year ago (1 children)
[–] Fal@yiffit.net 1 points 1 year ago (1 children)

Most are cross device. Use bitwarden

[–] Aatube@kbin.social 1 points 1 year ago

Guest machines too. And I sorta prefer whichever browser/OS I’m using’s implementation because they’re usually styled similarly.

[–] Ookami38@sh.itjust.works 1 points 1 year ago* (last edited 1 year ago)

It's as easy to remember a bunch of those as it is remembering 4 random words with no association, I think. And besides, just use that for the big, important, pws like your pw manager.

[–] JigglySackles@lemmy.world 7 points 1 year ago (2 children)

Just be sure to throw in symbols and numbers to beef it up. Dictionary words are easier to brute force.

[–] notapantsday@feddit.de 19 points 1 year ago (1 children)

The whole idea is to make it easier for humans to remember and more difficult to brute force. Long passwords are much harder to brute force than complex passwords with lots of special characters. And they're a lot easier for humans to remember.

There are enough words in any language that it's virtually impossible to guess the correct four words, even if they're in the dictionary.

[–] JohnEdwa@sopuli.xyz 6 points 1 year ago (2 children)

Even so, most password requirements will force you to add them anyway. Quick way to do it is to just pick a number on a keyboard and add it and the symbol to the end. e.g HorseBattery2# and so on.

[–] Jesus_666@feddit.de 9 points 1 year ago

And requirements like that are why my password strengths are completely out of whack:

  • Random websites get 24 randomly generated printable characters stored in my password manager. This is essentially unbreakable with conventional methods and can easily be adapted to fit whichever counterproductive rules the website enforces.
  • My password manager and my home computers get memorable but long phrases. A particular favorite is to start in the middle of a line from a song and continue from there. Nobody's going to guess "make you swear and curse when you′re chewing on" but it's easy to memorize of you already know the song. Even a dictionary attack is going to have trouble with that many words.
  • My work accounts get the bare minimum that complies with whichever rules the admins came up with. Numbers, special characters and mixed capitalization? No thirty letter phrase for you, then; you'll get the minimum eight characters so I have a chance of memorizing the thing. Regular password changes? Great, now the last two chargers are going to be incrementing digits, just like for everyone else.

There's a reason why experts these days argue against anything but minimum length restrictions.

[–] gonta@mander.xyz 3 points 1 year ago

You can even make a complete sentence that makes sense with symbols and numbers.

"Ronaldo doesn't grill 76 Canadian Tacos."

Or whatever

[–] djdadi@lemmy.world 4 points 1 year ago (1 children)

Not 4 of them in a row. Keep in mind the attacker doesn't know " look for exactly 4 words"

[–] Killing_Spark@feddit.de 4 points 1 year ago (1 children)

That's just security by obscurity. It's one other strategy of choosing passwords that a bruteforce attack is going to try if it gets popular

[–] lolcatnip@reddthat.com 0 points 1 year ago (1 children)

That's not what security by obscurity means. And going by your definition, all passwords are security by obscurity.

[–] Killing_Spark@feddit.de 1 points 1 year ago

If your strategy is to just use dictionary words your password will have little entropy and even less so if you use grammatically correct sentences. If the attacker knows this is your strategy of choosing passwords cracking one is way easier than cracking a password that has the same length but consists of randomly chosen characters.

Your password is only safe because the attacker doesn't know your strategy of choosing the password which forces him to use inefficient methods of cracking it, while there would be a more efficient way if he knew the strategy you used. Which is security by obscurity.

[–] Kusimulkku@lemm.ee 1 points 1 year ago

Password database