• AgreeableLandscape@lemmy.ml · ↑6 · edited · 3 years ago

      Centuries could become years which could become days depending on how computing progresses. We’re just trying to make sure your account is secure in the Post Singularity era :P

      Just ignore the fact that the actual user data like posts and comments are plaintext in the server.

    • the_tech_beast@lemmy.ml (OP) · ↑4 · 3 years ago

      The above password is 28 characters long with special characters. In the meme, the password length is 128 but with no special characters. If you add special characters, the password will be strong.

      But still, I think the password strength tester needs improvement.

      • yxzi@lemmy.ml · ↑1 · edited · 3 years ago

        Another advantage is that you can type your password with someone looking straight at your keyboard, but it’s too long (+ random) to memorize

  • Torrid@lemmy.ml · ↑1 · 3 years ago

    the password restrictions for some sites have always been a bit strange to me. Hadn’t we already discovered that passwords that consist of actual words and phrases tend to be harder to crack? I think it has to do with the fact that brute force attacks are far less likely to arrange letters in a way that matches a series of legitimate words and far more likely to use jumbled nonsense.

    https://www.bbc.com/news/technology-40875534

        • roastpotatothief@lemmy.ml · ↑3 · 3 years ago

          I think he came up with the idea originally, of using common words like this.

          Because they really do have higher entropy, even if the attacker knows you are using common words and what dictionary you are using. Most modern systems (like bitcoin keys etc) use this idea now.

    • Gamerie@feddit.de · ↑1 · 3 years ago

      No. Words are just easier to remember. It’s about probability. If you only use lowercase characters, it’s 1 in 26, with upper case 1 in 48, with numbers 1 in 58. With weird chars, I don’t know. If you now take one English 6-char word and compare it to a random string with 6 chars, which one is more secure? But, if you compare 6 characters with 6 words, then it’s not that easy. But random chars will always be more secure if both passwords have the same size. But it might be easier for you to remember 12 words than 12 signs. The probability is so low, who cares if it’s 1 or 2 quadrillion years?

    • DPUGT2@lemmy.ml · ↑0 · 3 years ago

      I think it has to do with the fact that brute force attacks are far less likely to arrange letters in a way that matches a series of legitimate words and far more likely to use jumbled nonsense

      That’s plainly false if we are talking about machine-generated brute forcing. Any sequence of equal length is equally likely, generally. Furthermore, if someone artificially restricts it to narrower patterns and someone can guess that is the case, the machine generated brute-forcing has an easier time. Dictionaries exist and can be used.

      The only reason to make this claim is if you’re irrationally married to the idea of typing in your password. At that point, it can no longer be a properly strong password (a hundred characters of random garbage), and so it must be a weaker password you can remember (some long string of words). And then you need to justify it with nonsense.

      Get a goddamned password manager already for fuck’s sake.

      • Torrid@lemmy.ml · ↑0 · 3 years ago

        actually, script automated brute forcing would be better at guessing randomized characters for passwords. Modern dictionaries integrated into an automated brute force attack tend to be an indexed list of the most commonly used passwords (#1 for some time now has been variations of, surprise: f*ck)

        the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful, no matter what. The attacking script will typically not be compiling a series of every single (for this example let’s say English) word in a random order, but is typically doing an exponential increment of each character bit in a sequence until a success pattern has been reached.

        Obviously a password manager is great to maintain the sheer number of passwords a person these days requires, but the notion that 28 random characters is safer than a random series of words equating to 28 or more characters is plainly false. By your own admission, any length is equally likely to be cracked, as it is a time-dependent break. One is just more likely to take longer than the other.

        • DPUGT2@lemmy.ml · ↑1 ↓1 · 3 years ago

          actually, script automated brute forcing would be better at guessing randomized characters for passwords.

          No. It wouldn’t. It’s neither better nor worse at anything. If you’re unfamiliar with programming, it’s difficult to understand, but I’ll try to explain it to you…

          No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That’s why it’s called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don’t look random to you at all.

          By choosing words as your password, if someone can guess that this is what you’ve done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages’ dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.

          This reduces the number of passwords that you can have chosen by some ridiculously large number.

          It’s literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords… assuming someone can guess that that’s what you did. And it’s not much of a guess even, considering that you blather all over the internet about how you think it’s a smarter approach.

          the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful,

          That’s not even how this works. It’s not 1986, you’re not Matthew Broderick hacking into WOPR.

          Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren’t complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).

          The website it was stolen from has at least taken measures that they can’t get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you’re a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they’re remembering their passwords, I know they don’t have eidetic memory and know 50 unique passwords by heart. They’re remembering one.

          So once they brute-force the hash, they’ve got most or all of your passwords (maybe literally not all, you probably think you’re clever by having two or three slight variations on it like “every word in it starts with uppercase!” or some shit like that). And it’s a lot easier to brute-force this when you assume that they used dictionary words.

          Here’s where you bust out with “but now you’re full of shit DPUGT, because I didn’t mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!”.

          Except you’re still wrong. That fucking website truncated the password (and always truncates, since you didn’t notice), or it has a maximum password length (don’t ask, I have no explanation, this is so far off in WTF territory that I give up).

          And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.

          You tried to be clever with passwords, which is what all stupid people do.

          1. All your passwords have to be different. They shouldn’t even reuse sequences longer than 2 or 3 characters, and those only by accident.
          2. You have 50+ passwords (my count’s something like 300+ and always going up).
          3. They should all be long as hell. Ideally 50-100 characters or more. This means they’re also untypeable from a practical point of view.
          4. They should never be written down anywhere, digitally or physically.

          And, if we were making rules for websites/accounts, they shouldn’t limit possible passwords. No maximum lengths, no “can’t use that character”. Like why not? They shouldn’t be storing the damned password in plaintext, the hash should be hex and fixed length anyway. But can’t do anything about that.

          Once you understand these rules, there is only one correct way to do passwords. And it’s not setting a new one every 6/10/12 weeks. It’s not 2FA. It’s not any of the garbage everyone always repeats as if it were wisdom.

          It’s Get a goddamned password manager already.

          • Torrid@lemmy.ml · ↑1 · 3 years ago

            There’s no need to get so emotionally heated. You’re making a lot of personal assumptions about me and my actions, and projecting information I never included in my comments. I also don’t appreciate you being so condescending. I’m familiar with coding, and there was really no reason for you to be so rude. That being said, there’s no sense trying to discuss things with someone like you.

            I hope you heal whatever part of you felt it was alright to fly off the handle like that.

    • AgreeableLandscape@lemmy.ml · ↑2 · edited · 3 years ago

      IMO, the fact that the “how long to crack” metric on password managers never states the assumptions and parameters it uses means that its validity is dubious at best.
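
The entropy argument in this branch (Gamerie’s comparison of random characters against words, and DPUGT2’s point that an attacker who knows you used dictionary words guesses whole words rather than characters), together with the complaint above that crack-time meters never state their assumptions, worked through as an added example that is not part of the thread. The word-list size, character set, guess rate and average word length are assumptions chosen for illustration, and the tiny word list is a constructed stand-in for a real one.

```python
import math
import secrets
import string

# Assumed parameters (constructed for this example, not from the thread):
DICEWARE_SIZE = 7776                     # size of a standard Diceware word list
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SECOND = 1e10                # assumed throughput against a fast unsalted hash
# Tiny constructed stand-in for a real word list, only to exercise the generator.
SAMPLE_WORDS = ["acorn", "basalt", "cello", "dune", "ember", "fjord", "gable", "hazel"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to guess a uniform secret: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second

def compare(word_count: int, char_count: int) -> dict:
    """Entropy of a random passphrase versus a random string under two attacker models.
    'knows_scheme' is the dictionary attacker from the thread, guessing whole words;
    'naive' treats the passphrase as arbitrary lowercase letters, which is what a
    meter that states no assumptions effectively does, and why its estimate is inflated."""
    approx_letters = word_count * 5       # rough average word length; constructed assumption
    return {
        "passphrase_knows_scheme": entropy_bits(DICEWARE_SIZE, word_count),
        "passphrase_naive": entropy_bits(26, approx_letters),
        "random_string": entropy_bits(len(CHARSET), char_count),
    }

def make_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> tuple:
    """Passphrase from a CSPRNG; entropy is counted against the list actually used."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return " ".join(words), entropy_bits(len(wordlist), word_count)

def make_random_string(length: int) -> tuple:
    """Random printable-ASCII password from a CSPRNG, password-manager style."""
    pw = "".join(secrets.choice(CHARSET) for _ in range(length))
    return pw, entropy_bits(len(CHARSET), length)

if __name__ == "__main__":
    # 6 Diceware words and 12 random printable characters land within ~1 bit of each other
    # once the attacker knows the scheme; the naive model overstates the passphrase by ~60 bits.
    for label, bits in compare(word_count=6, char_count=12).items():
        years = expected_crack_seconds(bits) / (3600 * 24 * 365)
        print(f"{label:24s} {bits:6.1f} bits  ~{years:.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
    print(make_passphrase(6))
    print(make_random_string(12))
```

Changing GUESSES_PER_SECOND by a factor of a thousand (a slow salted KDF versus a raw fast hash) moves every "years to crack" figure by the same factor, which is exactly the unstated parameter the meter hides.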

    • mekhos@lemmy.ml · ↑1 · 3 years ago

      While you make a fair point with your referrer codes in this link, they should be removed completely for lemmy.

      • AgreeableLandscape@lemmy.ml · ↑2 · edited · 3 years ago

        It can be used to uniquely identify the origin (Lemmy and/or other places OP posted this link). So even though it’s insulting, the referral links are still doing their job.

  • OsrsNeedsF2P@lemmy.ml · ↑0 ↓1 · 3 years ago

    Don’t have a link on hand, but studies have shown being overly generous with the password meter is the only way to significantly increase password strength.

    But Lemmy and improved UX? Nah, not happening.