• @AgreeableLandscape
      11
      2 years ago

      Centuries could become years which could become days depending on how computing progresses. We’re just trying to make sure your account is secure in the Post Singularity era :P

      Just ignore the fact that the actual user data like posts and comments are plaintext in the server.

    • Arthur BesseMA
      11
      2 years ago

      That’s amazing! I’ve got the same combination on my luggage.

    • @the_tech_beast (OP)
      8
      2 years ago

      The above password is 28 characters long with special characters. In the meme, the password length is 128 but with no special characters. If you add special characters, the password will be strong.

      But still, I think the password strength tester needs improvement.

    • @Kuko
      1
      11 months ago

      deleted by creator

      • @yxzi
        2
        2 years ago

        Another advantage is that you can type your password with someone looking straight at your keyboard, but it’s too long (+ random) to memorize

        • @Kuko
          2
          11 months ago

          deleted by creator

    • mekhos
      2
      2 years ago

      While you make a fair point with your referrer codes in this link, they should be removed completely for lemmy.

      • @AgreeableLandscape
        2
        2 years ago

        It can be used to uniquely identify the origin (Lemmy and/or other places OP posted this link). So even though it’s insulting, the referral variables are still doing their job, but we don’t want them to be able to do that.

  • @poVoq
    4
    1 year ago

    deleted by creator

  • @OhScee
    3
    2 years ago

    deleted by creator

      • @OhScee
        3
        2 years ago

        deleted by creator

        • @roastpotatothief
          3
          2 years ago

          I think he came up with the idea originally, of using common words like this.

          Because they really do have higher entropy, even if the attacker knows you are using common words and what dictionary you are using. Most modern systems (like bitcoin keys etc) use this idea now.

    • @DPUGT2
      1
      2 years ago

      > I think it has to do with the fact that brute force attacks are far less likely to arrange letters in a way that matches a series of legitimate words and far more likely to use jumbled nonsense

      That’s plainly false if we are talking about machine-generated brute forcing. Any sequence of equal length is equally likely, generally. Furthermore, if someone artificially restricts it to narrower patterns and someone can guess that is the case, the machine generated brute-forcing has an easier time. Dictionaries exist and can be used.

      The only reason to make this claim is if you’re irrationally married to the idea of typing in your password. At that point, it can no longer be a properly strong password (a hundred characters of random garbage), and so it must be a weaker password you can remember (some long string of words). And then you need to justify it with nonsense.

      Get a goddamned password manager already for fuck’s sake.

      • @OhScee
        1
        2 years ago

        deleted by creator

        • @DPUGT2
          0
          2 years ago

          > actually, script automated brute forcing would be better at guessing randomized characters for a passwords.

          No. It wouldn’t. It’s neither better nor worse at anything. If you’re unfamiliar with programming, it’s difficult to understand, but I’ll try to explain it to you…

          No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That’s why it’s called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don’t look random to you at all.

          By choosing words as your password, if someone can guess that this is what you’ve done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages’ dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.

          This reduces the number of passwords that you can have chosen by some ridiculously large number.

          It’s literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords… assuming someone can guess that that’s what you did. And it’s not much of a guess even, considering that you blather all over the internet about how you think it’s a smarter approach.

          > the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful,

          That’s not even how this works. It’s not 1986, you’re not Matthew Broderick hacking into WOPR.

          Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren’t complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).

          The website it was stolen from has at least taken measures that they can’t get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you’re a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they’re remembering their passwords, I know they don’t have eidetic memory and know 50 unique passwords by heart. They’re remembering one.

          So once they brute-force the hash, they’ve got most or all of your passwords (maybe literally not all, you probably think you’re clever by having two or three slight variations on it like “every word in it starts with uppercase!” or some shit like that). And it’s a lot easier to brute-force this when you assume that they used dictionary words.

          Here’s where you bust out with “but now you’re full of shit DPUGT, because I didn’t mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!”.

          Except you’re still wrong. That fucking website truncated the password (and always truncates, since you didn’t notice), or it has a maximum password length (don’t ask, I have no explanation, this is so far off in WTF territory that I give up).

          And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.

          You tried to be clever with passwords, which is what all stupid people do.

          1. All your passwords have to be different. They shouldn’t even reuse sequences longer than 2 or 3 characters, and those only by accident.
          2. You have 50+ passwords (my count’s something like 300+ and always going up).
          3. They should all be long as hell. Ideally 50-100 characters or more. This means they’re also untypeable from a practical point of view.
          4. They should never be written down anywhere, digitally or physically.

          And, if we were making rules for websites/accounts, they shouldn’t limit possible passwords. No maximum lengths, no “can’t use that character”. Like why not? They shouldn’t be storing the damned password in plaintext, the hash should be hex and fixed length anyway. But can’t do anything about that.

          Once you understand these rules, there is only one correct way to do passwords. And it’s not setting a new one every 6/10/12 weeks. It’s not 2FA. It’s not any of the garbage everyone always repeats as if it were wisdom.

          It’s Get a goddamned password manager already.

          • @OhScee
            1
            2 years ago

            deleted by creator

    • @Gamerie@feddit.de
      1
      2 years ago

      No. Words are just easier to remember. It’s about probability. If you only use lower characters, it’s 1 in 26, with upper case 1 in 52, with numbers 1 in 62. With weird chars, I don’t know. If you now take one English 6 char word and compare it to a random string with 6 chars, which one is more secure? But, if you compare 6 characters with 6 words, then it’s not that easy. But random chars will always be more secure if both passwords have the same size. But it might be easier for you to remember 12 words than 12 signs. The probability is so low, who cares if it’s 1 or 2 quadrillion years?

  • @testingthis
    1
    2 years ago

    Does a time estimate for brute force always assume the operation is not parallel?

    • @AgreeableLandscape
      2
      2 years ago

      IMO, the fact that the “how long to crack” metric on password managers never states the assumptions and parameters it uses means that its validity is dubious at best.
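As an added example (not code from this thread, from Lemmy, or from any password manager), the entropy model behind the dictionary-words-versus-random-characters argument in the replies above, together with the guess-rate parameter that testingthis and AgreeableLandscape point out is left unstated by "time to crack" meters; the dictionary size and the guess rates are assumed values.

```python
import math

# Added example (not from the thread): an entropy model for the passphrase-vs-random
# debate above and the guess-rate assumption behind any "years to crack" figure.
# Dictionary sizes and guess rates are constructed assumptions.

def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a dictionary the attacker
    knows: only the choice of entries counts, not the letters inside each word."""
    return word_count * math.log2(dictionary_size)

def dictionary_shortcut_bits(word_count: int, avg_word_len: int,
                             dictionary_size: int, alphabet_size: int = 26) -> float:
    """Bits a dictionary search saves over enumerating every string of the same total
    length (the 'counting up from one' search described in the thread)."""
    naive = random_string_bits(word_count * avg_word_len, alphabet_size)
    return naive - passphrase_bits(word_count, dictionary_size)

def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Mean time to hit the password: half the keyspace at the given guess rate.
    The rate is the unstated parameter in a strength meter's estimate; N machines
    searching in parallel simply multiply it by N."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    cases = {
        "6 random lowercase chars": random_string_bits(6, 26),
        "1 word from a 100k dictionary": passphrase_bits(1, 100_000),
        "12 random printable chars": random_string_bits(12, 95),
        "12 words from a 100k dictionary": passphrase_bits(12, 100_000),
        "128 lowercase chars (the meme)": random_string_bits(128, 26),
        "28 printable chars (OP's example)": random_string_bits(28, 95),
    }
    for name, bits in cases.items():
        # 1e10/s is a constructed single-GPU rate for a fast hash; x1000 for a farm
        print(f"{name:34s} {bits:6.1f} bits  "
              f"{expected_crack_years(bits, 1e10):.3g} y alone, "
              f"{expected_crack_years(bits, 1e13):.3g} y parallel")
    print("3 six-letter words vs 18 random letters: dictionary search saves "
          f"{dictionary_shortcut_bits(3, 6, 100_000):.1f} bits")
```

The table shows both halves of the thread's argument: one dictionary word is weaker than six random letters, twelve dictionary words are far stronger than twelve random printable characters, and every "years" column shifts by exactly the factor the assumed guess rate changes.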

  • @OsrsNeedsF2P
    -4
    2 years ago

    Don’t have a link on hand, but studies have shown being overly generous with the password meter is the only way to significantly increase password strength.

    But Lemmy and improved UX? Nah not happening