Which password is harder to crack?


>hywdCv@7xKtN#lRN!3UN^a76$
or
>correct horse battery staple



We already told you why you're retarded in the other thread, you don't need to start an entire new one just to be told again.

Neither, because the database got dumped when the website left their root password as "apple123"

hunter2

Really depends on which method the attacker is using.

youtube.com/watch?v=2e5tAlelJXc

About 1 second after that XKCD comic, every single password cracking program added a "concatenate X English words" option.

Go learn about information entropy, retard.

Yes they did. If you run the combinations, a 10,000 word wordlist has 10,000^4 combinations.
For a decent sized cracking station (6 1080s), this is still thousands of years.

You need to actually do the maths or you look like a fucking idiot.

The top one is harder to crack by a long way, since it's longer.
But we're talking tens of thousands of years for the second and billions of years for the first.
As it so happens, billions of years is how long it'd take you to remember the top password.

for four words? Yeah, it could work, if it's in English. If. Big if. Huge fucking if.
Because 'correct horse battery staple' can have permutations. Now do that with every single word in the English dictionary. Now include other languages.

If it were easy to crack, then you, my friend would be a gazillionaire just by cracking crypto wallets that use this method for wallet recovery.
Now think if adding such a method will not only slow down the search for nonsense passwords, but also net you nothing with concatenated words.

Top because correct horse battery staple has become such a meme that anybody with half a brain would include it and any common permutations of it in a dictionary attack. Now if you pick any other four words it'd probably be reasonably secure but that one particular combination would be cracked easily.

so?
do you realize how many english words there are? this is no set of 26/36/64 characters, this is picking words out of a list of thousands
you can get away with less words because there's so many more words to choose from than printable characters

The first one
It's also several times harder to remember

There's a lady at my job who's a bit uneducated and mispronounces various words all the time. I've been compiling a sort of dictionary of the funnier ones. I'm thinking of using combinations of them as a password because they are close enough to real words to be easy to remember but the spellings are different enough to avoid dictionary attacks.

eg. she pronounces specifically as "persifically"

I don't want to reveal all of the different words I have catalogued for security reasons but they are pretty funny. If I take the correct horse battery staple approach with these incorrect words I should come up with a pretty safe password no?

Only thing I'd have to worry about is being attacked by someone else familiar with these words which are mostly my other coworkers none of them are technically competent enough to do it nor do they have any reason to care.

Taking the correct horse battery staple approach is already secure because of how large the pool of words is. You using a few words from a tiny pool will result in a password with significantly less entropy.

Even if the pool is only known by a very small number of people and I don't tell any of them I'm using this method to create passwords?

I understand what you are saying. My list is much smaller than a normal dictionary which does make it less secure in a sense but surely that's only true if other people know I'm using this particular approach to generate my password AND they know most or all of the words in my pool.

Both are insanely impossible to brute force but
>hywdCv@7xKtN#lRN!3UN^a76$
would take billions of years to crack instead of thousands for the second.

/thread

There's a reason that the security of a password is generally assessed as if the attacker knows the method you used to generate it.

Let's imagine, as a single example, that you're being targeted by a government actor and they want to crack your password. They start by gathering information on you. Hiro gladly gives them all the Jow Forums posts made from your IP, and they see that one describes your password generation method. They go to your work and interview your coworkers about the words that one of their coworkers pronounces weirdly, and amass a small dictionary that they can use to figure out your password with relative ease.

Meanwhile, you could have just picked 4 random words from a 10k word dictionary, and had a password that's equally impossible to guess without knowledge of the generation method, but still impossible to guess if someone does find out (unlike your invented method). It's also a lot less effort on your part.

Fair point I guess. I don't see myself doing anything that would ever attract that kind of attention from the government but whatever.

>I don't see myself doing anything that would ever attract that kind of attention from the government
That's not the point. The point is that you're expending effort to make your passwords less secure because you don't understand what you're doing.
Realistically, you could make your password "password1000" and it would probably never be cracked because nobody's going to bother to target you. That doesn't mean you should do it. If you want a secure password, choose actually secure generation methods instead of rolling your own broken ones in an effort to be unique.

Cain and Abel could do it a decade before that comic came out

Have fun running through ten quadrillion password hashes with your skiddy software.

When are you retards going to learn that just because a piece of software is capable of generating every possible password from a set of criteria, doesn't mean it's able to do it in a reasonable number of decades?

>being 12 years old

Honest question, do you actually have autism?

>since it's longer.

Literally the same number of characters, retard. You shouldn't be talking about this kind of shit if you can't even fucking count

>taking it literally

What is this, tits for ants?

Are you folks still arguing about this shit after six years?


>1000 guesses per second
Not everyone is breaking passwords on a raspberry pi

(assume [:print:]) 94^25 = 21291013728972415936552909146297350672338464538624
(assume oxford dictionary) 171476^4 = 864596308417753067776


I think it's pretty clear. Password #1 is by far harder to crack than your reddit meme.


db was sha512 hashed and salted with 128 bits
;^)

first one

T-Mobile's isn't:

iyibiwepacuyoh epogiyetocemomik anivotafibav iwayeyevex ocoritug

How does the attacker know that you only used lower case letters?
In a real life scenario, the attacker does not bruteforce anything, so both passwords are equally secure if your attacker is not in your immediate vicinity.

Considering that in 1999 + 19 you should use a password manager, there is no reason to prefer the second one over the first.
correct horse battery staple is still fairly secure, but why compromise when you can use more secure passwords and not even have to remember them?

>what are password managers

botnet

>you should use a password manager
So (((they))) have all your accounts at once?

>what are foss and fully offline managers such as keepass
End yourself, for mankind's sake.

keepassxc nigga

...

>There's a lady at my job whose a bit uneducated and mispronounces various words all the time.
And she's the one who's teaching you grammar?


a single point of failure, you idiot

All eggs in one basket is always the best idea

Not them, but there is such a thing as backing up your data. Flash drives, SD cards, etc.

t. Complete retards who shouldn't be legally allowed to touch any kind of technology in the first place.
Back your shit up, like any other data, and preferably use RAID.

Raid is not a backup!

I know nigga, it's a supplement, not an alternative to backing up. Where did I ever imply it was?

But Käthe assured me that this is fine

Nobody is ever going to brute force your password, you are not important.

The way you get hacked is you use the same password on many services, one of them stores them insecurely, gets hacked, and the hackers test those passwords on various other services too.
Or you get a keylogger or other similar malware on your system.

You don't need to have a "strong" password, you just need to use a different password for every service.


>remember everything
>your own memory is somehow not a single point of failure

You fucking brainlet, it is much easier to crack your keepass password than to crack every account you own

Reread post, I lacked the competency to read your 'and' in part to the lack of a cock in my face, apologies!

Then have THAT randomly generated and remember it through a mnemonic?

this is a good threat model, but rainbow tables are a thing.

But you need to have the database in the first place to do so, it's not as simple as hacking an online account. Also

>not as simple as hacking an online account
lol, hacking an online account does not involve bruteforcing.

>what are password managers
You still need to enter a password to use a password manager. They don't eliminate password memorisation, they just minimise it.

>occasionally feeling the tip of your finger slightly touching your asshole doesn't eliminate getting fucked in the ass, just minimizes it
That's a man who gets the proportion thing just right, congrats


It's just using the same baseline for both.

The first, because if you're brute-forcing then the space character will be treated just like a 22nd alphabet letter. It makes very little difference in cracking, since it's a common password trend to use sentences instead of single strings nowadays and the skids know it, just like they know when to use dictionary-based cracking.

The first password on the other hand requires multiple character tables, including the 2 basic tables needed for the second password, for brute-forcing.


>22nd
27th*

Why stop there? Use characters from other obscure languages.

Okay, tell me how you gonna not have a single point of failure with passwords? I hope you don't have all accounts tied to one mail.

>The first
No shit, Sherlock.

>only remembering one password isnt that much of a benefit over having to remember tens of passwords

>implying i ever said "bruteforcing"
Learn to read.

First one has a lot more entropy so is harder to crack.

2nd is much easier to crack, especially when you use advanced methods (based on human behaviour) and GPUs.

Your best option is to use something like keepass and have it generate passwords > 20 characters in length with all of the characters.


null-byte.wonderhowto.com/news/beast-cracks-billions-passwords-seconds-0172287/

>only remembering one password isnt that much of a benefit over having to remember tens of passwords
That's not what I meant. I meant that the existence of password managers doesn't make discussion of password memorisation and strength irrelevant.

True, but again, memorizing ONE strong, secure password is much easier than memorizing ALL of them.
I don't know about you, but I use over 50 passwords regularly. While I COULD come up with a secure password for each one of them, remembering them all is simply not an option.
But with a manager, I can focus on creating and remembering only one of them, and have all other passwords automatically generated and remembered for me.

The bottom password is longer if you include the spaces

It's a questionable baseline to use given today's computing power and the ability for people to use cloud computing clusters in parallel on a whim. For all intents and purposes, a person could easily be making billions of guesses per second as opposed to 1000/sec if they really wanted to.

>Its a questionable baseline to use
It's irrelevant to the point of the comic, which is about relative strength and memorisation effort.

>For all intents and purposes, a person could easily be making billions of guesses per second as opposed to 1000/sec
Only if you assume they're attacking something utterly broken.

>what is memory palace
>what is using a password manager like KeyPassX like a sane person.

>The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use, and 47,156 obsolete words.
It's going to take a while, but in the end it's still only about as hard to figure out as an 11-character password with all features. Less if I missed some candidates.

In real world terms, you're probably going to be a dumbass and pick words other people can take an educated guess at. And you're also not going to remember the password above, so you'll be using a manager for that one with an easier to crack key - or keep it in a plaintext file on your desktop.

>In real world terms, you're probably going to be a dumbass and pick words other people can take an educated guess at.
The point of pass phrases is to pick words randomly. If you're not going to do that, you may as well just use "Password1!".

Good luck guessing which passwords follow that pattern.

Normally the one containing words, but in your case the examples are so extreme (quite long vs. very short) that the first one might come out on top.

A few important things to remember:
- If you calculate the entropy of a password, mathematically, the size of the set you pick from is more important than the number of picks you make. For normal purposes, choosing 6-8 items (words, with spaces between) from a set of 7000 should give you a high enough entropy to consider the password safe. That's why creating a DICEWARE password is not a bad idea.
- For those calculations to be correct, you have to choose RANDOMLY. No patterns that help you create the password, no part you always use that stays the same, no weird "rules" about creating a more "secure" password, unless you apply them RANDOMLY. If it's one password, try and create a story with the randomly chosen words. If you have more than one password to remember, use a generator like Keepass.
- Don't reuse passwords, and change them quickly after a breach or leak. Another reason why password generators are a good idea, makes it easy.
- All this doesn't matter when the attackers KNOW something about you. Don't forget that the LOWEST risk comes from somebody trying to bruteforce your password; in a normal setting that's just not worth it if you don't keep state secrets. Instead, worry about an unpatched, insecure system + social engineering.

Also, don't choose the words correct, horse, battery, or staple.
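The entropy arithmetic that several posts above do by hand (94^25 vs 171476^4, the "11-character equivalent", the 1000 guesses/second baseline vs a GPU rig, and the tiny private word pool) is worked out below as an added example. This is not code from the thread or from any poster; the pool sizes for the 94-character printable set, the 10,000-word and 171,476-word lists and the 7,776-word diceware list are the ones quoted in the thread, while the 30-word "private pool" and the three guess rates are assumptions chosen to bracket the cases being argued about. The point it makes concrete: the entropy of a scheme is fixed by pool size and number of picks, but the years-to-crack figures swing by many orders of magnitude depending on whether the attacker is stuck behind a rate-limited login or is running an unsalted fast hash on GPUs.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed scheme table (assumption for this illustration): (pool size, independent picks).
# The 94-char, 10,000-word, 171,476-word and 7,776-word pools are the ones quoted in the thread;
# the 30-word "private pool" stands in for the mispronounced-word idea discussed above.
SCHEMES = {
    "25 random printable chars":            (94, 25),
    "4 words from a 10,000-word list":      (10_000, 4),
    "4 words from the OED (171,476 words)": (171_476, 4),
    "6 diceware words (7,776-word list)":   (7_776, 6),
    "4 words from a 30-word private pool":  (30, 4),
}

# Guess rates are assumptions: the comic's 1000/s online figure, and two GPU
# figures for an unsalted fast hash such as a single SHA-512 round.
GUESS_RATES = {
    "rate-limited online login":      1e3,
    "one GPU, unsalted fast hash":    1e10,
    "six-GPU rig, unsalted fast hash": 6e10,
}


def entropy_bits(pool: int, picks: int) -> float:
    """Entropy of `picks` uniform, independent choices from `pool` items."""
    return picks * math.log2(pool)


def expected_crack_seconds(pool: int, picks: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return (pool ** picks) / 2 / guesses_per_second


def equivalent_random_chars(pool: int, picks: int, charset: int = 94) -> int:
    """Length of a fully random `charset` password with at least the same entropy.
    The small epsilon keeps floating-point noise from rounding 25.0000001 up to 26."""
    return math.ceil(entropy_bits(pool, picks) / math.log2(charset) - 1e-9)


def compare(schemes=SCHEMES, rates=GUESS_RATES):
    """Rows of (scheme, bits, equivalent random length, {rate name: expected years})."""
    rows = []
    for name, (pool, picks) in schemes.items():
        years = {rate_name: expected_crack_seconds(pool, picks, gps) / SECONDS_PER_YEAR
                 for rate_name, gps in rates.items()}
        rows.append((name, entropy_bits(pool, picks), equivalent_random_chars(pool, picks), years))
    return rows


if __name__ == "__main__":
    for name, bits, eq_len, years in compare():
        print(f"{name:40s} {bits:6.1f} bits  ~{eq_len:2d} random printable chars")
        for rate_name, y in years.items():
            print(f"    {rate_name:32s} {y:12.3g} years")
```

Run it and the "4 words from 10,000" row is the one to look at: about 53 bits, which is around 160,000 years at 1000 guesses/second but under a day at 6e10/second. Whether the second figure is reachable depends entirely on what the attacker is attacking, which is why the "it depends on the method" and "only if the service is utterly broken" replies above are both right. The 30-word pool comes out under 20 bits, so once the word list is known it is gone in seconds at any rate.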

BIG FAT ANIME TIDDIES


Suck it, CIA


qwerty123

Why are you guys acting like not every single service is now protected against bruteforce attacks?

Because that's a good assumption. There's a thread right now about some well known company storing passwords in plaintext. It only takes one shitty service getting owned for your password to get leaked. So you have to use secure, unique passwords everywhere.

you think they are trying to push you dashlane?

>sponsored by Dashlane
It's possible

What about concatenating random posts from r9k?


But user, that has nothing to do with bruteforce attacks.

You could have the world's best password, but if it's stored in plain text format it won't do any good.

>hywdCv@7xKtN#lRN!3UN^a76$

like that isn't going to end up on a sticky note on someone's monitor

Nig

Fuck off ledditor.

Rainbow tables... do you know about them, you shithead? No? They are used when an online DB with encrypted passwords is pwned, so you don't have to even brute force the hash... Only if your password is strong enough can you be sure an idiot script kiddy will not get access to your account and your original password leaked.
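The precomputation point made in the post above, and the earlier "sha512 hashed and salted with 128 bits" reply, are shown side by side in the added example below. It is not code from the thread; the five-word list is a constructed stand-in for an attacker's precomputed dictionary, and the attack is a plain hash-to-plaintext lookup table rather than a real rainbow table (which trades table size for extra hashing along chains, but has the same dependency on the stored hash being a pure function of the password). A per-user random salt breaks that dependency: the table built once offline stops matching anything, and every word has to be rehashed once per user.

```python
import hashlib
import secrets

# Constructed attacker wordlist (assumption for this example, not data from the thread).
WORDLIST = ["password", "hunter2", "qwerty123", "apple123", "correct horse battery staple"]


def unsalted_hash(pw: str) -> str:
    """What a naive service stores: SHA-512 of the password alone."""
    return hashlib.sha512(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    """SHA-512 over salt || password; the salt is stored next to the hash."""
    return hashlib.sha512(salt + pw.encode()).hexdigest()


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random 128-bit salt per user, as the thread's reply describes."""
    return secrets.token_bytes(nbytes)


def build_lookup_table(words):
    """Attacker's precomputation: hash -> plaintext, done once, reused against every dump."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash: str):
    """Instant recovery if the stored hash is a function of the password alone."""
    return table.get(stored_hash)


def crack_salted(words, salt: bytes, stored_hash: str):
    """Against a salted hash the table is useless; the list must be rehashed for this salt."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


def hashes_required(num_users: int, num_words: int, salted: bool) -> int:
    """Hash computations to test every word against every user's stored hash."""
    return num_words * (num_users if salted else 1)


def demo(pw: str = "hunter2"):
    """Returns (table hit on unsalted hash, table hit on salted hash, salted brute-force result)."""
    table = build_lookup_table(WORDLIST)
    hit_unsalted = lookup(table, unsalted_hash(pw))
    salt = new_salt()
    hit_salted_via_table = lookup(table, salted_hash(pw, salt))
    recovered = crack_salted(WORDLIST, salt, salted_hash(pw, salt))
    return hit_unsalted, hit_salted_via_table, recovered


if __name__ == "__main__":
    print(demo())
    print("hashes for 1,000,000 users x 10,000,000 words, unsalted:",
          hashes_required(1_000_000, 10_000_000, salted=False))
    print("hashes for 1,000,000 users x 10,000,000 words, salted:  ",
          hashes_required(1_000_000, 10_000_000, salted=True))
```

Note what the salt does and does not buy: `crack_salted` still finds "hunter2" because the word is in the list, so salting only removes the precomputation shortcut and multiplies the work by the number of users. The per-guess cost is still one SHA-512, which is exactly the fast-hash case the GPU numbers in this thread assume; a deliberately slow password hash (bcrypt, scrypt, Argon2) is what drives the per-guess rate down, and that is independent of the salt.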

Horse one is easier because it uses dictionary words. The appeal of it is that it's easy to remember but still better than "H0rse245".
If you want the best option: C35rrec@t H@@rs B53attery s111taple

you're a retard.

anyone worth their SALT and PEPPER will be able to take care of this

Don't worry no one gives a shit about you and your retarded coworker

I'm sure the CIA/FSB and all the 3lit3 h4k3rs are coming after your passwords user, you are so important....

I get happy and content when I see big tiddies. Sometimes I want to suck them while playing tux racer or reciting the daily verse from templeOS.

Any password that isn't in a skid 10GB password list is safe to use.

also if some agency really wants your password they will just torture you and your loved ones until you give it to them, much easier