How valid is this for choosing your passwords?

Attached: password_strength.png (740x601, 91K)

>what are dictionary attacks

>not using your foreign name and favorite anime's romanized title

dumb idea. Many websites/software/etc. have different requirements for making a password, so most of the time you have to stick in numbers or weird symbols anyway

But what if the dictionary is made by weaboos?
I use three languages in my password and a bunch of symbols.

That comic is pretty out of date (10+ years? I feel old). Decent password crackers and rainbow tables can handle both those types of passwords now.

If you want a password that is hard to crack, you have to go long, fully random, alphanumeric+symbols

That being said, passwords are a losing prospect in the long term. TFA/MFA is the only solution.

why not use something really fuckey?
here I'll make one

G4tbqtfe_

actual gibberish and you can force yourself to remember it with repetition

They can't crack ESLs' passwords.

bought some dice just to make a few diceware passphrases for gpg/ssh/luks
then I let my password manager generate them for all the bullshit that requires an account

How many passwords like this can you remember?
>inb4 I only use one password

the whole point is that each extra character is more entropy than just using symbols and also balances human ease of use

I can remember the password seventeenchargerearbudbook really easily and it's still a lot of entropy

it's good, but does anything beat just regularly changing passwords?
I think it's fail-safe, anyone know better?

Attached: loadout.png (720x503, 610K)

and no those aren't just things on my desk baka

>But what if the dictionary is made by weaboos?
>They can't crack ESLs' passwords.

The good dictionaries are made by crawling the web so they pick up all the other languages, slang, phrases, sayings, misspellings, etc.

>seventeen
>charger
>earbud
>book
Those are all in any basic dictionary you fool

>all a cracker has to do is open a dictionary to crack your password

shit you got me

is this any better?

What they can't pick up are those phonetic approximations for English speakers. Like Luftwaffe - looft-vah-fay

I might be wrong, but for someone to even try to brute-force your password they have to have the database, right?

Without the database, even the shitty passwords are safe because almost every website has a login attempt limit.

what about some non-real words that you can remember?

flopypistopolgofuckyourself

?

This is the best idea, choose a long phonetic word that won't be in any dictionary.

In a 7000-word dictionary (like diceware) that is still 7000^4, which is still probably better than most state-level governments could crack

this sounds like the right idea, non-real words in a long string of characters

Attackers can compensate for this now. Steve Gibson's password haystacks are more resilient and have a nice balance of security / memorability.

grc.com/haystack.htm

Now to be clear, this is still less secure than an all-random password. But if you're looking for something like your picture the haystack is as close to the best of both worlds as you can get.

>sign up for something
>the password has to have 1 uppercase letter, 1 number and 1 symbol
>close tab

They don't use the website to directly try to log in. They get hashes from a hacked password database and run a dictionary or other type of attack against those. They then have a user's password for that site, and some people (read as most) use the same password everywhere, so they can access other sites using it.

No, you are missing the point. As soon as someone online starts doing it (all the pajeets in India), the spiders pick it up and put them in the dictionary

thank you for the first valid answer in this thread

>grc.com/haystack.htm
Steve Gibson needs to leave the 1980s and join us in modern times, because people don't crack passwords this way anymore. Not really, anyway. He also needs to stop coding in assembly if he wants other people to care.

Hey thanks user!

Attached: tumblr_m8ksxdlqqo1qzbqw1o1_1280.png (779x588, 524K)

I get your point, what I'm saying is that it's highly unlikely that someone would phonetically transcribe a foreign word in English. I know it happens, but the more obscure the source language is and the more non-generic the source word is, the more unlikely it will be to find that transcription on the Internet.

...

Do you guys really think someone will spend thousands of $$$ to rent a supercomputer to brute-force your password?

lmao get a fucking grip, the only way you will ever get hacked is if a database leaks and you're a dumb idiot that uses the same password for everything

>you're a dumb idiot that uses the same password for everything
ummmmmmmmmmmmmmm

>Steve Gibson needs to leave the 1980's
Yes.

>because people don't crack passwords this way anymore

They don't? As far as I'm aware actual password cracking is still done through hash matching and/or brute force, both of which this password style protects against.

Now phishing and keyloggers are real things, but no password scheme can protect against that.

So fucking what? It'd still take forever to get all the words correct and in the right order.

Valid. But mostly use that as your pw wallet pw and just generate the rest.

yeah but you can spice it up a bit and protect against that shit so why not?

Actual hash matching/brute-forcing is only done by governments because it costs thousands of dollars to do.

Your average Russian/pajeet can't afford to brute-force anything.

just don't be retarded and use a password manager

Every time someone posts this, someone who thinks they are clever posts "what is a dictionary attack". The calculations for time to brute force are BASED on the assumption that a dictionary attack will be used. Did you even engage one god damned braincell before you posted this. Please stop.

use md5 value for your password

Lol retard. Anyone can literally make millions of attempts and rainbow tables (except writing rainbow tables is limited by IO speed)

Yes it is pretty valid. I have long recommended multiple word combos with spaces. Works great and very easy to remember.

Right, but I'm still not sure what the person I was replying to was getting at when they said "people don't crack passwords this way anymore".

As far as I can tell to actually crack a password you need one of those two approaches. If you're just looking to get past security then things like phishing and exploits enter the mix. But if you have a password hash and it's not a weak hashing method then those are basically the only options.

>the current state of Jow Forums

when will it end?

>They don't? As far as I'm aware actual password cracking is still done through hash matching and/or brute force, both of which this password style protects against.
The basic flaw here is the assumption they are going after individual accounts, which isn't the case in most situations.

>brute force
This is really only done for high-value accounts now. Trying to go after weak admin or CEO accounts etc. Otherwise it isn't worth the time or effort

>hash matching
This is what people do, but they aren't looking at individual hashes, they are looking at bulk dumps, getting email/password pairs from those, and trying them on other sites.

So looking at your password going "it would take 1000 years to crack this" is stupid because if it is already in someone's table, then it's a constant time lookup, not years.

The only useful metric for password strength is: "how likely is this to already be in a table?".

I didn't believe you, but apparently there are 175,000ish words in English, and 4 of them together results in 39,077,436,211,953,100,000 permutations per this site: stattrek.com/online-calculator/combinations-permutations.aspx

Even with a massive cracking array it'd take a week or more. For most systems it'd take centuries. And that's if you go in knowing it's 4 english words with no funny capitalization and no extra characters. Not knowing that, it'd take much longer.

It would probably actually work as a password. I'd still throw a symbol in but it would work.
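An added calculator (not code from the thread) for the search-space figures traded above: each scheme is treated as ordered choices with repetition, so bits = choices × log2(set size), and the two guess rates are assumed round numbers for an unsalted fast hash versus a slow KDF, not measurements.

```python
import math

# Assumed guess rates (round numbers for illustration, not measurements): an
# unsalted fast hash on a GPU rig versus a deliberately slow password KDF.
GUESS_RATES = {"fast hash on GPU rig": 1e11, "slow KDF": 1e5}

# Schemes argued over in the thread: (label, size of the choice set, number of
# choices). The comic's list is ~2^11 words; real Diceware uses 7776 (6^5).
SCHEMES = [
    ("comic: 4 words from 2048", 2048, 4),
    ("4 Diceware words (7776-word list)", 7776, 4),
    ("6 Diceware words (7776-word list)", 7776, 6),
    ("4 words from a 175,000-word dictionary", 175_000, 4),
    ("8 random printable ASCII characters", 95, 8),
    ("9 random printable ASCII characters", 95, 9),
    ("12 random printable ASCII characters", 95, 12),
]

def entropy_bits(choice_set: int, choices: int) -> float:
    """Entropy of `choices` items drawn uniformly and independently (ordered,
    repetition allowed) from `choice_set` items: choices * log2(choice_set)."""
    return choices * math.log2(choice_set)

def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst case: time to try every candidate. Expected time is half of this."""
    return 2.0 ** bits / guesses_per_sec

def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, span in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} s"

def report() -> list:
    """Print one line per scheme and return the (label, bits) pairs."""
    rows = []
    for label, n, k in SCHEMES:
        bits = entropy_bits(n, k)
        rows.append((label, bits))
        times = "   ".join(f"{name}: {humanize(seconds_to_exhaust(bits, rate))}"
                           for name, rate in GUESS_RATES.items())
        print(f"{label:<40} {bits:5.1f} bits   {times}")
    return rows

if __name__ == "__main__":
    report()
```

Note that four Diceware words land at roughly the same entropy as eight random printable characters; which is "enough" depends entirely on the hash rate an attacker can reach against the stored hash.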

Fine then. Elaborate on why and how it is so fucking hard and costly to write a loop to calculate and match hashes. Then go educate yourself on how many calculations current CPUs can do per second and how easy GPU acceleration is.

I'm not sure you understand how large rainbow tables are, windows baby with no CS education

There are only a few thousand common words that people are likely to choose.
> no funny capitalization and no extra characters
Doesn't add as much entropy as you'd think because text is already low entropy. Don't believe me? Look at the compression ratio on large text files. Password crackers can handle this as well given an input dictionary of words.

How many password+hash pairs can you realistically store on an HDD?

no

Lol storagelet. Seriously complaining about storage? The cheapest fucking pieces?
CS brainletism at its finest.

As some user said a while ago, a mixture of brute-force- and dictionary-resistant memorable passwords is the best way to go. Your pic related is resistant to brute-force attacks but not so much to dictionary attacks.

ie: f+u-c+k-w+a-d+

Attached: 1521051919208.jpg (1600x1132, 1.11M)

>How many password+hash pairs can you realistically store on an HDD?
Why would I store my tables on a hard drive when I'll be cracking the dumps in the cloud?

I'm not personally complaining about storage. It's adding to the point the other poster made, it's an obstacle for pajeet braincels like yourself hehe

"words are in the dictionary!!1"
>I don't understand the difference in entropy between an entropy space of ~50 characters and 14000 different words

"rainbow tables"
>I don't understand salts

"what about a complex but short password?"
>I don't understand that all passwords below a certain length (typically 9) can be bruteforced on common retail graphics cards in only a few hours

Thanks for the reassurance that the majority of you have no fucking clue what you're talking about.

Attached: 5bda236a06d5b3133344f43feeee732a.jpg (236x323, 14K)

I remember a few months ago some guy with 12 GTX1080s was running them 40 days 24/7 without luck using hashcat/hashview, and he had to let it go because of power bills. So yeah, fuck off, idiot

inb4 gimme sauce, it's on reddit somewhere, google it

thanks for the reddit spacing

>r-reddit!
you sure proved him wrong

>>I don't understand salts
To be fair, a lot of things still don't salt.
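An added illustration (not code from the thread) of the salt point: the same constructed set of accounts stored with a fast unsalted hash and then with a per-user salt plus PBKDF2 (the iteration count is an assumed work factor). Unsalted, equal passwords produce equal digests, so a dump exposes who shares a password and a single precomputed entry matches every one of them; salted, neither holds.

```python
import hashlib
import os
from hmac import compare_digest

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example; raise it in production

def hash_unsalted(password: str) -> bytes:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).digest()

def hash_salted(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Stronger scheme: per-user random salt plus a slow KDF. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return compare_digest(hash_salted(password, salt, iterations)[1], digest)

def repeated_digests(digests) -> int:
    """Count stored digests that repeat an earlier one. In an unsalted dump every
    repeat is the same password, so one table entry opens all of those accounts."""
    seen, repeats = set(), 0
    for d in digests:
        repeats += d in seen
        seen.add(d)
    return repeats

# Constructed sample dump: three accounts, two of which chose the same passphrase.
USERS = [("alice", "correct horse battery staple"),
         ("bob", "correct horse battery staple"),
         ("carol", "seventeenchargerearbudbook")]

def demo() -> dict:
    """Compare how the same accounts look under the two storage schemes."""
    unsalted = [hash_unsalted(pw) for _, pw in USERS]
    salted = [hash_salted(pw)[1] for _, pw in USERS]
    # A one-entry precomputed table (constructed) keyed by the unsalted digest.
    table = {hash_unsalted("correct horse battery staple")}
    return {
        "unsalted_repeats": repeated_digests(unsalted),   # 1: bob's digest == alice's
        "salted_repeats": repeated_digests(salted),       # 0: different salts
        "table_hits_unsalted": sum(d in table for d in unsalted),  # 2
        "table_hits_salted": sum(d in table for d in salted),      # 0
    }

if __name__ == "__main__":
    print(demo())
```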

wasn't arguing against him. everything he said is right but he's still a redditsoy

Oh, I see. Yeah you're not wrong but the situation doesn't really change just because they're efficient in their brute forcing.

Like if I cut through wood with a handsaw or a power saw, the idea that wood is being carved away into a desired shape or cut still applies. And the core concept still applies here with password cracking.

If someone gets a dump and looks for hashes, that information was still generated somewhere and even if it's all one massive central system processing the hashes it would still take as long as the password strength generators say to get to that point.

I agree with you almost entirely though, and your point of how likely a password is to be in an existing table is spot on. However, it also means that password cracking hasn't changed - which was the only thing I was actually complaining about.

Even a little extra entropy adds a lot of password permutations to run through. And on top of that, the assumption is still that you go in knowing what the structure of the password is which most attackers wouldn't.

>spacing out different replies is redditposting
back to frogposter

last time i used pol was in 2012 and have never used pepe, sorry redditsoy but you have to go back. bringing up pol outs you as a soyboy

>Muh dictionary attacks

How the fuck does that even work if you're using multiple words, it's not like the program is going to return whether one word is "correct" and then keep trying CorrectHorse X Y

Really? Sounds like you'd fit right in.

sounds like you fit in on reddit, freshman cs major

>name calling on both sides, even from the guy who accused the other of name calling

the absolute state of this thread

So, ad hominem instead of argument.
Are you a girl?

Attached: 707px-Graham's_Hierarchy_of_Disagreement-en.svg.png (707x530, 109K)

the absolute state of reddit spacing on Jow Forums.org. you do know this site is 18+, right?

I usually recycle old passwords by adding random stuff like words or symbols into it. I don't see why people are having such a hard time remembering new passwords, just typing them 20-30 times is enough for muscle memory anyway.

That comic is so stupid, it's like he doesn't know the first thing about cracking codes.

I stopped replying. you can't help ""soy"" posters with their delusions

So, another reddit reply to somehow prove you're not a shit eating redditor. Have you had your soylent yet this evening? you're not you when you're hungry

I'm sorry

what?

No reply = mad
if you're not mature enough to handle dissenting opinions then you're not old enough to use this site

good on you. high road wins every time

samefagging

Attached: Mussolini3.jpg (246x400, 18K)

meant for

all me xd

>dissenting opinions
>whining like a child and screaming SOOOYYYY is an opinion

please go back

are you mentally ill? learn to read, fag
xd = under 18
please review the rules before continuing to post on Jow Forums.org
Jow Forums.org/rules

Attached: Screenshot 2018-04-16 20.38.37.png (666x380, 147K)

it is my opinion that you're a shit eating fag for using reddit spacing on Jow Forums. sorry if that upsets you, soy

>30 posts to deal with someone's autistic outburst over the spacing in a post

>freshman cs major
You must be projecting. I dropped out and joined a startup ~10 years ago

>name calling.
i agree with what you were saying though

It's valid. The only problem is that people don't choose from a large enough sample of words if you just ask them to come up with it on their own; they're probably taking it from ~500 popular words depending on their literacy, and even from those not very randomly. The basic principle is good, choosing a diceware passphrase is as good as it gets.
world.std.com/~reinhold/dicewarefaq.html

>startup
avatar posting is against the rules, please review Jow Forums.org/rules before continuing to post

Attached: thesoylentgrin.jpg (620x465, 70K)

>There are only a few thousand common words that people are likely to choose.

Massive assumption that people are only generating these passwords using their own everyday vocabulary. Most likely they'd pull from a dictionary. Hence you could end up with words like "furuncle", which most people have never heard of, but once known are memorable.

>deleted

>pjw watcher is horribly autistic
not surprised

Attached: 07a940a6a7d1f7d72de62be0a7dbc96ed3ceab1423827a6fd296107a3e35a0ac.jpg (1024x923, 156K)

>pjw watcher is horribly autistic
i don't know what that is, are you some kind of schizo or something?

>he won't stand by his daddy

still don't know who that is, googling the initials brought me to a youtube channel but i have youtube blacklisted on my network. sorry but I don't waste my time on websites for children

>he blocks youtube but not google
>larping this hard

google as a neologism for making an internet search, sorry stallman but I'm not going to say "duckduckgoing the initials", sperg

Even with dictionary attacks/rainbow tables/whatever else, a few easy non-dictionary modifications could probably push any password to reasonably uncrackable
Add something like "lincucks" or "ganoo" or really any slang and you should be fine

Literally just copypaste a Shakespeare sentence. No fucking way a bot with a dictionary attack will be able to come up with that, and it's easy to remember too.