What's more secure: Your own thought up passwords by your puny brain and mind or generated passwords?
So far in my life, I've had:
>0 hacked accounts, made-up passwords
and
>3 lost accounts, generated passwords, keepass doesn't sync or merge databases
Random words selected from a book by rolling dice.
Made a string of characters I will always remember + the name of the service. For example, a mail service
passwordnameofmailservice
For an online store
passwordnameofonlinestore
That way my passwords are easy to remember, long enough to be secure and for everyone the main part of the password is just gibberish.
Wouldn't a computer generated password be easier for a computer to crack?
Generated bullshit will probably always be more secure, but the trade off is that the mind doesn't remember random numbers and letters easily like it does words and phrases.
Passphrases: easy to remember, stupidly hard to break.
The levels of entropy required go up astronomically, but hey, they could always use that $5 lug wrench to beat it out of you.
>10 random numbers and letters
>26 uppercase + 26 lowercase + 10 numbers = 62 characters
>62 ^ 10 possibilities
>four words chosen randomly from a dictionary
>~200 000 words in dictionary
>200 000 ^ 4 possibilities
Not only is the latter far easier to remember, it has 4 orders of magnitude more possibilities.
>someone figures out 1 password of 1 service
>mypasswordadobe
>'hey what if he also has a github account?'
>mypasswordgithub
Correct horse battery staple
Who cares anymore? Nobody gets hacked from their passwords being brute forced in 2018. It's either phished/keylogged or just straight up stolen from compromised site databases.
Not really, symbol-based brute forcing is simply out of the question. Try this:
2ÇJGw8¦ãçö/¡ÁÜtÒÂÄ´/b¸coNåÙöELü
People using generated passwords generally use them with a password manager, so a password doesn't have to be just 10 characters long; it can be ludicrously lengthy. Also, including special characters you have 95 characters; if you use extended ASCII it's even crazier.
Just compare 200 000 ^ 4 to 95 ^ 12. I've only added two characters and the standard punctuation and symbols. It's five times harder to crack now.
Randomly chosen words are nice for using to log into windows or to open up your password manager since they are fairly secure and easy to remember. But randomly generated passwords are safer in the end.
Great, and then you get royally cucked by max 16 symbol password fields. Have fun.
keepass says 4 randomly chosen words does not pass 60 bits of entropy. Meanwhile 16 random symbols already pass 120 and are not dictionary crackable.
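Added worked example (mine, not code from any poster in this thread): it puts numbers on the comparisons above, the 62^10 vs 200 000^4 argument, the 95^12 reply, the keepass "60 bits" figure, and the 3.5e12 guesses/second rate quoted later in the thread, and generates a passphrase the way the dice procedure does, with the OS CSPRNG. The 16-word list is a constructed stand-in; only its size enters the entropy calculation. The "years to crack" figure is the average case (half the keyspace) at a fixed guess rate, which is an assumption about the attacker, not a measurement.

```python
import math
import secrets

# Constructed word list standing in for a diceware list or a full dictionary.
# Only its size matters for the entropy figures; the words are arbitrary.
WORDS = ["correct", "horse", "battery", "staple", "lug", "wrench", "brick",
         "basement", "cave", "dice", "rune", "ledger", "anvil", "saddle",
         "lantern", "compass"]


def scheme_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` independent, uniform picks from `alphabet_size`
    symbols (characters or words). Only valid when the picks really are uniform."""
    return length * math.log2(alphabet_size)


def orders_of_magnitude(a_size: int, a_len: int, b_size: int, b_len: int) -> float:
    """log10 of (b_size^b_len) / (a_size^a_len): decimal orders by which scheme B is larger."""
    return (b_len * math.log10(b_size)) - (a_len * math.log10(a_size))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average-case time (half the space) to exhaust `bits` of entropy at a fixed guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(words, count: int, capitalize: bool = False) -> str:
    """Pick `count` words with the OS CSPRNG (secrets), optionally adding one random
    capitalisation bit per word like the dice-and-dictionary procedure in the thread."""
    chosen = []
    for _ in range(count):
        w = secrets.choice(words)
        if capitalize and secrets.randbelow(2):
            w = w.capitalize()
        chosen.append(w)
    return " ".join(chosen)


def passphrase_bits(words, count: int, capitalize: bool = False) -> float:
    """Entropy of generate_passphrase's output against an attacker who knows the
    list and the procedure (the assumption Kerckhoffs would have you make)."""
    return scheme_bits(len(words), count) + (count if capitalize else 0)


SCHEMES = {
    "10 random [A-Za-z0-9]":        (62, 10),
    "12 random printable ASCII":    (95, 12),
    "16 random printable ASCII":    (95, 16),
    "16 random bytes (256 values)": (256, 16),
    "4 words from 7776 (diceware)": (7776, 4),
    "4 words from 200 000":         (200_000, 4),
    "5 words from 200 000":         (200_000, 5),
}

if __name__ == "__main__":
    rate = 3.5e12  # guesses per second, the figure quoted in the thread
    for name, (size, length) in SCHEMES.items():
        bits = scheme_bits(size, length)
        print(f"{name:30s} {bits:6.1f} bits  ~{years_to_crack(bits, rate):.3g} years @ 3.5e12/s")
    print(f"200000^4 vs 62^10: {orders_of_magnitude(62, 10, 200_000, 4):.2f} orders of magnitude")
    print(f"95^12 vs 200000^4: {orders_of_magnitude(200_000, 4, 95, 12):.2f} orders of magnitude")
    print("example:", generate_passphrase(WORDS, 4, capitalize=True),
          f"({passphrase_bits(WORDS, 4, capitalize=True):.1f} bits with this 16-word list)")
```

The table makes the thread's numbers comparable: four uniformly chosen words from a 200 000-word list give about 70 bits, from a 7776-word diceware list about 52 bits, which is where a "4 words don't reach 60 bits" estimate comes from, while 10 random alphanumerics are about 59.5 bits and 16 random printable ASCII characters about 105. Whether four words beat ten characters depends entirely on the list size, and none of the figures hold if the words are picked by a human rather than by dice or `secrets`.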
F#@k1h41dumb5hi1
fun enough for ya?
Even if you use a password manager, there's still a human element, and that comes into play as soon as someone tries to hack your password manager.
my passwords are something like this - 1am0n3sm@r7@n0n = iamonesmartanon
what's the entropy here?
Of course. The whole point is that totally random, long passwords are the best to avoid social engineering, brute force and dictionary attacks, but they are stupidly hard to remember.
A password manager gives you the best of both worlds, although you are also creating a single point of failure, so you need to make sure your master password is top quality and randomly generated (e.g. a 5 word passphrase with a couple of random characters thrown in). Remembering one password like that is easy because you use it so often.
dude just fucking download a password manager, how can you niggas still have 2004's passwords
>weak
fuuuuuck that's not good.
>password manager
any suggestion?
>2004's passwords
oye don't get up on my case like that. no one's hacked me gmail so far.
School curricula are designed and tweaked by the NSA to ensure that your capacity for random thought is actually deterministic enough to render your made up passwords vulnerable to cryptanalysis.
tl;dr only homeschooled kids should use their own made up passwords
And what if the computer you stored your password manager on catches fire and melts? Bye bye all Internet accounts. A single point of failure is never a good thing.
It's much more common for people to try and hack whole databases of usernames and passwords. It's extremely unlikely you will be personally targeted by a hacker for your keepass database and it would still be a hassle to crack it.
maybe you'd like lastpass since it can sync your database, just make sure you have a good memorable password on it.
I have lost my database 5 times so far and 3 accounts in total for being a hotshot on keepassxc.
i've noticed that the only sites that do shit like that are government-run sites. how the fuck does limiting the password to be 12 characters make it more secure? pajeet security at its finest
You would keep a password database synced to all your devices, possibly through a cloud service. Losing them all at once would be very unlikely.
>helping brute force cracking algorithms choosing real words
kek
Well because your password is 12 bytes, your name is 20 bytes, and a 32 byte structure fits fantastically in cache. (plain text)
Sigh... that's not how it works...
xkcd.com
I have it on at least 4 devices and also keep backups because I'm sane.
>homeschooled
So I said to that teachin lady, the only two letters I need are US and A.
DAB ON EM
Made me kek, but fallacious assumption of independent random variables
I generate unique passwords i can remember with my own mental algorithm.
Yeah, good luck remembering that or even typing that.
My name is Steve and I live in a cave.
Length: 38
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 180.5 bits
Charset Size: 75 characters
remembering that, ez peasy.
Had a laptop w/fingerprint scanner, used it to manage passwords to everything, didn't need to remember a damned thing...then starbucks killed it.
Dang.
144.37 bits of entropy, 38 characters, dictionary-vulnerable
>typing that
The program types it by itself, I only have to remember 2 different databases - one for casual use, 4-word password, another one with sensitive info, 32 symbol long password etched on a brick in my basement.
Fucking john wick levels of security here. Fuck the cia
Thanks! I'll use that one.
Nah, bud, web crawlers picked it up already. I can send you one via email. Or steam chat, you have that right?
"generated passwords" is too vague. Pseudo random passwords could be brute forced by knowing how they are generated. A person that decides their password is G@yl0rdFk19scs2bitw9xld is going to annoy pretty much anyone trying to defeat it. If you want security don't rely on fake random passwords but make sure your actual password is at least odd enough that no modern computer could ever guess it before you die.
>32 symbol long password etched on on a brick in my basement
thanks for the info, may come in handy
uh dude... if the feds want your password they will just torture you or your loved ones until you hand it out to them, do you really think they will waste time trying to crack it?
That's not an answer to the question because it's not a security issue, it's a data integrity issue.
You'll be fucked though if someone gets just one of your passwords
Suck my dick, I was bluffing.
Sure. So long as they have to get off their asses to do it, instead of some chucklefuck at an office pwning me.
>how they are generated
╧Γ%ï╝,Ep»╨╤ªì╤Äl╝räù(K║ûx¥A╨áπsk
How was this generated? How did you figure out how it was generated?
Elaborate please, unless you mean the horse battery meme?
If you lose access that's less secure since you now have to contact support to get back in.
I choose passwords based on things that others like that I am indifferent about. I always add a long string of numbers to the end of my passwords. Usually that's based on a page I like of a book. Might pick based on an obscure book/character and some particular text. As a result, one of my passwords is 20 chars long, impossible to dictionary attack, is about half numbers, and I'll never forget it. Speaking of which, it's about time for me to make a new password.
>Sorry, your password contains illegal characters!
>Passwords must contain 1 uppercase letter between A-Z
>Passwords must contain 2 numbers from 0-9
>Passwords must contain one special symbol (!@#$%)
>Passwords cannot be over 16 characters in length
wow rage thread anyone
These requirements always piss me off. I make long passwords instead of doing uppercase and symbols. When that happens I am forced to downgrade to a lesser password.
>impossible to dictionary attack
If only you were the only person on the planet to put numbers at the end and use common words
What I do, which maybe it is not very efficient, and borderline retarded, but I have plenty of time and rarely leave the house;
>I have 4 non-English, Latin alphabet, dictionaries in my house
not common languages, some of them quite dated, and as old as 1953
>I roll with my physical polyhedral dice to determine the page in a dictionary
>then I roll for the word on that page
>then I roll for whether the first letter is capitalized
>repeat three more times with different dictionaries
languages are always in the same order
>then I roll 1k100 to determine number at the end
>write it down on a piece of paper
>name of the website or a program the password corresponds to is written using slightly simplified Futhorc, Nordic alphabet
>keep paper in a desk's drawer
I unironically enjoy the process, so the process isn't induced by paranoia. Learnt a few new words that way and practised writing the runes (people can't guess which passwords are for what at first glance); I wanted to go with one of Tolkien's alphabets initially. These are not the easiest to remember or type in; sometimes I use three or two dictionaries, or only capitalize the first letter for less important places.
>Good luck knowing how many words
>Good luck knowing how many digits
>Good luck knowing if I'm even using common words
Good luck knowing if I'm using words that even exist.
>Good luck knowing if i spelled correctly.
>Good luck knowing if the words have anything in common.
>Good luck knowing if I actually do put all numbers at the end.
damn rules
F#@k7hat5h1tdawg
Literally the biggest computational problem is whether you're using words->numbers or random symbols and you just solved it. Thanks.
You too.
Thanks for sharing your IPs along with this personal information, retards.
randomly generated stored in an encrypted text file backed up to multiple places
It is always best to assume the attacker knows the process you use to generate passwords. If the attacker knows this, then what is the entropy of the randomness you use?
md5(thought_up_pass + service_name)
What if the cloud service is compromised?
>md5
ruh-roh
Bad idea. Length extension attacks are a thing.
Say for example you use two websites:
website.co
website.co.uk
MD5, along with most hashing algorithms (SHA-1, SHA-256, etc.), is vulnerable to length extension attacks, meaning you can append additional characters to the end. So someone who has the password to website.co can use it to generate the password to website.co.uk.
You need to put thought_up_pass at the end, so:
md5(service_name + thought_up_pass)
But this scheme sucks anyway because if you need to change your thought-up pass for some reason (you got keylogged etc). Also this scheme is vulnerable to rainbow table attacks, which is probably not so relevant if you're the only person using it, but if this scheme became popular it would be a serious issue.
Oh really? Assuming the attacker already knows how many words, digits, where they are, they are in the dictionary, they'd have to compute
>3.5e12 passwords a second
Just to find my password 30 years after I'll be dead in the average case.
For things that need entropy, I actually use a password that is twice as long with three times more numbers.
Or just stalk you a bit to see what you find interesting or boring, etc. Thanks for posting personal info on Jow Forums for half a decade
I don't use things I like, dislike, find boring, or any emotion at all. Only things I am indifferent to. So things I don't think about. Things that don't matter to me personally. I find these things by thinking about what others like, dislike, whatever and base the password off of those. Good luck finding out who I might be thinking of because I wouldn't tell someone and it's obscure.
No problem, just give me a username or email of yours, and I'll get to it.
dumb faggot
How? If you're talking about social engineering, good luck because I self host most things.
If you can't share your email and still sleep well at night, but manage to salivate on an anonymous imageboard, you're a hypocrite. Put your money where your mouth is.
Just generate a random string of characters by bashing your head on the keyboard and use the "reset password" option as a password manager.
>pros
1. You don't have to memorize passwords, not even a master key
2. You don't have a master password, practically eliminating every possible point of failure
3. Your passwords will be frequently changed
>cons
1. You might need a new keyboard more often
2. It might increase slightly the time you need to access services
3. Might not work with passwords that you can not restore, or realistically also with services with long restoring procedures (banks)
Not that guy but I use passphrases for stuff and never had any issues, usually mix a word from two different languages, then sub in numbers and symbols. Weak example is my old Wifi pass which was alliterative and modified from Red Reagan: R3d_R34g4n1!
Just make a rule or set of rules for yourself and follow them.
I'm not going to dox myself. If I give my email you can discover my name and where I go to school. Not because my email is everywhere but because it's attached to my personal website, because of the same domain name and a shared SSL cert between my domain names.
>Just generate a random string of characters by bashing your head on the keyboard
This isn't as random as you think.
github.com
Here is my attempt:
asjfsadlfkjdsf
You can clearly see some repeated characters, it is almost always possible to distinguish a string generated by someone banging on their keyboard versus a truly randomly generated string.
>reset password
This is slow as fuck
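Added example (mine, not the linked repo's code or any poster's) that measures what the post above is describing: how much of the naive "14 printable ASCII characters" budget a keyboard mash actually spends. It reports the distinct alphabet used, the fraction of home-row keys (assuming a US QWERTY layout), and an empirical Shannon estimate from the string's own letter frequencies. The thresholds in `looks_mashed` are my own rule of thumb, not a published heuristic.

```python
import math
from collections import Counter

# Keys under the resting fingers on a US QWERTY layout (assumption: that is the
# layout the poster mashed on).
HOME_ROW = set("asdfghjkl;")


def shannon_bits_per_char(s: str) -> float:
    """Empirical per-character entropy of the string's own symbol frequencies.
    A uniform draw from 95 printable characters would give about 6.57."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mash_report(s: str, charset: int = 95) -> dict:
    """Contrast the naive 'uniform over `charset` symbols' valuation of a string
    with what its visible structure (small alphabet, home-row bias) reveals."""
    distinct = len(set(s))
    return {
        "length": len(s),
        "distinct_chars": distinct,
        "home_row_fraction": sum(ch in HOME_ROW for ch in s) / len(s),
        "naive_bits": len(s) * math.log2(charset),
        "observed_alphabet_bits": len(s) * math.log2(distinct),
        "shannon_bits": len(s) * shannon_bits_per_char(s),
    }


def looks_mashed(s: str) -> bool:
    """Heuristic (my own thresholds): flag strings dominated by home-row keys or
    using fewer distinct symbols than half their length."""
    r = mash_report(s)
    return r["home_row_fraction"] > 0.6 or r["distinct_chars"] < r["length"] / 2


if __name__ == "__main__":
    import secrets
    # First sample is the string posted in the thread; second is a CSPRNG token
    # of comparable length for comparison.
    for sample in ("asjfsadlfkjdsf", secrets.token_urlsafe(10)):
        print(sample, mash_report(sample), "MASHED" if looks_mashed(sample) else "ok")
```

For the posted string the naive valuation is about 92 bits, but it uses seven distinct letters, all on the home row, and its own letter frequencies are worth under 40 bits; a cracker who models mashing as home-row bigrams does far better than that. The CSPRNG token of the same length spreads across its whole alphabet and is not flagged.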
length extension attack doesn't mean the hash is suddenly reversible. You can calculate the hash used by the second site without knowing the password if you have the hash of the first site but that is totally useless.
This
You're absolutely hopeless, then, in terms of security.
en.wikipedia.org
I'm a penetration tester and crack password hashes all the time. We have lists of rules like this. We know people substitute the letter e for 3 and if they have uppercase letters it's likely going to be the first letter and they likely add symbols to the end. We have special config files full of these rules, you can see some here:
github.com
>You can calculate the hash used by the second site without knowing the password if you have the hash of the first site but that is totally useless.
That is exactly what I said, but how is that useless? The purpose of the guy's scheme is to prevent password reuse between different websites to prevent credential stuffing.
I assumed they knew the structure of my password here. Lern to reeed user.
Just for the record: you should never publish old Wifi passwords because WPA2 has no perfect forward secrecy. If the password becomes known later, anyone can use it to decrypt old captured traffic.
Yooo anyone else use generated names as well?
collapse favoring ecologist
CollapseFavoringEcologist
ÔJfÑ?Ò?ºaúëD)yîÊϽ¥°5,K
>Not using https
Okay have fun with your doxxable info and non-random password.
Right, and I said it was a weak example; obviously using leet speak isn't the way to go. As I said it was a Wifi password when I lived out in the country so I wasn't exactly in much danger. If you were serious about security you'd create a unique set of rules in combination with simple ciphers, but the baseline passphrase would be easy for you to remember before you applied any of the changes to it. At the end of the day if someone is truly serious about breaking a password and there are no brute-force provisions in place there's not much you can do about it.
What about all the metadata. DNS is unencrypted, and https still sends the domain name unencrypted.
Because then you only have the hash. You can't login to the site with the hash.
Oh no I hope no hackers ever find records of the hentai I was jacking off to..
I use a VPN
>At the end of the day if someone is truly serious about breaking a password and there are no brute-force provisions in place there's not much you can do about it.
There absolutely is. For example, Bitcoin private keys have no brute force provisions. Why can't they be cracked? because they have 256 bits of entropy, and to crack that before the sun burns out would be a challenge.
But wasn't the guy using the hash as the password?
I thought the point of discussion was for potentially memorable passwords, the average user can't remember a relatively random string of letters, numbers and characters.
You're supposed to have a memorable username, not password.
Generate random string and encode it into memorable words then.
Huh, could be you are right. I interpreted it as "use random_string + website name" as password and it gets hashed like this server side. If he indeed meant directly using the hash as password you are right (But that is stupid anyways).
Benching your password's strength to its entropy bits is only valid when the password is truly random. I'm not saying your password is weak. Just saying that entropy should in this case be calculated on how many words exist and how many words are used. And that's not even considering the fact that all your used words are in the top ~2000 of most used words.
The strongest passwords are randomly generated strings that you append (or insert)
Actually, if I think about it, it would most likely still not be a problem. In reality, you don't have the hash of "random_string + website" but rather "random_string + website + padding" so you can only create "random_string + website + padding + alternative domain ending" which is wrong because it has padding between the ".co" and ".co.uk" which the real password doesn't. It's still a stupid scheme though.
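Added worked example (mine, not any poster's code) for the md5(thought_up_pass + service_name) exchange above and for the padding point in this last post. It computes the naive scheme, builds MD5's padding explicitly so you can see what a length-extension attack on md5(secret || "website.co") would actually yield (a hash of secret || "website.co" || padding || ".uk", which is not the website.co.uk password), and shows a keyed alternative, HMAC-SHA256(master, service), which is my suggestion rather than anything proposed in the thread. The `MASTER` value is a constructed stand-in, and the extension result is computed here with the secret in hand purely to display the value; a real attacker would compute it from the leaked hash and its length without the secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed stand-in for the poster's thought-up secret; never use this one.
MASTER = b"thought_up_pass"


def naive_md5_password(master: bytes, service: str) -> str:
    """The thread's scheme: md5(thought_up_pass + service_name), hex-encoded."""
    return hashlib.md5(master + service.encode()).hexdigest()


def md5_padding(message_len: int) -> bytes:
    """The padding MD5 appends before compressing (RFC 1321): a 0x80 byte, zero
    bytes until the length is 56 mod 64, then the message length in bits as a
    64-bit little-endian integer."""
    zeros = (55 - message_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", message_len * 8)


def extension_result(master: bytes, service: str, suffix: str) -> str:
    """What a length-extension attack on md5(master || service) can produce
    without knowing master: md5(master || service || padding || suffix).
    It is NOT md5(master || service || suffix), so it is not the password the
    naive scheme would generate for service + suffix."""
    m = master + service.encode()
    return hashlib.md5(m + md5_padding(len(m)) + suffix.encode()).hexdigest()


def hmac_password(master: bytes, service: str, length: int = 20) -> str:
    """Keyed derivation: HMAC-SHA256(master, service), base64, truncated to a
    length most sites accept. Not length-extendable and distinct per service;
    its strength is still exactly the entropy of master, and rotating master
    still rotates every derived password."""
    mac = hmac.new(master, service.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    for svc in ("website.co", "website.co.uk"):
        print(f"{svc:14s} md5 scheme: {naive_md5_password(MASTER, svc)}  "
              f"hmac scheme: {hmac_password(MASTER, svc)}")
    print("extension of website.co by '.uk':", extension_result(MASTER, "website.co", ".uk"))
    print("real md5-scheme website.co.uk:    ", naive_md5_password(MASTER, "website.co.uk"))
```

The padding function is the whole argument: the extended message contains at least nine padding bytes between "website.co" and ".uk", so the attacker's hash never matches the naive scheme's website.co.uk password, which is what the post above concludes. The HMAC variant removes the question entirely, but the rainbow-table and master-rotation objections raised earlier still apply to it: one leaked derived password plus the service name is enough for an offline guessing attack on the master.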