How do I make a good password Jow Forums? Should I use upper and lowercase, symbols and numbers or is the length more important?

Attached: wifi-password-57f560ef5f9b586c359127f9.png (768x512, 8K)

The length is the most important part. Special characters, numbers, etc. don't mean shit

whynotboth.png

horse battery staple

[spoiler]correct[/spoiler] horse battery staple

Use 6-8 words, all lower case. You can add a number or two at the end to make yourself feel safer. Diceware password generator on fdroid is a good example.

Here, read and learn: world.std.com/~reinhold/diceware.html

Use the EFF long dictionary to pick your words. A good password MUST have at least 7 words. Go with 8 if it's a very important pass, or 9+ if you're paranoid. Be careful with your password, and store it only inside your brain. Use a piece of paper to help with the memorization, but don't forget to burn it afterwards. Don't forget to create a new passphrase every year too, we aren't safe. Never.
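For anyone who wants to see how Diceware actually maps dice rolls to words, here is a small Python example (added here; it is not from the thread, from Reinhold's page or from the EFF): the dice come from `secrets`, a roll string is read as a base-6 number to index the wordlist, and the entropy of the result is words × log2(list size). The 36-word list is a constructed stand-in for the 7776-word EFF long list so it runs offline; with the real list each word is worth about 12.9 bits, so the 7 words recommended above come to roughly 90 bits.

```python
import math
import secrets

# Constructed stand-in for a Diceware wordlist. Real lists such as the EFF
# long list have 7776 entries, one per five-dice roll (6**5 == 7776). This toy
# list has 36 entries, one per two-dice roll (6**2), so the lookup mechanics
# are identical but each word is worth only log2(36) ~ 5.17 bits, not 12.9.
TOY_WORDLIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gavel", "hazel", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "raven",
    "salsa", "tiger", "ultra", "vivid", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta",
    "ember", "fjord", "gecko", "heron", "ivory", "jumbo",
]


def dice_per_word(wordlist):
    """How many dice index one word: the list length must be a power of six."""
    n = round(math.log(len(wordlist), 6))
    if 6 ** n != len(wordlist):
        raise ValueError("Diceware lists must have exactly 6**n entries")
    return n


def roll_dice(n_dice):
    """Roll n_dice fair dice using the OS CSPRNG (never the `random` module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_to_index(rolls):
    """Map a roll string such as '3516' (digits 1-6) to a zero-based index (base 6)."""
    index = 0
    for ch in rolls:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (digit - 1)
    return index


def passphrase(wordlist, n_words, sep=" "):
    """Draw n_words uniformly and independently from wordlist via dice rolls."""
    n_dice = dice_per_word(wordlist)
    return sep.join(wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Bits of entropy for n_words drawn uniformly and independently from list_size."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(TOY_WORDLIST, 6))
    print(f"7 words from a 7776-word list: {entropy_bits(7776, 7):.1f} bits")
```

The entropy figure only holds if every word is chosen by the dice; swapping a word for one you like better, or dropping the rolls you got until a nicer sentence comes out, shrinks the search space below what the formula says.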

Think of cracking a password as throwing dice.

If I have a pin which is 4 digits long, consisting of the options 0-9, the odds of guessing my password are 1/10 (the odds of one die being correct) to the 4th (the number of dice that need to be correct). That's a successful guess rate of 0.000001%.

Now, making it longer increases the power term. And adding in more choices decreases the "per die" odds. So adding in numbers and letters and symbols decreases your odds to about 1/40. But random numbers and letters are hard to remember, so what if we could make the odds incredibly low while picking easily remembered things? What's a set that we all remember with thousands of elements in it? WORDS IN THE LANGUAGE!

If you pick a 4 word phrase, the 1989 Oxford dictionary had 171,476 commonly used words. (1/171476)^4=1.1566091E−21. Odds are good nobody will crack that, and odds are good that you WILL remember it.

>Special character, numbers, etc don't mean shit
Yes it does. Most sites don't let you use some 100+ char password. A good chunk of them cap at around 20 characters.


Pic-related.
Left = Only upper/lower case letters. Around 90bits of entropy.
Right = Numbers, Special characters. Around 150 fucking bits of entropy. The password is nearly TWICE as hard to crack just by adding those.

Attached: screenshot.3.png (1322x233, 14K)

The big problem with random string passwords is that you have trouble remembering them, thus weakening your security by however strong your password recovery system is.

And most people don't use truly random letter/number/symbol strings either, making them much more susceptible to dictionary based attacks. You can kiss a lot of that entropy goodbye.

The advantage of the "dictionary as character set" approach is a high entropy to rememberability ratio.

diceware or broke

Include nonprintable codepoints or, if not limited to Unicode, byte sequences that are invalid UTF-8 and some NULs and newline bytes.

>is that you have trouble remembering them
That's why you use KeePass so that you don't need to remember them. I've been using it since 2010.

I have 1000+ accounts with randomly generated high entropy passwords. Haven't had a single issue yet. The only passwords I remember are my main email and bank account.

words are easy to remember, use those

the possibility of a dictionary attack doesn't matter:
six words out of a 1000 word dictionary is still 1000^6 possible options -- assuming you instead generated a password out of all ascii characters from 32 to 126 (94 characters, and we're making a nice big assumption that the site is okay with all printable ASCII characters), you'd have a much harder 9 or 10 character password to hit that level of security (94^9 has a bit over half as many possible options, although 94^10 ends up being about 53 times more options than the six words)
the words do need to be truly random (and ideally not sentences, since those will narrow your attacker's search space by quite a bit)

you can easily increase your security for the word-based password by using a bigger dictionary to pick from (1000 words is small time) and adding another word or two
the biggest issues you might face are garbage shit sites that don't allow long passwords
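A quick entropy calculator, added here as an example and not something anyone posted in the thread, that checks the numbers from the dice post and the 1000^6 vs 94^9 / 94^10 comparison above, puts the 90-bit vs 150-bit screenshot in terms of guessing work (every extra bit doubles the search, so 60 more bits is 2^60 times more, not twice), and shows what a 20-character site cap does to each approach. The 94-symbol printable ASCII alphabet is from the post above; the 7776-word list size and the 6-letter word length are assumptions for the illustration.

```python
import math


def charset_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def wordlist_bits(list_size, n_words):
    """Entropy of `n_words` drawn uniformly and independently from `list_size` words."""
    return n_words * math.log2(list_size)


def chars_needed(alphabet_size, target_bits):
    """Shortest random string over `alphabet_size` symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def space_ratio(a_size, a_len, b_size, b_len):
    """(a_size ** a_len) / (b_size ** b_len); the powers are exact Python ints."""
    return (a_size ** a_len) / (b_size ** b_len)


def work_ratio(bits_a, bits_b):
    """How many times more guesses exhausting a bits_a space costs than a bits_b space."""
    return 2 ** (bits_a - bits_b)


def words_under_cap(cap, word_len, sep_len=1):
    """How many `word_len`-letter words with `sep_len`-char separators fit in `cap` chars."""
    return (cap + sep_len) // (word_len + sep_len)


def compare_under_cap(cap, alphabet_size=94, list_size=7776, word_len=6):
    """Best achievable entropy within a site length cap: random chars vs a passphrase.

    word_len=6 and list_size=7776 are assumptions for the illustration.
    """
    n_words = words_under_cap(cap, word_len)
    return {
        "random_chars_bits": charset_bits(alphabet_size, cap),
        "passphrase_words": n_words,
        "passphrase_bits": wordlist_bits(list_size, n_words),
    }


if __name__ == "__main__":
    six_words = wordlist_bits(1000, 6)
    print(f"6 words from 1000: {six_words:.1f} bits")
    print(f"94^9 / 1000^6 = {space_ratio(94, 9, 1000, 6):.3f}")
    print(f"94^10 / 1000^6 = {space_ratio(94, 10, 1000, 6):.1f}")
    print(f"printable-ASCII chars to match it: {chars_needed(94, six_words)}")
    print(f"150 bits vs 90 bits: {work_ratio(150, 90):.3g}x the work")
    print(f"under a 20-char cap: {compare_under_cap(20)}")
```

The last line is the point of the "sites cap at 20 characters" objection: inside a short cap, random printable characters win by a wide margin, and the passphrase only pulls ahead when the site lets it be long.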

This. I've been on KeePass for a few years now and I only have to burden myself with its password. I can commit to memory one good password and let it handle the actual bullshit.
It also lets you schedule reminders if you want to cycle passwords, easy since it'll make new ones for you; just set them on the accounts.

I use (((the cloud))) to sync my db across my devices, phone included, but move the keyfile and etc. offline.
It would be particularly bad if I lost my db, sure, but the same bads also apply to remembering multiple passwords and forgetting over time.
Fortunately the cloud keeps the db intact and also backed up locally across the multiple devices I use, as well as external key files for each device so it comes with a lot of redundancy.

If my db goes missing on one device another very likely has it, same for key files. If I forget the password that's 100% on me and would have happened regardless.

this is full on retarded

bait

have a single password you remember that gains you access to a password manager, use a password manager that auto-generates a 12+ character password consisting of numbers, letters, uppercase, lowercase, and symbols

You still have to remember your KeePass password, which would be more easily remembered if it were dictionary based.

This guy is retarded. Don't do this.

keyfiles/2FA/etc. it supports are additional; the password is important, but now downplayed
how users go about securing their database is their business, and optimally it should never fall into an attacker's hands

My keepass database doesn't even have a password. it just uses a keyfile.

So the only way someone is gaining access is if they found a vulnerability in how KP processes keyfiles and exploited that, or somehow physically accessed my computer while I had KP open.

>but you could lose your keyfile or it could become corrupt
Backups of my KeePass database + keyfile are made daily. Yes, every single day.

>have excellent passwords with several special characters in each
>go to log in using browser on phone
>most of the special characters are hidden
Why do they do this?

>hidden
fuck u mean?

tpbp

>passwords you can actually memorize
- think of an object in the room you're currently in
- describe that object using a sentence
there's your password
>passwords that are the most secure
use a password generator and store the passwords in an encrypted file like an autist OR get a password manager.

Just write it on a piece of paper dumbass. I bet you grew up with a phone glued to your face.