Password vs Passphrase

Which one do you use Jow Forums?

Attached: password_strength.png (740x601, 91K)

I just use password123. I mean, who is going to think that I'm going to use such a weak password?
It's actually safer this way.

That comic is wrong.

It's best to use symbols and made-up words.
Joos*Looz*N*Snooz or
grubbagegebabedinsuence or something like that

I unironically used this password for my WiFi for 7 or so years.

Have fun "remembering" 20 different retarded comic strips for all accounts you use.
If you use the same password everywhere, you can put your 2^44 among fairy tales.

Unironically used to think this when I was like 11, my club penguin account was "password" and I thought I was a genius.

If you use a password manager, you effectively use one password for everything.

>A random passphrase is a good idea as has been said numerous times here. Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six random lower-case letters password, in practice this is quite weak (10000*10000 ~ 10^8, while 26^6 ~ 3 x 10^8).
security.stackexchange.com/questions/16503/using-passwords-made-of-words
The whole point of a passphrase is that it is easier to remember actual words. If you have several passwords for several websites, then it is harder to memorize made up words.
If you speak a non-English language though, you could use words from that language written in Latin and your passphrase will become infinitely harder.

Not if you also use a key file stored away on your thumb drive.

Ah yes, the thumb drive. Accidentally flash/lose/forget it and you can't access shit.

Stop pretending you don't have at least 12 of them you could use for redundancy.

>throws a dictionary attack at your passphrase
nothing personnel, kid

Yes but I need all 12 at once to enter my database and I only access my database once a ritual- I mean year. So a thief would need to go on a treasure hunt.

Another chapter in the "I'm so clever I trolled myself" saga.

>passphrase
>nigger nigger nigger nigger
it would be nice to login with a jingle stuck in your head

>tiringblizzardbrigadeturmoil
>28 characters
>Entropy: 51.70 bit
>îðÇñþeTúuG*1ð+¦8ð*Ldú´ºçtÙËú
>28 characters
>Entropy: 213.01 bit
Okay lads.

Yes, but it's a password that never goes online.

i just slam my keyboard with my whole hand, then copy and paste whatever i got in my encrypted notepad

That is just opening you up for another kind of dictionary attack.
For that to be properly effective, you need some really obscure words or even words that you just made up. Throwing some random symbols in the middle of some words makes it significantly more effective too.

Really, you're invulnerable to any spectre/meltdown thing? You're running 0 unsandboxed apps?

>hurr password reuse is a-ok!
look at this idiot and laugh

You have to invent a hypothetical scenario where someone actively exploited a hardware vulnerability on my machine to support your "keepass is just like using one password everywhere" claim.

No, it isn't.

The suggested password scheme is vulnerable to dictionary attacks. There are 171,476 words in English. If we assume all passwords are four words or fewer, we are left with less than 2 million permutations to try.

You have to mix the two strategies because a random word isn't random enough.

>Feed*And*Sneed

>Hello I don't know about diceware and that this is a proven concept so I will pretend that I am an expert because nobody can prove me wrong!

What? The comic is saying to combine words. You do realize that password prompts don’t tell you how much you got right, correct? Word1Word2 isn’t treated as {“Word1”, “Word2”}. It’s treated as one single word that does not exist in the English language.

kek

I use quotes from my favourite books/movies

underb&, legally retarded or a fucking narmalfaggot tourist

You aren't wrong (dishonesty of using way more letters than exist in English notwithstanding), but you missed the point.
How much longer will it take to remember and more importantly type in?
Diceware is good enough for considerable security (nothing is 100% secure) and easy to remember and use.

Why not just this:
echo 'USERNAME+MASTER PASSWORD+WEBSITE' | gpg --encrypt | sha512sum | sed 's/3/#/g'

You'll always know the password, you can't find it without your gpg key, and you add symbols where you don't know. Hell, if you want to go a step further:
echo 'USERNAME+MASTER PASSWORD+WEBSITE' | gpg --encrypt | sha512sum | sed 's/.\{4\}/&\!/g' | sed 's/.\{2\}/&\#/g'

You shouldn't remember passwords anyways.
Password manager, use one or terminate your host process.
And do dictionary attacks suddenly not exist anymore? Restricting yourself to something as stupid as passphrases is the worst thing you can do, second only to using your name or pet's name or shit like that.
And besides use 2fa and preferably passwords utilising the full utf-8 character space you glow in the dark consumers.

Brute force doesn't care if it's stupid or not.
Dictionary attacks have the word password in them so..

But the reddit cartoon didn't say "use diceware" it said "use 4 common words." Gotta pay attention, reddit. The other user is right in that the xcfgb guy or whatever it's called is as incorrect as he's unfunny. As usual.

>Let's make our passwords into programming exercises. Forget one spacing and you are fucked.

I think by now it is absolutely proven that Randall is an absolute fucking retard, but this doesn't mean that he wasn't illustrating a good concept. What do you want, a 24 page comic?

This comic is retarded, you could break correcthorsebatterystaple with a dictionary attack in like 5 seconds.

>I think by now it is absolutely proven that Randall is an absolute fucking retard, but this doesn't mean that he wasn't illustrating a good concept. What do you want, a 24 page comic?
But the concept is wrong, so how is it good? Is Randall the guy who makes this comic? How did a person become so unfunny and faggy? It's like someone distilled pure Reddit and formed a man through some alchemical homunculi process.

>It’s treated as one single word that does not exist in the english language.
That's not how a dictionary attack works you retard.

I use prime numbers from several number sets my system discovered running arithmetic progressions which I multiply together then convert to hexadecimal. The resulting password is so long, I can't remember it myself. This is used for all my important accounts including my PC and encrypted drives then layered with multifactor authentication via one time secret through Google Authenticator. To access my accounts, I use biometric unlock for my PC and phone which is set to auto-unlock my accounts and encrypted drives/phone.

I almost bricked my machine and all my accounts when I updated my BIOS and fudged the TPM module which erased biometric, PIN, and encryption keys so I had to manually take those prime numbers, recreate the prime composite to convert to hexadecimal, and reenter my keys.

lmao
and (((they))) still have your every single keypress and camera access

>sha512 for passwords
hhhhhhhhh

I use the method of loci to remember 30 character strings of random letters and symbols.

Actually, BOTH random char passwords and passphrases are inherently insecure as one is vulnerable to brute force attacks and the other to dictionary attacks. The best is combination of both. For example inserting a symbol between a long SAT word like circumscribe.

i.e.: c~i~r~c~u~m~s~c~r~i~b~e~

Further strengthening can be achieved by using 2 or more special characters in a pattern along with case sensitive placement. But this password alone is now 24 characters long making it virtually impossible to bruteforce and at the same time a nightmare for dictionary attacks (efficiency gets cut in half for every symbol or combination of symbols it scans between words).

YET it's relatively easy to remember, at worst you just have to remember the pattern of special characters used between letters if you're that paranoid.

I willingly give the alphabet agencies my keystrokes, as a former government dog, I'm doomed to be pozzed for life anyways. As for camera access, I don't have a camera on my PC. Nothing I can do about my phone cameras, I hope they enjoy watching me beat my meat.

>not using 2389472 iterations of rot13

>method of loci
Interesting, I'm not familiar but will need to read more about this as my working memory is detrimentally poor yet my spatial memory is extremely sharp. My passwords are way beyond 30 digits of random letters and symbols though.

Thanks, just added this concept in my l33tspeak cracker.

>you effectively use one password for everything
Yeah have fun cracking my LUKS password.

If your spatial memory is good, you can memorize anything with that method. 30 digits was just an arbitrary length that seemed reasonable at current gen. I could easily have made it 100 characters or something else. I remember a huge amount of such passwords because I swap them out now and then.

Okay, send me your header over mega or similar.

Good luck, you're gonna have to add every special character out there including emojis and scan for characters used in variances. I personally use the crying face emoji with the laughing crying emoji on my HDD pass.

Thanks. Added crying face emoji/laughing face emoji variations.

I just use 16 characters of hex, or 8 if I'm forced to use less (has happened before 5 times to me. Fucking shitty websites)

BASED

My truecrypt encrypted notepad is enveloped in another veracrypt container. Just in case one of them had a backdoor.

My spatial memory is dangerously good since I've been in the transportation, logistics, and supply chain industry for about 10 years. I'm an expert in analyzing and memorizing maps. I will definitely need to learn this Method of Loci.

ZoLtAx2040KREEMOU-bingybingubon'gy

>forced to use less (has happened before 5 times to me. Fucking shitty websites)
I FUCKING HATE THIS

>I have no idea what PBKDF is

Most people take a couple of years to learn to utilize it well, but you're probably expert tier already because it's actually that sort of memory you need to train to become proficient at it. The method in itself is simple and you'll learn it in a day or so and with it there's basically no upper limit to what you can memorize.

Literally every dictionary attack swaps symbols.
Unless you're replacing every symbol with an alternative one, you are not changing the asymptotic difficulty.

Not him, but tell me the command and I will. Last time I touched luks was a while ago.

>okay just do half the work for me
It's on a publicly accessible http server. That's all the help you get.

Just touching the subject, I'm beyond fascinated by the idea. I really appreciate that kind of name drop, user.

No, you're supposed to prove you're safe in a dangerous situation to automatically prove you're safe in casual use.

Worst I have seen so far has to be
>exactly 8 characters
>only alphanumeric
>no special chars
>does not differentiate between uppercase and lowercase
And who could have guessed as a confirmation I got my password sent to me in plain text in an email.

Yeah you really have no fucking clue what PBKDF or a dictionary attack is. What you are thinking of is a rainbow table attack you absolute imbecile.

Have fun. It's been a source of extreme usefulness in many areas of my life.

What's a rainbow table attack?

>en.wikipedia.org/wiki/Rainbow_table
>use of a key derivation function that employs a salt makes this attack infeasible.
I'm sorry you're such a mongoloid

>not just writing them onto a real notepad and locking then in a safe that only you know the combination to

As this very nice user pointed out
you want to be using all types of available characters to increase entropy, only real use for a passphrase is for when you'll have to enter the password manually (say, setting up a phone for example)

The more symbols you swap the closer it becomes to a bruteforce attack. At which point you're bruteforcing a 24 character password. Fine if you're a state actor but your quad TITAN gaming rig isn't going to cut it.

What about when you want to access this information from somewhere other than at home?

What I'm saying is, you only gain from swapping *every* lookalike symbol.

That's for KNOWN variances where symbols represent characters in a word (i.e. L€€tg4m€R, ©uπ+vv@goπ, £@gg°+$ho€). If a dictionary attack included even just looking for the same exact symbol repeating between letters in a long word, you're now effectively bruteforcing because there's like a million symbols that can be used including those from other languages (i.e. moon runes).

It's especially debilitating when long 12+ char SAT words are used.

Fuck, this guy is retarded, it's not more bits, you can just dictionary bomb it if it's just plain English (each bit isn't orthogonal in his model)

Remember the passwords to your most used accounts, and carry it with you when you know that you are going to need it. I've been using a notepad for my passwords for over a decade and never had a problem.

Are you a mouth breathing knuckle dragging troglodyte? Why do I even ask when I know the answer is fucking yes.
Can you even fucking read?
>you could break correcthorsebatterystaple with a dictionary attack in like 5 seconds
>I have no idea what PBKDF is
Do you even remotely understand what PBKDF actually is or does you inbred dogfucker?
All the salting and hashing in the world isn't gonna do jack shit when the password in question just got guessed in 20 seconds using a simple fucking dictionary attack.

Bruh once you bring in the emojis in, hackers might as well pack up and leave.

>Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six
>sort dictionary in popularity order
>cracks your password in few minutes
nothing personnel kid

The vast majority of English words are equally as unpopular. You've done yourself no favours.

github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt#L1085

>The whole point of a passphrase is that it is easier to remember actual words
if your password is memorable it is already a weak password.

1q2w3e4r5t6y

It's already in dictionaries so there it is, but my philosophy goes around that, memorizing keyboard movements.

Also, the typical trick of using the NATO phonetic alphabet and a piece of work I can remember (Star Wars-SW-1Sierra-Whisky)

>All the salting and hashing in the world isn't gonna do jack shit when the password in question just got guessed in 20 seconds using a simple fucking dictionary attack.
Okay, let's say we put about 20 seconds worth of PBKDF on that password before we get the derived key.

Now since I'm a troglodyte, please explain to me exactly how you're going to do a 20 second calculation as many times as it takes to get the correct answer in 20 seconds.

>what is a dictionary attack for 100

Multilingual Passphrase combined with password.

You still don't get it you imbecile. How are you that retarded and still alive? How have you not disembowelled yourself with a butter knife while trying to butter a piece of toast?
You can use whatever hashing and salting you want for however a long time you want to and it won't matter when I logged into your account by literally guessing your password till I am in.
I'm gonna spell it out one more time really slowly for you:
It doesn't matter how the password is hashed when you already breached the account by guessing the password or in other words using a fucking dictionary attack.

>There are 171,476 words in English. If we assume all passwords are four words or fewer, we are left with less than 2 million permutations to try
How the fuck did you get that number? There are 8.6*10^20 length-4 permutations of 171,476 words

Nice try, that password isn't in the top 100.
He's safe.

this has to be bait, you should get ur head checked m8, somethin's wrong with you

>It doesn't matter how the password is hashed when you already breached the account by guessing the password or in other words using a fucking dictionary attack.
So apparently, you're going to get around needing 20 seconds per attempt, by already knowing the password. Genius. Why am I too stupid to know that you can just know the password before trying to guess the password

How about doing a million concurrent attempts at once that take 20 seconds each?
Password crackers have massive setups, and they can use cloud computing for basically infinite computing power.
It really doesn't matter.

Is this simply the worst bait I have seen this decade or does the hospital ward for clinically brain dead patients have wifi now?

We're still not talking about cracking passwords. You don't need to crack a hashed password when you can literally use a dictionary attack to simply log in in literally seconds by guessing till you hit the correct password. That retard above somehow brought up PBKDF when everyone else was talking about dictionary attacks. But what is to be expected from someone that is an elite 1337 hacker calling himself lain because he visited /cyb/ that one time.

There are like just 2000 common words and I'm 99% sure that the words from your passphrase are here.
So your 4-word passphrase is just 16 seconds to crack on modern hardware.

no shit, but how many people have “NiggerAnonFaggot” in their lists? Oh that’s right, none. If you create your own passphrase then you have an almost infinite amount of combinations of words, most of which will not be in a cracker’s dictionary list. “password123” is much different than “mydogisnamedGerald123”.

>a million concurrent attempts
if we assume a 4 word passphrase, in which all permutations total less than or equal to 1 million, that would require a dictionary (d) the size of

d = 1000000^(1/4) or about 31.62 words in our dictionary.

Using my basic understanding of linguistics, most language courses have about 5000 words in order to be 'conversational', so that would result in

5000^4 or 625000000000000 possibilities, OR 625000000 repetitions of your magical 1 million concurrent hashing machine.

>there is like just 2000 common words and i'm 99% sure that words from your passphrase is here.
That's 16 trillion potential passphrases. If we take the comic's number of 1000 guesses per second from this combinatoric dictionary attack, that's 550 years to crack. Exactly as the comic predicted.
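An added example, not from any poster in this thread, that puts the numbers argued over above into one calculation: it treats the attacker's alphabet as words (the dictionary-attack model), computes search space and bits for each scheme mentioned, and converts that into years to exhaust at the two guess rates the thread uses (the comic's 1000/s, and a million parallel attempts against a 20-second PBKDF, i.e. 50,000/s). Dictionary sizes and rates are the thread's figures; the 95-symbol printable-ASCII and 36-symbol alphanumeric rows are my assumptions.

```python
"""Search-space and time-to-exhaust estimates for the password schemes above."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, length: int) -> int:
    """Candidates an attacker must try to exhaust a secret built from
    `length` independent choices out of `symbols` equally likely options.
    For a passphrase the 'symbol' is a word, so the size of the word list
    is what matters, not the character count of the joined words."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """The same quantity in bits: log2 of the search space."""
    return length * math.log2(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried at the given rate.
    The average case is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Guess rates (constructed from the figures quoted in the thread).
RATES = {
    "online, comic's 1000 guesses/s": 1e3,
    "online, 20 s PBKDF x 1e6 parallel": 1e6 / 20,
}

# (symbols, length) per scheme; word-list rows use words as symbols.
SCHEMES = {
    "4 words, 2000-word list": (2000, 4),
    "4 words, 5000-word list": (5000, 4),
    "4 Diceware words (7776-word list)": (7776, 4),
    "4 words, 171476-word list": (171476, 4),
    "2 words, 10000-word list": (10000, 2),
    "6 random lowercase letters": (26, 6),
    "8 case-insensitive alphanumerics": (36, 8),   # assumed 36-symbol set
    "28 random printable ASCII": (95, 28),         # assumed 95-symbol set
}


def report(schemes=SCHEMES, rates=RATES) -> dict:
    """Map scheme name -> (bits, {rate name: years to exhaust})."""
    out = {}
    for name, (symbols, length) in schemes.items():
        space = search_space(symbols, length)
        out[name] = (entropy_bits(symbols, length),
                     {r: years_to_exhaust(space, gps) for r, gps in rates.items()})
    return out


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:36s} {bits:7.2f} bits  "
              + "  ".join(f"{r}: {y:.3g} y" for r, y in years.items()))
```

Two rows reproduce figures quoted earlier in the thread: two words from a 10000-word list (26.6 bits) lands just below six random lowercase letters (28.2 bits), and four Diceware words give the 51.70 bits posted for tiringblizzardbrigadeturmoil; the 2000-word row shows the same 4-word passphrase going from about 500 years at 1000/s to about 10 years at 50,000/s.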

>Nigger
>user
>Faggot
Literally all worth their shit? Those aren't uncommon words. Unless you use witenagemot, chaulmoogra and gossypol, don't kid yourself by saying these are in no dictionary anywhere.