Password Thread

How does Sup Forums make a strong password?

I flip a coin a bunch of times

OPisAfaggot696969

KeePass's password generator.

Phrase-based password with some foreign words from different languages, and a few random non-alphanumeric characters sprinkled in there.

For example:
>Xenophobic KURVA! C'est 4 u. Arigato, Al-Kitab-san~

>hey user can you tell me your password I need to use your pc for a sec

>implying user communicates with anyone outside of Sup Forums

00000000000000000000000000000000000000000000000000000000000000000000000000000000+1234

For one thing I don't post the method online.

This

Got a single word in French, written close to phonetically, then I've added a number and a non-hex char at the end.

For more security, I add at the beginning a modular set of characters

(For me it's #(1)(2)!, with (1) the first letter of the site +1 (a becomes b, b becomes c, and so on) and (2) the second letter of the site, also +1.)

>screencap recognizable area of login screen.
>md5sum screencap.jpg = username
>sha1sum screencap.jpg = password
>I don't actually do this, so feel free to steal the idea.

Realistically 16 characters is safe in any situation. So I aim for the double.

Fuck Snowden. Fucking anti-Trump cuck.

>being Sup Forums
>not using this
world.std.com/~reinhold/diceware.html

>said no one ever

pwgen is pretty good

slap muh dick in keyboard several times

I have a simple password for my manager connected to huge passwords that are inhumane

just write your own password generator, it's not that hard with random to just pick random characters from a string of random numbers, symbols, and letters.

then write a password manager that encrypts the file; add un + password to the file for each thing you have. the only reason password strength is emphasized is because normies literally choose things like 'password' and 'hello' etc so hackers can just bruteforce accounts pretty easily given those parameters. once their account is hacked many accounts follow because their other accounts probably use the same password.

binary code for words
steam is binary for "benis"

I use KeePassX high entropy password generator.

KeePassX > KeePass

1. Bang head on keyboard
2. Use password manager

"ill type it. i use this password for everything so i dont really want to tell you.."

Set your password as: 偉大

I use a password manager that I wrote myself. Plenty of websites around to help you make a strong password, remembering them all is a different story tho..

I use my GPG key.

Master Password is pretty nice

>>screencap recognizable area of login screen.
>they change the colour slightly

>using text in your password
>not using face recognition

You don't like a guy who exposed a massive Orwellian taxpayer-funded program that collected reams of data on your Internet habits because he disagrees with you about an election?

>using face recognition
>not a direct machine-mind interface

I just choose 10 - 15 character long strings of random numbers, symbols and upper-and-lowercase letters. Then I write them down on paper.

For ones I don't need to remember, I generate a 40 digit key in LastPass

For the ones I need to remember I just string together two or three random words and a number.

More like: "I gave up my future only to jeopardize national security and become a SJW cuck on twitter".

I cannot believe there are still people who believe his bullshit. It's a disgrace, he's a disgrace, and you're a disgrace for posting this picture. Sad!

>autistic 40-digit+ password
>"I use this password for everything"
That's fucking retarded

Password manager.
Nothing beats a 16 character long randomly generated sequence of symbols, digits, uppercase and lowercase letters.

for the password manager password, I use various phrases like "BloodForTheBloodGoD_SkullsForTheSkullThrone"

My password manager makes them

>randomly generated
Stopped reading there.

Password managers are a meme, nothing in computers is pure random yet. There are attacks that can be done to obtain the "seed". Once that is compromised, reversing the algorithm for the password manager and adding the seed is trivial.

>nothing in computers is pure random yet
>sequences derived from human input are not random

kek

Password managers are a tool of defense against the possible incompetence of the service that you use the passwords on.
If your entire system is compromised, you have bigger problems to deal with than your MMO account.

There's nothing general to protect you against a targeted attack, but you aren't that important or you'd already know how to protect yourself against a targeted attack

>assuming password manager programmers are competent
>what is an indirect attack?

TOP FUCKING KEK. Found the Security+ or CISSP retard.

t. NSA

Oh wait, were you expecting a reply this whole time?

Here's one.

01000111 01101001 01110110 01100101 00100000 01101001 01110100 00100000 01100010 01100001 01100011 01101011 00100000 01011111 01011111 01011111 01011111

Type randomly in notepad
Save result Physical note and file
Use it as password

Password generator

sigh

pass > keeplebx > keepleb

Half the word L33T

...

I have a few passwords that I legitimately could not tell people, only type in or long-windedly explain how to go about typing them.
Never had that happen to me and if it did, I'd tell them I'll make a guest account for them.

I've been looking into it and it's surprisingly hard, though I'm only a layman

short passwords can be beaten by random guessing (brute force)
having a hard to guess password or one with symbols is really no help

longer passwords are venerable to dictionary attacks, where whole words instead of individual characters are used
pre-recorded phrases like quotes are extremely venerable to this
I think dice-ware passwords are venerable to an extent as well

I don't trust password managers myself
because you could be screencapped or keylogged while setting them up if you are already infected
or because your password isn't worth much to an attacker, but the program is worth a million passwords, and it seems all too regular that we only find out about a breach years later
sure they provide good protection for those shitty little passwords and I'd use them for that, but for your more important passwords you might want more security

trying to set up a good multi-phase security with a token, but not sure where to start

You realize it's a fake excuse, right?

>what is a dictionary attack
>venerable
what? you mean passwords are respected?

For people using password managers with generated passwords: Don't you fear you will get locked out from all the websites when something happens to your database or key file (e.g. you accidentally delete it or it gets corrupted)?

>I think dice-ware passwords are venerable to an extent as well
only if they're too short
it's simple math m8

>breach
you obviously use a local password manager
>willingly giving someone else all your passwords
hahaha, good one

I don't, all my passwords are 015989 but I use two-step verification on everything

Use the password "hunter2".

Your password is blocked on Sup Forums, give it a try!

Password: ****************

No. I store it on ZFS, specifically because with snapshots and ECC memory it's the most safe place to store data.

see:

1p'4s'9'f16gg25t'
it's easy once you understand how hard brute forcing passwords is. i'll guide you through how i got the password above.
take a phrase
opisafaggot
now let's modify the phrase so it's easily remembered but not easily cracked. we are going to replace every vowel with '0' so we have
0p0s0f0gg0t

the password is looking strong but we can make it stronger with some special characters. let's try adding ' after what is every word. you'll have to forgive me, my shift key isn't working, but just use your favorite special character
0p'0s'0'f0gg0t'
now you might be thinking that there's way too many 0's here. but that's not a problem. just add an increasing number after the 0, or instead of using 0's use a sequence. take x squared
1p'4s'9'f16gg25t'
there, now you have a strong password and all you have to remember is
opisafaggot
x squared
' after every word

like I said dictionary attacks can be very effective against passwords that are pure dicewords; however when a diceword is hardened I believe it becomes magnitudes more secure

take for instance "the lord is my shepherd"
it has about 80 bits of entropy
but anyone could tell you it's a weak password

a long password is always good, but any password that uses whole words is weaker by a magnitude because instead of guessing individual characters that are unrelated to each other

in the same way an attacker can run common phrases, the attacker can run only combinations of whole words

and the longer the password, the more effective this is relative to brute force

here's my reasoning
it's an easy way of protecting passwords for things you might otherwise not bother to secure
like your porn site, newsletters etc

if you lost all these at once, you would certainly be very unhappy
but that's simply a trade-off between better overall protection vs. putting too many eggs in one basket

on that basis alone I would recommend their use for trivial passwords, because they protect you against mass user level hacks online
eg. someone tried to log into a million pornhub accounts with the password "password"

but the bigger advantage is that they protect your main passphrases/passwords from a sieve attack

breaches of low level passwords can easily enable attacks on entirely unrelated passwords by the same author
eg. I guess your shitty pornhub password, then use it to make a rule, which I then use to attack your main passwords

even in the catastrophic event your password manager is compromised, it could provide no clue at all as to passwords made elsewhere

i use password123 on everything and haven't had a problem yet .. Snowden's a hack

sorry to break it to you, but this is not a great
if your password was "n00bs"
an attacker would try "noobs", then "noobs1" "noobs2" ...."n00bs" "n00b5"
before they tried six digits of gibberish "t76ygu" "fmiet0"

a brute force attack will try ungodly amounts of combinations
combinations that follow a pattern will always be tried before gibberish

it's still a very strong password, don't get me wrong
but if you used a "rule" to make it, a rule could be used to beat it
ESPECIALLY if you use that same rule across multiple passwords
the fact you provide " ' " effectively as a word break hurts you greatly in this case, because it allows your "rule" to be reverse engineered from known passwords

I leet mai waifu's name, times five, then throw in a few '#+/)!]~.

Different accounts I use her full name, surname, favourite food et cetera.

*************

diceware implies they're completely randomly chosen words, which implies they're not connected to each other.
it's obviously crucial that the words aren't connected in a guessable manner; you can flip to a random page in a dictionary and pick a word from there. Repeat that until you have a sufficient number of words (4-8)

yeah that's true for 5 characters. not for anything longer than 8. it becomes nigh impossible to crack
obviously you wouldn't use the same rule for every password. just easy ones you can remember.
what i demonstrated is effectively all you need for a password

*****************

wow it really works

the words aren't connected, but the letters are

that's all a dictionary attack does, guesses increasingly uncommon combinations of words

and using the diceware list of words is crazy stupid, because it's been around long enough and there are probably pre-calculated probability based table attacks (is this a "rainbow table"?)

the point I'm making is that a very long password phrase is far from as secure as its entropy potential might suggest

it's a good password for sure, but computers are only getting stronger and hackers are only getting better at one of the oldest hacking techniques

"8 digits" isn't going to cut it at some point even if your password is completely random
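The disagreement above (the "about 80 bits" of "the lord is my shepherd" versus its real cost to an attacker who guesses whole words or whole quotes) comes down to which model the attacker gets to use. The following is an added illustration, not code from anyone in the thread: it scores a phrase under each attacker model and takes the minimum, since the attacker picks the cheapest one. The vocabulary size (10,000 words) and quote-list size (1,000,000 phrases) are assumptions chosen for the example; the Diceware list size of 7776 is the real one.

```python
import math

# Entropy bookkeeping for passphrases under different attacker models.
# Added illustration; the vocabulary and phrase-list sizes used in __main__
# are assumptions chosen for the example, not measurements.
DICEWARE_LIST_SIZE = 7776  # the standard Diceware list has 6^5 entries


def naive_bits(length: int, charset_size: int) -> float:
    """Work (in bits) if every position is an independent, uniform draw from a
    charset of charset_size symbols: the 'entropy potential' of the string."""
    return length * math.log2(charset_size)


def word_level_bits(n_words: int, vocabulary_size: int) -> float:
    """Work if the attacker enumerates combinations of whole words drawn from a
    vocabulary of vocabulary_size entries (a dictionary/combinator attack)."""
    return n_words * math.log2(vocabulary_size)


def known_phrase_bits(phrase_list_size: int) -> float:
    """Work if the whole phrase sits in a list of quotes, lyrics, etc.: only
    log2 of the list size, no matter how long the phrase is."""
    return math.log2(phrase_list_size)


def diceware_bits(n_words: int) -> float:
    """Diceware words are independent uniform draws from the list, so the
    word-level model is already the cheapest honest attack; a longer list or
    more words are the only ways to raise it."""
    return word_level_bits(n_words, DICEWARE_LIST_SIZE)


def attacker_models(phrase, *, charset_size, vocabulary_size,
                    phrase_list_size=None):
    """Bits of work under each model that applies to the phrase. The attacker
    picks the cheapest model, so the effective strength is the minimum."""
    letters = [c for c in phrase if c.isalpha()]  # spaces are not guessed
    words = phrase.split()
    models = {
        "char_bruteforce": naive_bits(len(letters), charset_size),
        "word_combinator": word_level_bits(len(words), vocabulary_size),
    }
    if phrase_list_size is not None:  # phrase is a famous quote or lyric
        models["known_phrase"] = known_phrase_bits(phrase_list_size)
    return models


def effective_bits(models) -> float:
    return min(models.values())


if __name__ == "__main__":
    # Constructed inputs: a well-known phrase versus a Diceware phrase of the
    # same word count. The vocabulary and quote-list sizes are assumptions.
    quote = "the lord is my shepherd"
    models = attacker_models(quote, charset_size=26, vocabulary_size=10_000,
                             phrase_list_size=1_000_000)
    for name, bits in models.items():
        print(f"{name:16s} {bits:6.1f} bits")
    print(f"effective        {effective_bits(models):6.1f} bits")
    print(f"5 diceware words {diceware_bits(5):6.1f} bits")
```

Under these assumptions the quote scores 89.3 bits as a letter-by-letter brute force, 66.4 bits as a five-word combinator search, and 19.9 bits once it is treated as one entry in a million-quote list; five Diceware words score 64.6 bits and, because they are independent uniform draws, no cheaper model applies to them.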

I make weird ass sentences like: Why does Seth Meyers smile so much?

please, if you're getting in over your head don't discuss shit
diceware is secure, that's not how things work
i don't want to have to explain everything

I use lyrics of obscure Italian rap and disco music.

sure if you are worried about attacks from gpu clusters then just pick a longer phrase. But unless you have information like nuclear codes no one is going to dedicate the hours and hardware just for you at 8 characters.

I use apg
packages.debian.org/wheezy/apg

Obscure James Bond characters

i go to random.org and generate 1000 random strings and pick one

pwgen 10 1

You would only need to take the screencap once you absolute tit

Brute forcing a reasonably long gibberish with an arbitrary made up rule has an absurd complexity once you go out of 9 or so characters.

I create my passwords using a simple rule that ends up with 20 or so characters that are gibberish unless you know the pattern beforehand.

So unless someone brute forces with some sort of adaptive, star trek level AI, a 20 character password of random characters, even if created using mnemotechnique, is very safe.

>How does Sup Forums make a strong password?
Strong?
pwgen -sy 32

Strong and memorable?
curl -s 0x0.st/8Ix.bin | shuf | head -n 8

8 characters, numbers + single-case letters (uppercasing or lowercasing letters before hashing is a common misconfiguration), hashed with MD5
a single GTX can do 25 billion hashes per second for MD5[1]
36^8 hashes / 25*10^9 hashes per second ~ 112 seconds
not that long huh?
for mixed case letters + numbers (62^8) it's 140 minutes, but that's still worth it considering you usually do this on a bunch of passwords.

[1]gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

ok so this all bull shit when you realize most websites (important ones anyway) have ways of preventing brute force attacks

This. Probably don't need to go to that extent, though. Plus you should make the phrase mnemonic. Like your initials so you can remember it: Autobahn Betamax Cinco.

Fun fact: They can even be common words like Alpha Bravo Charlie and still be extremely strong.

Who worth cracking uses MD5 for anything except file checksum?

For 9 letters it is 4000 seconds, for 10 it rises it to 40 hours for lowercased numbers and digits.

For an actual 96 character ascii character set with 10 characters your gtx requires 84 years to crack it with 100% certainty, so 42 on average.
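The figures in the last two posts (112 seconds for 36^8, 140 minutes for 62^8, 4000 seconds for 36^9, 40 hours for 36^10, 84 years for 96^10, all against 25 billion MD5 hashes per second on one GTX) all come from the same keyspace-over-rate arithmetic. The estimator below is an added example, not something posted in the thread; the only rate it takes from the thread is the 25 billion/s MD5 figure, and the 10,000/s "slow hash" rate in the main block is an illustrative assumption to show what a deliberately slow password hash does to the same keyspaces, not a measurement of any particular algorithm.

```python
import math

# Offline guessing-cost estimator (added illustration). GTX_MD5_RATE is the
# single-GTX MD5 figure quoted in the thread; any other rate is an assumption.
GTX_MD5_RATE = 25e9  # hashes per second

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return charset_size ** length


def bits_of_work(charset_size: int, length: int) -> float:
    """Same keyspace expressed in bits, for comparison with entropy figures."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Time to try every candidate (100% certainty). The expected time to hit
    one particular password is half of this."""
    return keyspace(charset_size, length) / rate


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def human_duration(seconds: float) -> str:
    """Coarse, rounded rendering of a duration for reading off a table."""
    if seconds < SECONDS_PER_MINUTE:
        return f"{seconds:.0f} s"
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_MINUTE:.0f} min"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_HOUR:.0f} h"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


if __name__ == "__main__":
    # Constructed table: the charsets and lengths discussed in the thread,
    # at the thread's MD5 rate and at an assumed slow-hash rate of 10,000/s.
    SLOW_HASH_RATE = 1e4  # assumption for illustration only
    cases = [(36, 8), (62, 8), (36, 9), (36, 10), (96, 10)]
    print(f"{'charset':>7} {'len':>3} {'bits':>5} {'MD5 on 1 GTX':>14} {'slow hash':>12}")
    for charset, length in cases:
        fast = human_duration(seconds_to_exhaust(charset, length, GTX_MD5_RATE))
        slow = human_duration(seconds_to_exhaust(charset, length, SLOW_HASH_RATE))
        print(f"{charset:>7} {length:>3} {bits_of_work(charset, length):5.1f} "
              f"{fast:>14} {slow:>12}")
```

Note that the table only describes offline guessing against a leaked hash; it says nothing about online guessing, where the lockouts mentioned later in the thread apply, and the same 36^8 keyspace that falls in under two minutes at the MD5 rate takes years at the assumed slow-hash rate, which is the whole argument for not using MD5 for password storage.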

That is not how it works.

You first get a database of user:password. Both are ofc hashed and salted.

Then you obtain user names which you are interested in, for example by using a dictionary attack on the user name hashes.

You obviously need the salt function as well.

From that point you try to brute force passes for each user.

Once you get both, you can simply input them into the website and get what you want.

Say you have 1000 users.

First get their names, then do a pyramid of attacks on the passwords starting from the easiest methods and ending with brute forcing what remains.

Since most people are idiots and use user/qwerty kind of passes, you can, with a reasonable gpu farm, guess 70-90% of user/password pairs.

I think about 8 hours
but it's entirely dependent on the kind of hardware the attacker has

but keep in mind that the probability of a brute force increases as the number of combinations decreases

if there are a million combinations, it's just as likely your password will be number 2500 as 999,999

iw4nt2bth3l1ttl3g1rL

Will your password really be bruteforced with the cooldowns that everything uses now?

not him, but websites are fairly clever about protecting against automated interface

a simple lock out after an incorrect guess slows down brute forces to the point it's barely worth bothering

facebook for instance detects if you try to access from another region, or from multiple regions simultaneously
and everyone can work out when there is a cluster of suspicious access
e.g. every computer in a public library, every computer in a university faculty, thousands of PCs in a small town like you see in Russia

contd:

1000 users - getting names is easy as most people are 'niggerdick2121' so a dictionary attack will work. Say, 10 seconds per one on average.

Password - assume secure hash, not md5, so you need to try dictionary attack if that fails for, say 1 minute, then switch to brute forcing. If that fails after 10 minutes simply give up because this pass cannot be cracked _easily_.

Overall - for one user you spend 670 seconds, for 1000 users you spend 186 hours.

Unless you have a botnet going on; then if your GPU farm spent 186 hours at 10 kW, you used 1860 kWh of energy. Check with your local utility how much that would cost if you disregard the cost of the GPUs.

It obviously is actually a lot less, because most passes are cracked with a dictionary/rainbow table and a minority actually goes to brute force or even fails after that.

In the end it all boils down to hash/second and money gained from this operation.
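The pipeline described in the two posts above starts from a dumped table and assumes the passwords are "hashed and salted" with a "secure hash, not md5"; that is the one decision the site, not the user, controls, and it is what turns the hash/second figure into a cost. The code below is an added illustration, not anything posted in the thread, of what that decision looks like on the storage side: a per-user random salt with PBKDF2-HMAC-SHA256 next to plain unsalted MD5. The record format `pbkdf2_sha256$iterations$salt$hash` and the 100,000 iteration count are assumptions for the example (the count should be tuned up to what your login path can afford).

```python
import base64
import hashlib
import hmac
import os

# Added illustration of per-user salting with a deliberately slow KDF. The
# record format and the iteration count are assumptions for this example.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a stored record from a fresh 16-byte random salt. Two users with
    the same password get different records, so one cracked record says
    nothing about the other and precomputed tables do not apply."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread's rate figures assume: fast and unsalted."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hashes(records) -> int:
    """Count stored values shared by more than one user. With an unsalted hash,
    password reuse is visible in the dump before any guessing starts."""
    counts = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed user table: two users reuse the same weak password.
    users = {"alice": "qwerty", "bob": "qwerty", "carol": "correct horse battery"}
    md5_table = [unsalted_md5(p) for p in users.values()]
    pbkdf2_table = [hash_password(p) for p in users.values()]
    print("shared md5 digests:   ", duplicate_hashes(md5_table))     # 1
    print("shared pbkdf2 records:", duplicate_hashes(pbkdf2_table))  # 0
    print("verify alice:", verify_password("qwerty", pbkdf2_table[0]))
```

With the salt stored beside the hash, an attacker who has the dump still has to run the full PBKDF2 derivation once per guess per user, so the per-user time budget in the "contd" post is multiplied by the iteration count rather than shared across the whole table.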

>Using direct machine-mind interface
>Not using astral projection system

Brute forcing is done on a dropped user/pass databases, not through a public interface. If anyone tried 25 billion attempts at guessing a pass then even the easiest DDOS protections would trigger on any website.

are you literally a fucking nigger?