Password Strength

You need at least 50 characters.

50
0

words, spaces, etc. are ok. just make it 50 or more.

>storing passwords with SHA2
maybe if you weren't a complete moron and used a suitable password hashing algorithm, your passwords would take longer to crack.

I have my password manager on my phone, backup my database to my home server. So i do have it on me at all times.

comprehensive dictionaries have every word on wikipedia

>capitalisation doesn't help very much
Wut? Capital letters increase the character space by like 30%.

Oh shit. I just typed in my real password. Am I fucked?

gpg still defaults to sha1 for mangling, as do password databases on sites you use. It all comes down to password strength, even with 64-bit sums like SHA512.
Capitalizing of dictionary words is predictable and adds little overhead to crack.

If you don't have a key length of at least 1024 characters (all, including symbols and accented letters) if various memes then you don't stand a chance for the future

password.kaspersky.com/
this is better

;)

Changing "password" to "Password" doesn't help at all because people tend to capitalize dictionary words and dictionary words are very common so they get checked first.

Changing "p3lmo7-pvfsv0n0d" to "p3lmo7-pvfSV0n0d" helps a lot, on the other hand.

>year of our lord 2017
>password systems still only take one input field

Would take only a couples weeks with a couple hundred 10+gh/s dedicated bitcoin hashers.

What about 3 attempt limits and the account locking up?

>"MyPasswordsLastRongTiem" would be much secure than shitter like T3st1ng~.
Citation needed.

No, everything is done clientside. No data gets sent to the server.

>simply make it easy to remember but hard to guess.
This is not possible because human brains work in a very, very, very non-random fashion. When making a passphrase, you're likely to use common English words arranged in a manner that they form an English phrase or sentence. If passphrases become widespread, how many normies who are currently using "Password1" do you think will pick things like song lyrics or the beginnings of famous quotes? It's the same problem that ordinary passwords suffer, where a capital letter is very likely to be at the beginning, a number most likely to be at the end, and so on.

The only way to win that game is to not play it. Deny password crackers their one and only advantage - which is a knowledge of what humans find easy to remember.

Should be using a keyfile and a passphrase. The website should be open about how they store your password and verify how they check your key file.

Stops online attacks (some guy tries to log in to the site with your username and a bunch of different passwords), does not stop offline attacks (some guy hacks the site, steals its password database, and feeds it to a rackful of GPUs running hashcat)

This is also why password reuse is so bad, because if one site gets hacked and your password falls to an offline attack (and most fall very quickly) then he has a username/password pair that he can try on other sites.

Did you even think before making this post?

I did, I have my doubts about whether you did, though.

Consider how you'd go about cracking either password. You would start with the smallest string available and rotate through all character combinations until you solved it. Let's assume that the passwords are "abc" and "ghijkl".

You start cracking with one character strings:
"a": nope
"b": nope
"c": nope
...
"z": nope

None of those worked, so you add a character and go again:
"aa": nope
"ab": nuh uh
"ac": still nothing
...
"zz": nada

Again, you add another character and reset:
"aaa": no
...
"abb": no
"abc": yes!

Let's consider too that each attempt took 1 second. 26 characters in the alphabet would take 26 seconds. Going from "aa" through "zz" would take 11 minutes. Going through "zzz" would take nearly 5 hours. "abc" would be figured out before lunchtime.

But if you keep the pattern going, adding extra character after extra character, it would take you almost a decade to figure out "ghijkl" at that rate

>Capitalizing of dictionary words is predictable and adds little overhead to crack.
Oh i see now, thanks.

>Changing "p3lmo7-pvfsv0n0d" to "p3lmo7-pvfSV0n0d" helps a lot, on the other hand.
Yeah that's what I was saying lol.

>offline attack

>There are USB hashers capable of billions of hashes/s.
How man PBKDF2-sha512 iterations can it do per second? Plain SHA2 should only be used for verifying a file hasn't been altered. It's $CURRENTYEAR for heaven's sake.

So guys, "password" comes up as the #2 most used. What's #1?

Even if all of my accounts get hacked the hacker will get nothing of value and would have literally just waisted his time

'Password1!' to meet arbitrary requirements.

Not everyone does it for the money. Some people are just sadistic.

fuggg ::::DDDDD

Should've used a passphrase

"Niggerholupsoyousayinwewazkingzandshit"

>Compromise my password by typing into a random text box to see how strong it is

Go Phish somewhere else,billy

You can download the library in your language of choice for offline use.

cat /dev/urandom | tr -dc 'a-zA-Z0-9 !#$%&/.:' | fold -w 30 | head -n 1 and writing it down on the paper is the most superior method.

>Niggerholupsoyousayinwewazkingzandshit
hoily sheet u right

Actually remove blank space from tr -dc characters because it will be confusing. You can also add @()[]?*+- and lots of others.

>Way harder to crack
They are exponentially easier to crack than a random password of the same length.

>infinitely more memorable.
Memorizing passwords doesn't scale if you have more than a dozen accounts.

This must be a troll.
password crackers use dictionaries to guess commonly used words

>centuries

Good, can't have niggers going back to be kings.

>dont use an account for a long time
>forget the password

should i finally start using a password manager?

12345 or 123456, most likely.

What is this?
head -c21 /dev/urandom |base64
21 random bytes should do it.

>passphrases meme
Expect when you get hit dictionary attack and find out how easily crackable they are. This exactly why Amazon has stopped using passphrases.

>dictionary attacks
Use multiple languages. Problem solved.

With enough words and a large enough dictionary, dictionary attacks become a non-issue.
Besides, you can still insert a special character, or just a random normal character, within or between words. Or substituting a letter.
Still easy to remember and makes your password a lot better, if you feel passphrases aren't strong enough.

You are not going to remember a new passphrase for each time you need a new account.
One of the biggest dangers is re-using the same passwords. One service could just be stupid enough to save your password in cleartext; or at least in a recoverable form. Or it got hacked to do so. If it then gets compromised it doesn't matter how strong your password was. And if you used it for multiple services, suddenly all these accounts are endangered.
That is where a password manager is superior. You can without much hassle generate a different, secure password each time. If it gets leaked, so what? Someone might have access to that one account, but that's it.

It's an offline attack retard.

Another retard. It's an offline attack.

>dictionary attack
This diceware list
>eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
has 7776 words. If you use 6 random words, that's 7776^6 possible combinations, and, with an average of 12.9 bits per word, 77 bits of entropy. Amazon and whoever else still allow short passwords, and you can bet few people are using truly random passwords of 80 bits of entropy or more. So all you need to do is remember 6 randoms words, and add a single random character for good measure.

Heh

>they're not allowed to inject terms associated with hate speech into their dictionary list