Password Thread

>generate
>good
nope
you need to use physical dice

But wouldn't someone just use a dictionary attack?

That's kinda stupid. If it's really a concern for you, use Linux's true random number generator instead.
echo $(shuf -n 4 /usr/share/dict/words --random-source=/dev/random)

$ wc -l /usr/share/dict/words
119095 /usr/share/dict/words

There's 119095 ** 4 = 201175048646341950625 possibilities of configurations here. This has much more entropy than a common "random" password. See

>true random number generator

If the attacker knows your password scheme, the first one is better. If the attacker doesn't know your password scheme, the longer one is better.

This.

If you have a four word password that is 30 chars long, it is equally good as a random 30 char password.
However if they know that you are only using words, the number of chars becomes unimportant.

Number of possible words (~500 000)^4
vs
~50^30

So, if an attacker know that my password is from Diceware,..the first password is more secure?

yes but (~500 000)^4 (possible combinations)..is still good for a password or not?

It's more than enough.

/dev/urandom please

Realistically speaking, if someone got your password, it isn't because they cracked it. More likely, they grabbed it when they hacked into some unsecure website and stole their password list. Which is why it's more secure to use a different password for different places rather than generating one uber-hard password for everything.

autism the post

like linux mint forum.

dicware passwords with small dictionaries used to generate the passwords are slightly weaker to dictionary attacks than short alphanum passwords are to brute force attacks (which is why diceware with a dict size of 7776~ recommends 5+ words now, not 4)

when you start using national corpus of words (which can be in the millions) or large wordlists (like 's 100k~ wordlist, it's 450k~ ish on centos 6) you can basically give people the dictionary you used to generate the password and they won't crack it with a dictionary attack

to put some perspective into this, an alphanum passwords (a-zA-Z0-9) with a length of 9 are slightly more secure than 4 words chosen out of a dictionary of 10,000 words, taking 30 days and 23 days respectively to fully exhaust at 5 billion hashes a second, but if you bump diceware up to 5 words it'll take 230k days to fully exhaust which is slightly longer than an alphanun password of 11 character (120k days)

which would you rather remember?

auEM7onHRzF
BoNe7PmH13b
2UTIWgFVHNf
ZbMROYiJBhk

or

pristine secluding hatchery riddance countable
synopses relieve refueling xbox showbiz
pretense circus repost paragraph gills

a 4 word diceware generated password from a list of 100,000 words would take the same amount of time to crack as a 5 word diceware generated password from a list of 10,000 words, maths is neat

a final point about LARGE dictionaries: short dictionaries can be convenient because you'll have average length words with common spellings without too many 'duplicate' words that will make it harder to remember, the larger wordlists tend to include multiples of words (like bake, baking, bakes, baker, etc) and you'll have obscure words with odd spellings, if you're going to use a dictionary to generate words try to make sure it's not going to have simple words (like a, its, the, hat, etc, which can be weaker to brute force attacks) without ending up in a situation where you have to remember words like "epistemolog"

>but if you bump diceware up to 5 words it'll take 230k days to fully exhaust which is slightly longer than an alphanun password of 11 character (120k days)

and just to add to this because I hit character limit, 12 length alphanum character passwords would take 7 million days to fully exhaust versus 2.34 billion for a 6 word diceware password

god bless
t. phone poster

Wrong.

Thank heavens. I'm appalled on those unoptimized PNG (even JPG)

???

explain, please....

random.org password generator

Who can oppose such convincing argument?

your welcome.

function passwordGenerator(desiredLengthofPassword) {
var string = 'abcdefghijklmnopqrstuvwxyz0123456789';
var output = '';
for(var i = 0; i < desiredLengthofPassword; i++) {
var randomization = Math.floor(Math.random() * string.length);
var evenMoreRandom = Math.floor(Math.random() * 10);
if(randomization * evenMoreRandom % 2 == 0) {
output += string[randomization].toUpperCase();
} else {
output += string[randomization];
}
}
return output;
};

that's utter bullshit

So, a password from Diceware has a 12.9 bits of entropy per word.
And How many entropy has a password of 17 characters , choosed randomly from 78 symbols?

define "choosed random"

A line of shell is much better than your shitty code:

passwordGenerator() {
tr -cd a-z0-9 < /dev/urandom | head -c $1
}

JS is not random: v8project.blogspot.com/2015/12/theres-mathrandom-and-then-theres.html

hahahahahahahaaha
I shouldn't be surprised that you're this retarded since we're on g but damn

This is so shitty even the upper/lower case distribution is uneven.
> a=passwordGenerator(1000000); null
null
> a.replace(/[^A-Z]/g,'').length
541999
> a.replace(/[^a-z]/g,'').length
179965

Randomly selected numbers,..with some true random method, like throw a dice..

Why do people need to over complicate this shit so much. The more secure method is the one that protects against the most likely attack.
If person has a hash or able to mass guess then you want longrandom password and not something that a dictionary attack can be used.
If you expect that the attack will likely be against a password storage mechanism or social engineering or if password guesses are limited in some fashion (lockout and/or expiry) then friendlier passwords are the better choice.

Assuming an equal number of characters, the first one would be *technically* more secure. At that length though, it doesn't really matter, because directly cracking either of them would be realistically impossible. Attacks against passwords of those lengths wouldn't really have anything to do with the passwords themselves.

An average pseudo-random number generated by a computer is more than random enough to create a sufficiently strong password. The only way it wouldn't be is if your computer is compromised. In which case password strength doesn't even matter anymore.

fuck you

When calculating entropy, you assume that the password scheme is known. Which is what happens in

> Babbys first PNG optimization

Except dictionary attacks are a thing.
This assumes pure brute-forcing.
Nothing beats cat /dev/urandom | tr -dc 'a-zA-Z0-9 !#$%&/.:' | fold -w 30 | head -n 1] and pen+paper combination.

>This assumes pure brute-forcing.
Except it doesn't.

then use nonsense words like the names of childhood imaginary friends

jesus chirst go back to Sup Forums

>Childhood imaginary friends
Your autism is showing senpai

It's like you don't even understand the comic.

My /dev/random method is no different than four random words though. And mine is more secure.
When typing my password in public nobody can even guess what am I typing, while when watching somebody else you can guess which words are in their password.
Of course, random words method is easier to remember but mine is more secure.

Pen + paper sucks. You either have to constantly take it with you and risk it being stolen or lost. Or you have to keep it in a safe place and have no access to it when on the go. (And still have a low risk of it being lost.)

>you need to use physical dice

except you don't because when you send your data across the internet over HTTPS you are using generated pseudo-random numbers so if they are not good there why are they good here?

Did you look at cat /dev/random line, imbecile?
It contains 30 characters, which is approximately as four random words, except you are prone to dictionary attacks that way.
You can also do what said but that loses the point of easy to remember.

How do you think the entropy is generated in the comic? It is not on a per-character basis.

does this really need to be more than 1 kb

It's not the same.

I use passwords like this: QtQCxsQ8HAC7TBw5K1QwW37OrhKlOPLYnORfSR3UTJOKKVPu63fuaXHB0FfAgEoK

Thanks. Added to my dictionary :)

Unless you use a word list

...

this thread is so full of bullshit I'll go drink something instead of debunking

Man, are you retarded

Do a little bit of both. Have a few words and a short random character chunk. That way you also meet arbitrary password requirements.

This one is good because you can still add easily memorable symbols so dictionary attacks will eat shit.

>still not getting it
Jesus christ. Come back when you understand entropy and how the comic addresses all your idiotic "concerns".

Passwords containing chactors like ?-,';":&/*#(!*+_×%= take the more computation. This is not a debate

Insignificant.

Go back to school

Not an argument.

Dictionary attacks will crack the second one quickly. There's a reason people create passwords through RNGs and AES.

...

>Dictionary attacks will crack the second one quickly
Add a few symbols and that's not even true.

the second one, the xkcd comic has already been posted

"Jenna from accounting is such a fucking cunt" is a fantastic password.

No it isnt. The only thing it has going for it is length. Dictionary attack with no special charactors or number could crack it in a reasonable amount of time

Go back to remedial math.
You'll pass this next for sure.

I m not sure you even know what a dictionary attack is.

>The only thing it has going for it is length

Sup Forums plz go.

Are you unaware that you can use a dictionary of words and use them in combinations with spaces to crack a password? Its not even hard to write dude. You guys are morons

Wow, so you know how a target password is composed beforehand then? Are you a wizard?

And, contrary to what you might have heard, length is the only thing which matters

>he doesn't understand exponentials

Come back when you can calculate combinations. Should be around the 8th grade.

Fuck xkcd honestly "hurr hard to remember" my ass. Write it down you fukken mongoloid fuck

Wasted quads, desu

Now, how many words are there in the dictionary, little user? Say you had to pick 4 of them, how many possible combinations do you have?

And that's better why, exactly?

>Move the goalpost because i proved you wrong that its vulnerable to dictionary attack
So if it is a length of 20 of only 1s and zeros is harder than a length of 10 with all lowercase letters and certainly harder than a length of 5 with all possible alphanumeric charactors? Retard

>Move the goalpost
The one you arbitrarily set?

Far less than the number of combinstions possible from 31^numberOfPossibleKeyboardCharactors. Brainlet

Such math.
Very convince.

>>>/reddit/

You said it isnt subject to dictionary attack. You see retaded, because its a fucking obvious example of a password that us subject to a dictionary attack. Im not going to write you a fucking proof as to why its more efficient than bruteforcing an ascii alphanumeric password. You can google it

A combination is the length of input to the power of posibile outcomes you fucking idiot. Thats what a brute force does. You learn this in descrete math you little retarded child

Except your "dictionary attack" is heavily modified and assumes how password was composed in the first place which is not feasible in real world.

>modified dictionary attack
I rest my case. It doesnt matter if you knew, if you ran the dicionary attack i described on the second password and your dicionary had all the words and it was set to be as long or longer than the length it would work every time.

>31^numberOfPossibleKeyboardCharactors.
I think you meant the reverse.

In any case, assuming a dictionary size of 5000 symbols (Ignoring "Jenna" in exchange for syntax weakness) versus a symbol size of 70 (a-Z 0-9 and some extra symbols):

5000^8 ("Jenna from accounting is such a fucking cunt") > 70^16 ("a3#45u09asdfLJ@13")

I think the problem here is the understanding of what a dictionary attack consists of. If you're like this guy and your vocabulary list is only a few hundred words, then yes, a dictionary attack will be quick. But a real dictionary list of several thousand will far outstrip random ASCII chars.