Key management

How do you manage your passwords? I do $ echo -n "20-char-masterpass@service-or-site-name" | sha3sum -a 256 | xxd -r -p | base64


w2c sweater

so you hash your password to never use it again?

Keepass

Master Password.

The password manager for the master race.

No, I pass the output to the password field of the site.

I just fucking remember them because I'm not a brainlet

Are you able to remember multiple secure 20+ char passwords and which site each one is for?

Yes
I use the correct horse battery staple method + adding in random special chars in random places
I usually make each one unique and try to make it something funny so that I usually remember them very well

brain

Why was I just promoted?

you are retard
modern dictionary attacks can crack you're retarded password very quickly

hey thrice

No they can't

>adding in random special chars in random places
Reading is hard
On top of that I don't just use English in them

yes they can retard

Ok then. Tell me which dictionary you would use and OP can tell us how long it would take to run for his password.

that's classified

How many words does his password have?

We don't know, that's not part of the information available to an attacker

lol

I'll give you some info on one
5 words, one of which is spelled wrong, 2 of them have some letters replaced by symbols, and random symbols placed in between words

only if it's very few words and no special characters. Good luck cracking a 14 word password.

That is also just one of my passwords that is English only

Ok, assuming no random characters in random places then it would be dictionary_words^total_number_of_words

>14 word password with 3 random characters
this is equivalent to a 15 character normal password

>can crack you're retarded password very quickly
American education

bruce schneier's post about "dictionary attacks" on correct horse battery staple was 100% wrong, idiotic, and cost me most of my faith in him. knowledge of the dictionary does not decrease the entropy of the password.

Only if you're using unicode characters. There are literally millions of possible words and 52 letters in the English alphabet.

>i dont know shit so i say random shit
>please provide evidence user
>it's a sekrit
LEL

According to howsecureismypassword dot net (I didn't put in my real password obv. Just a close facsimile) it would take "2 DUODECILLION YEARS" to crack

that does not count for dictionary attacks

According to howsecureismypassword dot net
"passwordpassword" would take 35 thousand years to crack.

you're actually the dumb one

rip
So whats a better way to calculate it taking into account dictionary attacks?

There are many things that should have cost your faith in him even excluding that.

>"passwordpassword" would take 35 thousand years to crack.
This is retarded, it would only be 26^16 which is almost 2^75, trivially crackable in the hands of the NSA.

>26^16
wrong

Anyone use pass? I think that's what I'll move to soon. But then I have to worry about securing my gpg keys.
but you're literally wrong, entropy is reduced compared to an equivalently long random password. If one can assume a given password contains only dictionary words, the search space is greatly reduced. The only bit-for-bit strong passwords are those that are random, such as those generated by pwgen, or any other random string of chars seeded from /dev/urandom.

>compared to an equivalently long random password
But it isn't compared to that

26 characters on the english alphabet, 16 characters on the string

what about numbers and punctuation etc.

It does not contain any.

lol

xD

>knowledge of the dictionary does not decrease the entropy of the password
If you use dictionary passwords, or non-random passwords in general, the entropy is reduced across the board. You always compare to the best-case scenario, especially when the best case scenario is what you should be using. So why are you talking about weak passwords, with weak entropy, when you can use pwgen or similar and measure entropy per bit, and not per dictionary word?

you mean all your passwords are sitting in your bash history? get rekt (i'll rek u)

My hard drive is encrypted.

Because nobody actually uses those in the real world and it's them we need to teach. Good luck teaching your grandma how to use Keepass for a website that doesn't allow copy and pasting passwords.

>for a website that doesn't allow copy and pasting passwords.
Is that a thing? I would not know as I have dom copypaste events disabled.

Except when it isn't, and it's sitting plaintext readable to any and all applications malicious or not.

But how do you remember the encryption password?
Checkmate atheists

>Except when it isn't
It is all the time.

>and it's sitting plaintext readable to any and all applications
I execute potentially vulnerable applications like firefox as a different user.

>malicious or not.
I only use foss applications.

>If one can assume
Based on what? What would allow that assumption to begin with?

>only dictionary words
So any misspelling, added characters, camel casing, etc, invalidates your point

>strawman
How is this relevant to anything I've said? Your retarded grandma can go fuck herself.
>Based on what? What would allow that assumption to begin with?
Based on common user-chosen password traits, and based on reducing the potential search space for a brute-force attack.
>invalidates your point
No, your ignorance invalidates your post. Common traits like you describe, e.g. character substitution as in p@ssword, are easily accounted for at the cost of little increased search space. And regardless of assumptions, a random password has maximum potential entropy, while everything else, diceware included, has less.

keepass
any other answer is wrong and the poster retarded.

Enjoy your backdoor

Fucking imbecile.

>not using pass
>not retarded
Pick one.

Idiot. Kill yourself.

Except "passwordpassword" is going to be one of the first things being tried, along with every other retarded normie password.

I keep my passwords on a gnu/hurd partition, they get so disgusted no one wants to touch them

any program running as your user can see your history

hahahahahaha
tfw when you know enough about technology that it actually makes everything work less

other examples: pacman, making google searches, arch linux,

I use the password generator that comes with Keepassx.

$ grep -i histcontrol ~/.bashrc
HISTCONTROL='ignoreboth:erasedups';
export HISTCONTROL;

Pacman is much better than apt though

You could say it's more apt than apt.
I'll see myself out.

>knowing Japanese
How much of a weeb are you?

>14 words with garbage characters
>equivalent to 14 regular dictionary words
>14 regular words
>equivalent to 14 characters
If the password is in roman letters then that's at least 2 attempts per character due to casing, when applied to a word that grows exponentially.

A (character) = 2 attempts
aA (word) = 4 attempts
aAa (word) = 8 attempts

aaa
Aaa
AAa
AAA
aAA
aaA
aAa
AaA

pass with git
passwordstore.org/

This better be a joke. If you knew what the password contains then you wouldn't be using brute force. Even though it doesn't have any you still have to search for them because obviously you don't know if it contains them or not. The only exception is when you know where the password is used and only then can you make assumptions based on allowed characters and length.

Thank you, you've taught me something very important today

Who stops the NSA from doing a brute force on lowercase-only characters while they do a brute force on all of ascii at the same time?
Nobody

The amount of years it takes to brute-force it depends on what character set the attacker is using. For example, it would be a lot faster if he somehow only used {p, a, s, w, o, r, d} than if he used {A..Z, a..z, 0..9}. And it would be also faster if he knew the length of the password.
And it would be faster if he did it in a parallel way across many computers.
You can't make vague generalizations like that.

the whole point of correct horse battery staple is that it's
1: easy to remember
and 2: still provides a tolerable level of security

because the entropy calculation from the xkcd strip assumes the cracker has the dictionary you generated your password with and knows that your password is just four randomly selected words from it
a truly random password of the same length with alphanumeric characters and punctuation would be obscenely stronger, but the whole point is that it's not memorable and you're just going to end up writing it down somewhere
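Added worked example, not from any post in the thread: it puts numbers on every model argued about above (random string over a charset, k words from a dictionary the attacker is assumed to hold, and the per-letter casing factor), so the "26^16", "2^75", xkcd and "14 words" claims can each be checked under their own assumptions. The guess rate is a constructed figure.

```python
import math
from itertools import product

# Added example, not from any post in the thread. Three models:
#  - a uniformly random string over a charset (the "26^16" post),
#  - k words drawn from a dictionary the attacker holds (the xkcd model),
#  - the 2-per-letter factor when casing is unknown ("aAa" -> 8 tries).
# The guess rate used below is a constructed assumption, not a measurement.


def bits_random_string(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniform random string: 26^16 -> about 75.2."""
    return length * math.log2(charset_size)


def bits_word_list(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a known dictionary."""
    return words * math.log2(dictionary_size)


def casing_variants(word: str) -> list:
    """All upper/lower casings of a word: 2^n for its n letters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ["".join(p) for p in product(*choices)]


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password, i.e. half the keyspace searched."""
    seconds = 2 ** bits / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # constructed: 10^12 guesses/s against a fast unsalted hash
    models = {
        "16 lowercase letters treated as random (26^16)": bits_random_string(26, 16),
        "2 words from a 1000-word list ('passwordpassword')": bits_word_list(1000, 2),
        "4 words from the xkcd 2048-word list": bits_word_list(2048, 4),
        "4 words from a 200,000-word dictionary": bits_word_list(200000, 4),
        "14 words from the 2048-word list": bits_word_list(2048, 14),
        "15 random printable ASCII characters (95^15)": bits_random_string(95, 15),
    }
    for name, bits in models.items():
        print(f"{bits:6.1f} bits  {years_to_crack(bits, rate):>10.3g} years  {name}")
    print("casings of 'aAa':", casing_variants("aAa"))
```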

That's actually a pretty sweet idea. I like it.

No they can't.
In fact, long and obscure passwords with random words and patterns aren't easy to crack, because you have to program what the dictionary should check, what patterns are common, and more.

>20-char-masterpass@service-or-site-name
basically that same thing but no hashing
and instead of the site name i use corruptions of the name that aren't very clever, like peepal and fleabay

I love this concept. I've improved your script a little bit. This would make a great alias.

unset input; read -p "Input: " input; echo -n "$input" | openssl dgst -whirlpool -binary | base64 | head -c 8; echo \!\_; unset input

the only correct way

I decided to try out a few passwords I generated but noticed Lastpass offered something similar.

I put in a joke answer and here is the result.

Pen and paper.

(with added salt) :^)

unset input; read -p "Input: " input; echo -n "$input" saltycum69 | openssl dgst -whirlpool -binary | base64 | head -c 8; echo \!\_; unset input

How big should the dictionary be?
4 random words from a 200,000 word dictionary is a LOT of entropy.

"the eat house sandwich" will get cracked quickly, but "Fornication revolution obsolution crunk" will never get cracked.

Final print. sends the output to the clipboard.

unset input; read -s -p "Key please.." input; echo; echo -n "$input" RbZYAwGnbzfYh | openssl dgst -whirlpool -binary | base64 | head -c 8 | xargs -0 printf "%s" \#\1 | xclip -selection c; unset input

don't you think it should be 16 characters instead of only 8?

Well, make yours 16 then. Some sites don't allow 16 char passwords, it's 10 chars btw. added "#1" at the beginning for those sites that require special + number (for the times the first 8 base64 chars don't have any specials or numbers.)

>calls other people retards
>you're password
>you're

ah yeah, I missed the "#1". but hey, don't need to get defensive, I was just pointing out the low character count (at least when it was 8) since we are talking about security here. thanks for your excellent work user

Sorry, didn't intend to come off as defensive, my bad. Just gotta change the 8 to a 14 :)

shit it's summer already

np. I changed mine to 12 and added an extra special character and number. one other thing I wanted to point out too just as an FYI, the "#1" as you know is being added to the start but some sites require a password to start with a letter. just keep that in mind

Good point, yeah I guess it's probably best to just make it as flexible as possible right from the start before using it too much. I assigned a hotkey for it in xfce4. Then I added a 10 second timer to the end of the script that overwrites the clipboard automatically. This shit is definitely going to come in handy.

unset input; read -s -p "Key please.." input; echo; echo -n "$input" RbZYAwGnbzfYh | openssl dgst -whirlpool -binary | base64 | head -c 14 | xargs -0 printf "%s" \#\1 | xclip -selection c; unset input; sleep 10; echo 1 | xclip -selection c

I'm thinking this could actually be a great model for mobile password management apps. Just storing the seeds and a master salt instead of the passwords themselves. Neat lightweight obfuscation.

just use a password manager ya dumb niggas

you could do this instead: printf "%s#1"
that way the generated password comes before the "#1", and hopefully its not a number. otherwise you can just remember to add a letter to it to make it acceptable, say the first letter of the site/service

"a%s#1"

I thought about that but that just adds another static character to the password along with the ending "#1". I mean really at that point I'm just being paranoid I suppose haha

16^65 is a BIG key space ! :p

Similar to what you have, but I use bcrypt instead of sha3sum. Domain name as the salt and password as the password.
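Added worked example, not code from any post in the thread: the one-liner scheme discussed above (hash master plus site, base64, truncate, bolt on "#1") rewritten as a function with the fixes the later posts ask for. It assumes a slow KDF (pbkdf2_hmac, only because it is in the standard library; the bcrypt/scrypt/argon2 route the last post mentions is better), the site name as the salt, a counter for rotating one site, a forced leading letter and the "#1" at the end. The master secret and iteration count are constructed values.

```python
import base64
import hashlib
import string

# Added example, not from any post in the thread. Differences from the
# thread's one-liner: slow KDF instead of one fast hash, site name as the
# salt (not glued to the master), a counter so one site's password can be
# rotated without changing the master, a leading letter for sites that
# reject a leading symbol, and "#1" moved to the end.

ITERATIONS = 200_000  # constructed value; raise it on real hardware


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 14) -> str:
    """Deterministically derive one site's password from the master secret.

    The site name is trimmed and lower-cased so "PayPal.com " and
    "paypal.com" agree; bumping `counter` rotates that one password.
    """
    if length < 4:
        raise ValueError("length must leave room for the fixed parts")
    salt = f"{site.strip().lower()}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)
    # urlsafe alphabet avoids '/' and '+', which some password fields reject
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # leading letter taken from the key itself rather than a static "a"
    first = string.ascii_letters[raw[-1] % len(string.ascii_letters)]
    return first + body[: length - 3] + "#1"


def meets_policy(password: str) -> bool:
    """The usual 'starts with a letter, has a digit and a symbol' rule."""
    return (password[0].isalpha()
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    master = "correct-horse-battery-staple-example"  # constructed secret
    for site in ("paypal.com", "ebay.com"):
        pw = derive_site_password(master, site)
        print(f"{site:12} -> {pw}  policy ok: {meets_policy(pw)}")
    print("rotated paypal:", derive_site_password(master, "paypal.com", counter=2))
```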