> Bill Burr was a manager at the U.S. National Institute of Standards and Technology (NIST) when he authored a guide to protecting computers and digital accounts with what he believed to be hard-to-guess passwords.
> “Much of what I did I now regret,” he said.
> ThisIsMyPassword is more secure than !P@$$w0rD&%
>ThisIsMyPassword
Will be cracked in nanoseconds by a dictionary attack.
Chase Sanchez
Except it won't. The dictionary attack will, however, easily crack "!P@$$w0rD&%".
Alexander Baker
>nanoseconds No
Ian Ward
Even if "ThisIsMyPassword" was literally in the English dictionary your time frame is optimistic.
Kevin Long
Femtoseconds? You're not suggesting hashes will be checked sequentially, are you? Dictionary crackers can chain words. And you have only 4 word-letters as a result.
Nathan Morales
The password consists of words that fit into likely the 5000 most used words, with password being the least used, still being common. It'd be cracked in not nanoseconds but probably a good 5-10 minutes.
Nathaniel Foster
brb changing all my passwords to ThisIsMyPassword
Robert Adams
...
Caleb Williams
A dictionary attack with 2000 words ("this is my password" is most likely in the 2000 most common words) would take about 2 minutes on a modern computer.
>1000 guesses/sec
That's insanely low.
Bentley Bennett
Same 4 word-letters. At this point I'm assuming they're deliberately spreading false info because other security measures became too strong.
Xavier Edwards
Let's say we have a dictionary of only 100 words, because they are very common. 100^4 = 10^8, that is still 100,000,000 possibilities. Let's say you'd find it after searching only 1/100 of all possibilities, so after 1,000,000 tries. A nanosecond is 10^-9 seconds, i.e. 0.000000001 seconds. So in order to crack the password in nanoseconds, you'd need to be capable of 10^15 guesses per second. That is 1 quadrillion, or also 1 Peta.
Alexander Miller
>That's insanely low.
It's not a hash crunch.
Levi Sanders
Why the fuck not?
Dominic Thomas
>"your password needs to be between 4 and 8 digits"
Henry Torres
>Passwords With Random Characters Are Not More Secure, Says Man Who Said They Were More Secure
Can you point me to where he said that?
Jeremiah Morris
the number of possible combinations grows exponentially with the number of words you put into the passphrase
Leo Wood
OP password is less secure than XKCD one since it's a logical sentence. By choosing random words it's more secure from social hacking. If you somehow find out couple of the words by looking over someone's shoulder, you can assume what the rest of them are and just try a couple of different ones. If they are random you need to know them all unless you want to try all the possible words out there.
Tyler Taylor
Is any of this shit even relevant? Are you people FBI directors who are being targeted for brute force dictionary attacks?
It seems like every password fuckup is either a. phishing attack on some idiot grandma, orb b. site / server getting compromised and information being stolen
Luke Brooks
it's a website password you FUCKING RETARD
Hudson Jones
>he thinks that's a lot with consumer-grade 10 teraflops cards
Absolutely feasible even with such ridiculous time constraints. If there's no hash there's no bruteforce.
Lucas Price
iCloud used to allow unlimited retries so anyone could use a script to get someone's nudes or blackmail material or whatever
Matthew Ramirez
this fucking retard look at this projective defense
>checking hashes sequentially like a retard
do you have a petahertz system? how the fuck are you going to do anything in a nanosecond?
go fuck yourself faggot stop acting tough on the web
Liam Ramirez
With that phrase you have power of 4. With random letters you have power of 10.
Daniel Baker
So? Databases get leaked all the time. If you're actually trying to bruteforce your way into a website through its login page, you'll have like 5 guesses and then you're locked out anyway for minutes, in which case 1000 guesses/second is insanely high.
Jace Parker
I just use keepass and don't give a shit.
The claim is that X is more secure than Y, but Y's own security has not faltered.
Dominic Reyes
no because you can put "random letters" e.g. asdf wasd qwer into the dictionary as well
Anthony Robinson
You'd still need more than a hundred of those tflops cards. Who do you even think you should worry about cracking your password? Some government organization? Chances are, they will find ways to get the information if they have that much power already. It won't be cracked in nanoseconds, deal with it.
Cooper Gonzalez
see it's explained in the comic dipshit
Noah Allen
5 guesses per IP. And most websites now actually make you do captchas on more than a few failed attempts.
Easton Carter
Is using a non-alphanumeric character more secure if you are using a string of words that isn't a dictionary phrase?
For example if you are just using a word like "potato" then I see why "pot4t0" would be more secure, but is "PotatoWestLordHoplite" less secure than "PotatoWestLordHoplit3" ?
Liam Phillips
passwords need to die in favor of some form of public-key based physical security token, preferably with 3+FA (device + PIN + fingerprint or something).
Samuel Wright
>then I see why "pot4t0" would be more secure
It's not. 'Letter replacements' are insecure since you can use algorithms that just replace o with 0 etc without adding very many additional attempts. It doesn't add much entropy. Now, if you spell words wrong, that helps. Patato is much more secure than potato.
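To put numbers on the keyspace arithmetic a few posts up (100 words, 4 positions, nanoseconds vs. guesses per second) and on why letter replacements like o→0 add so little, here is an added Python example; it is not from the thread, and the online and offline guess rates in it are constructed assumptions, not measurements.

```python
"""Passphrase keyspace vs. leet-speak substitutions (added illustration, not from the thread)."""
import itertools
import math

# Constructed guess rates (assumptions): a login endpoint that locks the account after
# 5 failures per minute, versus a hypothetical offline attack on a leaked password hash.
ONLINE_RATE = 5 / 60          # guesses per second
OFFLINE_RATE = 1e9            # guesses per second


def passphrase_keyspace(dict_size: int, words: int) -> int:
    """Number of passphrases built from `words` words drawn from a `dict_size`-word list."""
    return dict_size ** words


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly chosen element of `keyspace`, in bits."""
    return math.log2(keyspace)


def seconds_to_search(guesses: int, rate: float) -> float:
    """Wall-clock time to try `guesses` candidates at `rate` guesses per second."""
    return guesses / rate


def leet_variants(word: str, table: dict) -> set:
    """Every string reachable by optionally applying each single-character substitution.

    A rule-based cracker enumerates exactly this set for each dictionary word, so the
    substitution only multiplies the attacker's work by the size of the returned set.
    """
    choices = [(c, table[c]) if c in table else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def leet_bits_added(word: str, table: dict) -> float:
    """Extra entropy (bits) gained by letting each substitutable letter be replaced or not."""
    return math.log2(len(leet_variants(word, table)))


def report(dict_size: int, words: int, rate: float) -> dict:
    """Keyspace, entropy and exhaustive-search time for a passphrase of `words` words."""
    space = passphrase_keyspace(dict_size, words)
    return {"keyspace": space, "bits": entropy_bits(space),
            "full_search_seconds": seconds_to_search(space, rate)}


if __name__ == "__main__":
    # The 100-word dictionary, 4-word case from the thread: 10^8 candidates.
    print(report(100, 4, OFFLINE_RATE))
    # A fifth word from a 2000-word list adds log2(2000), roughly 11 bits ...
    print(report(2000, 4, OFFLINE_RATE)["bits"], report(2000, 5, OFFLINE_RATE)["bits"])
    # ... whereas o->0 and a->4 on "potato" add only log2(8) = 3 bits.
    table = {"o": "0", "a": "4"}
    print(sorted(leet_variants("potato", table)), leet_bits_added("potato", table))
    # Against the throttled endpoint even the 100^4 space takes decades to exhaust.
    print(report(100, 4, ONLINE_RATE)["full_search_seconds"] / (365 * 24 * 3600))
```

The online-vs-offline split is the point several posters make: lockouts make the guess rate tiny against a live login, while a leaked hash removes that limit entirely.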
Nathaniel Smith
If sequences of letters in your password can be pre-determined, then it's no longer random. So in a random password, those don't exist. Though obviously, true random is impossible anyway. Well fuck, missed the small text. I disagree with the notion that the average user shouldn't worry about databases leaking though. The average user reuses passwords, which makes those more risky than for the advanced user.
Isaiah Hughes
Thanks to the cryptocurrencies this is a reality.
Jacob Jones
It is more secure. It's just not good either. He could have replaced any of the letters with a number (p0tat0, pot4to, po7at0). But replacements like these are incredibly common.
Ian Fisher
nigger you cant even send commands to the gpu in nanoseconds
Grayson Lee
We don't need true random, we merely need something that's not in the dictionary.
Aaron Diaz
>>then I see why "pot4t0" would be more secure
>It's not.
>It doesn't add much entropy.
>Implying it does add entropy
You guys should look up what "more" means. A password of 2 letters is more secure than a password of 1 letter, they're both shit and cracked almost instantly, but one's still slightly more secure.
Christopher Lopez
>biometrics
Passwords that cannot be changed are fundamentally insecure. Security tokens aren't a bad idea though, but you're better off having a password database that you use a security token for that regularly changes. Instead of having a security token for every account, or even worse, having one security token for all accounts, even "Insecure russian dating site.com"
Jaxon Myers
I like that guy from the other thread who said he applies an algorithm to a domain name to produce a password for each site
Blake Clark
Wrong, a 2 letter password is exponentially more secure than a 1 letter password. pot4t0 is linearly more secure than potato.
Austin Nguyen
Sure, doesn't change my point. You can't say pot4t0 isn't more secure than potato, because it definitely is more secure.
Benjamin Ortiz
>>biometrics
>Passwords that cannot be changed are fundamentally insecure.
wrong. as long as the biometrics device cannot easily be spoofed, knowing "who" the user is adds more security
Blake Hall
You should consider the meanings of words, what is security? A password that takes 5 minutes 10 seconds instead of 5 minutes to crack is not more secure.
It's like saying that getting shot by a 50cal is safer than getting shot by a 51cal. It's not. You've reached the point of maximum insecurity.
Elijah Ramirez
pretty much this
just use a password manager and generate long secure passwords Also don't use the defaults change up the length
Lucas Sanchez
And the sun orbits the earth.
Owen Butler
>as long as the biometrics device cannot easily be spoofed
You're sending data over the internet. It doesn't matter how particularly secure your device is. If a hacker knows those biometric details, he can fake them.
Eli Walker
no, I'm talking about a device that needs a short PIN plus some biometric shit in order to authorize it doing a signature.
so you get cryptographically strong login locked behind having to physically have the key with you, plus the PIN memorized and your fingerprint/iris/whatever.
the accessed system would only care about the crypto key, and the other stuff is just to protect the crypto key in the device.
ideally the physical token would be physically and electronically hardened to hamper key extraction, would wipe itself after enough wrong PIN inputs, etc.
Jonathan Russell
Let's hope that there aren't any biometric databases out there, or that having password entropy components that never expire is a good idea.
>You've reached the point of maximum insecurity.
I disagree. There are no limits to that. There could definitely be situations in which somebody might only have 5 minutes instead of 5 minutes 10 seconds.
Thomas Perry
>A password that takes 5 minutes 10 seconds instead of 5 minutes to crack is not more secure.
Except, it is. I know, it is difficult to accept that you are wrong, but don't forget we're all anonymous here. It doesn't matter.
Daniel Howard
kill yourself shill
the biometrics don't get transmitted, it's only for unlocking the local device/token
Adrian Richardson
Define "security" in the context of passwords then.
Liam Murphy
>ThisIsMyPassword is more secure than !P@$$w0rD&%
Probably not but "DickCockSuckCuntPussyHorse" is probably more secure.
David Butler
Hackers are smarter than you are. They're smarter than I am. They will get parts of your password, and if these parts can't be changed your security is permanently fucked. You cannot undo having your biometrics stolen. Just imagine a fake login page that takes your biometrics. People can easily be tricked into giving their biometrics alone. Or their pin alone. You cannot assume that your system is secure just because you throw a whole load of security functions together.
Logan James
So you're saying something either is or isn't secure? Where do you draw the threshold?
Logan Miller
that's not how it works at all lmao
you need to unlock the physical device and it can have anti-spoofing methods like reading your heart beat and not just your fingerprint. it's not just a fingerprint reader that's hooked up to the internet jesus christ...
Nah man, you're wrong and just too ashamed to admit it. Security is being free from danger or threat. How secure you are is a question of how big the threat/danger is you are free from. A password that takes 5 minutes to crack is not free from the threat of being subject to 5 minutes of cracking attempts. A password that takes 5 minutes 10 seconds however, is. Which can even be a valid situation if a database with millions of user data was stolen and the hackers are just going after the very weakest accounts.
Lincoln Sullivan
Security is qualitative, user. You need to be more pragmatic- is 10 seconds a meaningful difference? It clearly isn't. I'm sure that added 10 seconds of security will hold your hand at night when you lose all your data. Now it does depend on context- for example temporary tokens in which a computer system only needs for 10 seconds, that ten second difference is meaningful. (this is why credential expiry is important). For credentials that never expire, 10 seconds is as worthless as any other increment, although at that level you have people that expire, so that is your maximum context level of meaningfulness. This stuff is hard to understand but basically it's a factor of how long you want your data to be secure for. But say, for a password that lasts years, 10 seconds is meaningless. Ergo a meaningless security improvement is essentially a zero security improvement. You want to improve your security to make a meaningful difference, and it's this 'meaning' that is unavailable to single digit IQ morons.
Benjamin Smith
problem with this line of thinking (that 5 minutes 10 seconds is resistant to 5 minutes of cracking time) is that computers will get faster
I don't have a problem with saying 10^26 minutes beats 5 minutes 10 seconds
Angel Nguyen
>How secure you are is a question of how big the threat/danger is you are free from. A password that takes 5 minutes to crack is not free from the threat of being subject to 5 minutes of cracking attempts. A password that takes 5 minutes 10 seconds however, is.
Okay, so a password that takes longer to crack is more secure. As I said, and you (?, ) denied. So the password taking 5 minutes 10 seconds is more secure than a password that takes 5 minutes to crack.
Wyatt Turner
Let me put it like this. 1 password can be just as secure as another, less secure or more secure. And it is definitely not less or just as secure. So it is more secure.
Henry Powell
Ergo; if your password being secure for 5 minutes ten seconds and not 5 minutes is important to you, then yes, your password is more secure. I am working under the assumption (sue me) that this is not your usage scenario. If this is not your usage scenario, security is objectively not increased.
Dylan Long
No, you got it wrong. I am saying that p4ssword is more secure than password. There are multiple anons arguing here, so it can get a little messed up. Of course I know that p4ssword is still a shitty password.
Cooper Taylor
what don't you guys get?
nothing about this scheme is tied to a particular physical token.
hell, you could have 5 different ones stored in various bank safes if you wanted.
the multi-factor stuff is just used to secure any given token, and account keys on remote systems could be updated at will if needed.
Zachary Smith
Security breaches are all or nothing affairs, so yes, security is binary. Either your password is secure or it isn't, there's no grey area there. At the end of the day, there's only one metric that counts and that is; has someone compromised your security.
Oliver Williams
>You're increasing security
>But you're not increasing security
Ok.
Logan Nguyen
Don't answer questions that aren't targeted to you then please.
Oliver Gray
It cannot be more secure if it results in your security being broken.
Adam Howard
Absolutely not. If you're still secure, you're still in danger of potentially being cracked. If you have a non-secure password you're more likely to be cracked, but you can still be safe. It's definitely not binary, that would imply it doesn't matter as long as it's not cracked.
Landon Hughes
>Lastpass >Random 20+ character password
Best of both worlds. Long AND random.
Jacob Gonzalez
You're increasing security in a usage scenario that probably doesn't exist.
"Ah yes son, I have a degree from Philibuster university" "What do you mean this university doesn't exist? It exists more than Giveadogshit University"
Daniel Gutierrez
Security being broken is not only a question of password strength. If you are using a shitty web service that stores your password in plain text, no password will save you. No matter how secure you deem it to be.
So really, what are you trying to get at here?
Nah, thanks. I'm good.
Aaron Price
You're increasing security in a marginal way that doesn't do anything you want or improve your situation in any way.
Furthermore, when someone is repeatedly guessing your password there is probability involved, and often your 5'10" thing will fall under 5'
Dylan Sanchez
>Nah, thanks. I'm good.
Well, if you want to be a dick and just disrupt conversations for no reasons, sure. I assumed you weren't a shitposter though.
Isaac Adams
there are hedge fund kikes who are trying really hard to short the share of the leading smartphone fingerprint sensor company called Fingerprint Cards AB and they spread fake news and shill on social media. probably to try and keep the share price down so they can place a bid on the company and buy it for cheap
Jackson Murphy
Except for you, I don't think anyone was confused. This is not a private chat. This is a public discussion platform.
Josiah Brown
>that would imply it doesn't matter as long as it's not cracked.
Welcome to security, user. Security is context.
Owen Robinson
But the html scrappers and CSRFers!
Logan Davis
>You're increasing security
So I am increasing security. Which was the point. Thanks for your input.
Austin Miller
>Except for you, I don't think anyone was confused.
I disagree, considering
>Nah man, you're wrong and just too ashamed to admit it.
And
>So you're saying something either is or isn't secure? Where do you draw the threshold?
It seems you were completely confused who I was as well. Besides, not everybody posts.
>This is not a private chat. This is a public discussion platform.
Doesn't make it somehow right to jump into conversations to answer questions that aren't targeted towards you, that are specifically targeted to somebody, without indicating that you're somebody else.
Ryder Green
so if you have a few of his passwords you can calculate the algorithm and get everything else he has?
Josiah Perez
you missed the rest of what I said
>in a marginal way that doesn't do anything you want or improve your situation in any way.
its like how you can hold your breath to make your dick .00001 inch bigger but you still have a 1 inch dick overall
Aaron Williams
someone post the comic where the guy gets beat down until he tells what's his password
Camden Myers
Moving the goalposts, I see.
Parker Martinez
...
Jacob Murphy
in a marginal way that doesn't do anything you want or improve your situation in any way
Luke Hall
Depending on how advanced the algorithm is, yes. I did something similar before I started using a password manager. I just considered it from the angle that I'm most likely not important enough to get preferential treatment. At most I'm going to be the victim of a database leak or something, which would result in them knowing one password. I considered the chance of them putting multiple passwords of me next to each other to be 0% in practice. And if I was the target of some sophisticated attack, there are probably better ways of getting my password than to just try and decipher it like that. Like a baseball bat to the face.
Jacob Reed
I'd advise you to take a look at the post that started this all. It's not about it being a good password, it's about it theoretically being a stronger password. As a simple comparison for a more complicated case.
Jordan Lopez
>He's not using made up 10 letter word, not known to any language with semi-random symbols.
It's like you're brainlet or something.
Angel Gutierrez
>he's not using a password manager for individually over-secured passwords and then applying whatever stupid rules to the unlocking password
Josiah Bennett
>He doesn't make up a new language, translates the first sentence of the service's site to it, and uses that as a password, every time he signs up for something Get on my level.
Robert Howard
Is 1.001 more than 1.00 when you have a measurement error of +/- .1?