Passwords With Random Characters Are Not More Secure, Says Man Who Said They Were More Secure

A dictionary attack with 2000 words (this is my password most likely in the 2000 most common words), would take about 2 minutes on a modern computer.
>1000 guesses/sec
That's insanely low.

Same 4 word-letters. At this point I'm assuming they're deliberately spreading false info because other security measures became too strong.

Let's say we have a dictionary of only 100 words, because they are very common. 100^4 = 10^8, that is still 100,000,000 possibilities. Let's say you'd find it after searching only 1/100 of all possibilities, so after 1,000,000 tries.
A nanosecond are 10^-9 seconds, i.e. 0.000000001 seconds. So in order to crack the password in nanoseconds, you'd need to be capable of 10^15 guesses per second. That is 1 quadrillion, or also 1 Peta.

>That's insanely low.
It's not a hash crunch.

Why the fuck not?

>"your password needs to be between 4 and 8 digits"

>Passwords With Random Characters Are Not More Secure, Says Man Who Said They Were More Secure
Can you point me to where he said that?

the number of possible combinations grows exponentially with the number of words you put into the passphrase

OP password is less secure than XKCD one since it's a logical sentence. By choosing random words it's more secure from social hacking. If you somehow find out couple of the words by looking over someone's shoulder, you can assume what the rest of them are and just try a couple of different ones. If they are random you need to know them all unless you want to try all the possible words out there.

Is any of this shit even relevant? Are you people FBI directors who are being targeted for brute force dictionary attacks?

It seems like every password fuckup is either
a. phishing attack on some idiot grandma, orb
b. site / server getting compromised and information being stolen

it's a website password you FUCKING RETARD

>he thinks that's a lot with consumer-grade 10 teraflops cards
Absolutely feasible even with such ridiculous time constraints.
If there's no hash there's no bruteforce.

iCloud used to allow unlimited retries so anyone could use a script to get someone's nudes or blackmail material or whatever

this fucking retard
look at this projective defense
>checking hashes sequentially like a retard
do you have a petahertz system? how the fuck are you going to do anything in a nanosecond?

go fuck yourself faggot stop acting tough on the web

With that phrase you have power of 4. With random letters you have power of 10.

So? Databases get leaked all the time. If you're actually trying to bruteforce your way into a website through its login page, you'll have like 5 guesses and then you're locked out anyway for minutes, in which case 1000 guesses/second is insanely high.

I just use keepass and don't give a shit.

The claim is that X is more secure than Y, but Y's own security has not faltered.

no because you can put "random letters" e.g. asdf wasd qwer into the dictionary as well

You'd still need more than a hundred of those tflops cards. Who do you even think you should worry about cracking your password? Some government organization? Chances are, they will find ways to get the information if they have that much power already.
It won't be cracked in nanoseconds, deal with it.

see it's explained in the comic dipshit

5 guesses per IP.
And most websites now actually make you do captchas on more than a few failed attempts.

Is using a non-alphanumeric character more secure if you are using a string of words that isn't a dictionary phrase?

For example if you are just using a word like "potato" then I see why "pot4t0" would be more secure, but is "PotatoWestLordHoplite" less secure than "PotatoWestLordHoplit3" ?

passwords need to die in favor of some form of public-key based physical security token, preferably with 3+FA (device + PIN + fingerprint or something).

>then I see why "pot4t0" would be more secure
It's not. 'Letter replacements' are insecure since you can use algorithms that just replace o with 0 etc without adding very many additional attempts. It doesn't add much entropy.
Now, if you spell words wrong, that helps. Patato is much more secure than potato.

If sequences of letters in your password can be pre-determined, then it's no longer random. So in a random password, those don't exist.
Though obviously, true random is impossible anyway.
Well fuck, missed the small text. I disagree with the notion that the average user shouldn't worry about databases leaking though. The average user reuses passwords, which makes those more risky than for the advanced user.

Thanks to the cryptocurrencies this is a reality.

It is more secure. It's just not good either. He could have replaced any of the letters with a number (p0tat0, pot4to, po7at0). But replacements like there are incredibly common.

nigger you cant even send commands to the gpu in nanoseconds

We don't need true random, we merely need something that's not in the dictionary.

>>then I see why "pot4t0" would be more secure
>It's not.

>It doesn't add much entropy.
>Implying it does add entropy
You guys should look up what "more" means. A password of 2 letters is more secure than a password of 1 letter, they're both shit and cracked almost instantly, but one's still slightly more secure.

>biometrics
Passwords that cannot be changed are fundamentally insecure.
Security tokens aren't a bad idea though, but you're better off having a password database that you use a security token for that regularly changes. Instead of having a security token for every account, or even worse, having one security token for all accounts, even "Insecure russian dating site.com"

I like that guy from the other thread who said he applies an algorithm to a domain name to produce a password for each site

Wrong, a 2 letter password is exponentially more secure than a 1 letter password.
pot4t0 is linearly more secure than potato.

Sure, doesn't change my point. You can't say pot4t0 isn't more secure than potato, because it definitely is more secure.

>>biometrics
>Passwords that cannot be changed are fundamentally insecure.
wrong. as long as the biometrics device cannot easily be spoofed, knowing "who" the user is adds more security

You should consider the meanings of words, what is security?
A password that takes 5 minutes 10 seconds instead of 5 minutes to crack is not more secure.

It's like saying that getting shot by a 50cal is safer than getting shot by a 51cal. It's not. You've reached the point of maximum insecurity.

pretty much this

just use a password manager and generate long secure passwords
Also don't use the defaults change up the length

And the sun orbits the earth.

>as long as the biometrics device cannot easily be spoofed
You're sending data over the internet. It doesn't matter how particularly secure your device is. If a hacker knows those biometric details, he can fake them.

no, I'm talking about a device that needs a short PIN plus some biometric shit in order to authorize it doing a signature.

so you get cryptographically strong login locked behind having to physically have the key with you, plus the PIN memorized and your fingerprint/iris/whatever.

the accessed system would only care about the crypto key, and the other stuff is just to protect the crypto key in the device.

ideally the physical token would be physically and electronically hardened to hamper key extraction, would wipe itself after enough wrong PIN inputs, etc.

Let's hope that there aren't any biometric databases out there, or that having password entropy components that never expire is a good idea.

youtu.be/YNsJBBESeUU

>You've reached the point of maximum insecurity.
I disagree. There are no limits to that. There could definitely be situations in which somebody might only have 5 minutes instead of 5 minutes 10 seconds.

>A password that takes 5 minutes 10 seconds instead of 5 minutes to crack is not more secure.
Except, it is. I know, it is difficult to accept that you are wrong, but don't forget we're all anonymous here. It doesn't matter.

kill yourself shill

the biometrics don't get transmitted, it's only for unlocking the local device/token

Define "security" in the context of passwords then.

>ThisIsMyPassword is more secure than !P@$$w0rD&%
Probably not but "DickCockSuckCuntPussyHorse" is probably more secure.

Hackers are smarter than you are. They're smarter than I am. They will get parts of your password, and if these parts can't be changed your security is permanently fucked. You cannot undo having your biometrics stolen.
Just imagine a fake login page that takes your biometrics. People can easily be tricked into giving their biometrics alone. Or their pin alone. You cannot assume that your system is secure just because you throw a whole load of security functions together.

So you're saying something either is or isn't secure? Where do you draw the threshold?

that's not how it works at all lmao

you need to unlock the physical device and it can have anti-spoofing methods like reading your heart beat and not just your fingerprint. it's not just a fingerprint reader that's hooked up to the internet jesus christ...

Burr is a wise idiot.
youtu.be/3PWyB2rBiyo

No, I'm just asking you a simple question.

Nah man, you're wrong and just too ashamed to admit it.
Security is being free from danger or threat. How secure you are is a question of how big the threat/danger is you are free from. A password that takes 5 minutes to crack is not free from the threat of being subject to 5 minutes of cracking attempts. A password that takes 5 minutes 10 seconds however, is. Which can even be a valid situation if a database with millions of user data was stolen and the hackers are just going after the very weakest accounts.

Security is qualitative, user. You need to be more pragmatic- is 10 seconds a meaningful difference? It clearly isn't.
I'm sure that added 10 seconds of security will hold your hand at night when you lose all your data.
Now it does depend on context- for example temporary tokens in which a computer system only needs for 10 seconds, that ten second difference is meaningful. (this is why credential expiry is important). For credentials that never expire, 10 seconds is as worthless as any other increment, although at that level you have people that expire, so that is your maximum context level of meaningfulness. This stuff is hard to understand but basically it's a factor of how long you want your data to be secure for.
But say, for a password that lasts years, 10 seconds is meaningless. Ergo a meaningless security improvement is essentially a zero security improvement. You want to improve your security to make a meaningful difference, and it's this 'meaning' that is unavailable to single digit IQ morons.

problem with this line of thinking is (5 minutes 10 seconds) is resistent to (5 minutes) of cracking time is that computers will get faster

I dont have a problem with saying 10^26 minutes beats 5 minutes 10 seconds

>How secure you are is a question of how big the threat/danger is you are free from. A password that takes 5 minutes to crack is not free from the threat of being subject to 5 minutes of cracking attempts. A password that takes 5 minutes 10 seconds however, is.
Okay, so a password that takes longer to crack is more secure. As I said, and you (?, ) denied. So the password taking 5 minutes 10 seconds is more secure than a password that takes 5 minutes to crack.

Let me put it like this. 1 password can be just as secure as another, less secure or more secure. And it is definitely not less or just as secure. So it is more secure.

Ergo; if your password being secure for 5 minutes ten seconds and not 5 minutes is important to you, then yes, your password is more secure.
I am working under the assumption (sue me) that this is not your usage scenario. If this is not your usage scenario, security is objectively not increased.

No, you got it wrong. I am saying that p4ssword is more secure than password. There are multiple anons arguing here, so it can get a little messed up.
Of course I know that p4ssowrd is still a shitty password.

what don't you guys get?

nothing about this scheme is tied to a particular physical token.

hell, you could have 5 different ones stored in various bank safes if you wanted.

the multi-factor stuff is just used to secure any given token, and account keys on remote systems could be updated at will if needed.

Security breaches are all or nothing affairs, so yes, security is binary.
Either your password is secure or it isn't, there's no grey area there. At the end of the day, there's only one metric that counts and that is; has someone compromised your security.

>You're increasing security
>But you're not increasing security
Ok.

Don't answer questions that aren't targeted to you then please.

It cannot be more secure if it results in your security being broken.

Absolutely not. If you're still secure, you're still in danger of potentionally being cracked. If you have a non-secure password you're more likely to be cracked, but you can still be safe. It's definitely not binary, that would imply it doesn't matter as long as it's not cracked.

>Lastpass
>Random 20+ character password

Best of both worlds. Long AND random.

You're increasing security in a usage scenario that probably doesn't exist.

"Ah yes son, I have a degree from Philibuster university"
"What do you mean this university doesn't exist? It exists more than Giveadogshit University"

Security being broken is not only a question of password strength. If you are using a shitty web service that stores your password in plain text, no password will save you. No matter how secure you deem it to be.

So really, what are you trying to get at here?

Nah, thanks. I'm good.

You're increasing security in a marginal way that doesn't do anything you want or improve your situation in any way.

Furthermore, when someone is repeatedly guessing your password you have probability involves and often your 5'10 second thing will fall under 5'

>Nah, thanks. I'm good.
Well, if you want to be a dick and just disrupt conversations for no reasons, sure. I assumed you weren't a shitposter though.

there are hedge fund kikes who are trying really hard to short the share of the leading smartphone fingerprint sensor company called Fingerprint Cards AB and they spread fake news and shill on social media. probably to try and keep the share price down so they can place a bid on the company and buy it for cheap

Except for you, I don't think anyone was confused. This is not a private chat. This is a public discussion platform.

>that would imply it doesn't matter as long as it's not cracked.
Welcome to security, user.
Security is context.

But the html scrappers and CSRFers!

>You're increasing security
So I am increasing security. Which was the point. Thanks for your input.

>Except for you, I don't think anyone was confused.
I disagree, considering >Nah man, you're wrong and just too ashamed to admit it.
And >So you're saying something either is or isn't secure? Where do you draw the threshold?
It seems you were completely confused who I was as well.
Besides, not everybody posts.
>This is not a private chat. This is a public discussion platform.
Doesn't make it somehow right to jump into conversations to answer questions that aren't targeted towards you, that are specifically targeted to somebody, without indicating that you're somebody else.

so if you have a few of his passwords you can calculate the algorithm and get everything else he has?

you missed the rest of what I said
>in a marginal way that doesn't do anything you want or improve your situation in any way.

its like how you can hold your breath to make your dick .00001 inch bigger but you still have a 1 inch dick overall

someone post the comic where the guy gets beat down until he tells what's his password

Moving the goalposts, I see.

...

in a marginal way that doesn't do anything you want or improve your situation in any way

Depending on how advanced the algorithm is, yes. I did something similar before I started using a password manager.
I just considered it from the angle that I'm most likely not important enough to get preferential treatment. At most I'm going to be the victim of a database leak or something, which would result in them knowing one password. I considered the chance of them putting multiple passwords of me next to each other to be 0% in practice.
And if I was the target of some sophisticated attack, there are probably better ways of getting my password than to just try and decipher it like that. Like a baseball bat to the face.

I'd advise you to take a look at the post that started this all. It's not about it being a good password, it's about it theoretically being a stronger password. As a simple comparison for a more complicated case.

>He's not using made up 10 letter word, not known to any language with semi-random symbols.
It's like you're brainlet or something.

>he's not using a password manager for individually over-secured passwords and then applying whatever stupid rules to the unlocking password

>He doesn't make up a new language, translates the first sentence of the service's site to it, and uses that as a password, every time he signs up for something
Get on my level.

Is 1.001 more than 1.00 when you have a measurement error of +/- .1?

Gee, I never knew Bill Burr was a techie.

That's pretty gud.
But why overcomplicate?