Password Security

Is it safer to type passwords every time or make the browser remember them (I don't want to use a password manager)?

Are (really) long passwords unnecessary since brute-forcing or dictionary attacks require decent hardware and time (most hackers probably use phishing)?

I always use passwords under 20 characters in length and over 9, with decent complexity like numbers, uppercase and lowercase letters, and symbols.
I also should change them every now and then but aint nobody got time fo dat and I'm too lazy.
I'm thinking it shouldn't be a big problem though, since I only register on really big websites like Google and Facebook that have (I believe) decent security, and it's unlikely
that my info will get leaked in a database somewhere.

Can somebody educate me further about password security?
Isn't keeping your email address secret important too? To avoid phishing?

Also, where should I look to see if my info got leaked, like password and email.

Other urls found in this thread:

howsecureismypassword.net/
youtube.com/watch?v=7U-RbOKanYs
haveibeenpwned.com
twitter.com/NSFWRedditImage

Make your password as long as you can and use lots of symbols. Try to avoid complete words and do not start your password with an uppercase letter. Try not to use numbers or lowercase letters as the last two characters.

And stop using Facebook & Google

>do not start your password with an uppercase letter. Try not to use numbers or lowercase letters as the last two characters.

I can understand the first part but can you explain this?

Why should I even use a very large password?

> howsecureismypassword.net/

Even a short one but over 10 is enough if someone uses numbers, upper+lowercase letters and symbols.

>Coconut37
>Joey1995

Can't really explain better than this

Well complexity is to prevent bruteforce. Length is to prevent human brain. (:

>(I don't want to use a password manager)
Stopped reading right there.

but don't most systems only allow a few attempts to log into an account?

I don't understand how a hacker can brute force a facebook account password?

ok fine... give me reasons why I should use one

Firstly: you really should try to use a password manager; once you get used to it, life is great. I use Keepass (free) hosted on Dropbox (free). It's on my phone, my desktop, my work PC. Bl00dy brilliant

I disagree with this, if we get into a slugging match I'll try and find a citation. You should go for passwords which are easy for humans to remember, but hard for computers to crack.

Combinations of 5 or 6 uncommon words, mixed with special characters and numbers you can remember. The best example I ever heard was from Edward Snowden actually

>MargretThatcherIs100%Sexy!!!

It's not perfect, plenty of problems in there... but it gets the idea across

I may have inverted those two

Usually a hacker would have to obtain the hashed password so he could brute-force offline.
I don't know how he would get it from big companies like Google and Facebook, though.
Maybe if they got leaked?

right, that makes sense then

thanks

nobody really uses brute-force or dictionary attacks though except on some occasions

phishing is a lot easier with a spoofed email address

here, I can agree with this and you're right but maybe I'm too paranoiac to use a password easy to remember

Also check this
> youtube.com/watch?v=7U-RbOKanYs

Nobody brute forces passwords in 2017. It's all rainbow table generation and cross-referencing compromised databases.
Just don't reuse passwords and don't use common ones like "pizza" or "password123"
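The two attacks named in this post work against stored hashes, not live logins: a rainbow table (or any precomputed hash list) only helps when the site hashed passwords with a fast unsalted function, and cross-referencing dumps only works when the same password was reused elsewhere. The following is an added example, not code from the thread, showing why a per-user random salt plus a slow key-derivation function defeats precomputation: the "rainbow table" here is a constructed dictionary of three common passwords, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a precomputed table: SHA-1 digests of a few
# common passwords, keyed by digest so an attacker can look a dump up instantly.
COMMON_PASSWORDS = ["password123", "pizza", "letmein"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """How a careless site stores passwords: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """Attacker's side: a leaked unsalted digest is a single dictionary lookup."""
    return PRECOMPUTED.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, derived_key). A fresh 16-byte random salt per user means two
    users with the same password get different stored values, so a table
    precomputed for one salt is useless for every other salt."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def salted_digests_differ(password: str) -> bool:
    """Same password hashed twice yields two different stored values."""
    _, a = salted_hash(password)
    _, b = salted_hash(password)
    return a != b


if __name__ == "__main__":
    leaked = unsalted_hash("pizza")
    print("unsalted SHA-1 of 'pizza' recovered from table:", lookup_precomputed(leaked))
    salt, stored = salted_hash("pizza")
    print("salted PBKDF2 in table:", lookup_precomputed(stored.hex()))
    print("verify('pizza') ->", verify("pizza", salt, stored))
```

The point for a user is the one the post makes: you cannot see how a site stores your password, so the only thing under your control is never reusing one across sites.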

If your password is over 16 characters long with uppercase / lowercase letters, numbers and at least one symbol such as _ then it's already impenetrable.

An example : hyPothetic4l_709F

since gmail already looks through private emails to gain user data
they should look for common elements in emails

>logos
>phrases / keywords

and compare them to templates they have from the official platforms
if the common elements match the templates from the official email addresses,
but are from random email addresses, notify user that the email is a scam

for example, in pic related
why couldn't the email service recognise the highlighted elements?

and figure out that it doesn't match?


why is this not a thing?

Passwords for any at-rest encrypted data need to be 50 characters minimum.

words and spaces are OK.

Facebook changes template slightly, nothing works
or
scammers just copy template better.

Check this out. howsecureismypassword.net/
It's not very accurate but it gives you an educated guess about your passwords

I'll clarify what I mean

I'm not saying emails would be marked as spam if the template didn't match

If the template matched, but the email address was unknown
then it would be marked as spam
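The heuristic described here (brand phrases present, but the sender address is not one the brand actually uses) can be written down directly. This is an added example, not code from the thread or from any mail provider: the brand profiles, allowed sending domains and the three sample messages are all constructed for illustration. It uses only the standard library's email parser.

```python
import email
from email.utils import parseaddr
from typing import Dict, List

# Constructed brand profiles (hypothetical values): phrases a genuine mail from the
# brand tends to contain, and the domains the brand is known to send from.
BRANDS: Dict[str, dict] = {
    "facebook": {
        "keywords": ["facebook", "your account", "log in"],
        "domains": {"facebook.com", "facebookmail.com"},
    },
    "google": {
        "keywords": ["google", "gmail", "verify"],
        "domains": {"google.com"},
    },
}
MIN_KEYWORD_HITS = 2  # assumed threshold before a message "matches the template"


def sender_domain(from_header: str) -> str:
    """Domain part of the From: address, lower-cased; empty if unparsable."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def domain_allowed(domain: str, allowed: set) -> bool:
    """Exact match or a subdomain of an allowed sending domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def matched_brands(body: str) -> List[str]:
    """Brands whose template phrases appear often enough in the body."""
    text = body.lower()
    return [
        name for name, profile in BRANDS.items()
        if sum(k in text for k in profile["keywords"]) >= MIN_KEYWORD_HITS
    ]


def classify(raw_message: str) -> str:
    """'no-brand'   : body does not look like any brand's template
       'ok'         : template matched and sender domain is one the brand uses
       'suspicious' : template matched but sender domain is unknown for that brand"""
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    brands = matched_brands(body)
    if not brands:
        return "no-brand"
    if all(domain_allowed(domain, BRANDS[b]["domains"]) for b in brands):
        return "ok"
    return "suspicious"


# Constructed sample messages.
LEGIT = (
    "From: Facebook <security@facebookmail.com>\n"
    "Subject: New login\n\n"
    "Someone tried to log in to your account on Facebook. If this was you, ignore this.\n"
)
PHISH = (
    "From: Facebook Security <alerts@mail-alerts-example.net>\n"
    "Subject: Action required\n\n"
    "Your account on Facebook is limited. Log in here to restore access.\n"
)
PLAIN = "From: alice@example.org\nSubject: lunch\n\nPizza tomorrow?\n"

if __name__ == "__main__":
    for label, m in [("legit", LEGIT), ("phish", PHISH), ("plain", PLAIN)]:
        print(label, "->", classify(m))
```

The check only looks at the From: header, which a sender chooses freely; it catches the lazy copy that also uses a random address, and nothing more. Mail providers therefore combine content heuristics with checks on the sending infrastructure rather than relying on either alone.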

You don't even have to use a random email address. You can spoof the sender address to anything you want, like [email protected].

well then couldn't they compare the IP address of the sender to the usual IP of the official email?

e.g. if an American user gets an email from somewhere in Somalia

they probably do and your email gets marked as spam

so that's why they send with a different email address? to not get marked as spam?

bump

oh nah, don't let this thread die on me, I still need some answers

haveibeenpwned.com

Here's one big reason

Answered on this earlier, will try again
>Get a reputable password manager
>Make your password for that stupidly complex, but easy to remember
>Use the generator to spew out "unique & random" 20-30 digit passwords for each new account

You don't need 20-30 digit passwords. Those are overkill.

Try this and see what I'm talking about

howsecureismypassword.net/

It's useless if everyone's security is shit.

>Have secure passwords
>Website gets hacked
>Database gets dumped
>Despite them saying their stuff is all encrypted and salted, it's actually not


You're only ever warned about a data breach months or years after it occurred and that is ASSUMING the person who breached it goes out of THEIR way to provide journalists with the information to get them to post it because no website/company will fucking do it as it hurts their revenue. There's probably been thousands of breaches we don't know about and companies never say anything about it.

Where are databases dumped usually and how can I see them?

Make the browser remember them, also click "show password". Safest. Stay safe.

>overkill
Not if you're using the aforementioned pass manager
It does the work of remembering that shit for you if you're that daft

Always on an onion site via Tor, they'll have torrent links

I'm saying that it's stupid to use a 20-30 digit password. It's ridiculous.
Even a complex 12 takes forever to crack.
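The argument running through the thread (whether 12 complex characters, 16 with a symbol, or 20-30 generated characters is "enough") comes down to how many guesses an offline attacker needs. The following is an added example, not code from the thread or from howsecureismypassword.net: it estimates entropy from the character classes a password uses, compares that with a word-list passphrase, converts bits to an average crack time at an assumed guess rate, and generates a random password with the standard library's `secrets` module. Character-class entropy is an upper bound: it assumes every character was chosen uniformly, which is false for "Coconut37"-style passwords built from a word and a number.

```python
import math
import secrets
import string

# Character classes used for the estimate (94 printable ASCII characters in total).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed offline guess rate for one fast unsalted hash on a GPU rig.
# Replace with a measured figure; a slow KDF lowers it by orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the classes actually present."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def charset_entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(alphabet), as if chosen uniformly."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n and password else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of N words drawn uniformly from a list of the given size."""
    return word_count * math.log2(dictionary_size)


def crack_time_seconds(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to find the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def generate_password(length: int = 24) -> str:
    """Random password over all four classes using a CSPRNG (not random.choice)."""
    alphabet = "".join(CLASSES.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords, including two quoted in the thread.
    for pw in ["Coconut37", "hyPothetic4l_709F", generate_password(24)]:
        bits = charset_entropy_bits(pw)
        print(f"{pw:28s} {bits:6.1f} bits  ~{human_time(crack_time_seconds(bits))}")
    bits = passphrase_entropy_bits(5, 7776)  # five words from a 7776-word list
    print(f"{'5-word passphrase':28s} {bits:6.1f} bits  ~{human_time(crack_time_seconds(bits))}")
```

Two things the numbers show: a 12-character password drawn from all 94 characters is about 79 bits, and a 5-word passphrase from a 7776-word list is about 65 bits, so the passphrase needs a sixth or seventh word to match it; and the crack-time column changes by a factor of a million depending on the guess rate, which is set by how the site hashed the password, not by anything the user chose.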

What is the most popular website that hosts these (most used)?

I've been pwned...

Here are 5 free safe passwords that contain at least 78 entropy bits: