Is this comic accurate about how to make a good password?

Yes. Even the faggot who wrote the "one number, one cap, one symbol" bullshit publicly acknowledges that he was completely wrong

yes it's true.
but it's also not that hard to memorize a 16 digit randomly generated password of [cap] letters, numbers, and special characters

then just use a password manager for the rest with 24+ digit randomly generated passwords that you actually will never have to know

Yup. Even the “password” management book they gave away with entry into BlackHat one year took about 125 pages to say the same thing.

Or pick lines from movies or songs you like. Usually 5-12 words, spaces, some punctuation, and dead fucking easy to remember.

It doesn't matter what the password is when you have an insecure connection...

the second one is easier for dictionary attacks...

Still more combinations than bruteforcing keyboard characters...

Also one special char at the end makes it fucking impossible after 256 chars to fucking brute it even with dictionary.

Something went wrong and I will tell you exactly what it was.

30 years ago and more you had "pass words" because computers were slow and had tiny memories: "words" worked

Now with orders of magnitudes more power and storage we still have "pass words"

What needed to happen was a conscious shift to "pass phrases" ... correct horse battery staple is a pass phrase, not a pass word.... meme it into action

but with the amount of raw exploits and phishing from website logins I don't know how important passwords really are anymore desu :(

what if you have the first half in english and the 2nd half in chinese?

passphrase protected usb key storing 1mb password file is fucking safe.

No, it's complete bullshit. A bruteforce attack will always start out with dictionary words. Dictionary words drastically cut down the number of possibilities; a password like in OP's pic could be cracked in minutes

high octane bait

What if you just made a chink sentence with english punctuation and numbers?

I used to type words in English that would mean something in the native-language keyboard layout I had, but mean nothing in English

I was onto something as a 10 year old

>what is dictionary attack

Similarly, from a young age my passwords are also a combination of words from a foreign language written in the English alphabet and numbers/special characters when needed.

Do brute force attacks also take into account other languages when going through their dictionary? Or would they be as easily found as any other random combination of letters through the method?

Managertards are the worst.
>HEY GUYS I'M GOING TO USE THIRD PARTY, PROPRIETARY, COMMERCIAL SOFTWARE TO SECURE ALL MY ACCOUNTS SO I CAN'T ACCESS THEM IF ANYTHING GOES WRONG BUT THEY CAN IF THEY'RE MALICIOUS OR ANY VULNERABILITIES EXIST
I can't wait for LastPass to be compromised.

I finally figured out why OP's pic is true

Let's say you have a dictionary of 100,000 English words, and you want to brute force a password that you know is 5 English words separated by spaces. For the first word you run 100,000 tries. Then for the second word you run 100,000 tries for each of the first words, which is:
100,000 x 100,000 = 10,000,000,000 or 10 billion
then for the 3rd word you run:
10 billion x 100,000 = 1 x 10^15
then 4th word is:
1 x 10^15 x 100,000 = 1 x 10^20
then 5th word is:
1 x 10^20 x 100,000 = 1 x 10^25

1 x 10^25 is 10,000,000,000,000,000,000,000,000 which is too high a number to brute force attack

just use some uncommon words from a couple of different languages and mix in like 3 other symbols somewhere and you are good to go

And that assumes you know how many words and how many spaces

You are retarded if you think a dictionary attack uses all of the words in the English dictionary... And even if it did, there are roughly 1 million words; take 4 words out of it at random, and brute-forcing it would take 10^24 tries on average...

The bottom half is correct. The top is not. It does not match my password, it does not match your password, it barely matches anyone's password - I did a test with a leaked passwords database and it matched less than a hundred out of a million. "just add few bits of entropy and it will match anything" in the bottom left corner of the first panel is just laughable.

And then there are retards like who think dictionary attack is not used in bottom half for entropy calculation.
I accumulate some belief in Sup Forums over time, but every time this picture is posted, it all is destroyed.

>every password manager must be proprietary and centralised

Even then the online ones like lastpass send down an encrypted bundle which can be cached offline. You just have no idea how any of this works, enjoy remembering your passwords :^)

>enjoy remembering your passwords

you say it like it is a difficult task or something

which brings me to pw managers are the normiest tier of scams, but still somehow shilled by seemingly competent people, very confusing

This.


"Hey guys, is using four simple words much easier and safer?"
"No, they are the reason dictionary attacks exist."
"Just use exotic technological terms in ancient greek, problem solved!"


Way to move the goal posts..


You don't have to.
Do you seriously believe the words people would pick have a random distribution? In reality most people (let's call them "normies") prefer a tiny subset of language for their password. That's why it's still great advice for normies to not use "correct horse battery staple"-like passwords, because you'd see a lot of occurrences of "life is beautiful" or "I love my cat".


However, if you want to use this principle, you need a truly random distribution. So use something like:
>www.diceware.com
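The point made in the post above, that the word-picking scheme only works with a truly random distribution, can be shown numerically. The following is an added example, not code from the thread or from diceware.com: it draws words with the operating system's CSPRNG and compares the entropy of uniform selection with a constructed model of a human picker who lands 90% of the time on 50 favourite words. The 16-word list and the 50/90% numbers are assumptions for illustration; a real Diceware list has 7776 words.

```python
import math
import secrets

# Constructed word list standing in for a real Diceware list (which has 7776 words);
# a list this short is for demonstration only and gives far too little entropy.
WORDS = [
    "correct", "horse", "battery", "staple", "cloud", "garden", "pencil", "river",
    "window", "copper", "silent", "maple", "rocket", "velvet", "anchor", "lantern",
]


def random_passphrase(words, count):
    """Pick `count` words uniformly and independently using the OS CSPRNG (Diceware-style)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def uniform_entropy_bits(list_size, count):
    """Bits of entropy when every word is chosen uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def shannon_entropy_bits(weights):
    """Entropy per word for a chooser whose preferences are given by relative weights."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)


def skewed_weights(list_size, favourites, favourite_mass):
    """Constructed model of a human picker: a share `favourite_mass` of all choices lands on
    `favourites` words, the rest is spread evenly over the remaining words."""
    per_fav = favourite_mass / favourites
    per_other = (1 - favourite_mass) / (list_size - favourites)
    return [per_fav] * favourites + [per_other] * (list_size - favourites)


def passphrase_entropy_bits(weights, count):
    """Entropy of a `count`-word phrase when each word is drawn independently from `weights`."""
    return count * shannon_entropy_bits(weights)


if __name__ == "__main__":
    dice_size = 7776
    print("sample:", random_passphrase(WORDS, 5))
    print("5 words, uniform over 7776:", round(uniform_entropy_bits(dice_size, 5), 1), "bits")
    human = skewed_weights(dice_size, favourites=50, favourite_mass=0.9)
    print("5 words, 90% from 50 favourites:", round(passphrase_entropy_bits(human, 5), 1), "bits")
```

With uniform choice each Diceware word is worth about 12.9 bits; under the skewed model the same list yields under 7 bits per word, so a five-word phrase drops from roughly 65 bits to roughly 34. The dice (or `secrets`) are what make the scheme work, not the word list.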

Have you seen a dictionary for picking passwords even once? hax0r bs and common substitutions are first on the list. Because guess what? It's more likely that you will use this crap than normal words because websites are forcing that onto you.
It's not like supahackas know which vocabulary you use. They will start with common passwords, then switch to plain bruteforce, then use normal vocabulary with common separators.

I think you are somehow missing the point. When we talk about guessing passwords it's usually about getting the low hanging fruits.

See this graphic of some passwords that were leaked a while ago: There are literally thousands of people who use "12345" or some bullshit like that. That's what you get when you don't enforce rules like "you need at least one digit, one upper case and one lower case letter" or something like that.

In a theoretical world where all people were smart you wouldn't need such measures, but since there's a lot of teenagers/seniors/femanons and what not, you need to protect users from themselves by enforcing stupid rules, if only to raise the bar a little bit.

Even if most people will use stupid shit like their birthday, you still need to find out that birthday as an attacker. And like I said before, attacks usually are not very elaborate. It's much easier to make a bot that tries "12345" and such stuff on each account and then moves on.


So if you simply add a random (!) two digit number and two letters at the end, you just added 10*10*26 = 2600 possibilities. Do the same at the beginning and you have 2600 * 2600 = 6,760,000 possibilities.

So I'd say "a63suckmydick30s" (I picked this randomly) is not a bad password at all. And it's easy to remember if you are not a brainlet and can into mnemonics:
--> a sex threesome
--> suck my dick
--> she's in her 30s


"You already remembered it", like those xkcd turds would say..

what if my password is only one character repeated? Like forty exclamation marks? any techniques to detect that?

>you need to protect users from themselves by enforcing stupid rules

No you don't

let people use whatever they want, they'll pick passwords that fit the security requirements or they'll get burned

You can't fucking coddle people, it weakens them.

>HEY GUYS I'M GOING TO USE THIRD PARTY, PROPRIETARY, COMMERCIAL SOFTWARE TO SECURE ALL MY ACCOUNTS
You do realize that free (as in freedom) software password managers exist, right?

NIST removed the composition rules from their guides
>nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
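The NIST approach linked above (no composition rules, but a minimum length and a check against known-bad passwords) and the earlier questions about "12345" and a password made of forty repeated exclamation marks are all server-side checks. The following is an added example, not from the thread or from NIST: a small validator in the NIST SP 800-63B style. The blocklist is a constructed stand-in for a breached-password corpus, and the leet-substitution table, the run length of 4 and the sequence length of 5 are assumptions for illustration.

```python
import re

# Constructed stand-in for a breached/common-password corpus (a real deployment would use a
# large list such as the Have I Been Pwned set); entries are stored lower-cased.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "letmein", "iloveyou", "abc123", "welcome"}

# Undo the usual forced substitutions so "P4ssw0rd" is compared as "password" (assumed table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen secrets


def normalize(pw):
    return pw.lower().translate(LEET)


def is_single_repeated_char(pw):
    """The 'forty exclamation marks' case: exactly one distinct character."""
    return len(set(pw)) == 1


def has_long_run(pw, run=4):
    """Any character repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=5):
    """Ascending or descending runs of consecutive code points ("12345", "abcde", "edcba")."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, blocklist=COMMON_PASSWORDS):
    """Return the reasons to reject `pw`; an empty list means it is acceptable.
    Deliberately no composition rule (upper/lower/digit/symbol): length and blocklisting only."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Check the raw lower-cased form too: the leet table would mangle all-digit passwords.
    if pw.lower() in blocklist or normalize(pw) in blocklist:
        problems.append("matches a common or breached password after normalization")
    if is_single_repeated_char(pw):
        problems.append("a single repeated character")
    elif has_long_run(pw):
        problems.append("contains a long run of one character")
    if has_sequence(pw):
        problems.append("contains a keyboard/alphabet sequence")
    return problems


if __name__ == "__main__":
    for candidate in ["12345", "P4ssw0rd", "!" * 40, "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

"P4ssw0rd" is rejected because it normalizes to a blocklisted word, which is exactly the weakness composition rules produce; the four-word phrase passes because nothing here penalizes a long all-lowercase secret.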

you can't solve pebkac with technology

point is introducing a spof family

Sort of, but using a few all lowercase English words is actually pretty bad. It's probably not even close to 44 bits of entropy and 1000 guesses/sec isn't very fast.

Just throw in a weird or foreign word and do something like put a number midway between one word and you'll probably completely destroy dictionary attacks and effectively have a couple hundred bits of entropy.

Actually this is a good example, but imagine if you started with one or two words and the top 100 English words. It would probably take minutes and would probably get you tons of hits.

Yep. Anthony Snowden confirmed it in an interview. Pass phrases are easier to remember and more difficult to break than passwords.

two or three words and throw a random number or symbol in the middle of one or two of those words and no normal dictionary attack will get it. i'm not talking about replacing e with 3 like grandma i mean just put a 5 in the middle of correct ho5rse battery

this, if people start to use this, hackers will start to hack word combination instead of letter combinations. password tend to suck when people advertise them to everyone

>Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!
Stupid question, but do they mean the literal emoji or the characters that make up the emoji?

>a63suckmydick30s

you should add "lie" at the end for extra security

>hackers will start to hack word combination instead of letter combinations
mathematically you're not increasing randomness significantly by using random letters over words. Let's say for argument's sake that there are 10 times as many random combinations of letters compared to words of the same length; increasing randomness by 10x means almost nothing in increasing brute force cracking

So essentially the random generators from things like KeePass or LastPass are kind of moot when I could just be creating something more memorable for myself?

But you're not necessarily increasing randomness by 10x. A four word password made up of the top 26 english words is effectively the same as a password made up of 4 lowercase letters.

yes true, it's about the same; a bruteforce will do much more than the 1000 guesses a second that he claims, so 4 common words is not enough.

also when you start to add 5 words for a total of say 25 letters, and it has the same entropy as a password of 10 letters, then I'm not sure anymore if the pass phrase is that much easier to remember. You end up looking pro when you type out 25 letters, but the security of the password is not 2^25 or anything, so it's a false sense of security

I also once did this and forgot my passphrase; I forgot grammatical details about it, like if it was present tense or future.

yes that's right, there are only 26 letters in the alphabet; by using uppercase/lowercase you get to 52, and then adding numbers adds 10 for a total of 62 digits. The difference between crunching through 26 and 52 characters means almost nothing to a computer. You don't get astronomically high randomness until you use very large passwords

the trick is to randomly pick words as many posters have already said in this thread

>A four word password made up of the top 26 english words is effectively the same as a password made up of 4 lowercase letters
A four-word password made up of random English words is effectively the same as a log(171476^4)/log(26)=~15 character long password of completely random letters.

Password managers let you get the maximum entropy density per character. You might be able to say it's not worth using a password manager for you when you can make lots of easy to remember passwords that are good, but you absolutely can't say anything you can reasonably remember is going to be anywhere near as good as a truly random password.

>The difference between crunching through 26 and 52 characters means almost nothing to a computer.
>I don't understand exponents

Just stop posting.

In regards to password managers, I made a very basic page that generates a password based on a keyphrase (a short password you would remember) plus the website domain you're signing into, hashed together. The only problems with it are that it sometimes doesn't output a special character (due to base 64) and some websites don't accept the special characters it can output (really the website's fault, but still).

You can find it here: meta1203.github.io/PasswordMaker/
(There's a link to the relevant github page there too)
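The scheme described in the post above (master secret + site domain hashed into a per-site password) has two problems worth engineering around: a base64 output has no guaranteed special character, and a plain hash lets anyone who learns one derived password guess the master offline at full speed. The following is an added example written for this thread, not the PasswordMaker code: it uses PBKDF2-HMAC-SHA256 with the normalized domain as the salt, emits one character of each class before a deterministic shuffle, and adds a counter so a single site's password can be rotated. The symbol set, the 16-character default, the 200,000 iterations and the 32-character cap are assumptions.

```python
import hashlib
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"   # assumption: a conservative symbol set most sites accept
CLASSES = [LOWER, UPPER, DIGITS, SYMBOLS]
ALPHABET = "".join(CLASSES)


def derive_site_password(master, domain, length=16, counter=0, iterations=200_000):
    """Deterministically derive a per-site password from a master secret.

    The normalized domain plus a counter is the salt, so every site gets an unrelated
    password and bumping `counter` rotates one site's password without changing the master.
    PBKDF2 with many iterations makes offline guessing of the master expensive for anyone
    who learns one derived password (e.g. from a site that stored it badly)."""
    if not len(CLASSES) <= length <= 32:
        raise ValueError("length must be between 4 and 32 for this derivation")
    salt = ("%s:%d" % (domain.strip().lower(), counter)).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    n = int.from_bytes(key, "big")   # 512 bits of derived material, consumed below

    # One character from each class first, then the rest from the whole alphabet, so the
    # result always satisfies a "one digit, one upper, one symbol" policy.
    chars = []
    for cls in CLASSES:
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    while len(chars) < length:
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])

    # Deterministic Fisher-Yates shuffle driven by the remaining derived bits, so the
    # guaranteed characters do not always sit at the front.
    for i in range(length - 1, 0, -1):
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(pw):
    return all(any(c in cls for c in pw) for cls in CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master for the demo
    for site in ("example.com", "Example.com", "example.org"):
        print(site, "->", derive_site_password(master, site))
    print("rotated   ->", derive_site_password(master, "example.com", counter=1))
```

The counter is what stateless schemes usually lack: without it, a leaked site password can only be changed by changing the master everywhere. The master itself should be a long random passphrase, since the slow KDF only raises the attacker's cost per guess, it does not remove the offline attack.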

four words from here: github.com/first20hours/google-10000-english/blob/master/google-10000-english.txt

there's 10000 * 4 combinations. 4000.

Random 8 characters: 95^8

OPs image is bullshit

>>The difference between crunching through 26 and 52 characters means almost nothing to a computer.
>>I don't understand exponents
>Just stop posting.
prove me wrong, you're only getting double the randomness by doubling the amount of characters

it's not the exponents though, it's the bases

the length is the exponent, this is why he says that's what counts

Same exponent with different bases can make an astronomical difference, the same way the same base with different exponents can.

Not him, but you're an obvious retard. a^x/b^x = (a/b)^x. That means the difference between 26 and 52 possible characters is 256 times as many possibilities for an 8 character long password.
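The numbers argued over in this thread all come from one formula, search space = alphabet^length, where the "alphabet" is 26 letters, 95 printable characters, or a whole dictionary when the symbols are words. The following is an added example, not from the thread or the comic, that carries the thread's own cases through: the 5-words-from-100,000 count, the "log(171476^4)/log(26) ≈ 15" comparison, the 44-bit / 1000-guesses-per-second figure (assuming a 2048-word vocabulary, i.e. 11 bits per word), and a^x/b^x = (a/b)^x for the 26-versus-52 dispute. Only the standard library is used.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size, length):
    """Number of candidates when each of `length` positions takes one of `alphabet_size`
    symbols. The symbol can be a character or a whole word drawn from a dictionary."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size, length, target_alphabet):
    """Length of a password over `target_alphabet` with the same search space."""
    return entropy_bits(alphabet_size, length) / math.log2(target_alphabet)


def alphabet_gain(bigger, smaller, length):
    """bigger^length / smaller^length == (bigger/smaller)^length: a larger alphabet is a
    constant factor per position, so its benefit compounds exponentially with length."""
    return (bigger / smaller) ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("5 words from 100,000:", search_space(100_000, 5))
    print("4 random words from 171,476 ~ %.1f random lowercase letters"
          % equivalent_length(171476, 4, 26))
    print("4 words from the 26 most common ~ %d lowercase letters"
          % round(equivalent_length(26, 4, 26)))
    print("4 words from 2048 = %.1f bits" % entropy_bits(2048, 4))
    for n in (1, 8, 12, 32):
        print("26 -> 52 symbols at length %2d: x%d" % (n, alphabet_gain(52, 26, n)))
    print("2^44 candidates at 1000/s: %d years" % round(years_to_exhaust(2048, 4, 1000)))
    print("2^44 candidates at 10^9/s: %.1f hours"
          % (years_to_exhaust(2048, 4, 1e9) * SECONDS_PER_YEAR / 3600))
```

Both sides of the 26-versus-52 argument are visible in `alphabet_gain`: the factor is 2 for one character and 4,294,967,296 for thirty-two, so whether doubling the alphabet "means nothing" depends entirely on the length it is multiplied through. The 2^44 row also shows why the comic's 1000 guesses per second matters: the same 44 bits last about 550 years at that rate and a few hours at a billion per second.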

is this bait?

Some people are just retarded.

This is better, unless the cracker knows that your password is just 4 words

This probably exists in some password crackers. Then again, have you tried having forty characters repeated as a password? It takes forever to type it and the probability for entering the incorrect number is very high.

The calculation in his example is based on the assumption that the attacker knows the structure of the password. Did you not understand this?

I'm starting to feel a bit better about my personal method then. It's usually 2 foreign words from two different languages + numbers and special characters, and they come to be at least 16 characters.

Maximum entropy is really enticing for sure, though...
I was on the verge of moving everything to a password manager and randomizing every notable account's password (emails, banks, etc.), but was still in debate with myself. The idea of having to log in somewhere other than my home PC where I don't have my phone to access the database stored in the cloud or in memory turns me off. It has happened before where I didn't have it to go through 2FA through SMS (I've stopped since then).

its the difference of x^2 and 2^x

the first one grows somewhat quickly, yes, but the second one is astronomical


(you can change 2 with whatever, it does not change the point)

just leave him be pls, no bully

Reminder that basic highschool algebra proves you to be a retard:

Yeah, that's why I made the site. I can access my generated passwords from any PC with an internet connection, as well as use it on offline PCs that I download the webpage to, without the passwords generated ever being stored. (Though maximum entropy is enticing, and something I'd be interested in implementing)

I showed the most generic example that I'm correct, no examples can beat that.

if you claim that the big O of x^2 is bigger than 2^x then go ahead, be a retard, I won't stop you

Good luck when many sites and software say max 16 characters and must use meme symbols and numbers

No one is even arguing that, you retard.

The original argument you made was that there was no practical difference between 26^x and 62^x, which is just fucking absurd.

Want a small passphrase nobody will ever crack? BamboozledGenipap

>ten thousand times four is four thousand

>That's what you get when you don't enforce rules like "you need at least one digit, one upper case and one lower case letter" or something like that.
And when you do, you get
>P4ssw0rd

Thanks, I added this to my dictionary.

I'm not him, I just reacted when you claimed that this was because of muh exponents, when you are clearly changing the bases.

>i showed the most generic example that im correct
>The difference between crunching through 26 and 52 characters means almost nothing to a computer.
>taking 4096 times as long for a 12-character password is nothing
Where do all these failed abortions and highschool dropouts come from?

Oh fuck :^(

>i just reacted when you claimed that this was because of muh exponents
It is because of the exponents, you literal vegetable: the difference grows exponentially. It's only a factor of 2 for a single character password. For a 32 character password, the difference is a factor of 4 billion.

Oh, no. I wasn't even paying attention. Never spent more than like 10 seconds reading the comic but now I understand.

>>taking 4096 times as long for a 12-character password is nothing
you are so stupid, seriously 4096x is a throwaway number in big O

Still a really cool personal solution you made for yourself. Solves the problem of not having your secondary device when you're out and about, because wherever you're logging into will obviously have a connection.
I wonder how you would address the special character issue and entropy.

Actually, how did he come up with 44 bytes?
If you assume at least 30k words dictionary it's already 60 bytes.

>the difference grows exponentially
No it grows polynomially

>taking two hours vs. taking a year is literally nothing
>trying so desperately to save face once you've been exposed as a retard
I think we're done here, kiddo.

>pick lines from movies or songs you like
Don't. Using huge databases of song lyrics, books, movie scripts and quotes in cracking leaked password hashes has been proven relatively easy and extremely successful. If it's not random, it's not safe.

>constant^n
>grows polynomially

no, I'm telling you, you can change the bases from 0 to infinity and see the growth, how much the bases influence the expression; you get x^a then (let x vary) (this is a parabolic function, parabolic growth (not exponential!))

then you do the same by changing the length of the password (exponent); you then get a^x, this is an exponential function (exponential growth)


if you do big O you get x^a

Are you confusing password length and dictionary size by chance?

base1^length/base2^length = (base1/base2)^length
Grows exponentially with password length. End of story. Moving on.

He's clearly talking about vocabulary size, not the password's length

Why do you dumbfuck ameritards keep saying bigO instead of just fucking saying O(n)?

But you're talking about the difference of 26^x and 62^x. How is that not n^c?

welp, I need to change the navy seal pasta to more diverse memes it seems

>He's clearly talking about vocabulary size
He's clearly mentally retarded, and so are you, because the differences due to vocabulary size grow exponentially with password length, and are, therefore, very significant.

you are twisting the discussion, just admit you made a slip and claimed that a polynomial function was exponential; it's a noob mistake and I wanted to point it out for laughs.

here is an example of the stupid post
you are saying that changing the bases == changing the exponents.
aka x^2 = 2^x

why is big oh even relevant discussing combinatorics?

>32 character long password
>switch from vocabulary of size 26 to vocabulary of size 52
>suddenly it takes 4 billion times as long to crack
>t-t-this is insignificant! 4294967296 = 2!
Get sterilized.

Good way to categorize complexity. That's how you show that the guy saying that x^n and n^x is an uneducated fool.

>yes true its about the same, a bruteforce will do much more than 1000 guesees in second that he claims so 4 common words is not enough.
not with right algorithms

(...) and n^x are equivalent (....)

>reads a klossy tutorial about time complexity
>i'm so educated now!
>taking 4 billions times as long to crack a password doesn't matter now because when i mindlessly write down the symbols, they look the same
Maybe you should reflect on this for a while until you understand why time complexity is irrelevant for this discussion, and that the difference incurred by the change in base grows exponentially with password length.

He says common words. He gives common words 11 bits, so he approximates them to be among the 2000 most common words in the language.
4*11 = 44.

Also bits != bytes

4 billion for a 32 digit password, don't forget. Most services only allow 16 digits. I know this is all just to get those spicy sweet (you)'s but I can't stop myself from commenting on your stupid responses to the guy. And that kode part really looks like a projection.

>Or pick lines songs
god tier:

pick lines from misheard songs or songs in a language foreign to you but using your language's notation
youtube.com/watch?v=FQt-h753jHI
werks for me

>32 character long password
you're using a very long password to hide your stupidity; the 4 billion comes from using that large of a password, use a 9 character password (like many people do) and suddenly your doubling of character vocabulary means nothing

english dictionary maybe
polish dictionary is 5-8 times more words

Nope, we are talking about the difference of a^x and a^(x+36)