What's your criteria of a good password?

p@ssword

the higher you count the safer it is.

1234 - amateur, you're already hacked
123456 - now we're talking
12345678 - secured
12345678910 - excessive security
123456789101112 - overly paranoid but immune to ever being hacked

#0#AaaaaAaaaaaaaaAaaaaaAaaaaaa###
Format of my Gmail password

at least 16 and preferably 20 randomly-generated characters, mixed-case alphanumeric plus symbols, not used as a password anywhere else for anything.

If you can remember it easily then it's a shitty password.

two or more distinct words.

le correct horse battery stapler meme

facesmash keyboard on notepad++

I don't think about, I just use KeePass.

If a website has an issue with whatever KP spits out I can fine tune pass generation for just that site.

A nonsense phrase of advanced english words with several permutations based on a set of rules

Different passwords for different categories of things, and per site for secure stuff

I use ?p@$$w0rD! and then I add website name followed by a percent sign at the end e.g. ?p@$$w0rD!Sup Forums%

4 random words and 4 digits.
And if the website allows it, add a few control characters and Unicode confusables.

If a website has issues with long, random passwords then it's a shitty site made by shitty developers, and I know not to trust it with anything of importance.

Permutations that humans think up and find memorable are very non-random. Crackers know this well and try human-like patterns (like l33tspeak) first. Random passwords that are unique among all your accounts shouldn't just be for a special class of secure stuff, they should be for everything, all the time.

>posting the old password policy
blogs.sap.com/2017/10/12/password-policy-for-sap-support-portal-and-sap-one-support-launchpad-about-to-change/
>Starting November 4th, 2017, you may choose a more complex, safer password. It must be at least 8 characters long – maximum length is 255 – and include three of the following: Uppercase letters, lowercase letters, numbers, symbols. The “exactly-8-characters” oddity will be a thing of the past.

It took them until November of 2017 to realize that eight characters was too short? What kind of fucking incompetent bozos are they? Eight characters has been too short for over a decade.

Then again it is SAP, so I guess I shouldn't be shocked.

Okay, disclaimer, this is not an official opinion of the company, etc.

service.sap.com and websmp###.sap-ag.de run primarily off of backend SAP systems running SAP R/3 4.7 and BASIS 620 (extended support for these editions ended in 2012 for customers) on systems OW1 and OW2, with legacy incidents (customer tickets opened 2013 or earlier reside on system CSS/CSN). These are very old versions, and the remote function call libraries on them convert all chars to uppercase and have a hardcoded field length of 8 characters.

In 2014 SAP started a concerted effort to get everything off the old versions onto the latest and greatest stuff. Tickets go into BCP (CRM on HANA in-memory DB), most of the support portal runs off systems W71 and W72, and support backend functionality was migrated to I7P.

While we were migrating the support portal functions, we wanted it presented as one support portal, and not have two passwords for the same username, because that would be confusing as shit. So we set ABAP parameter login/password_downwards_compatibility to 1, which made all the password rules you saw in that image, so your password would be the same on all systems.

Now *almost* every single function has been moved to newer releases (automated download of software packages and use on RFC connections still requires an 8 char password, which is separate from your "main" password now).

Logon attempts are logged and five wrong password attempts (regardless of the time between password attempts, it can be days or weeks) lock the user out, requiring SAP to be contacted to reset the password and unlock it.

Smart users just get a free X.509 client certificate with a 2048-bit private key for automatic browser logon to the support portal anyways.

Passwords that I don't find memorable are ones I have to trust to some app or cloud service or write down.

I write numbers while holding shift, so 1234 becomes !@#$ for example.

easy to memorize

I put 123456 everywhere I can

easy to remember, hard to guess, hard to crack

basically a pass phrase, not a pass word.

Instead, go with phrases. IKissedAGirlAndILikedIt is 1000x more secure than shitty 123445679101112. But this is also not secure enough. Make the phrases more random but memorable so it's not easy to forget. YesterdayGToldMeToChangeMyPasswordLikeThis this would be secure. Now if you change some of the words to numbers, for example, replacing the o with 0 or i with 1, that would make it much more secure.

>using passwords
>not using passphrases
Size matters, user.

This.

I'm not comfortable with anything short of something like: 20

And a password vault like KeePass(tm)(c)(r) does this for you.

Just make a secure single password for the vault and you're golden.

Use a local password manager. I like KeePass, but there's plenty of others. Bam, encrypted file that you can back up and secure like any other file. You don't need to trust any cloud service.

And writing passwords down would be preferable to having easily guessable or easily crackable passwords that are shared across sites. It makes you vulnerable to physical things (like theft, fires, losing your notebook, etc), but that's a risk that most of us are pretty good at managing.

>You don't need to trust any cloud service.
Not him, but I use Google Drive to sync my KeePass vault across multiple devices (and each device thus keeps a local copy for offline-redundancy if I ever care).

And before you get up in arms about muh botnet cracking attempts you can secure vaults further with stuff like keyfiles, OTPs, or even an entire established Windows account (on Windows).

Easy to remember password hashed an arbitrary number of times.

e.g. doggy = 6683ffdec0bf23f22fa36f8dd9ed3558

Attacker has to know your simple password and the number of times you hashed it.

Is that fucking MD5?

softwareengineering.stackexchange.com/questions/115406/is-it-more-secure-to-hash-a-password-multiple-times

>live in country of 4 million people
>have own language
>write passwords in native language with some punctuations

also, non english words if you know them

It's an example. Sup Forums wouldn't let me post a longer one. It's still more secure than using doggy directly

2 factor > Anything single factor

random words like OffcerBisonMondayLunch

Is your password Perkele1?

Ит'c eжeн бeттep тo aцтyaллъ инcтaлл a цъpиллиц кeъбoapд aнд вpитe ъoyp пaccвopдc фpoм тхaт.

This is clever

Not really

>[same statement]service name[same number]

Why the fuck would you do anything else? I don't understand people who need password managers and think they need a totally unique password for their Fagbook and Twatter account.

I have about 4 passwords that I use depending on what the requirements of the service are.

If you're talking about a master password that you want to remember (like for LastPass), I use a five/six letter word, then abbreviate it, then add a number after each word that's meant to form a simple sequence.

I use a "4 word password" with some random additional characters in it to avoid dictionary attacks. Length is more important than using a bigger pool of characters to prevent brute forcing, and not using typical complete words avoids dictionary attacks (and I don't mean replacing "o" with "0", that's far too obvious).

Not using the same password everywhere is the other key rule, just to avoid attacks based on leaked hashes from services that don't know how password security should work (i.e. not using salts). Either add something to the password that makes it unique to the service (e.g. "fb" at the end for Facebook) or use a password manager to generate random passwords.
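The posts above argue that length beats a bigger character pool, that random unique passwords beat memorable patterns, and (earlier in the thread) that "hash an easy word many times" adds little, while the quoted SAP policy demands three of four character classes. The following Python script is an added example, not code from any poster; it puts numbers on those claims by computing the entropy of each scheme and checking each sample string against the quoted 8-to-255, three-of-four policy. The 7776-word list size, the 95-symbol printable-ASCII pool, the guess rate of 10^10 per second, the dictionary of 100,000 words with up to 1,000 hash iterations, and the sample strings are assumptions chosen for illustration.

```python
import math
import string


def random_password_bits(length, pool_size):
    """Entropy (bits) of `length` symbols drawn uniformly and independently
    from a pool of `pool_size` symbols, e.g. a password-manager output."""
    return length * math.log2(pool_size)


def passphrase_bits(word_count, dictionary_size):
    """Entropy of a passphrase whose words are picked uniformly at random
    from a list of `dictionary_size` words (the 'correct horse battery
    staple' scheme). Words a human picks score lower than this bound."""
    return word_count * math.log2(dictionary_size)


def iterated_hash_bits(dictionary_size, max_iterations):
    """Upper bound for 'hash an easy word N times': an attacker who tries
    every word at every iteration count up to the maximum needs at most
    dictionary_size * max_iterations hash evaluations."""
    return math.log2(dictionary_size * max_iterations)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at the given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def meets_three_of_four(password, min_len=8, max_len=255):
    """The policy quoted from the SAP blog post: 8..255 characters and at
    least three of upper-case, lower-case, digit, symbol."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return min_len <= len(password) <= max_len and sum(classes) >= 3


# Constructed comparison cases: label, sample string, (entropy function, args).
# The strings are illustrations only, not real passwords.
CASES = [
    ("8 printable ASCII, random", "e`R=kh*f", (random_password_bits, (8, 95))),
    ("16 lower-case letters, random", "zwtvzqgbbpwjqamf", (random_password_bits, (16, 26))),
    ("4 diceware words (7776-word list)", "correct horse battery staple", (passphrase_bits, (4, 7776))),
    ("easy word, hashed up to 1000 times", "doggy", (iterated_hash_bits, (100_000, 1_000))),
]


def compare(guesses_per_second=10**10):
    """Return one row per case with its entropy, policy verdict and the
    time an offline attacker at the given rate needs to exhaust it."""
    rows = []
    for label, sample, (fn, args) in CASES:
        bits = fn(*args)
        rows.append({
            "scheme": label,
            "sample": sample,
            "bits": round(bits, 1),
            "passes_policy": meets_three_of_four(sample),
            "years_to_exhaust": years_to_exhaust(bits, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['scheme']:<36} {row['bits']:>6} bits  "
              f"policy={'pass' if row['passes_policy'] else 'FAIL':<4}  "
              f"{row['years_to_exhaust']:.3g} years")
```

The rows show the point the thread keeps circling: the 16 random lower-case letters fail the three-of-four rule yet carry about 75 bits, far more than the 8-character full-ASCII string that passes it (about 53 bits), and the iterated hash of an easy word is bounded by roughly 27 bits however many times it is hashed.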

>Not using your local dialect
Plebs.

...

>implying my mask isn't ?d

leeeeeeeeeength

Protip: ANY password under 10 characters is insecure.

...

Thanks for the free passwords, I needed some.

But seriously, this.

>thinking about passwords and performing mental gymnastics for every site like or or most posts in the thread
I just perform the mental gymnastics for my vault and let keepass handle the rest. Can even set up reminders to change passwords at an interval, password history, tags and notes (i.e. username and associated email), whatever.

Also it comes at no inconvenience to me.

I love KeePass' autotype when set up correctly, haven't looked into helper extensions, but I just unlock my vault and it will fill in login info for me. Don't even need to copy/paste.

16 characters, 32 for banks/credit cards, 64 for password manager
Mixture of lower and uppercase, numbers, and special characters.

Seems... sketchy as fuck, wouldn't want my password generator to have internet access.

Do you even have control of the seed for this?

Are people really supposed to remember their passwords, or are you writing them down or using a pwd mgr prog.?

e`R=kh*fd2'Ey^Iw/xIK
>symbols not allowed
zWT8VZQgbbPwJqamfCZi

Remember one good password for a vault.

Protect the password and the vault, the vault protects your passwords.

$&@gmailsucks23dicks
$&@netflixsucks23dicks
$&@my_banksucksallthedicks

-Easy to remember, easy to type fast
-Hard to check by brute force & dictionary attacks
-Use one main password and 1 super secure password (for money/email stuff).
-Make sure your passwords already have a special char & a capital letter so you don't have to memorize several different variations of it

>someone hacks your vault, locks you out of it, has immediate access to EVERYTHING, TOP LEL MATE

>not using a keyfile stored on an external device
>not making regular offline backups
Just keep using that same password you use for everything.

2 things

1) You lose that keyfile, you're fucked. Or if someone else gets access to that keyfile, again, you're fucked. Your vault manager cleanly organizes every single one of your accounts for a hacker to go through and pick and choose. They'll know exactly which bank you use, your exact account info, your exact email, and there's no mystery for them

2) Even assuming I used 1 password for most things and a separate password for important things, statistically the odds are with me. Even IF sony/yahoo/whatever gets hacked and attackers get my password, they won't know what else I used it on.

Lastly, the extra requirement of always having to copy paste your passwords because they are un-memorizable is useless because software has no issue with copying passwords. Think about it, you're choosing passwords that are impossible for a human (you) to remember, so you have to copy paste it and write it down every time you need to use it. Keyloggers, screen-sharing, copy-paste buffer sniffing malware would literally have 0 problem with this, so you're not really adding any extra security, just a false sense of security and hassle for yourself.

You know what the safest password is? One that's not written down anywhere except memorized in your head.

What if I also use a strong password I memorize in addition to that keyfile?

>Keyloggers, screen-sharing, copy-paste buffer sniffing malware would literally have 0 problem with this
They also have no problem with me typing my password out on a keyboard. If my computer was infected with malware there is not a single method of password entry that is secure.

Then your keyfile is just as strong as this password you memorized. Now why do you need the keyfile in the first place? It's an unnecessary middleman you have to use and in the end it's just a big list of websites, accounts and passwords. It's still a 'vault' in a sense, but not that it's protecting anything, but instead it's a target that you would be fucked if it was compromised.

I guess the reason I'm so passionate about this is because at my old work there was some IT nerd who was obsessed with fucking ridiculous passwords like and it was just a big old hassle and people ended up copy-pasting passwords around in unsecured chat programs anyway.

Almost maximum complexity from Keepass with 12, 24 and 36 characters since there's no standards that makes them put a minimum or at least saying what minimums are like 's image.

Sure, it would get both in both cases, but if you had a vault it would also provide attackers with a clean list of everything you ever owned and how to access it.

Unless you used a separate vault for important shit, to separate the stuff you care about from the stuff you don't. But even then, both vaults are just as secure as those 2 passwords you memorized, so why do you need the vaults at all?

I just filter the output of argon2 for ascii chars only.

You need both the keyfile and password to unlock the database. One or the other is not enough.
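To show what "both the keyfile and the password are needed" means in practice, here is an added Python example (not KeePass's code, and a simplified version of its composite-key idea): each factor is hashed on its own, the two hashes are concatenated and stretched with scrypt, and the vault is sealed with encrypt-then-MAC so that a missing or wrong factor fails the tag check before anything is decrypted. The SHA-256 counter-mode keystream is a stand-in for a real cipher such as AES-GCM, chosen so the example needs only the standard library; the sample contents and keyfile are constructed.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
TAG_LEN = 32


def composite_key(password, keyfile, salt):
    """Combine both factors and stretch the result with scrypt.
    Each factor is hashed on its own first so the two cannot bleed into
    each other (a short password plus a long keyfile must not equal a
    long password plus a short keyfile). Simplified scheme, not KeePass's."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.scrypt(material, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key, length):
    """Toy keystream: SHA-256 in counter mode. Safe here only because the
    per-vault salt gives every seal() call a fresh key; a real vault would
    use AES-GCM or ChaCha20-Poly1305 instead."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from the composite key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def seal(plaintext, password, keyfile=None):
    """Encrypt-then-MAC the vault contents under the composite key.
    Layout of the returned blob: salt || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _subkeys(composite_key(password, keyfile, salt))
    stream = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def open_vault(blob, password, keyfile=None):
    """Return the plaintext, or None unless password AND keyfile both match.
    The tag is checked in constant time before anything is decrypted."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(composite_key(password, keyfile, salt))
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample: a real keyfile is random bytes generated once and
    # kept on a separate device; the contents are made up.
    keyfile = os.urandom(64)
    vault = seal(b"mail: hunter2\nbank: correct horse battery staple\n", "master pw", keyfile)
    print(open_vault(vault, "master pw", keyfile) is not None)  # both factors -> True
    print(open_vault(vault, "master pw", None) is None)         # password only -> True
    print(open_vault(vault, "wrong", keyfile) is None)          # keyfile only -> True
```

Because the keyfile hash is part of the scrypt input, a copy of the database plus the memorized password still derives the wrong key, which is what the post above means by "one or the other is not enough"; conversely, losing the keyfile loses the vault, which is the backup argument made earlier in the thread.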

>what is literally two factor: the post
Which I think KeePass also supports.

Not the safest but kept me from getting hacked: [Your name/last name/Some weird foreign name][a punctuation mark if allowed][Name of the site you need the password for/Noun or verb describing what the site does][Number][Random symbol]

Well that's just the situation of hacking the full vault. You're still copy-pasting passwords around every time you need to use them. God help you if you somehow lose access to your vault. If your hard drive fails you better hope you had it backed up on cloud. If you had it backed up on cloud you better hope that your cloud account isn't hacked (like The Fappening). Or if you don't have immediate access to your PC you better hope you have it on your phone, but if you have it on your phone that's just another vulnerability point as well.

Also, if someone has keylogging software on your computer it would be trivial to send a 1-2kb keyfile, or to copy that into a thumb drive. Then, again, at that point your shit is only as secure as your keyfile password which you use for -everything-, unless you have separate vaults with separate passwords.

2 factor is good too, and I would definitely recommend it for any sort of online account, but 2 factor can be bypassed through social engineering. Did you hear about that YouTube fiasco where callers would call the YouTubers' IRL phone provider and ask for a new SIM card and then they had access to future phone texts, which would be used for the password reset process? Every time you add more steps you also add more points of failure.

>social engineering
>social engineering
>mental gymnastics
>^
>braindead stupid
>mental gymnastics
>^
>^
Perfect

>Sorry, your password needs to contain an Uppercase Letter.

Cont.

I have to go soon so let me just conclude by saying this. Ideally you should separate your passwords by levels of how much you care about it. Email/Bank > sentimental value > burner accounts.

And again, the safest password is one that is stored in your brain, not copy pasted in any text document, chat log, email, or keyfile. An encrypted keyfile would be good, but it's an incredible hassle and you'll have to keep backups of it. I do this for my RSA key, but that's about it.

Meh, I'm fine with a password vault.

If somebody's going to data mine the shit out of me and pilfer everything and the kitchen sink there's no way I can be prepared for everything. I'd prefer to be safer in general while not being singled out, such as in a website database breach.

For that I use a password vault.

I hate all these fucking restrictions

I can't use good passwords that are like 250 characters long because they're passphrases that contain no upper/lower/number/symbol characters

I'm literally made less secure by their restrictions

My password is あ times the minimum number of characters.

Only downside is you have to copy paste it since password fields don't allow Japanese input.
Being in the unicode range is much more secure than relying on ascii only passwords.

I bet on the backend it's converting that unicode character to a space or something. Your password is literally 5 spaces

KeePass

>if you had it backed up on the cloud you better hope that your cloud account isn't hacked.

The password database file is literally useless if you've got it encrypted with a strong password.

Again, then it's just as secure as the password you memorized, so why do you need the keystore in the first place?

Who knows, it depends on the backend. Chances are though it is actually converted to ascii before hashing.

1324

shit, who would have guessed

Passwords are old news, it's all about pass phrases now.

Anything that doesn't require me to mess with pass generate characters and can have 24+ characters. I get a little hard on websites that can have hundreds of characters.

literally this
random.org/passwords/

Literally don't even need a website to do this

>thinking about passwords and performing mental gymnastics for every site like or (You) or most posts in the thread

Well no, I said to use a password manager so you only have to do it once. Maybe you missed that bit.

I apologize if my intent was misunderstood, I wasn't quoting you.

First letter of each word in the first 1/2 lines of the song playing on the radio
I've listened exclusively to dadrock for 15 years so I know practically all songs in rotation

They can't (well it's harder) get into my important accounts as I use 2 factor auth.

They can have my Reddit account if they wish (note my spacing)

>dropbox gets hacked
>they literally have all your passwords with minimal effort

My vault is literally a fireproof safe that I keep in a secret location and my passwords are all hand written, I've memorized all of them with memory palaces. NO ONE is getting me, my friend.

> low tier
some letters and numbers
> higher tier
some letters, 1 capital, and numbers
> penultimate tier
more complicated version of previous
> ultimate tier
a combination of two of my passwords

Don't use unicode because you won't be able to log in from some devices

>not using locations and movements of astrological bodies to generate and store passwords
pfft

If a random forum is hacked, my password might be leaked in plain text. If my keystore is leaked I know for sure it's strongly encrypted and will be useless for a long time (probably no one will even attempt to open it). The keystore allows me to use different passwords for different services.

Why are people implying their passwords are stored in cleartext?

Hello Podesta.

DICTIONARY

A
T
T
A
C
K

10+ random characters and numbers. Doesn't need special characters (or at least not more than 1) or a combination of uppercase+lowercase letters.

This is kinda stupid. One special symbol is enough if you want to include it.

They are not. Which is why it makes no difference if your password is "password" when compared to "@I3nP42". It makes it more secure against dictionary attacks, but dictionary attacks are only good for a single target and only if a service is not defended against brute forcing. Nobody wastes their time getting a single password.

>what is your criteria
>is
>criteria
In English we say what is your criterion.

who is we