So which password is better?

>urafaggot
or
>Ur4f4Gg0t

I've heard from both sides the advantages and disadvantages of each, but I'm not convinced for either.

try both like BigBlackD1ck$1488

that way you have both of best worlds

These are kind of rude passwords

The second one would require much more time to brute force, though both would probably be in a big enough dictionary.

putoelquelee

Latter would be harder to guess but still not difficult to bruteforce
Why not just use a password manager and generate something obscenely long?

For example

6BsFO8rlJZ64dLkgVwUNLCA@vofJOEsfdksCTCfOKb1OyP!E3rE^W1%jL5eWNwY2YLll6q#6lEtAB$7T6N3hz#w2AoTa@CEx#0iHTCnfKv*h*fw&N3gpeczPaej&VlUN

A simple sentence with punctuation is long enough and better

Neither, because a real cracker used social engineering to get access to the database.

not OP but how in the hell are you supposed to memorize that?

>social engineering
doesn't work on asocial people

urafaggot

Length is far more important than characters. Ideally you'd just have a memorable sentence as a password such as imahugefaggotthatsucksbigcock

You don't. Put it in a password manager, associate the account with your email address so you can reset it if you lose access. Easy.

Ur4f4Gg0t
might be in a leetspeak .lst file, so there is that

Not OP, but what site is that? Looks useful.

passwordmeter.com/
I'd substitute a real password because... you know, botnet elderino senior

Thanks, and thanks for the tip.

u.r.a.f.a.g.g.o.t.

is significantly better than both which are very vulnerable to dictionary based attacks

Again, just use keepass

All my passwords are impossible to crack because they are in Linear A

>why yes, having one password to unlock every other password is perfectly secure and safe

Best is the first letter of each word of a sentence.

>linear
>not tetratic
Might as well use "password1"

Change it on a regular basis and require two factor authentication. Don't store your bank login in it.

/thread

They're both of similar entropy. Realistically Ur4fagg4t is at most 1700 times stronger. Which may sound like a lot, but even giving it a conservative estimate "9scgyrtmTo" is probably another 1000 or so stronger than that. And "WiUkXApGNL2whOKjJgV4" is 2^60 times stronger

Both are now in my rainbow table so they will take about equal time to crack.

123456

It sounds kinda bad but they still have to get your master password somehow.

Sure keyloggers are a thing, but nothing will save you in that event. Assuming security around your password manager is sufficient it is a much better way of securing all your different site credentials than potentially reusing passwords where an attacker can potentially get into multiple accounts before you realize the first is compromised.

>Sure keyloggers are a thing, but nothing will save you in that event.
Not using a dedicated keylogger aka password manager can be very helpful in preventing that situation.

You don't know what you're talking about. If your local password database gets pwned, (((they))) can already run code on your account and you're fucked either way.

No.
If you have a keylogger then it is going to catch all the passwords you use anyway.
It won't matter if you use a password manager or not.

Your system always needs to be the most secure. If your system is not secure then it doesn't matter what good practices you follow, you are fucked.

I don't have a keylogger. You have a keylogger. Your password manager is a keylogger. I am infinitely more safe because I didn't install a program dedicated to collecting all my passwords.

I do not have a local password database.

>Not creating your own password manager for complete trust, along with your own compiler to avoid the Ken Thompson hack and your own Linux distribution

The absolute STATE of Sup Forums. Off yourself immediately.

>Your password manager is a keylogger.
In that case, everything you type your password into is also a keylogger, so you have a keylogger too. It's called your browser.

I am more inclined to trust browser than a program designed to catalog my passwords.

They're approximately the same strength.

Make your passwords LONGER.
LOOOOONNNGGGEEER.

Then you're a fucking idiot, since you're also trusting every single website you visit not to be running malicious javascript to collect credentials from your browser.

idiot.

A lot of assumptions in that post. Let me just say that you are not describing the situation correctly.

Protip: every program that accepts keyboard input is a keylogger.

@pu7031qu310133

Just generate some random string from /dev/urandom

My bad I thought you meant the browser password manager. That's a level of retardation that's triggering.

I hope you don't use chrome.

what are the advantages you've heard for the first, pray tell?
because I see none whatsoever, aside from being easier to remember
sentences are garbage, language is too deterministic and predictable
use a randomly generated sequence of words, maybe through diceware

that site is shit and that password is shit too
modern gpu-based password crackers can make millions (billions?) of guesses per second, and crackers are unretarded enough to know about common substitutions like letter-for-leetspeak-number, so they can easily check those permutations of dictionary words/phrases without actually bruteforcing every 9-character password

decent article here: arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
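What "checking those permutations" looks like in practice, as an added example that is not from the thread or the linked article: a rule-based candidate generator in the style of a cracker's mangling rules (assumption: the substitution table is a small illustrative subset, real rule files are much larger), run against a SHA-256 of the thread's second password. The point it makes is that Ur4f4Gg0t lives in a candidate space of a few thousand strings derived from urafaggot, not in the 62^9 space a blind brute force would face.

```python
import hashlib
import itertools

# Substitutions a cracking rule set would try. Assumption: a small illustrative
# subset; real rule files carry far more rules (prefix/suffix digits, reversal, ...).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def per_char_options(ch):
    """Every form a case/leet rule could emit for one input character."""
    opts = [ch.lower(), ch.upper()] if ch.isalpha() else [ch]
    if ch.lower() in LEET:
        opts.append(LEET[ch.lower()])
    return opts


def mangle(word):
    """All case/leet variants of `word` a rule-based attack would enumerate."""
    return {"".join(c) for c in itertools.product(*(per_char_options(ch) for ch in word))}


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex, base_word):
    """Hash every mangled candidate of base_word; return the match, or None."""
    for cand in mangle(base_word):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


def brute_force_ratio(word):
    """How many times larger a blind 62-symbol space is than the mangling space."""
    return 62 ** len(word) / len(mangle(word))


if __name__ == "__main__":
    # Constructed: the hash an attacker pulled from a leaked database.
    stored = sha256_hex("Ur4f4Gg0t")
    print("recovered:", crack(stored, "urafaggot"))
    print("candidates tried at most:", len(mangle("urafaggot")))
    print(f"blind brute force is {brute_force_ratio('urafaggot'):.1e}x larger")
```

Unhashed SHA-256 is used only so the example is self-contained; the arithmetic is the same against any fast hash, and a slow KDF only scales the constant, not the 2592-candidate count. The dotted u.r.a.f.a.g.g.o.t. form from later in the thread is not in this particular rule set, but an insert-separator rule is a one-liner in any real rule file.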

What about password managers that have actually been audited?
Unlike your browser.

>malicious javascript
>implying they even need that
any site you use a password to log into obviously fucking knows your password, javascript or no
if they want to (or if, like most companies, they are incompetent and get hacked), they can leak your password out to the world freely
the only defense against this is having a separate password for every website, or at least separate passwords for important websites that you care about

Anyone have the xkcd for this? it explained passwords pretty well..

i'm a fan of clipping parts of words together into an easy-to-remember, hard-to-guess jumble
remember the xkcd example of "horsemagnetbucketdoor"?
instead use "orsemagnebuckedoo", that way you only need to remember the intended password (horse magnet bucket door) and the filter, in this case -1 off the start of word 1/3/5/7, -1 off the start of word 2/4/6/8, etc.

you could go the extra mile and take 1 letter off the odd numbered word and 2 letters off the even ones but I find it much easier to remember if the pattern just switches sides not values

"I am a faggot!"

/thread

>-1 off the start of word 2/4/6/8 etc
fuck I'm retarded meant -1 off the END of word 2/4/6/8

i found it,
fuck off you cant /thread your own post..

No, it's garbage. It's meant to suggest that the top panels properly represent the difficulty of a usual password a person has, with a reasonably complex word and some digit/symbol additions and replacements, and it does not; the claimed entropy is too low, and "add just a few bits and it's going to be good enough" does not cut it.

also what is the point of this thread, ofc the second is 'more difficult'. Are u that much of a brainlet to ignore that a regex for the first one would generate less candidates compared to the second? Then why are you posting in this board?

4 words is too few to be secure but the principle holds
the human brain is better at remembering words than random characters

a 6-word diceware password (where each word is selected from a list of 6^5 options through 5 rolls of 6-sided dice) has ~77.5 bits of entropy, but is much easier for your average human to remember than a 13-character string of random alphanumerics (which has similar entropy)

I don't get those kinds of responses. Did you read my post at all? I never said anything about bottom panels, only top ones.

>t. soyboy

I'm not OP.

Are dictionary attacks usually done only in English? What if my password was orenopaasuwaadowasaikoudaze?

They can be done in other languages.
The point of the dictionary attack is that you feed a dictionary to it. The contents of that dictionary could be anything.

But if the attacker knows nothing about me other than maybe my country, will they likely just use an English dictionary?

security through obscurity is retarded
you ought to make security choices such that, even if an attacker knows exactly how you generated your password, they cannot crack it
and no, dictionary attacks are not only done in english
people from other countries have passwords too

What matters is the length, you get a long and easy to remember pw with a sentence.

What if I lose my password manager data (hard drive crash, corruption, etc.)?

what matters is randomness
being long becomes much less effective if it is predictably wrong
i doubt you would advocate for "passwordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpassword" to secure anything important, even if it IS long as shit

Most likely, yes.
Though that dictionary could have many loan and common words from other languages included in it.

>what if I drop my basket full of eggs?
make fucking regular backups

You restore your backup, of course.

what matters is length
being random becomes much less effective if it is short
i doubt you would advocate for "4" even if it IS random as shit

please look up 'bits of entropy'
obviously, even if chosen totally at random from all alphanumeric digits, 4 would only be one of 62 options and would not be a high-entropy password (only ~6 bits)
increasing that to 2 characters would immediately increase it from 6 to 12 bits, 3 characters would be 18 bits, and so on

The important measure, the "total randomness" of a password, is the number of bits of entropy
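The entropy arithmetic from the diceware post and the "bits of entropy" posts above, as an added example that is not code from the thread, plus the /dev/urandom generation suggested earlier done through Python's secrets module (which reads os.urandom). The word list is a constructed 16-entry stand-in; a real diceware list has 6^5 = 7776 entries, and only the list length enters the entropy calculation.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
DICEWARE_LIST_SIZE = 6 ** 5                      # 7776 words, one per 5 rolls of a d6

# Constructed stand-in for a real diceware list; only its length matters for the
# entropy arithmetic, so generate from a real 7776-word list in practice.
WORDS = ["horse", "magnet", "bucket", "door", "apple", "river", "stone", "cloud",
         "lamp", "grape", "violin", "cactus", "pillow", "comet", "fossil", "walnut"]


def entropy_bits(choices, length):
    """Entropy of `length` independent, uniform picks from `choices` options."""
    return length * math.log2(choices)


def strength_ratio(bits_a, bits_b):
    """How many times more guesses A needs than B: 2 ** (difference in bits)."""
    return 2 ** (bits_a - bits_b)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def diceware_passphrase(n_words, wordlist=WORDS, sep=" "):
    """n uniform random words from the list, chosen with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_string(length, alphabet=ALNUM):
    """A uniformly random string over `alphabet`, chosen with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def comparison_table():
    """The cases argued in the thread, in bits of entropy."""
    return {
        "1 random alnum char": entropy_bits(62, 1),
        "2 random alnum chars": entropy_bits(62, 2),
        "10 random alnum chars": entropy_bits(62, 10),
        "13 random alnum chars": entropy_bits(62, 13),
        "20 random alnum chars": entropy_bits(62, 20),
        "6 diceware words (7776-word list)": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "6 words from the 16-word demo list": entropy_bits(len(WORDS), 6),
    }


if __name__ == "__main__":
    for label, bits in comparison_table().items():
        print(f"{label:38s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s")
    print(diceware_passphrase(6))
    print(random_string(20))
```

Note that the entropy figure only holds when every pick is uniform and independent; choosing words from memory, clipping them by a fixed rule, or reusing a phrase you like all shrink the real search space below the number the formula gives.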

Would use a similar pw. but not this one since its probably in a dictionary. It depends how your guessing algorithm works, if it tries every variation of words up to your wordcount c it would literally take years to try all n^c passwords.

That's the thing.

If everyone used the same formula of combining words then a dictionary attack would be easy because you would just plug in that formula.
As long as you make something individual then they're going to be down to basically the same as bruteforcing.

What xkcd isn't advocating is everyone use four dictionary words but rather use a combination of dictionary words in some way that is easy for you to remember.
That could be taking off a letter, that could be incorporating a foreign word you know, something that individualizes it while remaining easy to remember.

urafaggot is better. its easier to type and to remember.
the other one is terrible for memory and fast typing, and provides exactly (0) zero additional security because the substitutions are known and implemented by all password cracking tools.
if you want shitty charaters interspersed, use something like diceware to randomize it.
the only good reason to do so, however, would be if a website required you to use that type of password

Using /unique/ passwords that you periodically change is at least half as important as using strong passwords. For that you pretty much need a password manager for it not to be a giant headache. But if you're using a PW manager anyway you may as well use your meme 32 ASCII character passwords that will not ever get cracked until we're balls deep inside quantum computing.
tldr; use a fucking pw manager, it's 2 birds in 1 stone

>32 ASCII character passwords
but my bank has a max of 6 characters and they must be all lowercase numbers

Question: What would you NOT use a password management tool on?

A public computer.

>So which password is better?

>YoureSuchAFuckingFaggotHolyShitAnonWhatIsWrongWithYou

Length >>>>>>> random characters

op.is.a.faggot

>Your password manager is a keylogger.
It isn't.

this
>also using botnet password keepers unironically

>keepass is a botnet

*hack keepass*
*dumps your passwords*
nothing personnel heh
*steals your keepass password*
nice one kid
*sells your data to 3rd party*
thanks for using our product :)

Hacking an application on my computer?
But then I would already be fucked and it wouldn't matter whether I was using a password manager or not. You would already be able to get everything I input.

>randomness
Fucking WRONG, fuck off.

The person trying to get in to your account has 0% knowledge on your password.
They cannot assume anything about it.
Your password could be a billion zeros for all they know. Still just as random as some shit from a password generator. Just a different kind of random selection.

The ONLY thing that matters in passwords is length. EVERY single password. (type, not instance)
No amount of dictionary attacks are going to matter when your password is 20 words long unless some dumb cunt quoted a film or something.
If you mangle a word or place an in-joke word or any other nonsense not-word in place of a real word, you break EVERY SINGLE DICTIONARY ATTACK. Every one of them.

Heuristics is a meme. It does basic shit at best.
You seriously underestimate just how many iterations it takes to break a password.
The longer the better.
So, yes, actually, your example would work because most heuristics don't even try to find anything beyond several chains of common words.
Hilariously enough, prefixing your "password" chain with 0, z, "," or something else would make it take even longer because most crackers start from 0/a.
You over-estimate how good these shit systems are.

Bits of entropy doesn't matter when you are using words which allows you to make a password far in excess of smaller passwords and even remember them on top.
Standard English character-set allowed in most password fields: 0-9, a-z, A-Z, most standard punctuation on US keyboard. So let's say around 100 odd characters you could use.
Standard English words, excluding obsolete, 171k, including, add 47k. Let's be reasonable though, common English words, 3000.
3000 is much larger than 100. Said 3000 is also easier to make complex algorithms for generation which can be remembered.
Have fun remembering 40*5 (average word length) random digits.
Hope your Password Manager DB doesn't get stolen m8. Hope you remembered to bring it.

Neither, if it isn't more random and longer you're just asking to be brute forced. I always use a minimum of 20 characters. Also, character swapping is only a bit more secure than the original word. Not to mention dictionary attacks that incorporate actual leaked password databases use such passwords, especially rude ones like "my dick", so it's even worse.

I recommend getting a password manager like keepass and generating passwords. Of course if you get keylogged they get your master, but you can always never lock it, then it remains in memory though. Either way a single point of failure is bad. You can mitigate this to some extent though because keepass supports multiple DBs, so your crypto and bank info can have its own master password. Of course there are limits to the effectiveness of this. And if your computer is compromised you are probably screwed anyway.

I recommend just using keepass to generate long passwords. Only decrease the length when a site makes you, and remember that if they make you use a shit password they probably have shit security everywhere and you should assume that everything is in clear text.

then your bank fucking sucks and is waiting to be hacked. Unless they have timeout protection a computer can easily get that via simple brute force.