26 points

Pass PHRASES are much better anyway.

Nobody’s gonna remember “pyf85ruGmmgæ&Oy_w48euaT0lt” so they’ll either write it down, save it to their browser,or use a password manager, either of which makes it less secure.

On the other hand, something simple that doesn’t necessarily make sense, say “AlmondsMakeFineGrenades” is difficult for both humans and machines to guess, but easy to remember.

Tl;Dr: an xkcd comic explaining it much better than I just did 😁

permalink
report
reply
13 points

Using words in your password can undermine your security aswell, you need to include some other non-English stuff or you can be very vulnerable to dictionary attacks.

permalink
report
parent
reply
11 points
*

Using words in your password can undermine your security aswell

Only if they’re predictable words and/or in a predictable order. No dictionary attack is going to guess the exact word combination above or equivalent any faster than the preceding keyboard mashing.

Unnecessarily adding complications only makes the pass phrase harder to remember and thus less effective.

permalink
report
parent
reply
6 points

Until you get hit with a dictionary attack.

Luckily this isn’t really viable today as most logins just block you after like 5 attempts.

only sucks when you have 6 passwords and don’t remember which one

permalink
report
parent
reply
4 points
*

Until you get hit with a dictionary attack.

As I explained to the other one, no dictionary attack will happen upon that exact combination of words any faster than the keyboard mashing preceding it.

Using a COMMON word or a COMMON phrase would leave you vulnerable, sure, but no prediction process is going to happen on the exact combination.

Hell, add a word or two to “SaltyIceteaMaker” and it would make an extremely secure pass phrase. For something without that string in the user id, of course 😁

permalink
report
parent
reply
3 points

The main advantage of a password manager is that you can have a different password for each account. Which means in case of a leak you won’t be in risk of losing other accounts.

And I don’t think I want to remember 300 pass phrases with different words.

permalink
report
parent
reply
1 point

It’s still less combinations than just scramble tho. It may be enough idk, but an algorithm that just combines words would definitely at some point arrive at like “SaltyIceteaMakerBlueAcorn” it’s only once you add random letters/numbers/special characters that a dictionary attack stops working.

Although this probably doesn’t matter as it would likely still take like a century or ten to complete

permalink
report
parent
reply
6 points

I use a password manager for a few reasons, but not having to remember hundreds of passwords myself is definitely one of the main ones. I sometimes struggle to remember the few phrase-based passwords I do use.

permalink
report
parent
reply
3 points

Use that, but only for the handful of passwords that you

a) need to remember regularly, even when you don’t have access to your password manager b) need to be really secure

I’d say email and banking are the obvious ones. For everything else, rely on a good (self-managed, open source) password manager. Sure, a passphrase beats any human-memorable password, but it doesn’t stand a chance against my 250bit entropy machine generated passwords. And thanks to KeepassXC I never have to type any of them. And sure, you can secure your password manager’s database with a passphrase, if you’re so inclined

permalink
report
parent
reply
0 points

Good, now hackers can prioritize English words in your passwords for bruteforce attacks!

permalink
report
parent
reply
1 point

hackers can prioritize English words

Yeah, all hundreds of thousands of them. In combinations that don’t make logical sense. Do you have any idea how long that would take?

Even if I limited myself to a 5 word pass phrase from a word list of 5000, there would be 25989619781251000 possible combinations.

Make that list the entirety of the English language and there’s no way you’d be able to brute force it before the sun becomes a red giant, let alone during the lifespan of an unhealthy elder millennial 😄

permalink
report
parent
reply
14 points

How do you find out the entropy of a string?

permalink
report
reply
15 points
*

Put into your passwordmanager and look at its judgement. 13 characters with only lowercase letters + numbers is pretty bad honestly

permalink
report
parent
reply
6 points

Looks like the cat’s seen some shit. Makes sense since they’re in cybersecurity.

permalink
report
reply
3 points

You gotta be careful with that sort of thing! Have people not seen Freakazoid?!

permalink
report
reply