but iirc the bottom half has been sort-of half debunked
Any source for this? It’s literally just random words. Just pick from a large enough list and you’re good.
Comment on [deleted]
A_norny_mousse@feddit.org 2 weeks ago
I hope you didn’t make their actual basic phrase public.
In my opinion any password that’s designed to be human-friendly isn’t secure. Every crutch one uses to remember it, a machine can make much faster use of.
In this case I’d say the core idea: “SWydThIThBaPl!” is relatively safe, but 690720 is almost immediately recognizable as a date - to a machine! - and amng, leum etc. are even easier assuming the cracking program has knowledge of which site they’re trying to gain access to.
So the only good part is the one that repeats for every password.
I think the top half of this xkcd illustrates some of it; but iirc the bottom half has been sort-of half debunked.
In any case, I use only very long and completely random passwords for online accounts.
Does this person think password managers are crutches? You cannot out-remember a machine.
nimpnin@sopuli.xyz 2 weeks ago
A_norny_mousse@feddit.org 2 weeks ago
Things a password cracker does before brute force guessing:
- Dictionary attacks
- Leaked passwords
- Password guessing attacks
- …
nimpnin@sopuli.xyz 2 weeks ago
If you pick 4 random words, the attacker would still need to brute force through (hundreds of?) billions of word combinations. That’s the point.
hangonasecond@lemmy.world 2 weeks ago
Yeah you’re correct. The person you’re replying to is treating dictionary attacks as separate from brute forcing. Dictionary attacks are great on short passwords using likely words, but as soon as you use 2 or 3 or 4 words it becomes computationally unfeasible. I would say a completely random string of the same or much less length is more secure because a dictionary attack won’t work at all, but 3-4 word passphrases are excellent for passwords that you have to manually enter ever.
Blemgo@lemmy.world 1 week ago
I do agree that password managers are generally more secure than memorable passwords, however, they also pose he Achilles heel of a system, as one password unlocks all. That is why 2FA tops everything, as even with a weak password, as a hacker would need to crack an OTP to gain access, or convince the one holding the 2nd device to unlock the account for them.
However I do want to contest the claim that all user-friendly passwords are inherently unsafe. The Electronic Frontier Foundation did a Deep Dive on randomly generated passphrases and shows how secure the system is by entropy alone.
throwawayacc0430@sh.itjust.works 2 weeks ago
Its an example. Not a real password
If you replace the “SWydThIThBaPl!690720” part with a random string like: dsh2box5hRs3wraA (just generated this), but kept the system the same, would your assessment of this system be different? (Assuming someone can actually remember that string of characters)
A_norny_mousse@feddit.org 2 weeks ago
Your new example is confusing. With or without the date?
In any case, what would be the point? “Oh, I can remember the first 4 letters of the password but not the last 20”?
This person needs to understand that they cannot outsmart a machine, at least not in this. FWIW I’ve been using keepassxc for I don’t even remember how many years and never had a problem with it.
throwawayacc0430@sh.itjust.works 2 weeks ago
“Lemmy Forum” = leumdsh2box5hRs3wraA
Protomail Email = prildsh2box5hRs3wraA
Amazon Shopping = amngdsh2box5hRs3wraA