I just make my passwords a short phrase, easy and almost always strong
My passwords are just qwertyuiop1234567890
"NippleBaby007"
Using this somewhere sometime
Sites that set a maximum length on passwords ([I]cough[/I] Microsoft) are absolutely fucking stupid.
My passwords are just my username backwards.
Easy to remember.
He asks why babybaby123 is considered weak, but it's common to bruteforce via a dictionary and consecutive numbers. Although I guess SloppyKisses is stronger because capitals?
[QUOTE=slayer20;48669239]My passwords are just my username backwards.
Easy to remember.[/QUOTE]
Thanx
The other problem with saying what a password must contain is that it just means you're narrowing down what a bruteforce program needs to look for.
Yeah, passwords are kind of becoming a hassle. Not really trusting password managers; I usually don't hear about those getting cracked open, but if it ever happens, the fallout could be ridiculous. The safest route would probably be having an IRL paper with unique passwords, but I can't be bothered with that.
I just use a couple of the same passwords for most sites; a few other passwords for sites I don't really care about or trust so if one of those passwords ever gets leaked, there'll be virtually no damage; and then a few unique ones for critical services like email, paypal, etc.
[QUOTE=The DooD;48669340]The other problem with saying what a password must contain is that it just means you're narrowing down what a bruteforce program needs to look for.[/QUOTE]
Not really, people can still use more than those. Although the average person probably doesn't. :v:
The amount of combinations is insane still though, the hacker would need to be able to bypass the bruteforce protection (by getting the database or something like that) that 99% of (good) websites has anyway.
[QUOTE=Skipcast;48669449]Not really, people can still use more than those. Although the average person probably doesn't. :v:
The amount of combinations is insane still though, the hacker would need to be able to bypass the bruteforce protection (by getting the database or something like that) that 99% of (good) websites has anyway.[/QUOTE]
not if a website says you need at least 1 number and 1 special character and 1 capital. you know it's just going to be Monkey1! instead of just monkey 90% of the time
This idiot just explained exactly why these passwords are the way they are. Okay, let's say your password was likliklik. Okay. So you go on your Facebook, and you have your password likliklik. Okay, so you go to your Gmail, likliklik. You go to your bank account, likliklik. Finally, you go to storiesmydogtoldme.com and typed in likliklik.
Oops. storiesmydogtoldme.com was hacked. They now have your email address and password for all your accounts. Now the hacker goes and says, hmm, why don't I try this email and password for a bunch of social networking sites? What about all the popular banks?
And then your bank account gets hacked and you start blaming the bank. The reason why companies do this is because idiots like the one in the video are too stupid to use proper security.
The way to solve this, of course, is to just have different passwords for everything. This is where password managers come in, and everyone should have one.
Also, there's always Diceware for creating easy to remember passwords.
[url]http://world.std.com/~reinhold/diceware.html[/url]
[editline]12th September 2015[/editline]
[QUOTE=Marik Bentusi;48669401]Yeah, passwords are kind of becoming a hassle. Not really trusting password managers; I usually don't hear about those getting cracked open, but if it ever happens, the fallout could be ridiculous. The safest route would probably be having an IRL paper with unique passwords, but I can't be bothered with that.
I just use a couple of the same passwords for most sites; a few other passwords for sites I don't really care about or trust so if one of those passwords ever gets leaked, there'll be virtually no damage; and then a few unique ones for critical services like email, paypal, etc.[/QUOTE]
If aes256 gets cracked, password managers being vulnerable are the least of your concerns. All government data, all banks, every website you know, will be vulnerable. Or, I could just break into your house, ransack it, find the piece of paper, and use that instead of figuring out how to crack aes256.
My password is based off an obscure historical event with a misspelling, and I've also got several permutations based on synonyms of one of the words. I'm hoping that people won't guess that.
[QUOTE=The DooD;48669340]The other problem with saying what a password must contain is that it just means you're narrowing down what a bruteforce program needs to look for.[/QUOTE]
On paper yes but the most common password is still "password" so not really.
[editline]Wait actually no they aren't[/editline]
Actually they aren't narrowing it down.
Suppose my password is "x" that leaves 26 guesses.
Now google says "you need a number".
It sounds like now the bruteforcer knows that he doesn't have to guess "x" but rather "letter" "number"
Your "narrowing it down" only kills 26 guesses(the ones without numbers) but adds 26*9 guesses to make.
It's a fallacy.
I just use a password which includes all of the conceivable requirements and has a few variations for different sites
[QUOTE=Killuah;48669835]On paper yes but the most common password is still "password" so not really.
[editline]Wait actually no they aren't[/editline]
Actually they aren't narrowing it down.
Suppose my password is "x" that leaves 26 guesses.
Now google says "you need a number".
It sounds like now the bruteforcer knows that he doesn't have to guess "x" but rather "letter" "number"
Your "narrowing it down" only kills 26 guesses(the ones without numbers) but adds 26*9 guesses to make.
It's a fallacy.[/QUOTE]
Uh, if a password needs to have a number in it, then the amount of combinations of a password of length 1 will be 10 instead of 36 (assuming only small letters and numbers exist), a p-word of length 2 will have 26*10+10*36 combinations instead of 36^2 combinations. For any password length, the amount of combinations is narrowed down.
But: It makes little sense to incorporate this into a brute-force algorithm, since the run time isn't improved much compared to other methods, and the password length could be infinite anyways. You're only really giving hackers an advantage when the length is limited.
[QUOTE=Killuah;48669835]On paper yes but the most common password is still "password" so not really.
[editline]Wait actually no they aren't[/editline]
Actually they aren't narrowing it down.
Suppose my password is "x" that leaves 26 guesses.
Now google says "you need a number".
It sounds like now the bruteforcer knows that he doesn't have to guess "x" but rather "letter" "number"
Your "narrowing it down" only kills 26 guesses(the ones without numbers) but adds 26*9 guesses to make.
It's a fallacy.[/QUOTE]
What you are trying to say is right but your enumeration looks iffy.
I'll try to give a better example:
8 char password with only letters:
26^8 = 208827064576 ~ 2.0x10^11
8 char password with letters and numbers:
36^8 = 2821109907456
8 char password with at least one number:
passwords with both - passwords with only letters = 2821109907456 - 208827064576 = 2612282842880 ~ 2.6x10^12
This seems to suggest that adding an extra letter (so having a password of length 9) is quite a bit better than including a number.
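Added example, not part of any post in this thread: the counts argued over above, computed exactly for any length and any set of "must contain" rules using inclusion-exclusion, and cross-checked by enumeration at small lengths. The class names and function names are assumptions made for this sketch.

```python
import math
import string
from itertools import combinations, product

# Character classes; assumed disjoint so alphabet sizes simply add up.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def count_passwords(length, allowed, required=()):
    """Count strings of `length` over the `allowed` classes that contain
    at least one character from every `required` class."""
    sizes = {name: len(CLASSES[name]) for name in allowed}
    alphabet = sum(sizes.values())
    total = 0
    # Inclusion-exclusion: subtract strings missing one required class,
    # add back those missing two, and so on.
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(sizes[m] for m in missing)
            total += (-1) ** k * reduced ** length
    return total

def brute_force_count(length, allowed, required=()):
    """Enumerate every candidate; only feasible for tiny lengths."""
    alphabet = "".join(CLASSES[name] for name in allowed)
    return sum(
        all(any(ch in CLASSES[r] for ch in pw) for r in required)
        for pw in product(alphabet, repeat=length)
    )

if __name__ == "__main__":
    ld, every = ["lower", "digit"], list(CLASSES)
    rows = [
        ("8 chars, letters only", count_passwords(8, ["lower"])),
        ("8 chars, letters+digits, no rule", count_passwords(8, ld)),
        ("8 chars, letters+digits, digit required", count_passwords(8, ld, ["digit"])),
        ("9 chars, letters only", count_passwords(9, ["lower"])),
        ("8 chars, all classes, no rule", count_passwords(8, every)),
        ("8 chars, all classes, all required", count_passwords(8, every, every)),
    ]
    for label, n in rows:
        print(f"{label:42s} {n:>18d}  ({math.log2(n):.1f} bits)")
```

The figures only describe exhaustive search over uniformly random passwords; they say nothing about guessing human-chosen ones like the "Monkey1!" pattern mentioned earlier in the thread.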
I use people I know and add some numbers, like this: StevenisGross73212 (now I do not know any people named Steven, and I hope they're not gross.) So for that one specific site I gotta remember Steven and what he is and the percentage of what he is.
my password for everything used to be asdfghjkl;'
All I had to do was slide my finger across the keyboard across those keys, hit enter, bam! Just looked cool doing my password, girls were watching!
[QUOTE=Skipcast;48669449]Not really, people can still use more than those. Although the average person probably doesn't. :v:
The amount of combinations is insane still though, the hacker would need to be able to bypass the bruteforce protection (by getting the database or something like that) that 99% of (good) websites has anyway.[/QUOTE]
The simple fact that the criteria is there at all massively cuts down on the number of possible password combinations making it far easier to break into than if the requirements weren't there.
[QUOTE=wickedplayer494;48669221]Sites that set a maximum length on passwords ([I]cough[/I] Microsoft) are absolutely fucking stupid.[/QUOTE]
That, and sites that either don't allow symbols, or only [I]certain[/I] symbols.
[QUOTE=Folstream;48670685]Obligatory:
[img]https://imgs.xkcd.com/comics/password_strength.png[/img][/QUOTE]
cue "correcthorsebatterystaple" being added to every dictionary attack since
When I was younger, I used to make my passwords based off patterns on my keyboard. Like forming letters such as V with the keys, and using that as a password. Was easy to remember till sites got stricter on how passwords worked by forcing numbers and capital letters, eventually I forgot my pass because I kept forgetting which key I made capital out of the pattern. Like, I don't get the capital part, or how having a number or even a SYMBOL will make the account less easy to breach. These guidelines can give people wanting to breach an account an idea of what password someone might have. Someone can have the most complex password out there comprised of lowercase letters, and maybe a number or two, but they will have to throw in a symbol because the site says that the password isn't safe. And if you're someone who has a complex password, and has to remember it, it'll be harder (IMO) to remember it because of that random symbol having to be put into the password.
I guess it's understandable that they don't want people who will get their accounts breached easily because their password was abc123, but honestly that is their fault. My only thinking is it's to save the website's ass more than ensuring the people registering have a safe account. Honestly, if someone has a password like abc123, and their account gets breached, it should be their fault. Everyone shouldn't be forced to abide by a guideline because one person didn't have a harder password, and got their account breached. But that's just my two cents on the matter.
it's already common knowledge that the best form of password enforcement is sheer length
a basic knowledge of combinatorics will tell you that the longer your password, the exponentially longer it will take for a bruteforce password guesser to work it out
granted, now that it's become common knowledge that simple & long passwords are the new big thing, most bruteforcers will at least go through the english dictionary of words to try first in any combination(which is still significantly better than an 8-9 character password with a mix of letters and numbers, which is hard to remember)
[video=youtube;yzGzB-yYKcc]https://www.youtube.com/watch?v=yzGzB-yYKcc[/video]
The way I do passwords is phrases I would never say like "IdJointheKKK" and then put 2 numbers in variation. So some sites it would be "IdJointheKKK69" and the other would be "IdJointheKKK96". (The more remember-able variant should go to higher-risk popular sites like Twitch or Facebook)
Then just put a notepad document on your computer if it's private just in case you forget it (which is really hard the more outlandish you make it) and bingo!
Easy Password
[QUOTE=Killuah;48669835]
Suppose my password is "x" that leaves 26 guesses.[/QUOTE]
that only works if letters are the only things you can have in a password. you are forgetting numbers, spaces, symbols, etc which would make more than just 26 possible single-character passwords.
passwords that have like 5 requisites are the fuckin worst. it just makes the password irritating to come up with and incredibly hard to remember
[editline]13th September 2015[/editline]
"this password must contain a symbol" is the worst offender
[QUOTE=TheWhiteFox1;48671770]passwords that have like 5 requisites are the fuckin worst. it just makes the password irritating to come up with and incredibly hard to remember
[editline]13th September 2015[/editline]
"this password must contain a symbol" is the worst offender[/QUOTE]
"this password must contain a horizontal tab character"