[QUOTE=DChapsfield;47490655][img]https://imgs.xkcd.com/comics/password_strength.png[/img]
[U]always[/U] [U]relevant[/U][/QUOTE]
And yet, there's websites that won't let you exceed an 8 character password limit. I changed a password and made it long and it said Please no longer than 8 characters. What the FUCK. Okay. "Password" it is then you dipshits
And I'm pretty sure there's one Microsoft owns that won't let you exceed 12
[QUOTE=Saphirx;47495081]quite a mouthful.[/QUOTE]
Now all we have to do is rule out the passwords that, according to the website, don't take 26 quadrillion nonagintillion years and I'd give your password 30 days
i basically have four layers of password security that i've been using for a while now
1st layer means the password is for an account or service that i don't care about. the password is 6 characters long and memorized forever, and i only use it on services or accounts where if it got hacked i wouldn't bother looking into it.
2nd layer means i might need the account later, or i might want to use it later. the password is 8 characters long and memorized forever, and i only use it on services where if it got hacked i would maybe consider looking into recovering the account.
3rd layer means i want the account and care about it (facepunch, other forums, etc.) the password is more than 10 characters long and memorized forever, i only use it for services or accounts where i would definitely recover them if they were compromised.
4th layer means it's ultra important (steam login since i have a lot of games, reddit since i moderate a subreddit, etc) and i would fight tooth and nail to recover my account. memorized forever.
dunno if anyone else does this tbh but it's worked for me so far.
[QUOTE=ROFLBURGER;47491312]wheres that one flash game where you enter your password and it tells you how long it takes to crack it
[editline]9th April 2015[/editline]
[url]https://howsecureismypassword.net/[/url]
just enter something close to your password if you're paranoid
for example my password is ****** so i entered ######[/QUOTE]
I write down lyrics of different songs AND I'm learning new numbers!
Trestrigintillion! Haha, what is that?
[QUOTE=SgtTupelo;47496048]I write down lyrics of different songs AND I'm learning new numbers!
Trestrigintillion! Haha, what is that?[/QUOTE]
tres = 3 tri =3
33*3+3=102
so it's 10^102
don't worry I play incremental games, i know
[QUOTE=J!NX;47490969][code]hitlerdidnothingwrong420yoloswag[/code]
much better[/QUOTE]
this is strikingly similar to all of my passwords
[QUOTE=ROFLBURGER;47491312]wheres that one flash game where you enter your password and it tells you how long it takes to crack it
[editline]9th April 2015[/editline]
[url]https://howsecureismypassword.net/[/url]
just enter something close to your password if you're paranoid
for example my password is ****** so i entered ######[/QUOTE]
I got 11 minutes for a password I use on a bunch of random sites. Fuck.
I used to use a single phrase password as a kid, and even to this day I use it for shit that isn't official or has my name attached. But those that do have a number counting up after each letter, making it easy to remember the password for simple shit, and still easy for secure stuff.
[QUOTE=J!NX;47490969][code]ééRïüv[NÆ/¨½áØ¥ºùÚÿ£OÄ×ÌйÄì9EßUcqXZõôÔ¥%â夤Ýhç;½a-ÖùóÖ2jÚÄ¿Gï³¶êà"}X)gô¯îna¨Ù·È§NB}ØÕª£óïZ&[ÈDS½õ¯Tx÷v~lmûSn%¿b»Ç¸Íúul'SæB/aaØDAXZÕbfÿ8ÃúÌÇÔ8kSÓ¬Ç0eÍÊ>'Yr2ø[äX·üY±sP8ÆFÙè,ÞO)6Û8~¤!?;=,¼L)!M·Ïa¯j,ü¼u[/code]
isn't strong enough
[code]hitlerdidnothingwrong420yoloswag[/code]
much better[/QUOTE]
i read the picture above and i still can't understand why the second password surpasses the first
[QUOTE=Tetsmega;47500249]I used to use a single phrase password as a kid, and even to this day I use it for shit that isn't official or has my name attached. But those that do have a number counting up after each letter, making it easy to remember the password for simple shit, and still easy for secure stuff.[/QUOTE]
my bf used to use "dragon" as his password
for
[I]everything[/I]
and then I bitched him out
[QUOTE=J!NX;47500344]my bf used to use "dragon" as his password
for
[I]everything[/I]
and then I bitched him out[/QUOTE]
Hahaha goddamnit isn't that like, literally on every top ten password list? Right next to "monkey"?
[QUOTE=Used Car Salesman;47501710]Hahaha goddamnit isn't that like, literally on every top ten password list? Right next to "monkey"?[/QUOTE]
someone could bruteforce that by physically typing it by hand within 5 minutes
My password is made of 3 words in different languages B)
My old password was "mypasswordisfuckingawesome"
[QUOTE=Quark:;47495914]i basically have four layers of password security that i've been using for a while now
1st layer means the password is for an account or service that i don't care about. the password is 6 characters long and memorized forever, and i only use it on services or accounts where if it got hacked i wouldn't bother looking into it.
2nd layer means i might need the account later, or i might want to use it later. the password is 8 characters long and memorized forever, and i only use it on services where if it got hacked i would maybe consider looking into recovering the account.
3rd layer means i want the account and care about it (facepunch, other forums, etc.) the password is more than 10 characters long and memorized forever, i only use it for services or accounts where i would definitely recover them if they were compromised.
4th layer means it's ultra important (steam login since i have a lot of games, reddit since i moderate a subreddit, etc) and i would fight tooth and nail to recover my account. memorized forever.
dunno if anyone else does this tbh but it's worked for me so far.[/QUOTE]
i have about 5 passwords ranging from junk account to super serious.
We should really just jump ship to 2-factor authorization
I have a phrase and different extensions of said phrase and with my email being the longest variation of said phrase. makes me worry about sharing too many
wait did that site just tell me that pussy is in the top 10 most used passwords?
I just use the same password for everything that doesn't cost money or have worth inside of it.
During one part of school we had passwords that we were forced to change every 30 days, most people therefore had simple passwords and just increased a number or the like on them.
Security.
One month, my password was; "1338, one step ahead of the average noob".
[QUOTE=Hypershadsy;47491790]We're talking Keepass here, not Lastpass.
Lastpass is probably more convenient being a browser extension, but there's no guarantee of serverside security. It's likely that they are encrypting it well, but still. Keepass is all local.
I have my Keepass db set up so that each password [I]attempt[/I] takes one entire second to verify. Brute force [I]that[/I].
Also, I use the password generator to create absurdly large and unique passwords for each site. If a site I use gets pwned, no harm to any of my other accounts.[/QUOTE]
[url]https://www.grc.com/sn/sn-256.htm[/url]
Lastpass is encrypted and decrypted locally. Lastpass never actually sees your password at any point in time, the mechanism to retrieve the account is a hash of your username and password. It's just as secure.
[editline]13th April 2015[/editline]
Oh, I'm sorry. It hashes your username and password to encrypt and decrypt files locally, and then it takes the output of that hash and hashes it with your password again, and that's what's sent to Lastpass corporation.
[quote]So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It's just like it's been digested into this thing. In fact, hashes are called "digests," also, for that reason.
What that is, is that is your cryptographic key. That's the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They're holding the encrypted results of your own personal database, just because that's what they do. That's the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone's ever heard of. So but what they're holding, they have no ability to decrypt. They never get the key. That never leaves your system.
Now, they do need to know that it's you. That is, they need to know that it is you who are logging in. And so there needs to be an authentication process, so you identify yourself to them. But we don't want them to get the key. So what they do is, they take that key, the cryptographic key, and they add your password to it, that is, they concatenate your password to your cryptographic key, and they hash that. So they do another one-way function on your crypto key with your password, which they don't know because they never get it. But they get another blob.
So this second blob, this second output from the hash, that's your unique ID. That is, the only way to get that is if you take your username and password, hash it, then add the password to that and hash it again. So it absolutely depends upon both of those pieces of information. So then your username and that goes to LastPass to identify you. And because that contains your password twice hashed into it, nobody who doesn't have your password, even if they have your email address, is able to produce that blob. So you have to have your email address and your password run through this hash twice to get that blob.
But notice that your cryptographic key, which is sort of the first byproduct of that because that's the output from the first hash, that goes into the second hash but is lost in the hashing process, thanks to it being mixed with your password. So the LastPass people never get your crypto key. They get a different unique token that identifies you to them so that you're able to log on securely to their facility. And these guys are so paranoid that they don't even save that on their servers. They don't even save that special logon blob, the output from that second hashing process.
Instead they, at the time you create your account, they come up with, they use a random number generator at their headquarters to create a unique 256-bit token which they save with your account. And whenever you're logging in, they take this 256 blob you're sending them that's the result of these two hashing processes. They add that to this unique 256k random number, and they hash that. And that's what they compare to what's stored with your account. Which is to say they never store that logon token. They store the result of hashing that logon token with a unique 256-bit value that they created for you. So they dynamically see if it's the same, but they never save your logon token. They just - they don't want it. They don't need it. So they're able to perform a dynamic check whenever you need to authenticate, but they don't keep it statically.
So, I mean, this thing is secure every way you can imagine. And it's simple. The reason it appeals to me is that there's no hocus-pocus, there's no mumbo-jumbo, I mean, I can explain it to you and understand it, which means I believe it. Because there's no, oh, then a miracle happens, and just trust us. That's not necessary. The result of this 256-bit hash where they take your username and password and hash that to get the key for the encryption, that is used with the industrial-strength, maximum-strength, AES 256-bit cipher that we've talked about, which takes 128-bit blocks at a time and turns it into 128 bits of gibberish under the influence of the key. [/quote]
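The two-hash scheme described in the quoted transcript, as an added Python example (not part of the original post and not LastPass's code). The function and class names are hypothetical, and the UTF-8 encoding and the byte order of each concatenation are assumptions the transcript does not specify.

```python
import hashlib
import hmac
import secrets


def normalise_email(email: str) -> str:
    """Lowercase the address and remove all whitespace, as the transcript describes."""
    return "".join(email.lower().split())


def derive_vault_key(email: str, password: str) -> bytes:
    """First hash: email + password -> 256-bit key. Never leaves the client."""
    return hashlib.sha256((normalise_email(email) + password).encode("utf-8")).digest()


def derive_login_token(vault_key: bytes, password: str) -> bytes:
    """Second hash: key + password -> the unique ID sent to the server."""
    # Assumption: the key is concatenated as raw bytes before the password.
    return hashlib.sha256(vault_key + password.encode("utf-8")).digest()


class Server:
    """Hypothetical server: keeps a random 256-bit value and a hash, never the token."""

    def __init__(self) -> None:
        self.accounts: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, token: bytes) -> None:
        random_value = secrets.token_bytes(32)  # per-account 256-bit random number
        stored = hashlib.sha256(token + random_value).digest()
        self.accounts[normalise_email(email)] = (random_value, stored)

    def authenticate(self, email: str, token: bytes) -> bool:
        record = self.accounts.get(normalise_email(email))
        if record is None:
            return False
        random_value, stored = record
        candidate = hashlib.sha256(token + random_value).digest()
        return hmac.compare_digest(candidate, stored)  # constant-time compare


def login(server: Server, email: str, password: str) -> bool:
    """Client-side login: derive key, derive token, send only the token."""
    key = derive_vault_key(email, password)
    return server.authenticate(email, derive_login_token(key, password))


if __name__ == "__main__":
    srv = Server()
    # Constructed sample credentials, for illustration only.
    k = derive_vault_key("User@Example.com", "correct horse")
    srv.register("User@Example.com", derive_login_token(k, "correct horse"))
    print(login(srv, " user@example.com ", "correct horse"))  # normalised email
    print(login(srv, "user@example.com", "wrong password"))
```

Each step here is a single fast SHA-256 pass, so how hard the stored values are to guess offline depends entirely on the strength of the master password.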
[QUOTE=ace13;47519621]During one part of school we had passwords that we were forced to change every 30 days, most people therefore had simple passwords and just increased a number or the like on them.
Security.
One month, my password was; "1338, one step ahead of the average noob".[/QUOTE]
Certain companies, such as ISPs, require you to change your password every 14 days or so, with certain requirements. Those certain requirements are often no use of dictionary words too.
Actually, I don't get the deal. It's not that hard to make sure you have a secure password. Really all you need is a master key for each site you visit, and just combine the website name with your login, along with the key, to get your password.
That is not something most people would ever want to try.
However, for those wanting to use sha256 hashed passwords, I'd like to remind you that even though the security is pretty high by using that alone, using a fixed length type password (say an MD5 of your password, as your password) is not difficult to break if the attacker has any clue that your password is made that way.
All they need is to try any combination of that fixed length type word. No more, no less, as would be the case with bruteforcing where passwords can usually be in length 6-infinity usually consisting of any ASCII character.
[editline]18th April 2015[/editline]
(With MD5 you don't even need that though)
[QUOTE=itisjuly;47490709]Until someone gets your master password.[/QUOTE]
It's not really different from a situation where someone gets access into your computer and is able to log all your passwords over time using a keylogger. With a password manager you are safe from server-side password leaks, in which case you can simply generate a new password for that site and you're good to go.
If you're really paranoid, you could create two password databases with two different master passwords, one for social media passwords and such running on your everyday OS, and another for more important passwords like your bank accounts, running on a USB stick with a more secure and bare-bones Linux distribution (e.g. Tails).
But honestly, who here would go through the effort to do that? :v:
[QUOTE=Matoking;47551359]It's not really different from a situation where someone gets access into your computer and is able to log all your passwords over time using a keylogger. With a password manager you are safe from server-side password leaks, in which case you can simply generate a new password for that site and you're good to go.
If you're really paranoid, you could create two password databases with two different master passwords, one for social media passwords and such running on your everyday OS, and another for more important passwords like your bank accounts, running on a USB stick with a more secure and bare-bones Linux distribution (e.g. Tails).
But honestly, who here would go through the effort to do that? :v:[/QUOTE]
There's a more sane and easy way to go about it.
TrueCrypt on a USB. With a generatable keyfile. Should be difficult enough to crack, given that the keyfile shouldn't be a permanent existing file and the password doesn't even have to be insanely secure.
With that setup, they'd need to catch you with the stuff decrypted. And if they do that, there's a high chance what you're doing isn't very legal anyway.
[QUOTE=ROFLBURGER;47491536]today i learned that nigger is in the top 980 used passwords from being 12 and typing nigger into the password security test[/QUOTE]
And I learned that "pussy" is in the top 10 most used passwords because people are childish and/or horny idiots idk.
[QUOTE=ace13;47519621]During one part of school we had passwords that we were forced to change every 30 days, most people therefore had simple passwords and just increased a number or the like on them.
Security.
One month, my password was; "1338, one step ahead of the average noob".[/QUOTE]
Our school had premade passwords for our internal network accounts that were like PIN-codes on your debit-card.
That's right, whole FOUR numbers. But the school had only like 1500 students so there were no duplicates. But still. If you wanted to get on someone else's account it wasn't exactly hard. Usually we cracked the code by looking at someone type it once.
I never did anything bad with it, but when my friend forgot his PIN and was freaking out, I just went "AHEM. I can help!" and logged in for him. His expression was priceless. :v:
I just use a generator somewhere to give myself random strings of alphanumerics, sometimes a string of 20 or so and I don't have much trouble memorizing them.
Usually I just split them up into 3 or 4 character sections like a CD key and they feel easier to remember.
Would a row of numbers, like your birthday, repeated 10 times be a safe password?
That would be 80 characters long
[QUOTE=Niklas;47556585]Would a row of numbers, like your birthday, repeated 10 times be a safe password?
That would be 80 characters long[/QUOTE]
Not anymore.
[QUOTE=J!NX;47490969][code]ééRïüv[NÆ/¨½áØ¥ºùÚÿ£OÄ×ÌйÄì9EßUcqXZõôÔ¥%â夤Ýhç;½a-ÖùóÖ2jÚÄ¿Gï³¶êà"}X)gô¯îna¨Ù·È§NB}ØÕª£óïZ&[ÈDS½õ¯Tx÷v~lmûSn%¿b»Ç¸Íúul'SæB/aaØDAXZÕbfÿ8ÃúÌÇÔ8kSÓ¬Ç0eÍÊ>'Yr2ø[äX·üY±sP8ÆFÙè,ÞO)6Û8~¤!?;=,¼L)!M·Ïa¯j,ü¼u[/code]
isn't strong enough
[code]hitlerdidnothingwrong420yoloswag[/code]
much better[/QUOTE]
is that actually the case? random letters, numbers, symbols is more insecure than just say 5 words in a row?