this post was submitted on 13 Mar 2024
1019 points (96.9% liked)

Memes

45886 readers
1680 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 

Brute force protection

@memes

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 12 points 9 months ago (5 children)

Rainbow tables and presumably newer stuff I haven't heard of make this sort of thing weaker than it used to be

[–] [email protected] 30 points 9 months ago (1 children)

Salting makes rainbow tables pretty much useless, and salting has been a standard practise for a few decades now.

[–] [email protected] 1 points 9 months ago (2 children)

A few? I always had an easy time cracking my mom's desktop password with them so I guess Microsoft wasn't doing it with XP or Vista.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

Just to give you some opposite example, WordPress, Magento, Drupal, Django are using salts almost 2 decades now.

[–] [email protected] 1 points 9 months ago (1 children)

You do realize XP and Vista are few decades old?

[–] [email protected] 1 points 9 months ago

No I'm a few decades old.

[–] [email protected] 18 points 9 months ago

How does a rainbow table help here? They're more for decoding unsalted encrypted database tables, rather than for actually trying to login.

[–] [email protected] 13 points 9 months ago

The rainbow table would have to include every four word combination. At around half a million words in the English dictionary, that's not a small number.

As another XKCD comic illustrates, it's cheaper to use a wrench.

[–] [email protected] 12 points 9 months ago* (last edited 9 months ago) (2 children)

Dictionary attacks have been around for a long time, but It's still quite strong especially if you throw in a number.

A fully random 8 character password has about 10^14 brute force combinations (assuming upper and lower case + the normal special characters). 4 words choosen at random from the top 3000 words (which is a very small vocabulary really) is 10^13 dictionary attack combinations, add a single number or account for variations in word style (I.e maybe don't always use camel case) and you've matched the difficulty. If you use 5 words it's 10^17 combinations.

A password manager and a hard password is a better idea but there are cases where you can't use a password manager (like the password to said manager).

[–] [email protected] 4 points 9 months ago (1 children)

I'm a basic little shit so, I basically use a correct horse + number password for my PW manager

[–] [email protected] 7 points 9 months ago (1 children)

I use a whole sentence with a typo lol

Something like "On March the 3rd of 2012 my dog Billy ate 8€ worrth of schmeggles!“

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago)

Used beginning letters of the words in song verse sprinkled with special characters for the rythm, feels good while typing

[–] [email protected] 1 points 9 months ago

I do a passphrase like the comic followed by 56 characters of gibberish using an https://onlykey.io/ (acts as a USB keyboard) that has a 10 digit pin (6 characters to choose from) and a kill switch pin (if I were ever forced to unlock it). I use this method for my disk encryption, main account login, and password manager.

I also use a https://www.themooltipass.com/ for vendor diversity (4 digit pin but all hex characters). I prefer the onlykey.

I rotate the gibberish monthly and the passphrase 2-3 times a year.

Once a year I change up the pin codes.

I figure that gives me enough entropy from brute force on all my systems with a balanced level of convienence and security. I literally don't know a single one of my passwords.

[–] [email protected] 4 points 9 months ago (2 children)

Yeah I thought about adding a note that it's pretty outdated - and dictionary based scans were always possible even if less common in the old days - like those infamous passwords "God", "Love", "secret", or like "admin".

The artist is pretty smart most of the time though so I presume they were aware of that possibility and meant that on a more basic level there are multiple ways to make passwords easier for a user to remember, not necessarily just this one rather simplistic take but as part of a whole approach. Then again, they didn't say that, and instead said this, thus the controversy.

Personally I gave up entirely and now I don't even know what any of my own passwords are, though my password manager does:-). I guess... if you cannot beat them, join them!?:-P

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago) (4 children)

My current favorite "memorizable" method (obviously a random hash from a PW manager is still better) is to take a sentence of moderate complexity that includes the name of the service you're signing up for in it, and use the first letter of each word as your password.

For example, "When I wake up in the morning, the first thing I do is go to pawb.social."

Password would be "WIwuitm,tftIdigtps."

Easy to remember, immune to dictionary attacks, and you get a (mostly) unique password for each service, so stolen passwords can only access that one thing.

Edit: To be clear, the value is that you can use the same sentence everywhere, switching out the name of the service to generate semi-unique passwords for each service. Obviously someone analyzing your passwords would be able to figure out the pattern, but that's basically never what actually happens; it's more likely someone gets 1 password and tries your email address + that PW in a variety of services, which this is strong against.

[–] [email protected] 3 points 9 months ago

I dunno, all I do is hit copy, then go to the website and hit paste, and that's pretty easy as well:-P.

I do need to step up my game for work though, b/c it keeps asking me a password multiple times a day so if I could rattle one off that would be better than having to open up my password manager and get it.

[–] [email protected] 2 points 9 months ago (1 children)

This seems like a memory method for someone who has a great memory. (Better than mine anyway)

[–] [email protected] 2 points 9 months ago (1 children)

It's surprisingly easy to memorize. The sentence basically acts as a mnemonic device to remember the password, and it's a lot easier to memorize a sentence that makes sense to you than to memorize something like "Tr0ub4d0r&8".

[–] [email protected] 1 points 9 months ago

I just see myself changing the words around honestly. It's not like i think it's a bad idea just dunno if i can pull it off

[–] [email protected] 2 points 9 months ago

I simply change my keyboard layout. Auto-scramble a simple phrase.

[–] [email protected] 1 points 9 months ago

I have a strict, "do I give a fuck" policy when it comes to security.

I keep the harder to crack passwords for critical things like banking, etc... since there's only a few I can remember them. I also always use MFA.

For all the other shit that I don't give a fuck if it's hacked it's the good old *Banana$1234" type password that I reuse for decades and save to firefox's password manager.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago)

It's not outdated at all, but you need more words.

See diceware, 7 to 8 words is typically all you need