Thanks a lot!

How can you distinguish a & character randomly selected by diceware from a & character arbitrarily picked by me?

Yeah I thought the same thing, also subbed :)

Welcome aboard! 🙂

His recommendations are close, but not quite sound. Passwords need to be random.

Thanks!

Password cracking software like JohnTheRipper can "read" words, by treating them just as another type of symbol. These symbols can be either single characters or entire words. - Diceware has a character space of 7776 (words). This symbol space has 12.92 bits entropy per symbol. - Lowercase alphabet has a character space of 26. This symbol space has 4.7 bits entropy per symbol. A 7-word passphrase, parsed as *words* would have *90.44 bits* of strength. (7 times 12.92) If you assume the average English word is 6 characters, a 7-word passphrase, parsed as *letters* would have *197.4 bits* of strength (4.7 times 42) So if a password cracker were to treat a Diceware passphrase one character at a time, the length would make it more difficult to crack than attempting words at a time.

@@Cyberspatial Got it! Thank you very much.

Aditya Das thanks!!

We’ll get there one day. It’ll look like a combo of authentication methods. For now, the tech hasn’t caught up yet. Some issues with biometrics: - Pregnancy can change a woman’s blood vessel patterns in her iris. - Twins and look-a-likes don’t mix with facial recognition - Injury and trauma can wear away fingerprints. - There may be instances where you don’t want to authenticate using features tied to your identity - Machine learning has given rise to deep fakes that let attackers generate face and voice prints. Biological features aren’t something you can hide easily. Passwords are still in use because they have a proven track record of working well when implemented correctly. It’s a love-hate relationship for people and we’ll all celebrate when they’re phased out!

@@Cyberspatial I don’t think they’ll ever be phased-out, especially not in high-security settings. It’s another factor of authentication, and for things where it really super-duper matters, no one should just toss-out the “something you know” factor just because you have a bunch of others. Maybe I’m paranoid, but you know what they say, it isn’t paranoia if they’re really out to get you.

@lies damnlies Totally agree. "What You Know" is always going to be a factor.

Yeeeah, riiiight. Having passwords leaked in data breaches isn't enough, let's leak my genetic sequence as well

I have found that biometrics are prone to give false negatives. The number of times I have to enter my pin to open my phone because the phone doesn't recognise my finger is about 50% of the time. I don't see passwords going away any time soon.

Thanks!

It's a bit arbitrary, but you start to get diminishing returns for larger dictionary sizes because of the logarithmic nature of entropy.

Much appreciated

Memorise a short sentence. Make random And silly. Include uppercase letters . Add symbols and random numbers. BeansandeggsFART#178180

Thanks! More coming...

We'll show you how to build up to this using in password manager very soon!

You can start with one and slowly change your passwords over to a random and unique one. Do a few accounts everyday and after a month or two you'll be good to go!

Salt should already be built into the PM. 2FA probably means you're using a cloud PM.

@@Cyberspatial - If I understand how PM works, salt and 2FA have nothing to do with PM either cloud-based or not.

Your PM will may support different key derivation algorithms that uses salts. Cloud-based PMs use 2FA to authenticate you. It's not a true 2FA for encryption of the database. KeepassXC supports pseudo 2FA for encrypting, whether through Challenge Response with a Yubikey or a keyfile on a thumb drive.

no

Human beings are very bad at doing things randomly.

Assuming the password is random, 91-bits is actually pretty strong if the site is using a proper key derivation function. It's 91-bits multiplied by the number of seconds it takes to attempt each try. If the KDF is bcrypt or better yet Argon2d, the time it would take is infeasible to brute force.

@@Cyberspatial I'm still annoyed that the 14 character limit blocks using the dice method. Google allows 100 characters, which allows a good DICE phrase. Another site allows 250 characters. So it seems to me like those sites are aware of the newer password security methods.

Low entropy. You're gonna want 4-5 more words.

The 90's TV show Seaquest. That's not random, it's a pop culture reference.

If you were to create a dictionary based words from all your childhood inner incidents and did a log2() on the final number, how many bits of entropy would you get per word? For instance log2(100) is 6.6 but log2(10000) would be 13.2

@@Cyberspatial But a hacking software couldn't know that dictionary. From my point of view, the words are not random, which makes them memorable. But wouldn't the hacker still have to brute force the English language? But if I just picked 5 general words that popped into my head, there would probably be some associative pattern that's already been recognized and pre-programmed. If I picked a string of key historical dates, those have probably already been pre-programmed. But 'where was I on such and such historical dates', how could that be programmed?

KeepassXC can do Extended ASCII, which gets you part of the way there. If you want all Unicode characters too, learn to write a python script to generate it for you! It's not hard!

That's the observable universe.