• Viking_Hippie@lemmy.world
    link
    fedilink
    arrow-up
    28
    arrow-down
    2
    ·
    3 months ago

    Pass PHRASES are much better anyway.

    Nobody’s gonna remember “pyf85ruGmmgæ&Oy_w48euaT0lt” so they’ll either write it down, save it to their browser,or use a password manager, either of which makes it less secure.

    On the other hand, something simple that doesn’t necessarily make sense, say “AlmondsMakeFineGrenades” is difficult for both humans and machines to guess, but easy to remember.

    Tl;Dr: an xkcd comic explaining it much better than I just did 😁

    • bonn2@lemm.ee
      link
      fedilink
      arrow-up
      14
      arrow-down
      1
      ·
      3 months ago

      Using words in your password can undermine your security aswell, you need to include some other non-English stuff or you can be very vulnerable to dictionary attacks.

      • Viking_Hippie@lemmy.world
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        edit-2
        3 months ago

        Using words in your password can undermine your security aswell

        Only if they’re predictable words and/or in a predictable order. No dictionary attack is going to guess the exact word combination above or equivalent any faster than the preceding keyboard mashing.

        Unnecessarily adding complications only makes the pass phrase harder to remember and thus less effective.

    • shadowedcross@sh.itjust.works
      link
      fedilink
      arrow-up
      6
      ·
      3 months ago

      I use a password manager for a few reasons, but not having to remember hundreds of passwords myself is definitely one of the main ones. I sometimes struggle to remember the few phrase-based passwords I do use.

    • SaltyIceteaMaker@lemmy.ml
      link
      fedilink
      arrow-up
      8
      arrow-down
      2
      ·
      3 months ago

      Until you get hit with a dictionary attack.

      Luckily this isn’t really viable today as most logins just block you after like 5 attempts.

      only sucks when you have 6 passwords and don’t remember which one

      • Viking_Hippie@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        edit-2
        3 months ago

        Until you get hit with a dictionary attack.

        As I explained to the other one, no dictionary attack will happen upon that exact combination of words any faster than the keyboard mashing preceding it.

        Using a COMMON word or a COMMON phrase would leave you vulnerable, sure, but no prediction process is going to happen on the exact combination.

        Hell, add a word or two to “SaltyIceteaMaker” and it would make an extremely secure pass phrase. For something without that string in the user id, of course 😁

        • Johanno
          link
          fedilink
          arrow-up
          3
          ·
          3 months ago

          The main advantage of a password manager is that you can have a different password for each account. Which means in case of a leak you won’t be in risk of losing other accounts.

          And I don’t think I want to remember 300 pass phrases with different words.

          • Viking_Hippie@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            edit-2
            3 months ago

            The main advantage of a password manager is that you can have a different password for each account. Which means in case of a leak you won’t be in risk of losing other accounts

            Except it’s the opposite: if someone gets the master password for your password manager, that’s all of them.

            And I don’t think I want to remember 300 pass phrases with different words.

            That’s another advantage of the pass phrase over the easily remembered password: repeating an uncrackable passphrase doesn’t pose the risk that repeating a guessable password.

            You can use RentMauriceHouseHurryNow for all your accounts and they’ll all be safer than a billion different strings protected by a single guessable master password.

            Especially if you’re not in the tiny minority of people who actually knows a Maurice who isn’t called The Space Cowboy by some people.

            • Johanno
              link
              fedilink
              arrow-up
              5
              ·
              3 months ago

              Using the same password (no matter how secure it is) for all accounts is a bad idea.

              Assuming you have at least 20 accounts with sensible data, and you don’t even remember that 5 of them exist.

              Now shittywebsite.xy gets hacked and all data is unencrypted and unhashed.

              So now your.email@adress.com with yourSecu4ePassPhrase is leaked.

              You now quickly try to change the password on 15 accounts with the same email and password. But you forgot the 5 accounts you made years ago. Now after some time hackers login into the the old accounts and get your credit card info or whatever.

              Great idea!

              Yes my password manager is a single point of failure, but it is one I personally control and have the view over.

              • Viking_Hippie@lemmy.world
                link
                fedilink
                arrow-up
                2
                ·
                3 months ago

                Good point.

                A series of pass phrases that you can remember yourself is still better than relying on a password manager that can ALSO expose all of your passwords, none of which you remember.

        • SaltyIceteaMaker@lemmy.ml
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          3 months ago

          It’s still less combinations than just scramble tho. It may be enough idk, but an algorithm that just combines words would definitely at some point arrive at like “SaltyIceteaMakerBlueAcorn” it’s only once you add random letters/numbers/special characters that a dictionary attack stops working.

          Although this probably doesn’t matter as it would likely still take like a century or ten to complete

          • Viking_Hippie@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            3 months ago

            It’s still less combinations than just scramble tho

            Not in any meaningful way, no. There’s what, hundreds of thousands of words in the English language? With no apparent pattern, that’s a near-infinite number of possible combinations of 5 or 6 word phrases.

            Add that most password crackers would use another kind of attack that presupposes that there’s numbers and special characters and you really have redundancy on redundancy.

            an algorithm that just combines words would definitely at some point arrive at like “SaltyIceteaMakerBlueAcorn”

            Not within your lifespan or even that of humanity.

            it’s only once you add random letters/numbers/special characters that a dictionary attack stops working.

            That’s just not true if you don’t consider “might theoretically get there in a million years” as “working”.

            Although this probably doesn’t matter as it would likely still take like a century or ten to complete

            Exactly. So your entire point is moot. A password or passphrase doesn’t need to hold for longer than the existence of the account (or whatever’s being protected by it), the user, or the species of the user.

    • itslilith@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      Use that, but only for the handful of passwords that you

      a) need to remember regularly, even when you don’t have access to your password manager b) need to be really secure

      I’d say email and banking are the obvious ones. For everything else, rely on a good (self-managed, open source) password manager. Sure, a passphrase beats any human-memorable password, but it doesn’t stand a chance against my 250bit entropy machine generated passwords. And thanks to KeepassXC I never have to type any of them. And sure, you can secure your password manager’s database with a passphrase, if you’re so inclined

      • Viking_Hippie@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        3 months ago

        hackers can prioritize English words

        Yeah, all hundreds of thousands of them. In combinations that don’t make logical sense. Do you have any idea how long that would take?

        Even if I limited myself to a 5 word pass phrase from a word list of 5000, there would be 25989619781251000 possible combinations.

        Make that list the entirety of the English language and there’s no way you’d be able to brute force it before the sun becomes a red giant, let alone during the lifespan of an unhealthy elder millennial 😄