I used to use sentences for passwords e.g iuseredditforpornonly Now I use bitwarden to randomly generate them.

Most places have a maximum number if characters for passwords.

I use a password manger, and use very long and very random passwords for almost everything. 98% of my passwords i dont know, I also enable 2FA when and were i can.

for the passwords i must remember, i most make sure i can remember them and that they are not guessable, and are as decent as i can make them.

You can do the math yourself if you want to compare. Each word from a common dictionary can be considered a “character” from a character set 5,000 units large, so four words give you 5,000^4 possibilities. Now compare that to, say, 16 characters from “A-Za-z0-9 and 20 special chars” = 56 characters, so 56^16 possibilities.

5,000^4 = 625 * 10^12 = 10^15 roughly
56^16 = 10^28 roughly
56^9 = 5*10^15 roughly

So four words equal nine characters from a common password.

https://unix.stackexchange.com/questions/230673/how-to-generate-a-random-string

Of course Windows makes things difficult.

https://devblogs.microsoft.com/scripting/generate-random-letters-with-powershell/

https://keepass.info/help/kb/pw_quality_est.html check this out and read about password entropy

LPT: Use a password manager like LastPass so that you don't have to remember all of your passwords.

I don’t think any of the places I have passwords allow for spaces or that many characters. Good tip though if they do.

It's more likely that someone will gain access to your computer than that they'll gain access to an encrypted storage location in the cloud.

Your passwords are encrypted in two ways in the cloud. First, it's encrypted on your computer, and then that encrypted information is put into the cloud provider's storage. They encrypt it a second time, to make sure that no one is getting access to their stuff(the state of your data as it is when they're handling it).

Your passwords are much safer in LastPass than they are in a plain text file on your computer. They're also automatically entered. One of the biggest ways people steal passwords is by tricking users into entering them into pages that look fake. One of the great things about LastPass is that it remembers your passwords for sites you've entered passwords on, and it puts a button on each form you've already filled, so all you have to do to fill it in is to click the button to fill it. You don't have to remember your password. And if you go to a site that looks real but isn't, you probably won't have entered your password on that site, and you'll probably get suspicious when that button to automatically fill isn't there.

Another great thing about LastPass is that it sets you up to have random passwords on every site, as they've always recommended, so you click LastPass' button to generate a password for the current site, and it generates it, fills it in, and saves it, all at once. You don't have to remember your site passwords at all or keep track of them at all. And if one of them happened to fall into the wrong hands, it wouldn't affect you so much, because your password will be different on every site.

LastPass also helps you by identifying sites where you've previously used the same passwords, and gently nudging you to change the password for that site. It's not a huge annoyance, just a different color to the LastPass button, but it helps. That helps you secure your old passwords.

And the last thing they provide is that they monitor sketchy websites to see if any of the names and passwords you've entered into LastPass have shown up on the lists of people's stolen names and passwords that get traded on those sites.

It's really worth every penny, and my mom who is not tech-savvy has a lot easier time using LastPass than she ever had using a text file like you are.

What about the requirement for a number and special character?!?!

Use this LPT to set the password for your password manager.

Brute force no longer works after accounts are locked out after so many attempts.

What is it that we’re trying to keep them out of that they can attempt every combination imaginable without triggering security flags?

But I have so many passwords to remember that the universe would experience its heat death before I memorized them all.

A text file is not encrypted - if someone gets hold of it they have all your passwords. It's far less safe than something like LastPass which is encrypted so even someone with access to their systems can't read your passwords. There's also two-factor authentication in case someone successfully guesses or keylogs your master password.

A piece of paper would be more secure than a text file.

This sounds great until you realize just how many websites have maximum lengths for their passwords or limits on repeated letters or require symbols or don't allow spaces. I went through my few hundred passwords a few years back and changed them all to follow a similar length strategy as you show here only to be sickened by how often I wasn't allowed to make my password strong.

Try https://hpass.app. It is an open source PWA (Progressive Web Application). It is very easy to use, and with minimal user input generates highly secure, unique passwords for all sites you visit. Go to https://hpass.app/info.html for a full description.

You could just pick three words and have a stronger password than doing complicated manipulation for two words.

Length equals strength! Special characters/caps, etc. add very little security if your password is shorter than 12 characters. A pass phrase, even without gibberish added, is stronger than a password. "My shoes are green with black laces." is 36 characters, including the period. Throw that in a password checker and see what it tells you.

LPT: use a random password generator

No thanks, the password I used when I was 9 is my password forever

In addition: make passwords short sentences. A lot of websites and apps support upwards of 50 characters, so take advantage!

InfoSec dudes always told me length is just as secure as the special characters, etc. So their advice for people was pick a phrase that uses the whole of the 14-28 character limit.

My VP told me he tends to uses expletives. So for instance for Gmail his password may be:

FuckingGmailBullshit2023.

His favorite was for a program at work he hated with a passion so his former password was:

IFuckingHateYouMuthafucker1

His goal was for something to so screw-up the desktop guys needed to ask for his password lol

Modern password crackers know most people subdtitute A with 4 or @, I with 1, S with 5 etc. Those passwords crack almost as quickly as ones without special characters.

Simple math:

Password 1: mynameisjohnsmith is 17 characters long using plain lowercase letters - has 26^17 combinations.

Password 2: xq7$L9p& is 8 letters long using captials, numbers, and special characters too and has 64^8 combinations.

Password 1 format has about 4 Billion times more combinations than password 2. If a supercomputer could crack password 2 in 1 second, it would take over 120 years to crack the first password.

I think that was the point of the xkcd comic referenced earlier.

Yeah but you also have to satisfy the requirements of the password which almost always wants a special character. I just use ch@racter5 !nstead of l33ters if necessary to use my easier to remember phrase.

The issue with that is that it makes it way harder to remember, without actually making it that much harder to crack (because any dictionary attack is also going to include common substitutions). Now you need to know which o you replaced with an @, or was it a 0? Did you swap an i or an l with a 1, or maybe it was an e with a 3.

I use 1Password and it's amazing.

Every login I have has a 15-20 unique password!

They could but how would they know what my phrase is? Ultimately I choose 4 words and put them together with some numbers and a symbol and that’s been sufficient for years. Probably time I change it but the hacker would need to know where spaces are included and how long each of the words are. Brute force can only go so far and when you throw 24 digits it starts to get too hard to crack in an efficient time for the hacker

The is the real life hack! It saves your passwords and you can use a long password with all the variations of password requirements! There’s even mobile version. I’m a huge Keepass fan.

Haven't multiple password managers been compromised? Kinda defeats the purpose to keep all your eggs in one basket. Memory or physical keys are the only internet proof solutions I'm aware of.

We had a discussion at work about using a password manager AND adding something unique to the end of the password that you entry manually. Eg password manager stores z0?!aP5 but the password is actually z0?!aP5FukU Makes auto changing passwords etc a bit more tedious but could be a good idea?

A password manager is a place where all of your sticky notes are encrypted, salted, and hashed preventing most hackers from accessing them, even in event of a breach.

All you need to remember is ONE strong password such as tigglebittys1886Fr33edumb$32$.

Remember that password. You can do it. Everyone can. You have one job. You never need to remember any other passwords again thereafter. If you can’t remember 1 fucking password, you are no longer my mom

Choosing four random words is called dice words. It’s got decent entropy, but not the highest. And there’s a difference between four random words and four chosen words. But for most use cases if I recall correctly, you gotta go for five or better.

They tend to be longer and part of it is knowing the dictionary that they were chosen from (still computational expensive). We don’t know that the four random words were four random user words or if they were actually dice words.

I think what this is really about are password strength detectors. And they have limitations cause they don’t know how you generated your password..

If I recall correctly, even NIST is saying at this point that hard character requirements are a thing of the past (NIST 800-63B) and size matters

Yeah no one is gonna guess that! What sites do you use that for? 🤣 Remember any comment you make online like this gives a threat actor information to try and crack your passwords. General concepts are ok but anything specific gives them advice on an approach to cracking it.

+1

it’s been known for a while and is so dumb most sites still require the “complex” characters and sometimes even limit which special characters you can use. I’m glad most orgs have gotten rid of having to change your password every 60 days as it’s been shown people will pick really simple passwords to remember or start writing it down.

Way to miss the point

4 words from a dict of 2000 is 2000^4, or about 2^44

A single word from a much larger dict (Randall uses a 64k dict) with common patters is only 24 bits of entropy

Now you could argue that 2^44 isn't enough nowadays. With bcrypt or scrypt you're likely to be limited to aout 2^8 hashes per second, so about 2^36 seconds or 2000 years to run through it.

A truely random 12 character password from a set of say 96 characters would be 2^79, or around the same as a 7 words from a 2000 word dictionary

Good luck getting people to actually choose and remember that type of password

You nailed it. To remember the password, it’s an easy way to avoid forgetting it.

This is such bad advice, this article goes over why.

Once they know the first part it's nothing to guess your other passwords. Just use a password manager, that is the answer to creating a strong password.

That just seems like a great way to be a victim of social engineering. You're simply combining your interests and anyone willing to do some work finding out how you make passwords and what you use could still gain access to your account.

I feel that secure passwords should be passwords you're comfortable showing others: they're too complicated to remember in short amounts of time, and they're absolutely random with no pattern between passwords. Whenever I give advice on passwords in particular, I show a password I use to emphasise what random is.

I pay $30 for LastPass and I think it's an essential 'gadget' everyone should have. Comes with password generators too.

This is terrible advice. The only way to make your passwords secure is to make them completely random for each website and store them in a password manager.

As soon as someone figures this pattern out, this password is useless.

I was thinking this would be good and I'll show my wife so she can stop using easy passwords. Instead I'm going to show her this so she knows what not to do.

This is absolutely miserable. Who is upvoting this?? This is telling you to basically use the same password for everything and just change the last two letters. Are you kidding me? That’s among the worst things you can do to protect yourself.

Best possible practice is using a unique randomly generated strong password for every account and keep track of them in a secure password manager. Don’t follow what this dipshit animation advises.

Yes, LastPass is shit. That’s why I don’t recommend it. I recommend Bitwarden or KeePass (if you can deal with a horrid UI).

Bitwarden stores everything that gets sent to their servers with military grade encryption. Even they can’t access it. And even if they get hacked, the attackers still wouldn’t be able to decrypt the passwords without your master password (and they’ve had third party security audit to prove this). You can also self-host Bitwarden.

KeePass is my go to. Completely free, completely open-source. And it is only self-hostable. The database has military grade encryption and can be secure with master passwords, key files, and yubikeys for added security. And there’s no way for a government entity to force a company to reveal your passwords (because you own the infrastructure they’re stored on).

According to Bitwarden's password testing tool "snoop dogg took a" takes centuries to crack. Seems anything longer than that is just adding inconvience and wasting time, especially for those typing on a phone keyboard.

why to remember? just use password manager like bitwarden or keepass

Honestly, the issue is also repeated use of the same password since it takes just one leak of a long password for it to fail everywhere

This is not entirely true in this case. It can be true if the worlds have been chosen randomly from eg. 10000 worlds, but the probability of dogg after snoop is much much higher than 1/10000 and I am not counting that this is a real English sentence which probably limits what type of words will be after each other.

(Anyway passwords should be stored with intentionally slow hash (KDF) functions, so burte-forcing even the simpler passwords are useless.)

Margret_thatcher_is_110%_sexy

Pick a random obscure quote you've never shared with anyone that you like and keep the first (or last if you're paranoid) letter of each word and keep the punctuation.

Example:

"He who hates does not know God, but he who loves has the key that unlocks the door to the meaning of ultimate reality." -MLK

password: HwhdnkG,bhwlhtktutdttmour.

I use the "Correct Horse Battery Staple" framework (if I may call it that way 😁). It's based on an XKCD comic. https://xkcd.com/936/

The idea is to that you make a passphrase instead of an overly complex password that you might easily forget. Focus is on length instead of complexity.

Since 2FA is enabled on my account I don't worry too much about the password looking "simple" (dictionary words, no numbers or symbols). Usually I get 20 to 30 characters which is fine for me.

For inspiration:

https://www.correcthorsebatterystaple.net/