this post was submitted on 20 Aug 2024
193 points (96.2% liked)

Asklemmy

43897 readers
1008 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

For me it's the paranoia surrounding webcams. People outright refuse to own one and I understand, until they go on and on about how they're being spied. Here's the secret - unplug the damn thing when you think you won't use it or haven't used it in a while.

They, whoever it is, can't really spy on you on something that's already off and unplugged!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 80 points 2 months ago* (last edited 2 months ago) (5 children)

I call this one forbidden knowledge because I see it so little in public, but I'm sure it's well known in privacy communities: A password like "I have this really secure password that I type into computers sometimes" is a much stronger and easier to memorize password than "aB69$@m". It seems more often than not I find networks where the SSID is a better password than the WPA key.

[–] [email protected] 5 points 2 months ago* (last edited 2 months ago) (1 children)

I agree - I do use passphrases in some critical cases which I don't want to store in a password manager.

However, I believe passphrases are theoretically more susceptible to sophisticated dictionary type attacks, but you can easily mitigate it by using some less-common 1337speak character replacements.

Highly recommend a password manager though - it's much easier to remember one or two complex master keyring passwords & the random generated passwords will easily satisfy any application's complexity requirements.

[–] [email protected] 2 points 2 months ago

Yeah that's basically what I do, I know the passphrase to decrypt my drive, and the one to open Bitwarden and then I basically let that just handle everything else.

Oh and the sudo one I guess.

[–] [email protected] 31 points 2 months ago (3 children)

I agree but I think the problem is that some apps/sites have strict password requirements, which usually includes adding upper-case, symbols, numbers, and then limits the length even sometimes...

[–] [email protected] 12 points 2 months ago (2 children)

At my previous bank the password had to be a 5 digit PIN code...

[–] [email protected] 11 points 2 months ago

At one point, Charles Schwab allowed a password of infinite length, but SILENTLY TRUNCATED ALL PASSWORDS TO 8 DIGITS.

This is something I sent a few angry emails about wherever I could find an opportunity.

[–] [email protected] 3 points 2 months ago* (last edited 2 months ago)

Sketchy indeed. I've seen this as well, and the redeeming thing about it is that you're locked out after 3 unsuccessful login attempts - so no matter how easy bruteforcing would be, there's a safety catch dealing with it.

[–] [email protected] 3 points 2 months ago (1 children)

Which is funny because those strict rules reduce the number of combinations an attacker has to guess from, thereby reducing security.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

Provably false. That's only true if the rules specify some really wacky requirements which I haven't seen anywhere except in that one game about making a password.

Think about it this way. If you have a password of maximum length two which only accepts lowercase letters, you have 26 choices for the first character & 26 for the next. Each of the 26 characters in the first spot can be combined with any of the 26 characters in the second spot, so 26 * 26 = 676 possible passwords.

By adding uppercase letters (for a total of 52 characters to choose from), you get 52 * 52 = 2704 possible passwords. It increases significantly if you increase the length beyond two or can have more than just upper & lowercase letters.

Computers have gotten so efficient at generating & validating passwords that you can try tens of thousands of passwords in a minute, exhausting every possible two-letter password in seconds starting with aa and ending with ZZ.

The only way you would decrease the number of possible passwords is if you specified that the character in a particular spot had to be uppercase, but I've never seen a password picker say "your fourth character must be a lowercase letter".

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

By adding uppercase letters (for a total of 52 characters to choose from), you get 52 * 52 = 2704 possible passwords.

You don't add them, you enforce at least one. That eliminates all combinations without upper case letters.

So, without this rule you would indeed have the 52x52 possible passwords, but with it you have (52x52)-(26x26) possible passwords (the second bracket is all combinations of 2 lowercase letters), which is obviously less.

The only way you would decrease the number of possible passwords is if you specified that the character in a particular spot had to be uppercase

Wrong. In your example, for any given try, if you have put a lowercase letter in spot 1, you don't need to try any lowercase in spot 2.

Any information you give the attacker eliminates possible combinations.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

I think I'm confused on your point.

I interpreted your statement to mean "adding a requirement for certain types of characters will decrease the number of possible passwords compared to no requirements at all", which is false. Even in your example above, with only two letters, no numbers / special characters allowed, requiring a capital letter decreases the possibilities back to the original 676 possible passwords - not less.

Perhaps you're trying to say that passwords should all require certain complexity, but without broadcasting the password requirements publicly? I suppose that's a valid point, but I don't think the tradeoff of time required to make that secure is worth the literal .000001% (I think I did the math right) improvement in security.

[–] [email protected] 3 points 2 months ago

Even in your example above, with only two letters, no numbers / special characters allowed, requiring a capital letter decreases the possibilities back to the original 676 possible passwords - not less.

No it doesn't. It reduces the possibilities to less than the 52x52 possibilities that would exist if you allowed all possible combinations of upper and lower case letters.

You are confused because you only see the two options of enforcing or not allowing certain characters. All characters need to be allowed but none should be enforced. That maximizes the number of possible combinations.

that passwords should all require certain complexity, but without broadcasting the password requirements publicly?

No, because that's still the same. An attacker can find out the rules by creating accounts and testing.

[–] [email protected] 11 points 2 months ago

Here’s what I’ve shared with my company.

margretthatcheris110%SEXY

[–] [email protected] 27 points 2 months ago

the SSID is a better password than the WPA key

This is an insult I am definitely saving for later

[–] [email protected] 54 points 2 months ago (1 children)

"correct horse battery staple" remains firm in my memory

[–] [email protected] 36 points 2 months ago (1 children)
[–] [email protected] 6 points 2 months ago

Difficulty to remember: You've already memorized it

It's true! And nobody remembers the first panel's password.