Asklemmy
A loosely moderated place to ask open-ended questions
correct horse battery staple?
I found it amusing when the security team in my company sent me parts of my password in plaintext saying it was insecure (because it didn't have special characters in it) and recommended I use a password manager
The account is used for the ancient VPN software and all of our ssh management tools
And windows login if you're using windows.
Yeah, good luck using a randomly generated password that you have to type in multiple times every day
Isn't the bigger issue here that they can see the plaintext password?
The account is used for the ancient VPN software and all of our ssh management tools
And windows login if you’re using windows.
If you're using one password for all those things, you're doing it wrong. Even if the passphrases you pick are easy to remember and type, they should be distinct.
Disk encryption, computer login, and password manager are pass phrase + random characters stored on a pin protected OnlyKey and/or Mooltipass.
Regular passwords are just random characters up to `min(max_len, 128)`.
Use diceware to generate a nice long nonsense passphrase, and use that for your password manager master password. Keep it written down somewhere until you are sure you've memorized it.
I do. It's worth it because there are some sites that are so outdated that their version of security is to not allow pasting (or filling in via pw manager) on password fields, so I have to manually type them in. Typing in a passphrase is easier and faster than a random string.
Define 'strength'... against a dictionary attack? Brute force? Social engineering? 'forgotten password/recovery questions' hack? Stolen session cookie? Keyloggers?
If you're not aware of the above, take some time to learn about each of those things and how good security practices counter each one.
The question is kind of like, 'can you bake a cake?' .. probably yes, but it's really missing a lot of essential information, like what kind of oven, what ingredients do you have, what's your skill level, do you have arms, etc.
Any 'passphrase' can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.
forgotten password/recovery questions
This is the security industry's dirty little secret that doesn't get talked about in public enough.
All the excellent security on a site, including complex passwords, perfectly secure storage of a salted hash of that password, multifactor authentication using TOTP, etc., is completely moot if someone can just hit "I forgot my password" (or "I don't have my second factor") and bypass it by doing an email loop. You instead rely on the security of the user's email account.
Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it's four words; for occasional stuff like disk encryption it's six. I'm sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.
The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:
```sh
grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '
```
`grep -v '[^a-z]' $WORDLIST` filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.
For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.
Compare that to randomly-generated passwords. I'll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.
I'm sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.
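An added example, not part of the comment above: the comment's counting argument carried through in Python, including the case its command actually produces (`shuf | head` never repeats a word, so the count is slightly below list size raised to the word count). The function names and the sample word list are constructed for illustration; the 77,866-word list size and the 46-symbol alphabet are the comment's own figures.

```python
import math
import secrets
import string

# Constructed sample standing in for a system word list ($WORDLIST in the comment).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "Aaron", "can't",
                "naïve", "horse", "orbit", "velvet", "x-ray", "lantern"]


def filter_words(words):
    """Keep all-lowercase a-z words, like grep -v '[^a-z]'; also drop blanks and duplicates."""
    allowed = set(string.ascii_lowercase)
    return sorted({w for w in words if w and set(w) <= allowed})


def passphrase(words, n):
    """Draw n words independently (repeats allowed) from the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n))


def bits_with_replacement(list_size, n):
    """Entropy when each word is an independent draw: log2(list_size ** n)."""
    return n * math.log2(list_size)


def bits_without_replacement(list_size, n):
    """Entropy when words cannot repeat (shuf | head): log2(N * (N-1) * ... * (N-n+1))."""
    return math.log2(math.perm(list_size, n))


def equivalent_password_length(list_size, n, alphabet=46):
    """Shortest random password over `alphabet` symbols with at least as many combinations."""
    return math.ceil(bits_with_replacement(list_size, n) / math.log2(alphabet))


if __name__ == "__main__":
    words = filter_words(SAMPLE_WORDS)
    print(passphrase(words, 4), f"(sample list: {len(words)} words)")
    for n in (4, 6, 8):  # word counts mentioned in the thread
        print(n, "words:", round(bits_with_replacement(77866, n), 1), "bits,",
              "matches a", equivalent_password_length(77866, n), "character password")
```

These figures only hold when the words are drawn at random; a phrase a person makes up does not have this entropy.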
Very similar heuristic here, insofar as when to use passphrases and how long.
LUKS and BitLocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).
Smartcards and mobile devices do have numeric PINs due to frequency of use and relative difficulty in copying those for offline attacks.
Websites that are filled in w/ password manager get the random symbol-laden strings that 'meet requirements'.
I use a leetified (using my own custom flavor) passphrase as my master password - I can type it really quickly and it's obscure as hell so I'm happy with it.
@[email protected] Why would the passphrase being long defeat the purpose of using it? That's half the purpose of using passphrases.
Make sure to use made-up words or proper nouns and put a PIN in an unexpected place. That's an easy way to change it without replacing the whole passphrase.
I was thinking it would be easy to brute force if, instead of guessing character by character, you do word by word... but I guess just adding one special character randomly would make it a non-issue.
most people use password managers
You don’t know many boomers, do you?
According to security.org survey data, in 2021, 22% of Americans said they used a password manager, but in 2023, the percentage increased to 34% with a further 10% of users saying they use a security passkey or other physical password device.
So in the most generous interpretation of that, just over half of people are not doing anything secure.
Most people who matter
can passphrase reach the strength of a good password
Relevant xkcd: https://xkcd.com/936/
I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.
That's basically a Diceware passphrase. And, it's kinda ok. The amount of entropy is pretty significant (close to what the comic lists, if the Wikipedia article has it right). And it's really easy to add more entropy. I often recommend passphrases to my users (I work in Cybersecurity) and use them myself. Take a sentence, with spaces, capitals and punctuation. Now throw in a few numbers for fun and stop worrying about brute force attacks, until some idiot decides unsalted MD5 is perfectly fine for storing passwords. Most such passphrases will blow right past the 4 words in that comic and are very easy to remember. Even better, make that the passphrase for your password vault (oh look a plug for KeePass). Then have the rest of your passwords all be unique, 20 character jumbles of letters, numbers, and special characters.
Also, enable Two-Factor Authentication (2FA) wherever possible. Even if it's just a One Time Password (OTP) sent via SMS (which is a shit way to do 2FA), that's better than no 2FA.
For what a civilian target would worry about, using sufficiently long passwords is your best defense. Complexity is barely important.
111111111111111111111111111.1111 is an excellent password.
Everyone should Ctrl+f their password here. But also wait the 10 minutes it'll take to load the whole thing.
If your pw is on this list, change it immediately.
If it's less than 8 chars? Change immediately. If it's less than 10 chars? Change... Now.
If it's less than 14 chars, consider just making your password longer.
This advice will save more people in its simplicity than saying more.
Want a smidge more?
If you're paranoid, take a password that you think is decent, then insert it here, then use the output as your password.
Most times, pws aren't stored in plain text, they're stored using that algorithm. So, if your password is 'password', hackers might easily be able to see that your password's encrypted value is exactly what that link will output if you put in 'password'. If your password is on that huge list from the beginning of the post, they can easily decrypt the encrypted password, because these passwords' hashes are known.
So, use the hash itself as a password.
Hell, throw a comma at the beginning to throw it off.