Keep your data safe across devices
-
@luetage: Assuming equal length, indeed. Using special chars isn't a bad idea at all. On the contrary. But
- Having a long, complex password/passphrase is better than a short simple one
- It's easier/faster to type normal chars rather than lots of special chars
- Adding lots of the same char doesn't add a lot of entropy
So a long passphrase is recommended nowadays. Of course, adding special chars to them is even better, but it is not necessary.
Try it yourself on https://ae7.st/g/test.html. You can see there that
- Dictionary words lower the entropy (it's fun to see it drop when you add the last char of the word there)
- Even then, adding several words is better than a shorter complex password
- Adding a single complex char ups the entropy
- Adding the same complex char several times doesn't help that much
-
@Cqoicebordel said in Keep your data safe across devices:
Adding the same complex char several times doesn't help that much
This assumes that the attacker has knowledge that you've re-used the same character. What sane attacker would assume you've used an ampersand 20 times in a row?
-
@lonm: No, it's the entropy calculation directly. I'm not talking about attacks right now.
But even then, it's simple to build a cracker that would test whether any char is repeated a number of times.
The entropy number conveys the amount of information a password (or anything) contains. A password with less information in it is easier to crack. It's as simple as that.
Sure, there are complexities in its implementation, but that's what is being discussed here.
-
@Cqoicebordel said in Keep your data safe across devices:
No, it's the entropy calculation directly. I'm not talking about attacks right now.
My error - I'm jumping into a conversation already in progress.
-
@cqoicebordel: I will take a concrete example, looking at the password suggested above,
Sync2&&&&&&&&&&&&&&&&&&&&
Let's have a cracker that brute forces, and then, for each brute-forced step, tests whether each char is repeated between 0 and 30 times.
So, to each step of the brute force, we add n*30 steps (n being the length at which we are).
So, to crack 'Sync2&&&&&&&&&&&&&&&&&&&&', we must first come to the step 'Sync2&'. Cracking a 6-char password is estimated at 11h (based on http://toplinestrategies.com/blogs/net/how-much-time-needed-crack-password-brute-force). Multiplying it by 6*30, because we took the extra steps of checking for repeats, => 1980h. That's not bad for a 25-char password.
Now, let's look at how long it would take to crack a 10-char password, based on the same page: 1700 years.
So, adding '&' 20 times wasn't that helpful. Having a really strong, shorter password was better.
Sure, my logic was flawed, as I only checked for a single repeated char, and I didn't take into account other complexities we can add. But all in all, it doesn't change much.
All that to confirm what Julien said: you really have to know what you are doing with entropy.
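As an added example (not from the thread, not any poster's code), here is a toy pattern-based entropy estimator in Python that prices a password the way the post above and the earlier list of observations describe: a run of the same character costs one character plus the choice of run length (0 to 30), a dictionary word costs one pick from the attacker's word list, a common separator costs almost nothing, and everything else costs a brute-force character. The 94-char set, the 7776-word list size, the tiny stand-in word set and the 1e10 guesses/s rate are all assumptions made for the example.

```python
import math
import string

# Added example, not from the thread. A crude pattern-based estimator in the spirit of the
# entropy testers linked above: it prices a password by the cheapest way an attacker who
# knows the *patterns* (not the password) could enumerate it. Sizes and rates are assumptions.

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII chars
MAX_RUN = 30            # the "0 to 30 repeats" tried per position in the post above
DICT_SIZE = 7776        # assumed size of the attacker's word list (the EFF diceware list size)
SEPARATORS = "-_ ."     # assumed: the attacker tries a handful of common separators

# Constructed stand-in word list used only for membership tests; the *cost* of a word
# is taken from DICT_SIZE, as if the attacker had a real list of that size.
WORDS = {"sync", "horse", "clock", "parking", "curtain", "password", "vivaldi"}


def tokenize(password):
    """Split a password into (kind, ...) tokens: word, run, sep or char."""
    tokens, i, n = [], 0, len(password)
    while i < n:
        # longest dictionary word starting at i, case-insensitive
        end = next((j for j in range(n, i, -1) if password[i:j].lower() in WORDS), None)
        if end is not None:
            tokens.append(("word", password[i:end]))
            i = end
            continue
        # run of the same character
        j = i
        while j < n and password[j] == password[i]:
            j += 1
        if j - i >= 2:
            tokens.append(("run", password[i], j - i))
            i = j
        elif password[i] in SEPARATORS:
            tokens.append(("sep", password[i]))
            i += 1
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def estimate_bits(password):
    """Sum the bits needed to pick each token under the assumed attacker model."""
    bits = 0.0
    for tok in tokenize(password):
        kind = tok[0]
        if kind == "word":
            # one pick from DICT_SIZE words, plus one bit for "capitalised or not"
            bits += math.log2(DICT_SIZE) + 1
        elif kind == "run":
            # pick the character and the run length; the 2nd..nth repeats are nearly free
            bits += math.log2(len(CHARSET)) + math.log2(MAX_RUN)
        elif kind == "sep":
            bits += math.log2(len(SEPARATORS))
        else:
            bits += math.log2(len(CHARSET))
    return bits


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed rate (1e10/s is a rough
    order of magnitude for a fast unsalted hash on a single GPU)."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("Sync2&", "Sync2&&&&&&&&&&&&&&&&&&&&", "x7#Qp2!mL9",
               "horse-clock-parking-curtain", "ho9s3-clo%ck-9ar#ing-(urt>in"):
        b = estimate_bits(pw)
        print(f"{pw:32} {b:6.1f} bits  ~{crack_seconds(b):.3g} s")
```

Under this model the 20 extra '&' add exactly log2(30), about 4.9 bits, over 'Sync2&', while a 10-char random string scores about 65 bits, which is the comparison the post makes in hours and years. The estimator is deliberately crude: it does not model leetspeak, inserted characters or keyboard walks, so it prices the mangled passphrase from the next post far higher than a real cracker with rule sets (or a zxcvbn-style estimator) would.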
-
@luetage If you want to test your password(s) strength, try https://howsecureismypassword.net
An example: horse-clock-parking-curtain
Make a few changes to strengthen it: ho9s3-clo%ck-9ar#ing-(urt>in (a pain to remember though).
Me? I use between 3-5 words with absolutely no relation as passwords. I also change them frequently.
-
@Cqoicebordel Sorry, but what if the actual phrase is somewhere between start and end, or what if there is a single different character mixed in there? Without knowing what to try for, your example simply doesn't work. Of course, if you know the password, you can come up with a method to find it more quickly. But why look for a password you already know? I have to read up on this topic, but I can't figure out why the entropy should be lower right now. Without knowing specifics about the password/creation, brute force has to be used.
edit: ok, I get it now, the entropy is of course lower, but practically this doesn't make a difference, since attackers still have to check everything.
-
@luetage: Attackers do indeed have to try every possibility, but there are shortcuts they can implement, like the "check if any char is repeated" I described above. There are others, like checking for the presence of "qwerty" or any keyboard-shaped "word" in your password.
But what you have to know is that, mathematically (I'm not speaking of specific implementation, just the theory), a lower entropy means it's easier to find, period.
Now, I'm not sure I understand your first sentence. But since you seem to get it in your edit, I won't answer more.
But if you need more explanations, don't hesitate to ask.
-
@OlgaA
Hello Olga! Trying out Vivaldi Browser on both Windows 10 and Android. My favourite feature is screenshot (or Capture Page), not available on most other popular browsers.
Coming back to the topic, the Android browser kept crashing today for some reason, and I had to finally reset it after trying other methods which didn't work. The problem that I noted was bookmarks sync. I had organized the various speed dial items on my Desktop yesterday, and they all synced to the Android browser too, although the sync is quite slow in my opinion. But today when I reset the Android browser, the default speed dial items on Android synced to my Desktop browser, essentially duplicating many of the bookmarks.
- Kindly fix this.
- Please provide a click option to delete all duplicate bookmarks in the browser (based on a logic that we choose, for example: if duplicates exist, delete the most recent one, or delete the least nested one, etc.)
Thanks.
-
I'm really enjoying the password discussion as it's a few ideas I've been pondering myself.
Just for reference, I made the move to Keepass a number of years ago. For each service I used at the time, I made a pretty long pseudorandom string using all possible characters allowed for each service (some didn't allow spaces or certain symbols in passwords at the time, etc).
I don't use a browser I don't trust, but I've never stored passwords in the browser. If the browser gets compromised, my passwords would be compromised. Browsers are more likely to be compromised as they're the internet-connected bit of software, not the password manager. Additionally, in the spirit of "stick to what you're good at", browser makers make good browsers, where password managers are a secondary feature. In contrast, password-manager makers make password-managers, so focus all their effort on engineering their password-manager. I'd rather use a browser to browse, and a password-manager to password-manage.
Occasionally I'm on a borrowed computer that I trust, and I have to open my password manager on my phone, attempt to read it, and manually type in a whole password into a web site. It's a complete and utter pain, but it's possible if you're slow, patient and persistent! It's especially troublesome if you're not sure if you're reading an "0" or an "O", or you use a foreign keyboard where the symbols are different...
I've often wondered whether some sort of more human-memorable route is the way to go, but worried about entropy and ease of guessing. My concern with using dictionary words is that you can brute-force a password made out of dictionary-words by considering every word as a "character". Of course, the entropy is still extremely high because a dictionary contains far more words than the alphabet contains characters, so the potential search space is much larger. It's nice to see these concerns compared and somewhat quantified. I still think it might be possible to take a shortcut by using the laws of a language to guess a password that may or may not contain dictionary words. For instance, if you know the password might contain English words, instead of just trying "Q", you could try "QU" and you've potentially guessed 2 characters in the space of 1. For German words, when guessing "U", you could perhaps guess that it's the end of a word ending in "UNG", and you've potentially guessed 3 characters and identified a word boundary...
It's certainly made me think. At the moment, I think I don't have a bad solution, as the random characters/numbers/symbols and length assure me a reasonable degree of entropy - but there's got to be a way of making it slightly easier for me as a human without making it significantly easier for a computer to crack it.
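The "every word as a character" attack model from the post above, as an added example in Python that is not part of the thread: an attacker who knows a passphrase is built from N list words enumerates list_size^N sequences instead of charset^length strings, so the effective strength is the smaller of the two, and the character length of the passphrase stops mattering. The block also shows how to generate a passphrase whose strength actually equals the computed value (uniform choice from the list with a CSPRNG, rather than words a human picks). The 7776-word list size, the 94-char set and the tiny stand-in word list are assumptions.

```python
import math
import secrets

# Added example, not from the thread. Word-level versus character-level search space
# for a passphrase, plus a generator whose output really has the word-level strength.
# DICT_SIZE, CHARSET_SIZE and the stand-in WORDLIST are assumptions for the example.

DICT_SIZE = 7776      # assumed size of the attacker's (and our) word list, e.g. the EFF large list
CHARSET_SIZE = 94     # printable ASCII

# Constructed stand-in list; a real list has DICT_SIZE entries, and a passphrase drawn
# from this 8-word list is only log2(8) = 3 bits per word, not log2(DICT_SIZE).
WORDLIST = ["horse", "clock", "parking", "curtain", "vivaldi", "sync", "entropy", "browser"]


def word_level_bits(n_words, dict_size=DICT_SIZE):
    """Attacker enumerates word sequences: dict_size ** n_words guesses."""
    return n_words * math.log2(dict_size)


def char_level_bits(length, charset_size=CHARSET_SIZE):
    """Attacker enumerates characters blindly: charset_size ** length guesses."""
    return length * math.log2(charset_size)


def effective_bits(passphrase, n_words, dict_size=DICT_SIZE):
    """An attacker who knows the construction uses whichever enumeration is cheaper."""
    return min(word_level_bits(n_words, dict_size), char_level_bits(len(passphrase)))


def words_needed(target_bits, dict_size=DICT_SIZE):
    """Smallest word count whose word-level strength reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def generate_passphrase(n_words, wordlist=WORDLIST, sep="-"):
    """Uniform random choice via the secrets module (CSPRNG); random.choice is not
    suitable here. Human-picked 'unrelated' words are not uniform, so their real
    strength is below word_level_bits()."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    pw = "horse-clock-parking-curtain"
    print(f"{pw}: char-level {char_level_bits(len(pw)):.1f} bits, "
          f"word-level {word_level_bits(4):.1f} bits, effective {effective_bits(pw, 4):.1f} bits")
    print("words needed to match a 10-char random password:", words_needed(char_level_bits(10)))
    print("generated:", generate_passphrase(5))
```

For the four-word example from earlier in the thread the character-level figure is about 177 bits but the word-level figure is about 52, so 52 is what counts; six words from a 7776-word list are needed to match a 10-character random string over 94 characters. The "QU" and "UNG" digram idea in the post above is a weaker version of the same shortcut: it lets the attacker enumerate plausible strings rather than all strings, which only matters when the password was built from language rather than from uniform random choices.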
-