How can I handle secure passwords
modedit split from https://forum.vivaldi.net/topic/32927/password-paranoia-in-vivaldi-forum/
@Gwen-Dragon Dude, what? I have 2 accounts and the older one keeps a short password. Now this is lame, because I have to write down the whole password, and security? It gets lost along with the former purpose of improving it, lol...
@pauloaguia Good idea to show users how safe a password may be.
@pauloaguia speculation, since brute force works on dictionaries.
This should be upped to a 36-character minimum; 12 is too short, not nearly secure enough.
And I hate to say it, but the way we do passwords on pretty much all of these sites/services is far, far less secure than it could be, and it's less secure because it's more complicated.
Stringing 3-5 (or more) words together is far more secure than a password that has special characters and numbers and caps and lower case, etc... EatDogPooHackingJerks is more secure than 3atD06P00H4k1n6J3rK5, for example, and will take a brute force tool far longer to crack than your average 12-char impossible-to-remember-without-writing-it-down password that you end up emailing and texting yourself or having written down in several places so you won't forget it... yeah... not very secure... but I go into offices and still see post-its with passwords taped to monitors... so... secure... bangs head into desk
12 chars... well, I'm expecting that next time there's a bit of paranoia it will jump to 24 or 36... because that's the best way to ensure a password's secure: make it so long that it can be a whole poem or a line of Shakespeare... but require special characters and numbers!!!
mib2berlin last edited by
Hi, these brute force examples are not for the real world.
Why is my credit card password only 4 digits and very secure?
If you try more than 2 times it is blocked; same with Linux user accounts and many other services. My router needs 3 minutes after the second failure, 15 minutes for the third, and so forth. Happy brute forcing.
Funny are Windows users with 20-digit passwords: I can delete it in 5 minutes if I sit in front of the PC.
I think 8-12 digits are a good compromise.
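The lockout policy mib2berlin describes (a few free attempts, then a delay that grows with every failure) is easy to model, so here is an added worked example that is not from any poster in this thread. It is a small per-account throttle whose numbers are assumptions modelled on the router figures above: the first failure is free, the second costs 3 minutes, and every further failure multiplies the delay by 5. The account name, secret and guess rate in the simulation are constructed for the demo.

```python
"""Progressive per-account login throttle (added example, assumptions noted inline)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class _Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # absolute time (seconds) before which logins are refused


class LoginThrottle:
    """Lockout grows 3 min -> 15 min -> 75 min -> ... after each failure.

    Assumed policy (not from the forum post): FREE_FAILURES failures cost
    nothing, the next one costs BASE_DELAY seconds, each later one GROWTH
    times the previous. The counter resets only on a successful login.
    """

    FREE_FAILURES = 1
    BASE_DELAY = 180.0
    GROWTH = 5
    PBKDF2_ROUNDS = 50_000   # low for the demo; production uses a tuned cost

    def __init__(self, clock):
        self._clock = clock                 # injectable so tests can fake time
        self._accounts: dict[str, _Account] = {}

    def _hash(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.PBKDF2_ROUNDS)

    def register(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = _Account(salt, self._hash(secret, salt))

    def lockout_seconds(self, failures: int) -> float:
        """Delay imposed after the given number of consecutive failures."""
        extra = failures - self.FREE_FAILURES
        return 0.0 if extra <= 0 else self.BASE_DELAY * self.GROWTH ** (extra - 1)

    def locked_until(self, user: str) -> float:
        return self._accounts[user].locked_until

    def login(self, user: str, secret: str) -> str:
        acct = self._accounts.get(user)
        if acct is None:
            # Burn the same hashing cost so timing does not reveal valid usernames.
            self._hash(secret, b"\x00" * 16)
            return "denied"
        now = self._clock()
        if now < acct.locked_until:
            return "locked"                 # even the correct secret is refused while locked
        if hmac.compare_digest(self._hash(secret, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        acct.locked_until = now + self.lockout_seconds(acct.failures)
        return "denied"


def guesses_in_window(window_seconds: float) -> int:
    """How many online guesses against one account the policy permits in a window.

    Simulates an attacker who retries the instant the lockout expires.
    """
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    throttle.register("alice", "1234")      # constructed sample account and PIN
    guesses = 0
    while now[0] <= window_seconds:
        assert throttle.login("alice", "0000") == "denied"   # always a wrong guess
        guesses += 1
        now[0] = throttle.locked_until("alice")              # wait out the lockout
    return guesses


if __name__ == "__main__":
    per_day = guesses_in_window(24 * 3600)
    print(f"guesses allowed per day: {per_day}")
    print(f"days to exhaust a 4-digit PIN: {10_000 / per_day:.0f}")
```

With these numbers an online attacker gets six guesses in the first 24 hours against a single account, so a 10,000-value PIN space takes years to exhaust; the same PIN without the throttle falls in seconds. The throttle is per account, so note the trade-off the post does not mention: anyone who knows a username can lock that account out on purpose, which is why real deployments combine this with per-source limits or a CAPTCHA step rather than relying on lockout alone.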
The first Quantum Computer has already been in operation since 2019; that is, it will soon be irrelevant whether a password has 6 or 60 characters.
@Catweazle Then only a good 2FA with hardware/tokens will help.
@Gwen-Dragon, guess who uses a Quantum Computer
The transparent user
@Ashen I have used "Password Phrases" like that for the last 15 years (company policy).
But there are more issues than that...
Search the forums for "entropy", there are a few discussions.
Also read Steve Gibson's pages on passwords, especially his Haystack page and his theories on entropy and password padding.
Interesting stuff and there are more recent articles on the WWW.
aeonscrim last edited by aeonscrim
@Ashen While the points you're trying to make are legitimate, your grammar is SO bad that you're not getting the point across.
Here are some counter points to what you wrote (not necessarily counter to what you were trying to tell people).
- 2FA is going to replace passwords eventually (imo ~5 years) making this topic moot, but in the meantime....
- Tripling the character requirement does NOTHING if people can't even remember 12 and have to write it down.
- As someone else pointed out, entropy is king.
- Your example of "EatDogPooHackingJerks is more secure then 3atD06P00H4k1n6J3rK5" is first grammatically incorrect (thAn, not thEn) and second, mathematically incorrect as you've added 10 more possible combinations per place. While adding numerics may only increase the crack time by seconds, fundamentally it's still more secure. The same goes for adding special characters. Also, stringing commonly paired words/phrases together is not nearly as effective as stringing RANDOM words together (entropy). However, as you pointed out, if the user can't remember it, neither matters.
- RANDOM CHARACTER password generation is EXPONENTIALLY more secure than any other method BECAUSE it's so random. The only things that make these types of passwords more secure is how many characters you're able to use and the number of characters you actually use. You are correct that the single most destructive point about this method is the inability to remember it (entropy).
- The point of your last sentence is probably the most accurate and informative. Make your passwords as long as plausible and use as many different characters as you possibly can (entropy).
I have taught classes on how to increase password entropy. As part of that class I asked students to make passwords that they wouldn't likely use but that they felt were strong both before and after the class had been taught. 100% of them made better passwords and only 1 could ever be cracked (24 hour time limit). The clients ended up reporting a ~25% reduction in password reset tickets and a nearly 100% reduction in password security violations.
It's as much a problem of human nature as it is algorithmic security.
We can create passwords with all letters, numbers, signs and symbols. For an algorithm it is therefore the same whether we use "Vivaldiisagreatbrowser" or "hs8i2199Ipxbqdhdnkd # [1" (P = number of signs (Spain 112)^length of password).
With the implementation of the Quantum Computer, passwords become obsolete and, as @Gwen-Dragon indicates, only a hardware token can then have the required security.
On the other hand, using a strong password also depends on the importance and interest that an application or document may generate, which in 80% of users is rather scarce; but in return, a strong password and 2FA are vital in companies, banks, administrations and governments (Merkel's smartphone was already hacked some time ago (password 1234?)).
PS @Gwen-Dragon, it may possibly interest you
Knuthf last edited by
@Catweazle You use 32 characters to establish how to organise 8 bits - 256 values. Then further down you exhibit that you have no problems with others sniffing whatever you type - running an insecure OS: Win10.
The main principle of encryption is to make it difficult enough for others not to guess but in a way that allows the certification "agencies" to intercept the messages and everything you write - nothing must be that secret.
It is very easy to make something that messes up what you write so much that the NSA cannot guess what it is within finite time. It just requires abstract algebra, but of course the students of business admin never studied this. But ask, and some things are very easy to make. But do not expect that it is easy unless you have studied the subject. And I am very sorry, it is easy enough to be changed as frequently as it suits me, which is pretty close to the key to everything. The "password" can then be 1-3 characters and can be many. It can also be simple facts: the fingerprint, facial shape, screen behaviour, login id on some sites, names of relatives, best food, music preferences that you know but are very difficult for others to guess. Very discreet to implement, certainly as part of browser code.