[HN Gopher] Password of three random words better than complex v...
___________________________________________________________________
Password of three random words better than complex variation,
experts say
Author : pseudolus
Score : 19 points
Date : 2021-08-07 11:37 UTC (11 hours ago)
(HTM) web link (www.theguardian.com)
(TXT) w3m dump (www.theguardian.com)
| AlexAndScripts wrote:
| Isn't this common knowledge?
| yoz-y wrote:
| Obviously, and unfortunately, not. If it were, then almost all
| websites would handle their password requirements differently.
| [deleted]
| bryan_w wrote:
| I usually add something else to ensure it's unique because unlike
| in most TV/Movies, "Horse battery staple" and "Horse
| BAttery.Staple!" are miles apart and any legit password cracking
| tool won't know that there were 20 common characters between the
| first and second example
| Inityx wrote:
| https://xkcd.com/936/
| ceautery wrote:
| Coincidentally, we're close to the 10 year anniversary of
| https://xkcd.com/936/
| fwipsy wrote:
| Why can't hackers just brute-force word combinations? If there
| are 170k English words, and 95 possible password characters, then
| it seems to me that 170,000^3 ~= 95^8 so a 3-word English phrase
| would only be about as safe as an 8-character random string.
| kazinator wrote:
| But, that is formidable: using three dictionary words, you have
| something that is as secure as 8 characters, those being chosen
| from the full set of 95 non-blank ASCII glyphs!
|
| It's likely way easier to memorize, not to mention type.
|
| Though, by the same lexical token, it's worth acknowledging
| that words from a 170,000 dictionary will include some
| difficult ones that are not in the user's vocabulary.
|
| Say we use a 30,000 dictionary of common words, and make the
| password four words. You know, like correct-horse-battery-
| staple. Wow, I remembered that.
| Uehreka wrote:
| Most people's passwords are 10-ish character not-totally-random
| strings, so that would actually be an improvement. Now bump it
| to four words like the xkcd comic actually says and you've got
| a stew goin'.
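The 170,000^3 vs 95^8 comparison above, and the four-word / 30,000-word variant, can be checked with a few lines of arithmetic; the script below is an added example (not from the thread or the linked article) that computes the entropy of each scheme in bits, gives a rough worst-case time to exhaust the search space at constructed guess rates, and shows the one detail that makes the numbers hold: the words must be picked uniformly from the list with a CSPRNG, as a Diceware list with physical dice would. The word list, scheme names and guess rates are constructed for illustration.

```python
# Added example: passphrase vs. character-password entropy, with a
# diceware-style generator. Not code from the thread or the article.
import math
import secrets


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in a secret made of `length` independent, uniformly
    random picks from `pool_size` equally likely choices (words or chars).
    This is the size of the search space for an attacker who knows the
    scheme (list size and word count) but not the picks."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 and length >= 1")
    return length * math.log2(pool_size)


def compare(schemes):
    """Map scheme name -> entropy bits for (name, pool_size, length) tuples."""
    return {name: entropy_bits(pool, n) for name, pool, n in schemes}


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


# Constructed guess rates, only for a rough comparison; real figures depend
# on the hash function, hardware and any rate limiting at the service.
GUESS_RATES = {
    "online, rate-limited": 1e2,
    "offline, slow KDF": 1e5,
    "offline, fast unsalted hash": 1e11,
}

# The schemes discussed in the thread plus two reference points.
SCHEMES = [
    ("3 words, 170k dictionary", 170_000, 3),
    ("8 chars, 95 printable ASCII", 95, 8),
    ("4 words, 30k common-word list", 30_000, 4),
    ("6 words, 7776-word diceware list", 7776, 6),
    ("50 random printable chars", 95, 50),
]

# Constructed 32-word stand-in for a real list (5 bits per word);
# a real Diceware list has 7776 words, about 12.9 bits per word.
WORDS = ("anvil apple basket candle cobalt dune ember falcon garden harbor "
         "island jungle kettle lantern meadow nickel orchid pepper quartz "
         "ribbon saddle timber umbrella velvet walnut yonder zephyr marble "
         "copper glacier hammock tundra").split()


def passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Pick n_words uniformly with the OS CSPRNG (`secrets`). Using
    `random.choice`, or letting a human pick "random" words, would make
    the entropy figure above an overestimate."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for name, bits in compare(SCHEMES).items():
        print(f"{name:36s} {bits:6.1f} bits")
        for label, rate in GUESS_RATES.items():
            years = seconds_to_exhaust(bits, rate) / 3.15e7
            print(f"    {label:28s} ~{years:.3g} years")
    print("sample from the toy list:", passphrase(WORDS, 4))
```

Running it shows the three-word/170k and eight-character/95 schemes within a bit of each other (about 52 bits), four words from a 30k list at about 59 bits, and six Diceware words at about 78 bits; the time-to-exhaust rows are the point of the exchange further down about entropy no longer being the weak link: past a certain size, the difference between a passphrase and a 50-character random string only matters against an offline attack on a fast hash.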
| SiVal wrote:
| What drives me crazy is that it doesn't matter how well I design
| my passwords if companies immediately sabotage them with their
| laughable "security" questions. "Pick one of these security
| questions carefully chosen for you by our marketing director's
| 4th grader: What was Mommy's maiden name? What was your first
| pet's name?..."
|
| So now a hacker can just claim to have forgotten my password,
| google for the town I grew up in or mother's maiden name or try a
| list of the top 100 pet names, and not have to deal with my
| billion-year clever password at all. So they allow you to harden
| the front door's security as much as you like but require you to
| pick one of their six easy-access window designs for the side of
| the house just in case you (or anyone else) are unable to get
| through the front door.
|
| I can improve security by providing the wrong answer, but then
| I'll have to record it and won't remember it if surprised by a
| challenge (on the phone for example). What I _always_ want is the
| option to create my own security question, because I can design
| one that only makes sense to me but that I can reliably answer
| from memory.
| eloeffler wrote:
| I did that (provide a false answer) with a Yahoo mail account
| and got myself locked out forever... When they introduced the
| security questions, it was a measure to double-check when
| changing the password. As I was using a password manager, I just
| provided nonsense and didn't store it anywhere. Years later,
| Yahoo decided to make it mandatory to enter the security
| question when logging in from a new device. No chance to get in
| there anymore...
| Nekit1234007 wrote:
| I just put passwords in those fields if they are required.
| yoz-y wrote:
| Same, you can generate passwords as answers and save them in
| a password manager note or something.
| vlovich123 wrote:
| You know what's even better? Go to
| http://passwordsgenerator.net/, generate as many N-digit
| passwords as you want and store them in a password manager that's
| reasonably sane (that way you can use a very large N). Google,
| Apple or Microsoft are going to be good ones because they already
| control your operating system and browser. There's also a few
| other popular ones that may offer slightly more features/better
| organization if that's important. Also turn on real 2fa (app or
| even better a U2F key).
|
| No, this won't really protect you from a very determined
| attacker. Then again, neither will using a password of three
| random words. The endless debates about the best password policy
| are counterproductive. At the point it matters, you haven't
| designed your security robustly enough.
| wildrhythms wrote:
| See also: https://en.wikipedia.org/wiki/Diceware
| kgwxd wrote:
| Certainly not if the complex variation is just as long, right?
|
| About 15 years ago I got bit by the common mistake of reusing the
| same password everywhere; it was my email account, and I can't
| believe I caught it in time before they changed the password or
| did anything to get my account banned. From then on, I remember
| just one complex password, the one for my password manager. Every
| site gets its own random password, as long and complex as they'll
| let me make it. If I get to pick a user name, I randomly generate
| that too, along with the answers to any security questions, which
| I keep in the notes section of the password manager.
| kadoban wrote:
| Once you get entropy high enough, it's no longer the weak link
| in the chain. So sure, a 50 character long letter/number/symbol
| line-noise can have more entropy than a 6 word random
| passphrase, but it doesn't matter and has some drawbacks.
|
| By the way, for security questions specifically, I'd recommend
| passphrases. Often there are protocols where you need to say
| the security question answer to a human and they need to verify
| it. You're not going to have a great time spelling out a bunch
| of nonsense letters, and there's also more chance someone would
| be able to talk customer service into "oh I don't know, I just
| typed random keys" or something. Your password manager can
| likely do passphrases for you as well so it's probably no
| harder.
___________________________________________________________________
(page generated 2021-08-07 23:01 UTC)