I will fully admit that I did not read the link, but typically that time can be reduced by adding computational power, either through hardware advancement or by distributing the work across a larger network of machines. Since many things can raise your threat profile to the level of facing a distributed adversary, and password complexity is one of the most trivial/accessible ways to increase security, it’s not a bad idea to stay a bit ahead there.

Posted Oct 1, 2023 22:33

Posted May 28, 2024 00:59

So, Aaaaaaaaaaaaaaaaaaaaaaaa then

Posted Oct 1, 2023 23:12

The chart misses a lot, to the point where it's not worth picking apart; most egregiously, it describes a blind brute force and not a specific attack on a particular account. It's almost inconceivable how frequently credentials leak, so even if all an attacker has is your email, they already have a list of passwords you've used in the past for other services (or they straight up just have your password: a 0 ms guess) and can use any number of strategies to narrow the field by a lot. At the end of the day you should be using a unique, arbitrary password you did not choose, generated by a trusted generator (the EFF's D6 password chart is very good for this), salted with at least one word or phrase from a different source (because the EFF D6 wordlist is public and should be assumed to be known to your attacker). This minimizes the value of attacking the account by attacking the underlying meat sack (your brain), and because that remains the most effective strategy for password cracking, it will cause your attacker to waste a lot of time.

Posted Oct 1, 2023 23:25

Sagebrush posted:
I think you'll find that this chart fits the thread a little better. (I posted it in the thread years ago but this seems a fantastic time for an encore.) And hey, the source is still up. Click through for a few more fantastic charts on the same topic.

Posted Oct 1, 2023 23:42

Everything should have a password failure lockout anyway. It doesn't even have to be severe, like 30 seconds every five attempts pretty much invalidates the brute force strategy entirely. Still, for perfect infosec I recommend giving up all computerised systems and services and moving into the woods to subsist on moss and overly curious squirrels.

Posted Oct 1, 2023 23:46

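The lockout policy sketched in the post above (refuse attempts for 30 seconds after every five failures), written out as an added example. This is not code from the thread: the per-account bookkeeping, the injected clock and the account names are constructed for illustration, and the helper that bounds the attacker's online guess rate is an assumption about how such a policy is usually reasoned about.

```python
"""Added example (not from the thread): a per-account failure lockout.

Policy as described in the post: after every five consecutive failed attempts
on an account, refuse further attempts for 30 seconds. A successful login
clears the counter. The clock is injected so the behaviour can be exercised
without sleeping; account names and timings are constructed.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

LOCKOUT_THRESHOLD = 5      # failed attempts before a lockout
LOCKOUT_SECONDS = 30.0     # how long the account refuses attempts


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failures since last success/lockout
    locked_until: float = 0.0  # clock value; 0.0 means not locked


@dataclass
class LoginThrottle:
    """Tracks failed attempts per account and enforces the lockout."""
    clock: Callable[[], float] = time.monotonic
    _state: Dict[str, _AccountState] = field(default_factory=dict)

    def seconds_until_allowed(self, account: str) -> float:
        """0.0 if an attempt may proceed now, else the remaining lockout time."""
        st = self._state.get(account)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        'locked' is returned before the password is even considered, so a
        locked-out attacker learns nothing about whether a guess was right.
        """
        st = self._state.setdefault(account, _AccountState())
        if st.locked_until > self.clock():
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            # Start a fresh count for the next window once the lock expires.
            st.failures = 0
            st.locked_until = self.clock() + LOCKOUT_SECONDS
        return "denied"


def max_online_guesses(seconds: float) -> int:
    """Upper bound on guesses against one account in `seconds` under this policy:
    a burst of LOCKOUT_THRESHOLD, then another burst after each LOCKOUT_SECONDS."""
    windows = int(seconds // LOCKOUT_SECONDS) + 1
    return windows * LOCKOUT_THRESHOLD


if __name__ == "__main__":
    print(f"at most {max_online_guesses(86400)} guesses per account per day")
```

The bound shows why the post's "not severe" setting is enough against online guessing: a few tens of thousands of tries per account per day is nowhere near a blind search of any reasonable keyspace. The same lockout does nothing for the leaked-hash case discussed later in the thread, where the attacker never talks to the server at all.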
Sagebrush posted:
It is "orange" level of secure because computers get better at brute-forcing passwords over time (i.e. faster), so eventually every password on this chart will have a time of "instantly", but it will take longer for the trillion-year ones to get there than the thousand-year ones. It happens faster than you'd think. In fact, that is last year's table; let's have a look at this year's.

Posted Oct 2, 2023 00:01

Deformed Church posted:
Everything should have a password failure lockout anyway. It doesn't even have to be severe, like 30 seconds every five attempts pretty much invalidates the brute force strategy entirely.

Brute forcing passwords isn’t usually done with online attacks because they’re way too slow even without a lockout.

Posted Oct 2, 2023 00:44

I like using my password manager to generate passwords as long as the limit, so when I paste it in it fills the input space like it's a progress bar that's completed. Any security gained is secondary.

Posted Oct 2, 2023 03:28

Ariong posted:
It is "orange" level of secure because computers get better at brute-forcing passwords over time (i.e. faster), so eventually every password on this chart will have a time of "instantly", but it will take longer for the trillion-year ones to get there than the thousand-year ones.

The usual standard for new encryption algorithms is that if every atom in the universe was incorporated into a machine that was many orders of magnitude faster than any computer we could possibly project being actually built, it would still be effectively impossible to brute-force a random key. This, of course, does not prevent idiots from using their kid's birthdate or their pet's name as their password.

Posted Oct 2, 2023 03:55

zedprime posted:
I like using my password manager to generate passwords as long as the limit, so when I paste it in it fills the input space like it's a progress bar that's completed. Any security gained is secondary.

I set my FB password to a randomly generated 128 character string, just to see if it would work, and it did. So bizarrely that is now my strongest password by far.

Posted Oct 2, 2023 04:03

I made my email password my dog's name. Fortunately we named our dog a randomly generated 1024 character string, so I think it should be good. It's really poo poo trying to call them at the park though.

Posted Oct 2, 2023 06:22

One important thing to consider here is that the hackers don't KNOW if you've used special characters and uppercase and whatnot. The information they might have is what the system allows/requires. They might stumble on aaaaaaaaaaaaa before jeH67✓*-#+jjsl, but something in between those is good enough usually. My current workplace has a password policy that requires special characters, but forbids a trailing exclamation point. Very specific, not sure it actually increases security.

Posted Oct 2, 2023 06:32

Phosphine posted:
One important thing to consider here is that the hackers don't KNOW if you've used special characters and uppercase and whatnot. The information they might have is what the system allows/requires. They might stumble on aaaaaaaaaaaaa before jeH67✓*-#+jjsl, but something in between those is good enough usually.

Marginally? When requiring caps and special characters, people have a tendency to place the capital at the beginning and a punctuation mark at the end, because that’s what we’ve been trained to do since we could hold a pencil in our chubby little toddler hands. Brute force methods take this into account. The thing is that you’re much more likely to have an account compromised because Linda wrote her password on a sticky attached to her monitor, or Frank fell for a shockingly obvious phishing attempt, etc. etc. Doesn’t matter how crafty your password policy is if the most basic social engineering techniques have your users coughing up their credentials.

Posted Oct 2, 2023 07:06

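The disagreement in the last two posts (the attacker "doesn't know" your character classes versus "brute force methods take the pattern into account") and the earlier point that the chart only models a blind search can be put in numbers. This is an added example, not something posted in the thread. The mask classes follow the usual hashcat convention (u/l/d/s/a for 26/26/10/33/95 characters); the guess rates are assumptions chosen for illustration (a constructed 1e10 guesses per second for an offline attack on a leaked fast hash, and 5 guesses per 30 seconds for an online attack under the lockout described earlier in the thread), and the 7776-word list size is that of the public EFF long wordlist mentioned above.

```python
"""Added example (not from the thread): what a password costs to guess, blind
versus pattern-aware.

The chart assumes the attacker tries every string over the full character set.
Real cracking uses masks shaped like the passwords people actually pick
("Capital, lowercase, digits, punctuation at the end"). Mask classes follow the
hashcat convention: u/l/d/s/a = 26/26/10/33/95 characters. The guess rates are
assumptions for illustration, not measurements.
"""
import math

CHARSET_SIZES = {"u": 26, "l": 26, "d": 10, "s": 33, "a": 95}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed rates (constructed for this example):
OFFLINE_GUESSES_PER_SEC = 1e10   # GPU rig against a leaked, fast hash
ONLINE_GUESSES_PER_SEC = 5 / 30  # 5 tries, then a 30 s lockout, as in the thread
EFF_LONG_WORDLIST = 7776         # 6^5 words; the list is public


def keyspace_full(length: int, charset_size: int = 95) -> int:
    """Blind brute force: every string of `length` over `charset_size` symbols."""
    return charset_size ** length


def keyspace_mask(mask: str) -> int:
    """Pattern-aware brute force: product of the class sizes in a mask.

    'ulllllldds' means one capital, six lowercase, two digits, one symbol."""
    space = 1
    for cls in mask:
        space *= CHARSET_SIZES[cls]
    return space


def keyspace_passphrase(n_words: int, wordlist_size: int = EFF_LONG_WORDLIST) -> int:
    """Random words from a public list: knowing the list costs the attacker
    nothing, but every combination of words still has to be tried."""
    return wordlist_size ** n_words


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_sec: float) -> float:
    return keyspace / guesses_per_sec


def years_to_exhaust(keyspace: int, guesses_per_sec: float) -> float:
    return seconds_to_exhaust(keyspace, guesses_per_sec) / SECONDS_PER_YEAR


def compare(length: int = 10, mask: str = "ulllllldds") -> dict:
    """Side by side: what the chart says for a 10-character password over the
    full 95-symbol set, what a mask shaped like human habit actually costs, and
    how a six-word diceware passphrase compares."""
    blind = keyspace_full(length)
    shaped = keyspace_mask(mask)
    phrase = keyspace_passphrase(6)
    return {
        "blind_bits": round(bits(blind), 1),
        "mask_bits": round(bits(shaped), 1),
        "passphrase6_bits": round(bits(phrase), 1),
        "blind_offline_years": years_to_exhaust(blind, OFFLINE_GUESSES_PER_SEC),
        "mask_offline_minutes": seconds_to_exhaust(shaped, OFFLINE_GUESSES_PER_SEC) / 60,
        "mask_online_years": years_to_exhaust(shaped, ONLINE_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:,.1f}")
```

With these assumptions the "Capital, six lowercase, two digits, symbol" shape of a ten-character password drops from about 66 bits to about 45 bits, i.e. from a couple of centuries of offline guessing to under an hour, while the same mask is still millions of years of work against a throttled online login. That gap between offline and online is the point made two posts up about lockouts.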
Powered Descent posted:
This, of course, does not prevent idiots from using their kid's birthdate or their pet's name as their password.

This is because passwords are a disaster and should never have been intended for use by humans.

Posted Oct 2, 2023 07:37

dr_rat posted:
I made my email password my dog's name. Fortunately we named our dog a randomly generated 1024 character string, so I think it should be good.

Does everybody look at you when you start making modem noises?

Posted Oct 2, 2023 09:47

Actual advice, since it's relevant: never answer security questions honestly. Each answer should be a unique letter/number string saved in the notes field for the site's entry in your password manager.

Posted Oct 2, 2023 09:51

"My childhood pet? Yeah, I just mashed the keyboard and put in some random letters, because everyone loved that dog, you know how it is." Security questions suck even more than passwords. A minimum wage helpdesk employee won't care about verifying that random string. Automated systems might, but that's (rarely) what security questions are for.

Posted Oct 2, 2023 10:34

My friend's dad had a habit of making his password one of his children's names, followed by whatever the year was when he made the password. So if he registered for some site in 2009 his password would be Katie2009, and if he registered for a different website in 2016 the password would be Daniel2016. This meant that the passwords were easy to crack, but quite difficult to remember without just resorting to guessing. A flawless system.

Posted Oct 2, 2023 10:55

Powered Descent posted:
I think you'll find that this chart fits the thread a little better. (I posted it in the thread years ago but this seems a fantastic time for an encore.)

As a chart nerd, I really don't like this one. Only the first three columns have real information. The rest is noise, both visually and statistically.

Posted Oct 2, 2023 16:03

This being the awful charts thread, I assumed it was meant to be bad. Just plot it on a graph with a log scale for the y axis. Done and done.

Posted Oct 2, 2023 16:23

I'm the seconds column. No, the other one.

Posted Oct 2, 2023 17:36

Sagebrush posted:
I'm the seconds column.

I'm "miliseconds" with one L.

Posted Oct 2, 2023 17:43

Freaquency posted:
Marginally? When requiring caps and special characters, people have a tendency to place the capital at the beginning, and a punctuation mark at the end, because that’s what we’ve been trained to do since we could hold a pencil in our chubby little toddler hands. Brute force methods take this into account.

Some places put unusual restrictions on the password, like “must be 8-12 characters”, and I always wanted to change how FB passwords work so that they told you a character you had to incorporate somewhere (different per-user). These reduce the likelihood of password reuse, which is I think still the biggest risk to password-based systems.

Posted Oct 2, 2023 17:47

Sagebrush posted:
I'm the seconds column.

Hobbit timekeeping.

Posted Oct 2, 2023 17:58

Subjunctive posted:
Some places put unusual restrictions on the password, like “must be 8-12 characters”, and I always wanted to change how FB passwords work so that they told you a character you had to incorporate somewhere (different per-user). These reduce the likelihood of password reuse, which is I think still the biggest risk to password-based systems.

At one point lowtax got tired of offsites getting compromised resulting in people spamming here, and changed the password requirements to be different from basically everywhere else for exactly that reason. Otherwise, a huge portion of the user base just used the same username and password on all SA offshoots.

Posted Oct 2, 2023 17:59

Blue Footed Booby posted:
At one point lowtax got tired of offsites getting compromised resulting in people spamming here, and changed the password requirements to be different from basically everywhere else for exactly that reason. Otherwise, a huge portion of the user base just used the same username and password on all SA offshoots.

That still makes me laugh, the new SA password was my strongest one for years. Even now, I occasionally run into sites that can't handle one that long.

Posted Oct 2, 2023 18:05

My favorite is when they disallow ", ' and #. Gotta love screaming red flags (of super poo poo database security, to put it simply) that you can't do anything about.

Posted Oct 2, 2023 18:10

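The red flag in the post above is that a site forbidding quotes or # in passwords is telling you the password's raw characters reach something that cares about them. They never should: the password is hashed before storage and the few stored values are bound as query parameters. This is an added example, not anything from the thread or from any of the sites discussed; it uses an in-memory SQLite database, constructed usernames and passwords, and an iteration count that is an assumption to be tuned per deployment.

```python
"""Added example (not from the thread): accepting any character in a password.

The password is run through a salted PBKDF2 before it touches the database, and
the salt and digest are stored through a parameterised query, so quotes, hash
signs and SQL comment markers in the password are plain data the SQL parser
never sees. Usernames, passwords and the iteration count are constructed for
illustration.
"""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 200_000   # assumed; raise to what your hardware tolerates
SALT_BYTES = 16


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with a minimal credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "hash BLOB NOT NULL, iterations INTEGER NOT NULL)"
    )
    return conn


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # UTF-8 encoding accepts every character; nothing is filtered or escaped.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, PBKDF2_ITERATIONS)
    # Values are bound with placeholders, not spliced into the SQL text, so a
    # username or password full of quotes and comment markers is just data.
    conn.execute(
        "INSERT OR REPLACE INTO users (username, salt, hash, iterations) "
        "VALUES (?, ?, ?, ?)",
        (username, salt, digest, PBKDF2_ITERATIONS),
    )
    conn.commit()


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, hash, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        _derive(password, b"\0" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    salt, stored, iterations = row
    return hmac.compare_digest(_derive(password, salt, iterations), stored)


def demo() -> bool:
    """Store and verify a password made of exactly the characters some sites
    forbid, and confirm the table survived."""
    conn = open_db()
    awkward = "pa'ss\"word#--; DROP TABLE users;"
    store_password(conn, "linda", awkward)
    ok = verify_password(conn, "linda", awkward)
    still_there = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 1
    return ok and still_there


if __name__ == "__main__":
    print("awkward password stored and verified:", demo())
```

If a site cannot take this input, the likely reason is that the password (or a comparison against it) is being spliced into a query string or a shell command, which is a much bigger problem than the inconvenience of the character rule.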
Oh sorry, those were supposed to be centiseconds

Posted Oct 2, 2023 18:12

KozmoNaut posted:
I set my FB password to a randomly generated 128 character string, just to see if it would work, and it did. So bizarrely that is now my strongest password by far.

Facebook actually saves 3 variations of your password because they know capslock will confuse users and phone browsers will sometimes frontcaps fields that shouldn't be.

Posted Oct 2, 2023 18:28

https://twitter.com/halomancer1/status/1708221844195836010

Posted Oct 2, 2023 18:35

It's probably a cat.

Posted Oct 2, 2023 18:47

It's not nice to call Mr. Trump out like that.

Posted Oct 2, 2023 19:26

Posted Oct 2, 2023 21:46

On the one hand it's completely full of poo poo and insane. On the other hand, it speaks to my inner doomer so clearly and has rainbows.

Posted Oct 2, 2023 21:52

All the circles ought to have distinct graphics like the Mind Prison and the Ecosystem Collapse Spiral.

Posted Oct 2, 2023 21:56

Posted Oct 3, 2023 17:04

I miss the Babylon central bank’s monetary policy

Posted Oct 3, 2023 17:49

So when the label says Homer they actually mean that one?

Posted Oct 3, 2023 18:50

90s Cringe Rock posted:
So when the label says Homer they actually mean that one?

Not only that, but Charybdis wasn't credited on the paper despite doing a majority of the work. Which sucks.

Posted Oct 3, 2023 19:04

Posted May 28, 2024 00:59

I’m (1) the break in the X-axis for centuries where data on interest rates definitely exists, (2) the weirdly precise marks within the break in the axis, and (3) the totally incorrect data underlying those marks (lol at a 4% interest rate on a short-term loan before the eighteenth century).

Posted Oct 4, 2023 17:28