2y ago

Creating a password in 2023 be like

96 comments

Obligatory https://neal.fun/password-game/
- Nooo! The fireeee! This would be better with a physical keyboard.
  
  Link for compatibility
  My final password was: Pass5@JulyXXXV+Shell+n2by7+droop+🌚+Peru+2020+Qd7+🥚+Zn+BBBBB
  The hardest 2 were chess and guessing the country. Maybe atomic numbers with combination with roman numerals, but that's sorta fine.
  
  That's where I got derailed on my best run. Chess was easy the first time and maddening the next two.
- Well, that'll teach you to actually take care of your pets and not just dump their food in front of them and be done with it.
  (fuck paul tho fr)
- Ah I was just copying the URL to post the same thing. It's such a fun game to go through, although I gave up pretty quickly
  Tried it again, made it to the chess step
  
  One of my coworkers got super into it and got into the high 20s I made an off-hand comment about wondering what it does for rule 34 and he responded "gasp I must know!" Then a couple days later messages me a screenshot on teams. Spoiler: it goes "ehhh let's just skip this rule"
  
  Use lichess.org’s board editor
- This game made me so angry haha
- I closed my laptop when it asked for the Wordle of the day.
  
  Enter the same thing 5 times and you're good for the day :)

Infuriating fact: if a service has maximum password length limits (lower than 1000 characters), they're reversibly storing your password and if they're that lazy it's probably plain text
- reversibly?
  
  Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted. You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.
  What is hashed? Think of it like a crossfoot of a number:
  Let's say you have a number 69: It's crossfoot is (6+9) 15. But if someone steals this crossfoot they can't know the original number it's coming from. It could be 78 or 87.
  
  In the least bad case, they encrypt the password instead of hashing it, making it possible to decrypt the password.
  In the most common case, they store the password in plaintext, so there isn't even any encryption to be reversed.
- They may just base their limit on one or a few block sizes of the hash function.
  
  That sounds incredibly unlikely. I would be good money that 99% of password length limits are not based on concrete limits. Things like "100 should be enough 🤷" must be way more common.
  I doubt 1% of programmers are away of their hashes block size. It is also probably irrelevant since after the first round everything is fixed size anyways.
- Nope. No point in storing > 256 or even 128 chars for a password anyway. Useless storage wasted. Also it doesn’t really mean they store the password badly in the server.
  
  A hashed password is always the same length though is it not?
  
  Ignoring that they must be hashed to be acceptable and that it's not possible for 1000 characters of text to add up to a waste of storage worth mentioning in pretty much any environment, it's literally impossible for a 128 character password limit to be beneficial in any way.
  A limit below that demonstrably lowers security by a huge margin.
  
  Ok but are 15 characters too much?
  I've seen 14-char limits, which are NOT reasonable
- Couldn't it just be that they're using something like bcrypt which won't take any chars above its limit into account (knowing that there's a limit will pretty much never matter to a user but why obscure the fact)? What does it even mean to store it reversibly, just because they have a char limit doesn't mean they are encrypting the password, could just be some frontend shenannigans as well.
- Fun fact: Lemmy instances cap at 60. they’re not storing reversibly, they’re just using bcrypt and rather than pre-hashing the pw before bcrypt like most bcrypt users do, they just truncate to 60.
  
  60 makes sense, 14 does not

Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns.
[Capital letter]basic word(number){special character}
Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.
A non expiring, long, easily remembered passphase like
forgetting-spaghetti-toad-box
Is much more secure than a short password with enforced complexity requirements.
- Drop "memorable". 99.9% of your passwords should be managed by your password manager and don't need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.
  
  99.9% of your passwords should be managed by your password manager
  this looks like a sensible approach until you remember password managers can be cracked, too. I'm with GP on this, a passphrase is easier to remember and is good enough for most use cases, if you need more security you should be using some form or another of 2FA anyway
  
  I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don't like that idea. I can exercise my brain.
- forgetting-spaghetti-toad-box
  I don't know much about PW security but would a passphrase of common words not be more susceptible to dictionary attacks?
  
  The idea is that entropy is measured with possible words instead of possible characters. It turns out 7 7-bit ascii characters have less entropy than 4 14-bit equivalent words (that is, the 16,384 most common ones). And that's in the ideal case it's a totally random 7 characters.
  Every attack is technically a dictionary attack here, but it doesn't help enough because the password to a computer is still 30 characters long. To a human it seems a lot easier than ")f1:.{yJCzNv]@R=S K$~=", though.
  PS. Turning /dev/random output into 7-bit ascii characters is surprisingly involved in Haskell. C would have been easier. This was the world's slowest ninja edit.
- Obligatory XKCD

I don't get why some sites limit your usage of special characters and have miniscule max lengths?? looking at you PayPal you piece of shit
- "This password would take 1 century to crack!"

There was a website where I was making an account and it was like: no semicolons.
To this day I wonder if that was how they blocked sql injection.
- Mandatory XKCD
- Escaping by obstruction ^^

Then, please give us your phone number for 2fa, instead of letting you use a more secure app

The right answer is use a password manager to generate and store a long password. Then it doesn't matter.

If for some reason you want a secure password and aren't using a password manager https://www.grc.com/passwords.htm

Does anyone use the generator from chrome anymore? Like a 2023 password for me is "suggest strong password"...

"password must contain a PUA codepoint"

Remides me of https://neal.fun/password-game/
- That was my immediate though too!

Fuck that shit, just give me the password

This is a repost :)
- Are we really starting this shit here?
  Everything on the internet is a repost. Calling it out adds nothing worthwhile to the conversation and just derails any conversation.
  
  Yeah but when you see the same 5 posts every month it gets tiring. If the other post was in a different place though, then it's not a repost
- And?
- I dont know how to make a crosspost in the app

96 comments