• bjorney@lemmy.ca
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    4 months ago

    Words are the least secure way to generate a password of a given length because you are limiting your character set to 26, and character N gives you information about the character at position N+1

    The most secure way to generate a password is to uniformly pick bytes from the entire character set using a suitable form of entropy

    Edit: for the dozens of people still feeling the need to reply to me: RSA keys are fixed length, and you don’t need to memorize them. Using a dictionary of words to create your own RSA key is intentionally kneecapping the security of the key.

    • shrugs@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      4 months ago

      so you are saying 44 bits of entropy is not enough. the whole point of the comic is, that 4 words out of a list of 2000 is more secure then some shorter password with leetcode and a number and punctuation at the end. which feels rather intuitive given that 4 words are way easier to remember

      • bjorney@lemmy.ca
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        4 months ago
        1. we are talking about RSA keys - you don’t memorize your RSA keys

        2. if you rely on memorizing all your passwords, I assume that means you have ample password reuse, which is a million times worse than using a different less-secure password on every site

        • prole@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          4 months ago

          Derp. Forgot where I was.

          I find passphrases easy to remember and I have several. I appreciate the concern, but I understand basic password safety.

    • laurelraven@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      That’s only really true if you’re going to be storing the password in a secure vault after randomly generating it; otherwise, it’s terrible because 1) nobody will be able to remember it so they’ll be writing it down, and 2) it’ll be such a pain to type that people will find ways to circumvent it at every possible turn

      Pass phrases, even when taken with the idea that it’s a limited character set that follows a semi predictable flow, if you look at it in terms of the number of words possible it actually is decently secure, especially if the words used are random and not meaningful to the user. Even limiting yourself to the 1000 most common words in the English language and using 4 words, that’s one trillion possible combinations without even accounting for modifying capitalisation, adding a symbol or three, including a short number at the end…

      And even with that base set, even if a computer could theoretically try all trillion possibilities quickly, it’ll make a ton of noise, get throttled, and likely lock the account out long before it has a chance to try even the tiniest fraction of them

      Your way is theoretically more secure, but practically only works for machines or with secure password storage. If it’s something a human needs to remember and type themselves, phrases of random words is much more viable and much more likely to be used in a secure fashion.

      • ClamDrinker@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        4 months ago

        And even with that base set, even if a computer could theoretically try all trillion possibilities quickly, it’ll make a ton of noise, get throttled, and likely lock the account out long before it has a chance to try even the tiniest fraction of them

        One small correction - this just isn’t how the vast majority of password cracking happens. You’ll most likely get throttled before you try 5 password and banned before you get to try 50. And it’s extremely traceable what you’re trying to do. Most cracking happens after a data breach, where the cracker has unrestricted local access to (hopefully) encrypted and salted password hashes.

        People just often re-use their password or even forget to change it after a breach. That’s where these leaked passwords get their value if you can decrypt them. So really, this is a non-factor. But the rest stands.

        • laurelraven@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          That’s fair

          It’s still a rather large pool to crack through even without adding more than the 1000 most common words, extra digits, minimal character substitution, capitalization tweaks, etc