How Strong Should Your Passwords Be

In this video I explain how to create a strong password, and why you should use password managers to create random passwords for your online accounts.

zxcvbn

dumb password rules

₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436

Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV

Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079

Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF

Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz

Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr

Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14

Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp

Ethereum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC

USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB

and be sure to click that notification bell so you know when new videos are released.
Comments

All of my passwords were generated using unique highly complex algorithms with quantum behaviors as random seeds all of which I created while I was blackout drunk in a classified location.
I then deleted these algorithms and smashed the sole device that ever held them with a sledgehammer, twice.
I then got blackout drunk again and buried the device’s remains somewhere that I do not know. Every time I recover the device, I hide it again using the same method.
Logging into things is a difficult and often harrowing procedure for me, but at least my 12 Robux are safe until someone breaches the servers.

Sniblet

One time for a client we were doing pen testing for the network at the hospital. They always knew we were coming, but didn’t know when, and we never introduced ourselves until we were done so we could find weak points without the staff being on guard.

I walked in with my laptop and sat down at the medical records desk, no one asked me a thing. After a few minutes I approached the lady at the desk and said “hey IT sent me over and said you guys were having some server issues, I just need your login information so I can check your account on the server.”

No shit this girl wrote her information down and just handed it over without asking a single question. We had access to the network in under an hour.

GhostfaceRuga

Dictionary attacks become much more difficult once you start using words from multiple languages. "correct horse battery staple" is suddenly a pretty good password if the words are in Navajo, Polish, Japanese and Hungarian.

Pakanahymni

everybody knows that you should always use "password" as your password

RusherDevelopment

I actually hate forcing the user to choose a secure password. Giving them feedback on how secure it is is fine, but it should be up to the user how important the account is. Sitting there figuring out a secure password you'll never remember just to download some basic thing or set up a subscription encourages people to re-use more secure passwords they use on other sites, and then that's where their secure passwords get leaked from.

JFrameMan

My passwords are so secure that even I don't know half of them.

RATsnak

Also, always have a comma in there so that when a site leaks your password, it screws up the csv your password gets dumped into.

skywz

I love to see "%" symbols being declined for passwords; it means the chances of SQL injection are very high.
That character is a wildcard in SQL query strings, and banning it suggests your password gets passed to SQL in an unsafe manner.

geroffmilan

Password requirement sins: 1. Composition rules. 2. Regular password resets (security breach is the only acceptable reason for a forced password reset). 3. Maximum password length (if less than 64 characters).
The bigger the company, the more likely they are to commit one of these sins that is actively recommended against by NIST.

SidewaysCytlan
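The three "sins" listed above map directly onto NIST SP 800-63B's verifier rules. As an added example (not from the video or any commenter), here is a constructed acceptance check that follows them: length is the only requirement, the maximum is well above 64 characters, any printable Unicode is allowed, candidates are screened against a block list, and a reset is forced only on evidence of compromise. The block list is a tiny constructed sample; a real deployment would load a breached-password list.

```python
"""NIST SP 800-63B style password acceptance check (constructed example)."""
import unicodedata

MIN_LEN = 8
MAX_LEN = 128  # SP 800-63B asks for at least 64; longer is fine

# Constructed sample of a common/breached-password block list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def normalize(password: str) -> str:
    """NFKC so visually identical Unicode input compares consistently."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return rejection reasons; an empty list means the password is accepted.

    Length is counted in Unicode code points, not bytes, so non-Latin
    scripts are not penalised. There is deliberately no composition rule:
    spaces, emoji, quotes and '%' are all fine.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in BLOCKLIST:
        reasons.append("appears on the common-password block list")
    # Only control/format characters (Unicode category C*) are rejected.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("contains control characters")
    return reasons


def must_reset(compromised: bool, days_since_change: int) -> bool:
    """Force a reset only on evidence of compromise.

    `days_since_change` is accepted but intentionally ignored: password age
    alone is never a reason to force a change under SP 800-63B.
    """
    return compromised


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "abc", "x" * 129]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate[:30]!r:34} -> {', '.join(verdict)}")
    print("reset after 400 days, no breach:", must_reset(False, 400))
```

The check accepts a four-word passphrase and a 128-character string while rejecting "Password", which is why composition rules add nothing: the block list catches the weak candidates that rules were meant to catch, without pushing users toward "P@ssw0rd!" patterns.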

Honestly, as long as you're not reusing passwords and avoid the top 500 most common, you should generally be fine. I think more responsibility should be heaped onto servers for failing to properly store user data.

TheTundraTerror

13:35
“And you’ll be able to sleep easy at night”

I wish. Now I worry about the catastrophic consequences of someone getting access to my master password. Granted 2FA eases that fear slightly, instead making me fear what can happen if my 2FA device is stolen or just breaks.

It never ends.

TheWheatless

Cool story about password max length: I used a bank once which was later acquired by another bank.
During account migration, the maximum length was reduced significantly, so my 32-symbol password no longer worked and I couldn't figure out why for a long time.

etopowertwon

Isn’t the biggest obstacle for password cracking that you can’t just spam a site or login service with millions of passwords without getting shut out? So brute forcing works if you get something offline to work with, but not really on online user accounts. The biggest threat there is someone hacking the site and leaking stuff.

dreammfyre

My passwords are just random excerpts from Uncle Ted's manifesto or Hoppe's books with random numbers and symbols sprinkled throughout

NumeroPerdido

I don't know how zxcvbn copes with emoji, but at least when tested with a relatively short password, adding one or more emoji caused the estimated brute force times to shoot through the roof. I don't know if using emoji is practical at the moment, but at least it would be an interesting option for password-manager-managed logins which allow it.

xard

2^32 would be 4.2 billion, 2^33 would be double that, etc. so 2^53 is much more than billions even with the birthday paradox

retrogameplus
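The arithmetic in the comment above (2^32 vs 2^53, and whether the birthday paradox changes the picture) is the core of the video's "how strong" question, so here is an added example, not from the video or any commenter, that carries it through for uniformly random passwords: entropy for a character-set password and a word-list passphrase, the expected time to find one at a given offline guess rate, and the birthday-bound collision probability. The guess rate and list sizes below are assumed illustrative values; the numbers only hold for random choices, which is exactly why estimators like zxcvbn exist for human-chosen passwords.

```python
"""Entropy, brute-force budget and birthday bound for random passwords (added example)."""
import math


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words each drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one target: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def birthday_collision_probability(bits: float, samples: int) -> float:
    """Probability that any two of `samples` random values from a 2**bits space
    coincide, using the standard approximation 1 - exp(-n(n-1) / (2 * 2**bits)).
    This is the 'birthday paradox' effect: it matters for collisions between
    many users' values, not for guessing one specific user's password."""
    space = 2.0 ** bits
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate against a fast hash (illustrative)
    scenarios = [
        ("8 random printable ASCII chars", charset_entropy_bits(8, 95)),
        ("12 random printable ASCII chars", charset_entropy_bits(12, 95)),
        ("4 words from a 7776-word list", passphrase_entropy_bits(4, 7776)),
        ("6 words from a 7776-word list", passphrase_entropy_bits(6, 7776)),
    ]
    for label, bits in scenarios:
        print(f"{label:34} {bits:6.1f} bits  ~{human_time(expected_seconds_to_crack(bits, RATE))}")
    print("collision chance, 1M samples, 32 bits:", f"{birthday_collision_probability(32, 10**6):.3f}")
    print("collision chance, 1M samples, 53 bits:", f"{birthday_collision_probability(53, 10**6):.2e}")
```

The comparison shows why length beats complexity for random secrets: each extra word from a 7776-word list adds about 12.9 bits, each extra printable-ASCII character about 6.6 bits, and every 10 bits multiplies the attacker's work by roughly a thousand.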

The best password is "incorrect." That way if you type it wrong, most apps and sites will tell you, "The password you entered is incorrect."

r.b.ratieta

My passwords consist of 2 parts: the 1st part is a random string of letters, numbers and symbols that is always the same, and part 2 is again entirely random, but also different for each service I use. I have memorized part one since each of my passwords uses it, but when it comes to part 2 I have them written on a paper. Because my passwords consist of two parts, even if by some miracle my sheet with passwords got somehow stolen, these codes would be useless without part 1, which is only in my memory and nowhere else.

sebotrp

all my friend [REDACTED]'s passwords are just his username spelled backwards... king shit

braiinworms

8:12 One point to make here. This length check will be done on the server before the password is hashed.
The server could take a 100-character password but only hash the first 20 characters.

kmcat
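Two of the server-side pitfalls raised in the comments above, the "%" (or comma) in a password ending up inside SQL or a CSV, and the server that silently hashes only the first N characters, are both fixed by the same storage pattern. Here is an added example, not from the video or any commenter, of a constructed registration/verification routine in which the password itself is never placed in a query (only the username is, as a bound parameter) and the full password goes through the key-derivation function. A `truncate_at` switch reproduces the truncating server on purpose, and `truncates_passwords` is the audit a defender can run against their own login endpoint to detect it. The sample password, iteration count and `__probe__` account name are constructed for the example.

```python
"""Password storage that never interpolates the password and never truncates it (added example)."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed work factor for the example; production PBKDF2-HMAC-SHA256 should
# use a much higher count (OWASP currently suggests 600,000).
ITERATIONS = 100_000


def derive(password: str, salt: bytes, truncate_at: Optional[int] = None) -> bytes:
    """Derive a key from the *whole* password. `truncate_at` deliberately
    reproduces the bug from the comment above (hashing only a prefix)."""
    pw = password.encode("utf-8")
    if truncate_at is not None:
        pw = pw[:truncate_at]  # the defect, kept only to demonstrate the audit
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn


def register(conn, name: str, password: str, truncate_at: Optional[int] = None) -> None:
    salt = os.urandom(16)
    # Only the username and opaque bytes reach SQL, and only as bound parameters,
    # so '%', quotes, commas or semicolons in the password cannot affect the query.
    conn.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)",
                 (name, salt, derive(password, salt, truncate_at)))


def verify(conn, name: str, password: str, truncate_at: Optional[int] = None) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16, truncate_at)  # same cost for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, derive(password, salt, truncate_at))


def truncates_passwords(conn, truncate_at: Optional[int] = None, probe_len: int = 200) -> bool:
    """Audit: register a long password, then log in with one that shares the
    prefix but differs in its last character. A successful login means the
    backend is hashing only a prefix. Use a throwaway account in practice."""
    base = "a" * probe_len
    register(conn, "__probe__", base, truncate_at)
    tampered = base[:-1] + "b"
    return verify(conn, "__probe__", tampered, truncate_at)


if __name__ == "__main__":
    db = open_db()
    awkward = "50% off, it's 'done'; ok"  # constructed: contains %, ', , and ;
    register(db, "alice", awkward)
    print("correct password accepted:", verify(db, "alice", awkward))
    print("one-char change rejected:", not verify(db, "alice", awkward + "!"))
    print("healthy backend truncates?", truncates_passwords(open_db()))
    print("20-char-prefix backend truncates?", truncates_passwords(open_db(), truncate_at=20))
```

If a real service fails the probe, the usual cause is a legacy hash with a fixed input limit (bcrypt stops at 72 bytes, for instance); the standard fix is to either switch to a KDF without that limit or pre-hash the full password with SHA-256 before the limited function, and to reject at registration any password the backend cannot hash in full rather than truncating it silently.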