Stopped Clock Files
-
As in, "Even a stopped clock is right twice a day."
-
Unicode could be very useful in this. He points out that building password controls that measure the Unicode of the password will increase its length significantly and make it much harder to crack.
Wtf does that even mean?
-
He pointed out that according to data he has been collecting, about 30 per cent of users would have a password on a top 10,000 password list
Uh huh.
-
Wise though Atwood's words are
-
He points out that building password controls that measure the Unicode of the password will increase its length significantly and make it much harder to crack.
My password has 3 Unicode, but I heard 3.5 Unicode is the industry standard.
Also, the idea of putting CJK/emoji into password doesn't make much sense. Obviously as someone who uses Latin script you're not going to remember a phrase in Japanese, so you're going to keep it in a password manager. And if you're going to keep it in a password manager anyway, then why not use a longer ASCII password?
-
@Maciejasjmj And let it generate the password for you, as it'll actually be (pseudo)random.
-
@Maciejasjmj Plus it seems to assume that every device you'll use to login has equal capability to type unicode characters.
-
Also:
- Password rules are bullshit
- Enforce a minimum Unicode password length
I don't know about you, but that sounds like a password rule
They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
So just generate another one, duh. Hell, a good password generator will let you ensure your password does have a number and a symbol without compromising the randomness - Keepass certainly has patterns that can be used for that.
The only real bullshit rule is the maximum password length that isn't in the high hundreds. And obviously ones that highlight the underlying problems with the site (disallowing the apostrophe, no case-sensitivity, etc.). Each and every other one can be worked around with a password generator, and helps those without a password generator - even if the user is being dumb and just adds an exclamation mark, it still gives the cracker a couple more possibilities they need to check.
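The policy the thread converges on (a minimum length measured in Unicode code points, a generous maximum, a reject list of the most common passwords, no "must contain a digit/symbol" composition rule, and no choking on characters like `#` or `'`) can be written down as a small checker. This is an added example, not code from the thread or from Discourse; the `COMMON_PASSWORDS` set is a constructed stand-in for the real top-10,000 list the posters mention, and the `MIN_LENGTH`/`MAX_LENGTH` values are assumptions chosen to match the thread's argument.

```python
import unicodedata

# Constructed stand-in for a published "top 10,000 passwords" list.
# A real deployment would load the full list from a file at startup.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "letmein", "1234567890", "iloveyou",
})

MIN_LENGTH = 10     # the minimum the quoted blog post argues for (assumed here)
MAX_LENGTH = 1000   # "in the high hundreds": the only cap the thread accepts


def password_length(pw: str) -> int:
    """Length in Unicode code points after NFC normalisation.

    Counting code points rather than UTF-8 bytes means a CJK or emoji
    password is not over-credited, and NFC means a composed character and
    its decomposed form (e + combining acute) count the same.
    """
    return len(unicodedata.normalize("NFC", pw))


def byte_length(pw: str) -> int:
    """UTF-8 byte count, shown only to contrast with code-point length."""
    return len(pw.encode("utf-8"))


def check_password(pw: str) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable.

    Deliberately no composition rules (digit/symbol required): as the thread
    notes, those penalise users of real random password generators.
    Punctuation such as '#' and the apostrophe is accepted untouched; the
    storage layer must escape, not the policy layer.
    """
    problems = []
    n = password_length(pw)
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} code points, need {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} code points, limit {MAX_LENGTH}")
    # Compare case-insensitively so "Password" is caught as well as "password".
    if unicodedata.normalize("NFC", pw).lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple",
                      "don't#use!this", "日本語のパスワード"):
        print(repr(candidate), password_length(candidate), "code points,",
              byte_length(candidate), "bytes ->", check_password(candidate) or "ok")
```

Note that the CJK sample is nine code points (27 UTF-8 bytes) and so fails the ten-code-point minimum; measuring bytes instead would have let it through, which is the point of counting Unicode characters rather than storage size.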
-
@Maciejasjmj said in Stopped Clock Files:
Keepass certainly has patterns that can be used for that.
As does LastPass.
-
@Maciejasjmj said in Stopped Clock Files:
and just adds an exclamation mark
Hey! I resemble that remark! :P
-
Paging @accalia
Filed Under: My password is https://archive.org/stream/warandpeace030164mbp/warandpeace030164mbp_djvu.txt
-
@sloosecannon With reasonable assumptions for size of alphabet and length of password, you should be able to do something sufficiently secure. After all, 64^32 = 6277101735386680763835789423207666416102355444464034512896
-
My KeePass password is just 8 characters, but thanks to the magic of slow hashing functions, I calculated that it would take at least $100 million USD to crack ;)
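The two back-of-the-envelope claims above (64^32 as a keyspace, and a short password that is nonetheless expensive to crack because the KDF is slow) are the same calculation with different inputs: keyspace, expected guesses, time at a given guess rate, and cost at a given price per compute-hour. This added example (not code from either poster) carries the arithmetic through; the guess rates and the dollar-per-hour price are constructed assumptions for illustration, not measurements, and the slow-hash rate in particular depends entirely on the KDF parameters chosen.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """On average an exhaustive search finds the password halfway through."""
    return keyspace(alphabet_size, length) / 2


def years_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected wall-clock years for a single attacker at the given rate."""
    return expected_guesses(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def crack_cost_dollars(alphabet_size: int, length: int,
                       guesses_per_second: float, dollars_per_hour: float) -> float:
    """Expected spend if compute is rented at `dollars_per_hour` per
    machine delivering `guesses_per_second`; parallelism changes the
    calendar time but not this total."""
    seconds = expected_guesses(alphabet_size, length) / guesses_per_second
    return seconds / 3600 * dollars_per_hour


if __name__ == "__main__":
    # 32 symbols from a 64-symbol alphabet, the figure quoted in the thread
    print("64^32 =", keyspace(64, 32), "=", entropy_bits(64, 32), "bits")

    # 8 printable-ASCII characters (95 symbols) under two ASSUMED guess rates:
    # a fast unsalted hash versus a deliberately slow password KDF.
    fast_rate = 1e10   # assumption: guesses/s against a fast hash
    slow_rate = 1e4    # assumption: guesses/s against a slow KDF
    for label, rate in (("fast hash", fast_rate), ("slow KDF", slow_rate)):
        print(f"95^8, {label}: {years_to_crack(95, 8, rate):.4g} years, "
              f"${crack_cost_dollars(95, 8, rate, dollars_per_hour=1.0):,.0f} "
              f"at an assumed $1/hour")
```

The fast/slow contrast is the whole point of the KeePass joke: the keyspace of eight printable characters is fixed, so the only lever the defender controls is how many guesses per second each unit of attacker hardware can make against the stored hash.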
-
@anonymous234 said in Stopped Clock Files:
My KeePass password is just 8 characters, but thanks to the magic of slow hashing functions, I calculated that it would take at least $100 million USD to crack ;)
BRB, got a Kickstarter to make...
-
-
@Maciejasjmj I'll just sell you the password for $50,000.
-
Only five of the top 25 most-used passwords are over 10 characters, so going into double figures is a smart move and should be enforced by developers.
OK, that wasn't in quotes so he fucking made me go to 's blog post, where he actually said this:
Note that only 5 of the top 25 passwords are 10 characters, so if we require 10 character passwords, we've already reduced our exposure to the most common passwords by 80%.
does he think that means? Ugh...this is just stupid. Appropriately enough.
But do you know what I didn't find in the post? Anything about avoiding '#' characters in your passwords.
https://meta.discourse.org/t/bug-smtp-password-field-does-not-escape-comment-sign-hash/23344
-
@sloosecannon said in Stopped Clock Files:
Paging @accalia
Filed Under: My password is https://archive.org/stream/warandpeace030164mbp/warandpeace030164mbp_djvu.txt
discourse actually accepted that as a password..... but it handled it poorly indeed.
-
@accalia said in Stopped Clock Files:
@sloosecannon said in Stopped Clock Files:
Paging @accalia
Filed Under: My password is https://archive.org/stream/warandpeace030164mbp/warandpeace030164mbp_djvu.txt
discourse actually accepted that as a password..... but it handled it poorly indeed.
Which is probably why he added that :P
-
Just use OpenID
-
@sloosecannon said in Stopped Clock Files:
@accalia said in Stopped Clock Files:
@sloosecannon said in Stopped Clock Files:
Paging @accalia
Filed Under: My password is https://archive.org/stream/warandpeace030164mbp/warandpeace030164mbp_djvu.txt
discourse actually accepted that as a password..... but it handled it poorly indeed.
Which is probably why he added that :P
-
@accalia
I feel like I should be either offended or horrified that you're using the meme pic I pioneered here to refer to Jeff as Senpai.
-
@izzion said in Stopped Clock Files:
@accalia
I feel like I should be either offended or horrified that you're using the meme pic I pioneered here to refer to Jeff as Senpai.
why not both?
cause you should feel both. :-P