Forum menu
Even in the aftermath of the lastpass breach, no security professionals are recommending that you give up on password managers.
They'd also tell you first and foremost to restrict what data is where
50+ sites with sensitive personal data sounds like a *lot* of sites.
Do they really need that data? Do you need them to have that data? Do you need the service they provide?
It could be the answer for all those sites is yes yes yes but if any of them is no removing the data is massively more secure than any password.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
And the complete opposite of what’s considered best practice. Especially the changing them regularly bit.
Weaker, reused passwords are definitely not recommended or good practice.
As for "changing regularly", I didn't say that. But the reason that that practice fell out of favour was because it led to people using terrible passwords.
Kamakazie
Full Member
I don’t get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.Do MFA implementations really allow 2 successful authorisations using the same code just because it’s within a short timeframe?
That would seem to purposefully open it up to this sort of attack which is mad.
A key logger should never be able to get you past MFA
Yes it would normally work because the algorithm for authenticator apps is based on the time and a seed code. An app/site could log and restrict reuse of the code but it's not a standard part of how it works.
This is one of the reasons I prefer to use sms for my 2fa codes.
This is one of the reasons I prefer to use sms for my 2fa codes.
Not sure that would really help - I think a bunch of the sms implementations are based on the same logic - they just send you the code rather than it being calculated on your local device. Still a time window of validity.
Hardware keys are really the way forward, but limited support for them currently.
Aidy
Not sure that would really help – I think a bunch of the sms implementations are based on the same logic – they just send you the code rather than it being calculated on your local device. Still a time window of validity.
Hardware keys are really the way forward, but limited support for them currently
ah yes that's true, it does however protect you from have the seeds leaked as part of your vault
This is one of the reasons I prefer to use sms for my 2fa codes.
Hopefully you arent a good target since sms or rather the phone companies ability to not hand over your number to someone else is notoriously bad.
If someone has keylogged your computer you are screwed since at that level of compromise there is plenty of other options available assuming you are interesting enough to target personally.
As for “changing regularly”, I didn’t say that.
What did you mean by "easily rotated" then?
As for your other points, an overly complex password you can't easily remember is as useful as one written on a bit of paper. I never said it should be weak or used for multiple applications (unless said applications are inconsequential) but 40 characters is way beyond reasonable and just complexity for complexity's sake.
I never said it should be weak or used for multiple applications
Not sure what you meant by "the complete opposite" of "complex" and "non-reused" then.
What did you mean by “easily rotated” then?
... that they can be easily rotated? Easily isn't the same as regularly. I'm not suggesting you're one of them, but there's certainly a *massive* group of people who never change passwords because of the effort involved in devising and remembering a new one, even when they've been recommended to because of data breaches.
40 characters is way beyond reasonable
Sounds ideal, who wants a password that will be reasonable to crack?
Yeah. That's sort of how I got there. As soon as you get to the point where you can't remember all the passwords you need for a reasonable degree of security, why *wouldn't* you have overkill passwords?
Because 18 digits gives you a 6 trillion year cracking time and can be made of three easy to remember words.
Your approach gives you a 300 quindecillion year cracking time (assuming only upper and lower case characters). Great, how is that practically any better than 6 trillion years?
How much easier is it to remember a 3 word passphrase than 6-7 words?
Why do you think a password safe with a single point vulnerability is better than just making it simple to remember but still more than adequately secure?
Fling a random special or numeric character in there and you're sorted.
Cracking time source:
https://www.security.org/how-secure-is-my-password/
I should probably reiterate that I'm not against password managers per-se but I've never come across one that wasn't compromised in some way by either being non-portable or relied on an online database that the user has no control over. My policy was to keep my most critical passwords out of them but then what's left? A few forums and e-commerce sites that hold, at most, my address (I try not to leave open card details that can be used to make purchases by anyone other than me). Well forums are going to tell someone very little if anything so that's not a worry leaving the e-commerce as a plausible if unlikely vector if they can guess how PayPal was funded for a given transaction.
As soon as something better comes along believe me, I'm all for it, I just can't see what that would look like in order to get round all the drawbacks of password managers.
@squirrelking The references used on your reference website are all from 2020 before AI really got going. You may want to have a look at some more recent stuff where the recommendation is now for 18 characters or more. ChatGPT and it's friends can crack certain 16 characters quite quickly. See table Here Edit IF AI can crack things quickly those with access to more computing power can find things trivially easy.
The next big thing is passkeys which I'm struggling to get my head around but appears safer than using SMS 2FA.
Recommendation if you're using pass phrases is now 5 words (up from 4 - don't think it was ever 3), and that's only for randomly selected words. Things which are conceivably sentences or meaningful have significantly less entropy.
ChatGPT and it’s friends can crack certain 16 characters quite quickly. See table Here Edit IF AI can crack things quickly those with access to more computing power can find things trivially easy.
Well a specific bespoke password cracking engine rather than generic LLM. They don't detail what hashing scheme they used when hashing their plaintext passwords, so it could have been quite a low bar (eg MD5sum) rather than something much tougher like Salting with BCrypt which would have taken a lot more effort and a lot longer to crack.
Because 18 digits gives you a 6 trillion year cracking time and can be made of three easy to remember words.
So, the thing is that'll be for a random 18 characters. Words are more predictable for the same string length, and therefore more crackable.
Google reckons most people have a vocabulary of 20k to 35k words. Let's be generous and allow a 40k vocabulary from which you're selecting words (that's pretty generous, given as there will be a lot of words in that list that won't be good candidates). Add your random character, and you're looking at an entropy of about 46 bits.
That's about the same as a 7 character password made up truly randomly. Which is crackable today in 4 seconds.
Now, given as you're doing phrases, and not truly random words, and realistically you're picking from a smaller list, that's significantly less than 46 bits of entropy.
That’s about the same as a 7 character password made up truly randomly. Which is crackable today in 4 seconds.
All depends how it's hashed - no salting, MD5sum, very quick. Salted with a decent hash, still going to take some considerable effort as the salting means you can't use hashing tables.
Plus number of rounds, of salting and re-hashing....
Yes, fair point.
Your approach gives you a 300 quindecillion year cracking time
... today. Do we suppose that computing power is going to go down or up over time?
The fundamental problem is that passwords are a shit solution. You can slice up best practices how you like, but best practice is "something else."
So, the thing is that’ll be for a random 18 characters. Words are more predictable for the same string length, and therefore more crackable.
And I'll just stop you there.
That was three words, unrelated and not really connected unless you're some sort of savant.
Still 6 trillion years.
@cougar yes, today. And I totally agree, passwords and by extension clunky mother****ers that need a stupid manager to administer are a shit solution. I'm still waiting on something better. But in the meantime the best you can do is control who has your data as per always.
I used to use some local program to encrypt a USB key with all my passwords until the author decided to just quit one day and not leave a version up that could still encrypt. Now I have to rely on Last pass? Nah, I'll just keep the least commonly used stuff in the safe and memorise the rest.
Well, we have plenty of "something better" already, it's just that there's pushback.
Microsoft Hello for Windows logins for instance. It sounds counterintuitive but it ties a PIN or biometrics to a physical device. A breach is of no use to anyone unless they lob a brick through your window and piss off with your laptop after bolt-cropping your index finger off.
I used to use some local program to encrypt a USB key with all my passwords until the author decided to just quit one day and not leave a version up that could still encrypt.
TrueCrypt?
And I’ll just stop you there.
That was three words, unrelated and not really connected unless you’re some sort of savant.
Still 6 trillion years.
That's not how it works. In passwords, as for other things, length isn't everything.
40,000^3 is much, much less than 94^18.
And obviously, a really lucky algorithm will get your password in one go 😉
But "Password1!" meets all the complexity requirements!
To take it to an extreme, let's assume I have a one word, 18 character password. That's an obviously smaller set of possible passwords I have to check against than every possible permutation of every valid character.
40,000^3 is much, much less than 94^18.
sure but isn’t the point that a list of words is more readily memorised than a list of characters, so you can have a memorable password that is really very long (I’m thinking of a one man (actually woman) Beckett play I saw. That would have been a hell of a password).
PasswordPasswordPassword is 24 characters, do you think that it would take longer to crack than a 18 character password of complete randomness?
Veering off at a tangent - can you make a password based on Kanji characters? (Bit rhetorical, as I’m aware that the answer is “depends”)
If the attack was "brute force" i.e. just trying all possible variations, and the password had the option of being alphanumeric and with symbols then yes, the longer the passeord the harder to crack. However, if the attack started of with "lets try the old classics password1234, 1234567890, etc. It might get picked up sooner.
PasswordPasswordPassword is 24 characters, do you think that it would take longer to crack than a 18 character password of complete randomness?
Depends how they are attacking it.
Whether they are just using brute force number crunching or working through known patterns of possible words.
Also, by cracking it, they won't necessarily recover "PasswordPasswordPassword" they just need to find another string which when hashed ends up with the same hash as "PasswordPasswordPassword" eg you could be really unlucky and "P@$$w0rd123" could be the first one they try and that hashes to the same thing, so they get it first time...
Whether they are just using brute force number crunching or working through known patterns of possible words.
Assuming that people who are interested in cracking passwords will opt for the stupidest method possible is probably where a lot of people are going wrong.
Why are you all assuming my password is easily guessable or using any compromised phrases?
I mean, yeah those are all idiotic passwords but if that's the best argument you have against my personal methodology then I feel pretty vindicated tbh.
TrueCrypt?
Yup that's the puppy.
^ The rumour was the nsa forced him to add a back door to it. Not sure if it's true but I remember the final commit message was something like "Not Safe Anymore" so it's plausible.
Anyway you can transition to veracrypt
Why are you all assuming my password is easily guessable or using any compromised phrases?
I'm not. I'm trying to explain password entropy and search spaces to you. And failing, obviously.
huh. Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
Good for you. Meanwhile, most other people struggle to remember where they left their car keys when they came home the previous day. It’s why mine have a tracker on. #rollseyes
Having more complex, non-reused, easily rotated, passwords is a better compromise.
And the complete opposite of what’s considered best practice. Especially the changing them regularly bit.
Place I last worked at we used tablets for checking vehicle locations on our site, and to change their locations when the cars were moved, for whatever reason. We had to change the sodding password we’d set up every damned month, for no discernible reason other than ‘security’, when there was no security issue. Everyone set up a simple password and added a digit at the end which changed incrementally. How very secure. /s
Because 18 digits gives you a 6 trillion year cracking time and can be made of three easy to remember words.
Which is all fine and dandy, until you have to set up a password and the site won’t accept a password with that many characters. I frequently use Apple’s ‘use strong password’ facility, but it’s not uncommon to have it refused just because it contravenes some stupid restrictions on character number, or special characters, or some other random bullshit that a company’s IT wonk has determined is ‘best practice’. 😖🤬
this is annoying & whilst IMO all websites should accept Apple’s default password offerings given how popular their service is (it’s just poor website design otherwise!) it is possible to change the format of the generated password to make a particular website happy, just takes a few more clicks & probably is not very obvious if you don’t know you can do it!I frequently use Apple’s ‘use strong password’ facility, but it’s not uncommon to have it refused
Prompted by this thread I took another look at password managers to get fully off lastpass.
I've gone down the KeePassXc route (on windows), with KeePass Android on the phone.
Seems a really nice solution. Can host password DB on your own cloud storage (I'm using Google Drive) so it syncs between devices. Plus additionally, you can use a key file hosted locally on your device(s) so if the cloud DB were ever to be breached the DB would be unreadable without both your master password and the key file.
Form fill integrations with Chrome browser and also in the android apps is good (maybe not as polished as lastpass, but still very usable).
Just posting incase someone finds useful
Also note the ability to host a 1Password DB on own cloud storage seems to have disappeared. I found the 1Password android app extremely clunky when i tried it in the last version.
Someone got fired? Or maybe they never had one.
A cynical person once told me that part of the reason that kind of job exists is so that there is someone to fire when stuff goes wrong.
Also note the ability to host a 1Password DB on own cloud storage seems to have disappeared.
It's only available to legacy users and possibly not at all since 1Password v8 was instituted. TBF it was starting to get a bit clunky towards the end of my use of iCloud hosted 1Pasword DB (I'm now a happy user of the 1Password cloud account nowadays).
it’s not uncommon to have it refused just because it contravenes some stupid restrictions on character number, or special characters, or some other random bullshit that a company’s IT wonk has determined is ‘best practice’.
That's one for the 'disproportionately cross' thread.
"Your password doesn't meet the complexity requirements."
Tell me what they are, I'll meet them.
"Ooh, no, we can't do that, it's a secret."
