Pass-phrase strength

Discussion in 'privacy technology' started by Amanda, Aug 8, 2013.

  1. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yes, but I like having some stuff separate. Probably not as efficient, but working so far. Thanks though.

    PD
     
  2. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    If you're a Windows or Linux user, I recommend checking out Schneier's Password Safe (which I talk about in the section called "Extras" here).

    ...allegedly ;)


    Yeah, I would double-check that against these:

    How much entropy in that password?

    zxcvbn: realistic password strength estimation


    Allegedly. ;)

    In all seriousness though, "no security implications" is a pretty big stretch unless the code is really clean and simple.


    How are you determining all this, might I ask?
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil

  4. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Ah, as I suspected. So it's not a matter of "disk encryption" being somehow weaker than online... you're just making the assumption that an attacker doesn't have access to the website's password database. Pretty bold.
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I never said that. I just pointed out that I'm not required by any protocol to have a super-massive strong password for website management (although it's highly recommended depending on the importance of the website in question). If the attacker has access to the website password database: so what? Most good companies will never store the password in the database directly, so even if an attacker gets his/her hands on the database he/she won't be able to look and see "Oh, so that's the password of this user"; he won't be able to do anything with encrypted passwords. However, it is still possible for the attacker to guess what the password is, and since I don't think he/she will have a super cluster to do so, the time to guess my specific password won't be long enough to do anything to me/my other accounts before the system admins take action, so I'm pretty safe regarding that. And let's say the attacker somehow does get his/her hands on my password, what could happen? Posting stuff to get me banned? Changing my password? :p Since I don't use the same password on two websites I'm not concerned about using relatively weak passwords, because the importance of that website is close to zero (the reason I chose not to use a good password in the 1st place).
     
  6. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Still good, maybe 20 bits less (I obviously didn't use the *actual* phrase, but since it's random gibberish, an equal one):

    PD
     
  7. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Well, yeah, you kind of did, because that's what Haystack essentially assumes. You claimed that "On askfm my password (10 characters, just numbers and lowercase letters) should be hard enough for an online brute-force to crack it on 1.2 Thousand Centuries. If, say, I chose the same password for disk encryption, it would take roughly 30 seconds to crack it."

    The only reason they're guessing centuries for an online password is because they're assuming only a thousand guesses per second. The only way a hacker would be that slow (or slower) is if he were actually trying to brute force on the actual website.

    If he obtained a copy of the site's hashes (which is how virtually all brute force site breaches work), then it would go as fast as the "offline attack" scenarios.

    Wha? Then how do site breaches occur?


    I'm not sure how this is relevant.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I don't know if you noticed, but that is exactly what I was talking about ;)
    I didn't mention database attacks or any other kind of attack.

    Again, I'm not sure if you got it, but I was talking about a case where I don't care at all about the site or my password, that's why I would not use a super secure password in the first place. Of course, this wouldn't happen so easily in cases where I know I can somehow be compromised by some attack because I would use a strong password in such cases.

    By many means. Looking in the password database alone wouldn't affect the users at all. What the attacker might do next wasn't mentioned by me ;)

    Really? You don't?

    I was explicitly talking about the weak password scenario, where if an attack was successful I wouldn't mind if an attacker got his hands on my password, because if I actually cared he wouldn't find any flaws in the password itself.
     
  9. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    There is one for Chrome too.
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
  11. Dick99999

    Dick99999 Registered Member

    Joined:
    Aug 3, 2012
    Posts:
    14
    Location:
    Netherlands
    My passphrase generator SimThrow also provides estimates of the strength of a phrase. Above all, it provides estimates of average recovery times for specific applications and recovery hardware, and for online and off-line recovery (advanced mode only).

    It's interesting to see that if you do the math, passphrases of a typical phrase length, with only lowercase characters, can resist both dictionary and character based brute force attacks.

    I think it's one of the few tools targeted at passphrases and their analysis. For safe generation, the tool (spreadsheet) must be downloaded and executed locally. Use of the generator can be in off-line mode or online (just for true random numbers).
    For testing it can also work online, but without macros. The core capability also works without macros. History, help and explanatory text require macros.

    The generator also covers easy to remember but powerful enforcements of phrases such as suggested by Diceware. With those, a 4-word phrase can be about as strong as a 5-word phrase. This is also shown by the analysis part.

    The advanced mode provides many details about the strength and recovery times.
    An example of standard mode output is:
    The strength of a passphrase depends on its length, the targeted application and the recovery hardware with it's dictionary.
    The current passphrase is: None-None-None-None
    When the phrase is used for WiFi, that phrase can be recovered in for example: 3.1 sec on average!
    When used for single round of SHA512 , the phrase can be recovered in for example: 8.6 sec on average!
    Online logins on sites that do not limit erronous logins, could succeed in for example: 52 min on average!
     
    Last edited: Oct 25, 2013
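A worked version of the arithmetic argued over in posts 7 and 11 (the throttled 1000 guesses/sec online rate versus offline cracking of leaked hashes, and a lowercase word passphrase measured against both a dictionary attack and character brute force), added here as an example. It is not code from the thread, from Haystack or from SimThrow; the offline guess rates are assumed figures chosen for illustration.

```python
import math

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
DICEWARE_WORDS = 7776  # size of the standard Diceware list (6^5)

# Assumed guess rates (constructed for illustration, not measured):
# 1e3/s is the throttled online rate the thread mentions; the offline
# figures are hypothetical rates against a leaked, fast, unsalted hash.
RATES = {
    "online, throttled site": 1e3,
    "offline, one GPU (assumed)": 1e11,
    "offline, large cracking array (assumed)": 1e14,
}

def keyspace(symbols: int, length: int) -> int:
    """Exhaustive search space: `length` positions, each with `symbols` choices."""
    return symbols ** length

def bits(space: int) -> float:
    """Search space expressed as bits of entropy (assuming uniform choice)."""
    return math.log2(space)

def exhaust_seconds(space: int, guesses_per_sec: float) -> float:
    """Time to try every candidate; Haystack-style figures report this worst case."""
    return space / guesses_per_sec

def passphrase_strength_bits(words: int, avg_word_len: int,
                             list_size: int = DICEWARE_WORDS) -> float:
    """Effective strength of a lowercase word passphrase: the weaker of a
    dictionary attack (list_size^words) and character brute force (26^chars)."""
    dictionary = bits(keyspace(list_size, words))
    characters = bits(keyspace(26, words * avg_word_len))
    return min(dictionary, characters)

def report(label: str, space: int) -> None:
    print(f"{label}: {bits(space):.1f} bits")
    for name, rate in RATES.items():
        secs = exhaust_seconds(space, rate)
        print(f"  {name:40s} {secs:10.3g} s  = {secs / SECONDS_PER_CENTURY:.3g} centuries")

if __name__ == "__main__":
    report("10 chars, [a-z0-9] (the askfm example)", keyspace(36, 10))
    report("4 Diceware words", keyspace(DICEWARE_WORDS, 4))
    report("5 Diceware words", keyspace(DICEWARE_WORDS, 5))
    # Five ~5-letter lowercase words: the dictionary attack is the binding limit
    print(f"5 lowercase words: {passphrase_strength_bits(5, 5):.1f} bits effective")
```

The 10-character example comes out at about 1160 centuries at 1000 guesses/sec and about 37 seconds at the assumed 1e14/sec, matching the figures quoted in the thread; the same keyspace is also what a 4-word Diceware phrase gives.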