Is it really better to use a 24 character password that consists of a string of ordinary words and maybe a number and special character to fulfil the requirements of the site in question? Is that preferable to a, for example, 12-word randomly generated password? You might say that the 24-word randomly generated password is better still, but a "computer expert" I spoke to recently says that special characters are not necessary because every extra letter in a password makes it more difficult to guess by a factor of 56. WDYT?
Bigger is better - this has been proven many times. Google is your friend. A 24 digit password - all lower case letters - is much stronger than a 12 digit randomly generated password. Thank you linesmen, thank you ball boys.
Just use a password manager, Lastpass is nice. For master password, use something that is really long, like 50-60+ chars, but is actually really easy to remember, like, Ilovehorsesandponies01132021andponiesandhorsesloveMEEEEE!!! Then as password hint you can go like: [animal phrase into date into animals to me phrase into caps into symbols] which barely reveals anything to others while almost completely telling YOU your password. And ofc since I just explained to you this hint, now it makes a lot more sense to you. But if you make a hint scheme that no one else knows, and someone else sees the hint for the first time, they will be (very) confused. That pass is 59 chars btw, but it's so easy to remember and includes all types of characters (lower case upper case digits special symbols). This is to make sure that if some1 is trying to brute force your password, they have to include ALL 4 types. Otherwise if your pass lacks special symbols like !, then the guy bruteforcing can bruteforce it without having checked special symbols as a character to try, meaning it will take a lot less tries without special symbols included. Ofc, how the guy knows you DON'T have special symbols is another question, but better safe than sorry. And once u pass a certain number of characters you're defended against anything not quantum computers so you should be good (I think?)
In the discussions I've read over time, the string of ordinary words, otherwise a phrase one can remember, is the best choice in that it can be... remembered. Entropy 113.44 Ditto on the PW manager. As for 24 characters: tobeornottobethatisthequ Entropy 49.58 bit ToBeOrNotToBeThatIsTheQu Entropy 60.58 8FzXo4ZXsA5amuW4qEBwAFD Entropy 114.23 bit 8FzXo4ZX$A%a>uW4qEBwA@D Entropy 128.23 bit ò-P}|¤x欱ùäÁ²Ôr'®øx°1f÷ Entropy 174.21 bit Given that other decree, never use the same password for different accounts, the "rememberable" ordinary words thing quickly looses its allure. I have about 35 active accounts for which I depend on a PW manager and they're all 24 character mixed. In my experience, not many sites accept over 24 and certainly not extended ASCII. Although maybe I should get around to checking if any of the more critical sites might have bumped up past 24. That said, the master PW for my manager is the one 32 mixed character (Entropy 151.80 bit) I have to remember.
First, entropy does not equal how hard it is to calculate a password (it kinda does but not exactly) Second, your entropy calculations are wrong. So, with 24 length and 26 chars, entropy of this password tobeornottobethatisthequ would be log2(26^24) then we can use this rule So log2(26^24) = 24 * log2(26) for easier calculation Then using this site https://www.omnicalculator.com/math/log-2 24 * 4.7 = 112.8 (yours says 49.4) ToBeOrNotToBeThatIsTheQu Entropy 60.58 - Is actually 136.8 bits 8FzXo4ZXsA5amuW4qEBwAFD Entropy 114.23 bit - Is actually 136.942 bits (the pass is only 23 length, u missed 1 it seems) https://www.bee-man.us/computer/password_strength.html this is a nice site too btw 8FzXo4ZX$A%a>uW4qEBwA@D Entropy 128.23 bit - Is actually 151.11 bits ò-P}|¤x欱ùäÁ²Ôr'®øx°1f÷ Entropy 174.21 bit - Idk cuz idk what char table you used, we would have to increase to include the chars from there. But the thing is, you could add 1 letter from greek alphabet, 1 from russian alphabet, 1 from english alphabet, 1 from chinese alphabet, 1 from korean, 1 from japanese etc. etc. And then no1 can break your password without including ALL characters that exist (cuz otherwise your pass could include a char from there and then if they don't include ALL chars, they would never guess your password with bruteforcing simply because the chars your password contains are simply not contained in the chars they are trying to use to bruteforce your password, pretty simple right) So I decided to do a practical experiment, I went to change my master password and upon typing non-english letters, it simply does not detect em as typed As you can see, despite having typed letters in non-english language, you need at least 2 letters (uppercase and lowercase) in english to be eligible. However, after typing 10 letters of non-english alphabet and some digits and then aA from english alphabet to satisfy the requirement, it worked. So that means if you use non-english characters, well you're pretty much uncrackable from bruteforce attacks, as you could have included any utf char you want. Now I don't know which format lastpass uses, but let's say utf-8. According to this site https://www.fileformat.info/info/charset/UTF-8/list.htm?start=120832 there are 121 THOUSAND utf-8 chars. You know cuz if you delete ?start=X there appear 1024 chars. Then as you click More you can see each page of 1024 chars. All the way until the last page at 120832. So around 121K chars. I imagine some chars appear as squares because the browser cannot show em. Let's calculate the entropy of that As you can see, entropy of 121 000 is 16.885. Entropy of 95 chars is 6.57. So having to pick between 121 000 chars and 95 chars is not even 3 times as much entropy. Yet obviously when you're bruteforcing, the number of combinations that can be formed with 121 000 chars is sooooooooooooooooooo much more than the number of combinations you can form with 95 chars. So what does this mean? Entropy is almost completely useless when comparing passwords. So let's ACTUALLY calculate a 24 length password with 121 000 chars vs 95 chars. https://www.mathsisfun.com/combinatorics/combinations-permutations.html Order does matter -> Permutation Repetition allowed -> Permutation with Repetition Formula: n ^ r, where n is our char set and r is the length of our password So 95 ^ 24 = 2.9198902e+47 possible combinatoins 121 000 ^ 24 = 9.701723e+121 possible combinations https://www.mathsisfun.com/numbers/scientific-notation.html That is a number SO big that at that point, cracking the encryption itself (AES-256) would prob be easier than the password. So what's the conclusion? Slap a random japanese korean greek chinese and some other random chars and you're good to go. Just make sure you remember them... Likely not even a quantum computer can beat that. 9.701723e+121 as a number is 9701723000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 that's a lot right Also, your 32 mixed chars system is pretty bad, because if you forget it, how are you hint yourself? With a long phrase it's easy to write the hint in such a way that it completely reminds you the password while someone else will have no clue what it means. Also https://www.grc.com/haystack.htm is broken. We type 3 digits. There are 10 total digits. 1 2 3 4 5 6 7 8 9 0 So total amount of possible passwords (Permutations with Repetitions) is 10^3 or 1000. But why does it show 1110? Because apparently there are 11 digits () in the head of the person who wrote the calculator. Same for other characters, like: 62^7 = 3.5216146e+12 possible passwords. Which is equal to 3 521 614 600 000 According to the site however, it's 3 579 345 993 194 Comparison: Correct: 3 521 614 600 000 Site's: 3 579 345 993 194
This is very good informative and useful topic. I been at this thing for years to search for the nearly un determinable series of combos best suited to thwart even the best of em. On a side note. Anyone ever seen the India/Hindu characters? Now there's a letter design that goes way off the charts टेस्टिंग टेस्टिंग 123 - Testing Testing 123
Well, yeah. It was a kinda post. But not the typical kinda sorta post here at Wilders. The entropy metrics were pulled directly from KeePassXCs Password Generator Tool. What now?! I don't think screen shots of all the others is needed... Cheers.
And here is their response: More info here https://github.com/dropbox/zxcvbn https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler https://www.youtube.com/watch?v=vf37jh3dV2I
