• kromem@lemmy.world
    link
    fedilink
    English
    arrow-up
    54
    ·
    1 year ago

    No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:

    Use a password manager

    Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).

    This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.

    Test your ability to be unpredictable

    • shucks@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I got it to a stable 54% by using an

      algorithm

      typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly,

      and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!

    • fosstulate@iusearchlinux.fyi
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.

  • Treczoks@lemm.ee
    link
    fedilink
    English
    arrow-up
    19
    ·
    1 year ago

    Completely useless from many sources where I have to rely on a keyboard for entering passwords.

  • Cosmo@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    ·
    edit-2
    1 year ago

    As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.

    Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with) , it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…

    For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)

    • banneryear1868@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. Ascii emojis are one thing.

        • banneryear1868@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.

          • Cosmo@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…

    • StarDreamer@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)

      In all seriousness, why are people so adverse to using password managers? People are plenty willing to use the browsers built-in “remind my password” instead of a proper password solution such as bitwarden… And they come up with such “hacks” just to avoid using a proper length password.

  • LCP@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    3
    ·
    edit-2
    1 year ago

    I disagree with them.

    1. Emojis do not look the same on all platforms. Let’s take white large square ⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades are grey, and then there’s Microsoft who in its usual infinite wisdom decided it should be purple. large yellow square 🟨 is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.

    This also extends to face emojis. grinning face with big eyes (Emojipedia link) isn’t that easy to tell apart from grinning eyes (Emojipedia link)

    1. Emoji support depends on your device. I’m on Windows 11 22H2 which recently added support for shaking face 🫨. Problem is, Windows’ emoji picker Win + . (period) doesn’t have it. Trying to login on a friends phone that’s still on iOS 15 or Android 12, before shaking face came out? Enjoy manually copy/pasting the emoji from Emojipedia.

    correct horse battery staple on the other hand looks the same on all devices.

  • Arfman@aussie.zone
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Long time ago a friend of mine used a set of key press to generate a smiley face to put in his bios which ended up in a situation where he was not able to type in the same smiley face into the password prompt. I had to teach him to reset his bios battery to get back into the bios.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Security experts don’t actually have to work on corporate IT systems.

      So you’ve set your password to contain a 😇 have you?
      Ok so how are you going to type it on this desktop computer keyboard here…
      Yeah I thought not.

      I’ll just go reset your password shall I?

        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          1 year ago

          I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.

    • Cavemanfreak@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!

      • kratoz29@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        But not all apps, sadly, I just experimented it with Crunchyroll, and saw my dad struggling with a crappy app called Vix yesterday.

  • Agent641@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    5
    ·
    edit-2
    1 year ago

    For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.

    Pick four long words at random. Assign each of these to the four quadrants of the alphabet.

    A-F - Equipment

    G-M - Triumphant

    N-S - Sampling

    U-Z - Fatigued

    Pick one number:

    4

    Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your querty keyboard, move all the way to the right of thst line to select the first symbol there. Thats your unique password thats salted with yo ur personal words and number.

    Facebook = Equipment32:

    Lemmy = Triumphant20{

    Pizza Hut = Sampling36{

    If you want more security for these petty services, use longer words, bigger number, or use some other metric, Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG

    Facebook = Equipment32:B

    Lemmy = Triumphant20{T

    Pizza Hut = Sampling36{R

    Petty services I would consider to be anything that’s not super critical, and is at a higher likelyhood of breaching my shit.

    For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.

    • kpb@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      ·
      1 year ago

      Just come up with one strong password (see https://xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.

      • Marxism-Fennekinism@lemmy.ml
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.

          • Marxism-Fennekinism@lemmy.ml
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            1 year ago

            Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.

            Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.

            Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.

    • adrian783@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      too short, for all that effort just use a sentence with a symbol and a number.

      FacebookCanGoToHell!123 is more secure and easy to remember

      • Agent641@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        2
        ·
        1 year ago

        Youre going to memorize a unique sentence for each service?

        A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorthm to yield unique passwords for each service.

        • Evotech@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          You can also add a standard phrase to all of them that is shared between them all just to make them more complex

          Equipment32:thisismypassword

        • Rubanski@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever

      • banneryear1868@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.

    • splines@reddthat.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.

      • lemmyingly@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.

        So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.

        I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.

        Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.

    • vamputer@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.

      “BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.

      The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)

      EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password’s character space (and they very well should be if friggin’ emojis are), there’s nothing stopping you from doing an entire, punctuated sentence- other than that we’ve been conditioned not to think of a password that way.

      “Skinny Kenny’s friend, Mini Ben, has 20 chins.” That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.

      • scinde@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).

        • ferret@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficult to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars

          • scinde@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.

            True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).

            Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).

            There are also a lot of symbols when you count emojies and the entire Unicode standard.

    • Lupec@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.

  • Dizzy Devil Ducky@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!