No. There’s only one piece of advice that should be given to users in 2023 about how to make their passwords stronger:
Use a password manager
Just use 32 character random alphanumeric passwords that are unique for each site (you can do more like 12-16 characters if you’ll ever need to enter manually).
This is it. Stop trying to create clever passwords that you can remember. You aren’t as uniquely creative as you think and there’s been bodies of research into how the various things people do to create passwords that look secure can reduce the generation space so much that they become considerably easier to crack with an intelligent algorithm.
I got it to a stable 54% by using an
algorithm
typing f or d for consonants and vowels respectively in sentences I thought up, switching languages regularly,
and a stable 56% by just typing randomly and adjusting my patterns based on the colored output, which might have skewed my results. Certainly a very cool tool, I also liked the explanation linked on the page!
How many websites/services don’t support such lengthy passwords these days?
Few, but those that don’t you can just shorten the length generated.
Just use a password manager, goddamn.
But only save emojis in it lol
Two of my colleagues still use locally stored plaintext for individual work credentials, despite having been shown where the password manager is. Both have accessed their files in front of me. If it’s not in those files it’s saved in the browser (because convenience is a hell of a drug). Now you start to see why discrete managers have a hard time, even amongst technology workers.
Yeah, you can lead a horse to water, and whatnot.
Completely useless from many sources where I have to rely on a keyboard for entering passwords.
Most modern OSes feature emoji pickers though
Mac os and windows? I haven’t seen it on my Mac but maybe on windows? Those are pretty modern. I haven’t seen it in Linux either now that I think of it.
win+. will bring it up in windows
there is a “Characters” app in Gnome that lets you pick emojis
Yup, macOS has one too.
Ctrl + ; should bring up an emoji picker in Linux when you have focused a text field
What part of the word “Keyboard” did you not understand?
Idk, mine can. https://docs.qmk.fm/#/feature_unicode
As it said in the document: With a little help from your OS. So I want to log into lemm.ee from another persons computer. I do have not my own keyboard, I neither have my additional drivers or extensions or whatever. Oops. No login.
As a software developer who has worked with a lot of symbols and emoji… PLEASE DON’T DO THIS.
Software doesn’t all handle these symbols the same way, and without tech knowledge (or even with) , it’s very possible to not be able to log in easily. I’m kinda drunk rn, but I’ll try to explain as simply as I can…
For example… skintone emojis are actually two characters, a face and a skin tone modifier. I think those ones are always two characters but some of these “multi-char” characters can be normalized into a single character. But not everyone handles this the same way. For example, Safari might normalize the emoji, but Firefox might treat it as two separate characters… And this would probably make your password not match. But basically… text has lots of edge cases; I’d advise to use normal passwords please (also maybe a password manager)
Was gonna say… you’re relying on the consistency of external emoji handlers that you don’t control. Ascii emojis are one thing.
Is my explaintion ok? The hard kombucha was… harder than I anticipated
It was pretty normal lol. Basically everything between the visual of an emoji and what “text” is entered is not in your control. So it’s great for security but not in practice as a password. What brand was the kombucha I want some.
I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…
Thanks for the feedback! I’ll be sure to use non-printing characters instead of emojis for my passwords! (They can’t guess it if it’s invisible right?)
In all seriousness, why are people so adverse to using password managers? People are plenty willing to use the browsers built-in “remind my password” instead of a proper password solution such as bitwarden… And they come up with such “hacks” just to avoid using a proper length password.
I disagree with them.
- Emojis do not look the same on all platforms. Let’s take
white large square⬜ for example. Emojipedia shows what that emoji looks like on 26 different vendors. Some are pure white, some are shades are grey, and then there’s Microsoft who in its usual infinite wisdom decided it should be purple.large yellow square🟨 is a tossup between actually yellow and orange. This issue is also exacerbated with different displays displaying colours differently. Factors such as color accuracy, viewing angle, brightness affect how you perceive colour.
This also extends to face emojis.
grinning face with big eyes(Emojipedia link) isn’t that easy to tell apart fromgrinning eyes(Emojipedia link)- Emoji support depends on your device. I’m on Windows 11 22H2 which recently added support for
shaking face🫨. Problem is, Windows’ emoji pickerWin+.(period) doesn’t have it. Trying to login on a friends phone that’s still on iOS 15 or Android 12, beforeshaking facecame out? Enjoy manually copy/pasting the emoji from Emojipedia.
correct horse battery staple on the other hand looks the same on all devices.
- Emojis do not look the same on all platforms. Let’s take
Long time ago a friend of mine used a set of key press to generate a smiley face to put in his bios which ended up in a situation where he was not able to type in the same smiley face into the password prompt. I had to teach him to reset his bios battery to get back into the bios.
You’re a good friend
Until you get to a prompt that doesn’t support unicode.
Security expert reveals surprising way to induce headaches
Security experts don’t actually have to work on corporate IT systems.
So you’ve set your password to contain a 😇 have you?
Ok so how are you going to type it on this desktop computer keyboard here…
Yeah I thought not.I’ll just go reset your password shall I?
win+.(works on kde too afaik…?)I’ll let you be in charge of teaching them that. I literally had to talk someone through how to type an exclamation mark today, I don’t think they’re going to handle the extended Unicode character set.
Good luck logging in a Smart TV.
Security Experts probably don’t log into smart tvs all that often. Just a guess.
All the apps I’ve used recently use QR codes (or similar measures, like a sync code) that has you log in from the phone, so it should work anyway!
But not all apps, sadly, I just experimented it with Crunchyroll, and saw my dad struggling with a crappy app called Vix yesterday.
For petty services where you don’t want to have to break out the password manager, try making your own mental salted hash.
Pick four long words at random. Assign each of these to the four quadrants of the alphabet.
A-F - Equipment
G-M - Triumphant
N-S - Sampling
U-Z - Fatigued
Pick one number:
4
Now, take the first letter of the service that the password is for, and that selects your quadrant word. Take the number of letters in the service and multiply it against your number. Take the last letter of the service, and on your querty keyboard, move all the way to the right of thst line to select the first symbol there. Thats your unique password thats salted with yo ur personal words and number.
Facebook = Equipment32:
Lemmy = Triumphant20{
Pizza Hut = Sampling36{
If you want more security for these petty services, use longer words, bigger number, or use some other metric, Tweak the algorithm to make it unique to you. Maybe capitalize a middle letter in your salt word based on the length of the service name. Maybe add the first letter of the colour of the service logo to the password, EG
Facebook = Equipment32:B
Lemmy = Triumphant20{T
Pizza Hut = Sampling36{R
Petty services I would consider to be anything that’s not super critical, and is at a higher likelyhood of breaching my shit.
For banks, primary emails, or government services, use a more complex algorithm or a random string of chars from your password manager.
Just come up with one strong password (see https://xkcd.com/936/) for your password manager and use randomly generated passwords for everything else. There’s no reason to manually compute a hash every time you sign up for a service.
Also, for a non-remembering solution, use a security key with your password manager, the kind that plugs into USB and you have to tap a button to authenticate. Then you can generate a true random password and store it somewhere safe as a backup, and mainly use the key for day to day.
what about when you’re on your phone?
Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)
Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.
Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.
Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.
too short, for all that effort just use a sentence with a symbol and a number.
FacebookCanGoToHell!123 is more secure and easy to remember
Youre going to memorize a unique sentence for each service?
A method like this allows you to memorize only 4 words of arbitrary length, a number, and a simple algorthm to yield unique passwords for each service.
You can also add a standard phrase to all of them that is shared between them all just to make them more complex
Equipment32:thisismypassword
yes, it is what I do now. there was a time when people memorized 10, 15 phone numbers.
Also you can’t really “forget” a password, because it’s connected to the name of the site. Very clever
Yeah putting the name of the service in the passphrase is actually pretty secure, unless the rest of the password is like “thisisapasswordforFACEBOOK” cause then one password gets leaked and the rest can be inferred.
The problem with using hash schemes like this is that when your password is leaked you can’t easily rotate the password.
Not to mention if you suddenly developed amnesia or dementia
This is what got me using a password manager. I didn’t want to trust a password manager because it felt like they would be highly targeted and one vulnerability would reveal everything. And let’s be honest they still are the same.
So I had my own scheme for generating passwords. I made myself a script that I could use on my phone and PC. It worked beautifully and effortlessly until occasionally a service would force me to choose a new password. When this started happening I made a new scheme for generating passwords and made a new script. When it first happened it was still reasonably easy because there was only one service I had to use the alternative. It started to become more difficult the more services asked for a new password.
I used my own system for several years until I had enough with trying to remember which services used the alternative scheme and wondered when I’d have to make a third scheme. And if I did then the mental complexity would significantly increase.
Interestingly only a couple of services publicly announced they had been hacked and none of my passwords have ever appeared on haveibeenpwned. So I wonder why these services asked for a new password and if they had been attacked why they chose not to announce it.
Terrible idea, good luck logging in on desktop.
xkcd still has the best approach to this; four random common words
Password database
I like doing entire phrases with some rhymes thrown in. Makes it easier to remember them.
“BonyTonyMoansHe’sOnlyGrownLonely” has a shitload of characters, and a full sentence (even a nonsensical one like that) is more memorable to me than a random handful of disparate words.
The more ridiculous, the better. (And, naturally, don’t forget your numbers and symbols)
EDIT: Actually, no idea why I made it all one group of words. So long as spaces are in the password’s character space (and they very well should be if friggin’ emojis are), there’s nothing stopping you from doing an entire, punctuated sentence- other than that we’ve been conditioned not to think of a password that way.
“Skinny Kenny’s friend, Mini Ben, has 20 chins.” That should be a fully-acceptable password with 46 characters (48 if you add the quotes), capital letters, numbers, and special characters.
You can’t compare a 46 random character password to a password composed out of words, the entropy of each is very different. Your kind of password is vulnerable to dictionary attacks which are way more common and easy than brute forcing every possibility. A 50+ characters unique random password for each service that is stored in a password manager which is encrypted with a 20+ characters random password is the most secure and future proof (for now).
Dictionary attacks aren’t some magic bullet. There are a lot of english words and just four of them IS comparable in cracking difficult to a standard 8-char password that is as random as you can make it. There are a lot more words than there are symbols. Four words is obviously not as good as 46 totally random chars
Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.
True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).
Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).
There are also a lot of symbols when you count emojies and the entire Unicode standard.
I love it, Bitwarden has supported generating passphrase style passwords for a while and it’s basically that. It’s my go-to these days.
Just use longer passwords?
I’d rather staple my forehead to a telephone pole before I ever think about using an emoji in a password. Those things are abominations!
💯🐴🔋(umm, staple)
