"I don't know."
Simple as that. The human brain was not built to store 30 arbitrary characters for each and every account I own. I have a password manager to do stuff for me.
On that note, I want to recommend offline password managers, because who guarantees that your passwords are stored securely in the cloud? I use KeePassX ;)
#Encrypted file on an #encrypted USB
Also, a random character hash is easier to crack than something like 3 random words (as the latest security post on hutsix.io says).
random character hash is easier to crack
Do you have a link for that? Because I found, in fact, a blog article on said site which states the opposite: Higher entropy = more secure password (link). Using words in your password yields lower entropy (because of letter occurrence in natural language) and, additionally, allows attackers to use dictionary attacks and find your password a lot faster versus using something random... So instead of using 30 characters of words, you should use 30 characters of random hash, as you will achieve a higher entropy that way.
If you have to remember a password (and there is no way to use a password manager), writing out a sentence as a passphrase might be a good start to achieve a long password with better entropy; however, I recommend at least jumbling in another natural language. Most dictionary attacks can do common replacements, like a -> @; however, they usually can only handle a set number of languages. I like to do English/German/Japanese combinations. That's something an attacker has a hard time working out (since that combination is not very common), it makes letter prediction worthless and it opens up a lot more possible words to test against. For example Today'sTenkiissehrnicedesuyo! (which has an entropy of ca. 80 to over 100, depending on the character set used, which is quite strong! If you need more, why not use unicode characters directly? Just use the Kanji or Cyrillic alphabet).
Marco Alka Unfortunately I have been able to find it. :/ Apologies.
Hipkiss thought so^^ Did you know that many (if not most) problems in IT security stem from correct advice which is misinterpreted? You are not alone, a lot of professionals get it wrong! I study that stuff, so for me, things might be clear. However, I think that the article I linked above is not written in a manner which is easy to understand.
Imho, security should be easy, available, automatic and user friendly. It's hard to achieve, but it's what that sector is in dire need of!
Found it: quora.com/Which-are-more-secure-multi-word-passwo…
So a slight misunderstanding on my part.
Definitely the most important thing is entropy, then # of possibilities. People way over-complicate this. I agree with this statement:
The maths and philosophy web comic XKCD brilliantly explains that the password “CorrectHorseBatteryStable” is far more secure than “Tr0ub4dor&3”. This is because password security is based on entropy, a measure of randomness, and for every extra character you add the number of combinations increases exponentially.
BUT... CorrectHorseBatteryStable is also a terrible password. The reason being, entropy is not applied across the entire landscape of the password. "Correct" is not random, "Horse" is not random, "Battery" is not random, and "Stable" is also not random. They are all words in an English dictionary and in fact the only thing random here is the order of the words. The most important thing in any cryptosystem or password like this is that the inputs must be TRULY RANDOM. So the entropy here is essentially a factor of 4 when it could be a factor of 25 (the # of chars). That said, I think "Tr0ub4dor&3" is a terrible password as well.
I've heard a lot about making sensible passwords that people "will actually remember without writing on a sticky note." And to that I say "Well, I have the ability to remember a few truly random passwords... So if you don't, sucks for you." Because I'm not sacrificing my password strength for that.
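The entropy arithmetic the thread argues over (a random-character string versus a passphrase of dictionary words, and why counting the letters of dictionary words overstates their strength), as an added worked example in Python that is not code from any of the posters. The word-list sizes (2048 as in the XKCD comic, 7776 for a Diceware-style list) and the guess rate are assumptions.

```python
import math


def bits(choices: int) -> float:
    """Entropy in bits of one value drawn uniformly from `choices` equally likely options."""
    return math.log2(choices)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Random string: every position is an independent uniform draw from the alphabet."""
    return length * bits(alphabet_size)


def word_passphrase_bits(dictionary_size: int, words: int) -> float:
    """Random word passphrase: each word is a uniform draw from the word list.
    An attacker guesses whole words, so the letters inside a word add nothing."""
    return words * bits(dictionary_size)


def naive_char_bits(passphrase: str, alphabet_size: int = 26) -> float:
    """The overestimate you get by treating each letter of a dictionary-word
    passphrase as if it were an independent random character."""
    return len(passphrase) * bits(alphabet_size)


def crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the key space at a given guess rate."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def comparison(guesses_per_second: float = 1e10) -> dict:
    """Schemes discussed in the thread -> (bits, expected crack time in seconds).
    The 1e10 guesses/s rate and the word-list sizes are assumed values."""
    schemes = {
        "4 words from a 2048-word list (XKCD)": word_passphrase_bits(2048, 4),
        "4 words from a 7776-word Diceware list": word_passphrase_bits(7776, 4),
        "CorrectHorseBatteryStable counted letter by letter (wrong)":
            naive_char_bits("CorrectHorseBatteryStable"),
        "25 random letters a-z": random_string_bits(26, 25),
        "30 random printable ASCII characters": random_string_bits(95, 30),
    }
    return {name: (round(b, 1), crack_seconds(b, guesses_per_second))
            for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (b, secs) in comparison().items():
        print(f"{b:7.1f} bits  {secs:12.3g} s  {name}")
```

The letter-by-letter figure is the one that makes a four-word passphrase look stronger than it is; the word-level figure is what a dictionary-based attacker actually faces.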