this post was submitted on 03 Nov 2023
297 points (87.2% liked)

Technology
[–] Ertebolle@kbin.social 46 points 10 months ago (38 children)

xkcd still has the best approach to this; four random common words

[–] ammonium@lemmy.world 10 points 10 months ago (2 children)

Four words is too low these days to protect against GPU brute-forcing

[–] elbarto777@lemmy.world 5 points 10 months ago* (last edited 10 months ago) (1 children)

Got a source on that?

Edit: plus brute-forcing is just one scenario. I think the xkcd comic refers to using passwords in online services, and those usually have some sort of rate limiting.

[–] ammonium@lemmy.world 8 points 10 months ago (1 children)

https://thesecurityfactory.be/password-cracking-speed/

8-character a-zA-Z is 45 bits of entropy (log2(56^8)), about the same as the XKCD password if you take from a 2048-word list. That's crackable in a minute on AWS.

Password hashes get frequently stolen, don't rely on rate limiting if it's something you really care about.

Here are the diceware recommendations on the number of words: https://theworld.com/%7Ereinhold/dicewarefaq.html#howlong

[–] elbarto777@lemmy.world 3 points 10 months ago (1 children)

Sure, but the average English speaker knows way more than 2048 words. Let's not forget about case sensitivity, made-up or "inside joke" words, names, and specific industry vocabulary.

[–] ammonium@lemmy.world 6 points 10 months ago (1 children)

Even if you take four words of a 30000-word list (quick Google says that's the number of words an average person knows), that's still fewer bits of entropy than a 5-word diceware password (7776-word list). People are also really bad at randomness, so your own string of random words is likely going to be much worse.

[–] elbarto777@lemmy.world 3 points 10 months ago (2 children)

Thanks for the explanation. What's diceware?

[–] poopkins@lemmy.world 4 points 10 months ago (1 children)

It's the concept of literally using a die to choose with randomness (humans are terrible at trying to be random); a link with details is in a previous comment.
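
Added example, not part of the thread or of any commenter's code: the entropy comparisons made above (8 mixed-case letters, 4 words from a 2048-word list, 4 words from a 30000-word vocabulary, 5 or 6 diceware words) worked through in Python, plus a diceware-style picker that replaces the physical dice with the OS CSPRNG. a-zA-Z is 52 symbols, so 8 of them come to about 45.6 bits, which is the "45 bits" quoted above. The pool sizes are the ones the comments use; the 1e10 guesses-per-second rate and the placeholder word list are assumptions made for the example and should be swapped for your own hash-rate figure and a real 7776-entry diceware list.

```python
import math
import secrets

# Pool sizes quoted in the comments above.
XKCD_LIST = 2048         # word list size the comic is usually read as assuming
DICEWARE_LIST = 7776     # 6**5: five dice rolls select one word
VOCABULARY = 30000       # the "average person's vocabulary" figure quoted above
MIXED_CASE_LETTERS = 52  # a-z plus A-Z


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` symbols.

    Only valid when the picks really are uniform (dice, a CSPRNG); words a
    human "thinks up" are far from uniform and get much less than this."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 symbols and at least 1 pick")
    return length * math.log2(pool_size)


def words_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of uniform picks from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit keyspace at the
    given guess rate; the expected time to hit a particular one is half this."""
    return 2.0 ** bits / guesses_per_second


def rolls_to_index(rolls: str) -> int:
    """Map a string of dice rolls such as '12345' to a 0-based word-list index,
    the way a printed diceware list is numbered: '11111' -> 0, '66666' -> 7775."""
    if not rolls or any(r not in "123456" for r in rolls):
        raise ValueError("rolls must be one or more digits 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (int(r) - 1)  # base-6 digit, dice faces 1..6 -> 0..5
    return index


def roll_dice(count: int = 5) -> str:
    """Roll `count` dice using the OS CSPRNG in place of physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def diceware_passphrase(wordlist, words: int = 5) -> str:
    """Build a passphrase: five dice per word, look the roll up in the list."""
    if len(wordlist) != DICEWARE_LIST:
        raise ValueError("a diceware list needs exactly 7776 entries")
    return " ".join(wordlist[rolls_to_index(roll_dice(5))] for _ in range(words))


# Constructed placeholder standing in for a real 7776-word diceware list.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(DICEWARE_LIST)]


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate (guesses/s); substitute your own figure
    for label, pool, n in [
        ("8 chars a-zA-Z", MIXED_CASE_LETTERS, 8),
        ("4 words, 2048-word list", XKCD_LIST, 4),
        ("4 words, 30000-word vocabulary", VOCABULARY, 4),
        ("5 words, diceware", DICEWARE_LIST, 5),
        ("6 words, diceware", DICEWARE_LIST, 6),
    ]:
        bits = entropy_bits(pool, n)
        years = seconds_to_exhaust(bits, rate) / (365.25 * 86400)
        print(f"{label:32s} {bits:5.1f} bits  {years:10.2e} years at {rate:.0e}/s")
    print("words for 64 bits from a 7776-word list:", words_needed(64, DICEWARE_LIST))
    print("example passphrase:", diceware_passphrase(PLACEHOLDER_WORDS, 5))
```

The rate constant is the only knob that turns the entropy figures into the "crackable in a minute" style claims above; the entropy numbers themselves do not depend on it, which is why the 5-word diceware case comes out ahead of four words from a 30000-word vocabulary regardless of hardware.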

[–] elbarto777@lemmy.world 1 points 10 months ago
[–] lolcatnip@reddthat.com 1 points 10 months ago

That only works if someone already has access to a system's password database.
