base64 for an easy & strong encrypted key-pass.

[RU55EL]

https://howsecureismypassword.net/

Nice site!

Apparently, the password "howsecureismypassword" would take 410 billion years to crack and it's really easy to remember — there's a lesson there for us all, I think

It is even better at https://www.betterbuys.com/estimating-p ... ing-times/

results for "howsecureismypassword"

∞

INFINITI

Yep, you can't take those password checkers too seriously. We have brains, it's good to use them every so often...

[debiman]

what seems difficult to hack for humans, is easy for machines.

i don't know why this is so difficult to understand?
base64 encoding looks tricky to human eyes, but is a simple standard mechanism available on all computers. a good (*) password cracking program should take these into account.
the fashionable "leet" = "1337" replacements are an even more blatant example.

beside plain dictionary words, the above website does not take any of this into account.

fwiw, i'm not using dictionary words anymore. I use only random passwords, as long as possible (40 characters - but not all login services allow such length).
My password manager is secured with 2-factor authentication.
The password part is a gibberish word that is pronouncable enough to remember it, plus some extra chars.

(*) i'm playing devil's advocate here

[bester69]

what seems difficult to hack for humans, is easy for machines.

i don't know why this is so difficult to understand?
base64 encoding looks tricky to human eyes, but is a simple standard mechanism available on all computers. a good (*) password cracking program should take these into account.
the fashionable "leet" = "1337" replacements are an even more blatant example.

beside plain dictionary words, the above website does not take any of this into account.

fwiw, i'm not using dictionary words anymore. I use only random passwords, as long as possible (40 characters - but not all login services allow such length).
My password manager is secured with 2-factor authentication.
The password part is a gibberish word that is pronouncable enough to remember it, plus some extra chars.

(*) i'm playing devil's advocate here

You are very confuse and very wrong if using 40 characters word, In 2019 at
today's date, any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters, and it would take them several years in the best of the cases. But If you dont understand that, go to a any mathematics and ask them about the minimun unbreakable length of characters for todays CPU's.

You dont need a 40 chars word, its enought with o one between 8 or 10 characters. You arent very good at mathematics, arent you?

[sunrat]

I'll play devil's advocate's sidekick. You don't really need an unbreakable password to hide your pr0n collection.

[debiman]

You are very confuse and very wrong if using 40 characters word, In 2019 at
today's date, any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters, and it would take them several years in the best of the cases. But If you dont understand that, go to a any mathematics and ask them about the minimun unbreakable length of characters for todays CPU's.

You dont need a 40 chars word, its enought with o one between 8 or 10 characters. You arent very good at mathematics, arent you?

i don't know where you are getting these alternative facts from (please do share some links) but i think it's plain to understand that a longer password is harder to crack, duh.
also i don't use "words", but completely randomised passwords, which i do not remember in my head. maybe you need to re-read my last post.
also last time i looked it was still 2018. maybe in besterland the clocks are running faster?

[kopper]

any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters

They might seem unbreakable when you don't consider various facts, like people choosing their passwords themselves rarely use the whole key space when doing so. Even when big key space is supported, people still usually pick something simpler if complexity is not enforced by other means. Unless you're not trying to target an individual account with strong password, various cracking methods can be quite effective. Best way to ensure you're not among the easy targets is to refer to the hundreds of best practices documented online. Like the ones already mentioned in this thread.

You're not defining new paradigm here by stating that 8-10 character password is adequate for all purposes, with every hash algorithm, with or without salting. Frankly, I think you're naive to think that 8-10 characters is future proof with conventional computing hardware, let alone quantum computers which I believe you have even less insight than cryptography.

You are pulling facts from you rear to support a broken idea of re-inventing something (password salting) which is already properly done elsewhere.

[bester69]

any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters

They might seem unbreakable when you don't consider various facts, like people choosing their passwords themselves rarely use the whole key space when doing so. Even when big key space is supported, people still usually pick something simpler if complexity is not enforced by other means. Unless you're not trying to target an individual account with strong password, various cracking methods can be quite effective. Best way to ensure you're not among the easy targets is to refer to the hundreds of best practices documented online. Like the ones already mentioned in this thread.

You're not defining new paradigm here by stating that 8-10 character password is adequate for all purposes, with every hash algorithm, with or without salting. Frankly, I think you're naive to think that 8-10 characters is future proof with conventional computing hardware, let alone quantum computers which I believe you have even less insight than cryptography.

You are pulling facts from you rear to support a broken idea of re-inventing something (password salting) which is already properly done elsewhere.

Ive studied a litle bit, and any strong word with a >= 8 characters cant be decoded with nowadays home's CPUs, debiman is freaking by chosing a 40 characters word, perhaps in five years we will need to increasee that to a >= than 9 characters.

As for quantum computers, forget about that technology, You wont see it in this life (only NASA). It wont be available for home users before One or two hundred years long. I see more chances to contact aliens before that.


As for the topic, I see my purpose, a good, easy to remember and trusted strategy using bas64 + Obscurity.
Ejmp.: dog >> base64(dog) = ua/SnqhgwS >> Obscurity(ua/SnqhgwS=) = u€a/SnqhgwS€=

In my opinion cant be decoded without the Obscurity-algorithm, and you can't decode the algorithm without know it. Its a perfect and easy way to use simple words like "dog, yellow, monday, etc" as passwords, without any possibility to be broken.

[debiman]

Even when big key space is supported, people still usually pick something simpler if complexity is not enforced by other means.

a.k.a dictionary words.

Unless you're not trying to target an individual account with strong password, various cracking methods can be quite effective.

this.

You are pulling facts from you rear to support a broken idea of re-inventing something (password salting) which is already properly done elsewhere.

reinventing indeed:

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. (...) The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

[RU55EL]

[...] In 2019 at
today's date, any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters, and it would take them several years in the best of the cases. [...]

[BS mode ON]

Hmmm...

"password"

perfect...eight digits...totally uncrackable...

[BS mode OFF]

I wonder how long it would take john the ripper to crack "password"?

How did they crack the enigma machine?

[bester69]

[...] In 2019 at
today's date, any full ASCII word with just a lenth >=8 characters is unbreakable unless there are several supercomputers working in that brute attack decoding. There is no regular home computer in world able to break a full ASCII word of just 8 characters, and it would take them several years in the best of the cases. [...]

[BS mode ON]

Hmmm...

"password"

perfect...eight digits...totally uncrackable...

[BS mode OFF]

I wonder how long it would take john the ripper to crack "password"?

How did they crack the enigma machine?

read deeply, we're talking about a strong 8 ASCII characters, this kind of password:

[RU55EL]

[...] read deeply, we're talking about a strong 8 ASCII characters[...]

What makes an ASCII character strong 8?

What makes the letters p, a ,s, w, o, r, and d less strong than K, m, f, t, or the number 6, or #, ], }?

I prefer large password with arbitrary numbers, letters and punctuation, it is easy for me to use a 40 digit password. The computer does all the work...that is what password managers are for. (Like KeePassX)

[debiman]

it is easy for me to use a 40 digit password. The computer does all the work...that is what password managers are for. (Like KeePassX)

this.

there's numerous examples in the computer world where somebody said derisevely "we will never ever need more than 12 characters for filenames" or "more than 4 billion IP addresses? you must be mad!" - only to be the one laughed at a few years (ok make that decades) later...

...

according to this it will take 2 days (maximum; i tried 5 different ones) to crack a complete random 8 char password including the full range of ASCII characters.
adding one unicode character (like £ or €) raises that to 2 million years.
i'm not sure how the javascript behind the site works; it can't be all that accurate, but just assuming it's correct:
it says "a computer" - what does that mean?
how long would it take "a supercomputer"?
how long would it take "malware deployed on 10000 home computers"?

is there a better site to test passwords? this one seems to think the opposite: adding unicode chars decreases password strength...

makes me think those online teszting tools are crap in any case...

[kopper]

In my opinion cant be decoded without the Obscurity-algorithm, and you can't decode the algorithm without know it.

Keyword here is knowing. You can't implement it anywhere but on your own limited stuff without people finding out how it works exactly. If you use this only yourself, then why not rely on password generators included in various software like Keepass which it seems you are already using. Get the same result, with zero effort. I can't wrap my head around your logic.

It's not about opinion. Obscuring code only slows the first attempts to find out how it works. After that, it's meaningless. Truly secure algorithms provide protection even if you know the internals.

As for quantum computers, forget about that technology, You wont see it in this life (only NASA).

This is something that cannot be reliably determined. Everyone, especially those not participating quantum computing research can believe what they want. But if NASA will get it, so will the US government. And probably other nations, for example China, can get it working even faster. So by your estimation, people whose threat model includes nation state will get their pants soiled during our life time.

I feel like I've swallowed a huge bait on this whole thread, so maybe this should be my last contribution.

[bester69]

..... then why not rely on password generators included in various software like Keepass which it seems you are already using. Get the same result, with zero effort. I can't wrap my head around your logic.
....

Because My purposed idea was to get secure passwords we can always remember.. so we dont have to need available a password manager with a dangerous master key for it.

Imagine you're out and need to get access to some document/application you encrypted.. And you cant run keepassx in the cloud, or you dont have the master key to open an accesible KeepassX module. That's the idea.. we will use easy recordable passwords such as (monday, cat, yellow, 1980, stretch, etc) for each one of our encrypted accounts/documents... As we're using an only knowed obscutity-algorithm + base64 enconding, we can open a browser tab an apply base64 to our simple word (monday, cat, yellow, 1980, stretch, etc) plus our algorithm to compose the secure password and get access to our encrypted account. that's my whole Great idea!! EASY PEACE!

[RU55EL]

Because My purposed idea was to get secure passwords we can always remember.. so we dont have to need available a password manager with a dangerous master key for it. [...]

I don't use a password manager for my bank accounts or email. I have no problem remembering several 25 digit passwords of arbitrary numbers, letters, and punctuation to access these accounts. It is good to use your brain as well as your computer. There is no reason that you can't remember good passwords if you put in a little effort.

[debiman]

I have no problem remembering several 25 digit passwords of arbitrary numbers, letters, and punctuation to access these accounts. It is good to use your brain as well as your computer. There is no reason that you can't remember good passwords if you put in a little effort.

arbitrary?
it is adorable that you are able to do this, but i think it has very little to do with effort, and more with some sort of genetic disposition.

[bester69]

Because My purposed idea was to get secure passwords we can always remember.. so we dont have to need available a password manager with a dangerous master key for it. [...]

I don't use a password manager for my bank accounts or email. I have no problem remembering several 25 digit passwords of arbitrary numbers, letters, and punctuation to access these accounts. It is good to use your brain as well as your computer. There is no reason that you can't remember good passwords if you put in a little effort.

hehehe And then, One day, Ups!!, Your forgot that key you thought wou would never forget.. I have six or eight different passwords in my mind I always use sometime combined with a two steps SMS authentification, but they are all of them easily recordable, not 25 digit passwords.. take care with that.. I recently forgot my whole life 4 number digits account bank,, It was really creepy, suddenly I was using my credit card, so I had forgotten the number i was using for years, insiting with the movil PIN, It got locked. It took me two days or so to recover my mind of that extrange lapsus. perhaps It have to be with drinking so much on some weekends.

[RU55EL]

I have no problem remembering several 25 digit passwords of arbitrary numbers, letters, and punctuation to access these accounts. It is good to use your brain as well as your computer. There is no reason that you can't remember good passwords if you put in a little effort.

arbitrary?
it is adorable that you are able to do this, but i think it has very little to do with effort, and more with some sort of genetic disposition.

Can you remember your old phone number from years ago? Or your previous address. No special genetic disposition required.

All it takes is a little effort. I didn't learn the multiplication table overnight, but I was able to learn and remember it. The problem is that many people aren't willing to put in the effort.

These days you really only need to remember one or two good passwords, as long as you have a phone or computer with you. Those passwords can give you access to dozens of other secured passwords.

bester69, I have locked myself out of accounts by repeatedly typing a password too quickly and not realizing the cap lock was on. After the third attempt the account locks...Ooops! No big deal, I just to jump through a few hoops to get the account restored. Also, because we never seem to go anywhere without a cell phone, you should always use two factor authentication with important accounts.

[debiman]

Can you remember your old phone number from years ago? Or your previous address. No special genetic disposition required.

i specified "arbitrary", which i took to mean "completely random".
did you not mean that?

fwiw, yes, i remember my childhood phone number. it had 5 digits. and let's be fair, i also still remember the area code, that's 5 more digits.
so make that 9.
still very far from 25, AND that's digits from 0-9, not random characters a-zA-Z0-9 plus all sorts of punctuation.

like i said, if you can, good for you, i can't.

[RU55EL]

[...] i specified "arbitrary", which i took to mean "completely random".
did you not mean that?

That is what I meant. At least, as random as possible. Nothing is truly [mathematically] random.