Dropbox stores file histories, even deleted files, so it’s still safe.
What on earth is wrong with just remembering your passwords? I use several different passwords for important stuff, and not one of 'em is written down anywhere, except for the few days it takes me to memorize a new 10-20 random char long string.
For websites of no real importance, I just use LastPass (I use 2-factor authentication for logging in (I use 2-factor auth everywhere I can, actually)) and have that generate a password for me.
For me a limit on the max size of a password means that I won't be using a given service, because that indicates that the passwords are either not encrypted at all (and thus, nothing else probably is) or that the passwords are hashed with some reversible algorithm (like XOR and such).
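Since the post above ties a maximum password length to how passwords are stored, here is an added example (mine, not code posted by anyone in this thread) of a salted, stretched hash built from Python's standard library. The stored digest is 32 bytes whether the password is one character or two thousand, so a server that hashes properly has no storage reason to cap length, and the same password under two different salts gives unrelated digests, which is what makes precomputed (rainbow) tables useless. The iteration count, salt size and sample passwords are assumptions of mine. One caveat a practitioner would add: some hash functions, bcrypt among them, only process the first 72 bytes of input, so a documented limit near that size can be legitimate rather than a sign of plaintext storage.

```python
"""Added example (not from the thread): a salted, stretched password hash.
Whatever the input length, the stored value is a fixed-size digest, so a
server that hashes properly has no storage reason to cap password length.
Standard library only; the iteration count is an illustrative assumption."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware
SALT_LEN = 16          # assumed salt size in bytes
DIGEST_LEN = 32        # output size requested from PBKDF2, independent of input length


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def digest_lengths(passwords):
    """Set of stored-digest lengths for the given passwords.
    A correct scheme yields exactly one value no matter how long the inputs are."""
    fixed_salt = b"\x00" * SALT_LEN   # fixed salt only to keep this check deterministic
    return {len(hash_password(pw, fixed_salt)[1]) for pw in passwords}


def salted_digests_differ(password):
    """Same password, two salts: a table precomputed for one salt says nothing
    about the other, which is the point made about salts later in the thread."""
    _, d1 = hash_password(password, b"A" * SALT_LEN)
    _, d2 = hash_password(password, b"B" * SALT_LEN)
    return d1 != d2


if __name__ == "__main__":
    # constructed sample inputs: a one-character and a 2,000-character password
    print("digest lengths:", digest_lengths(["a", "x" * 2000]))
    print("salts change the digest:", salted_digests_differ("hunter2"))
    salt, digest = hash_password("hunter2")
    print("verify correct:", verify_password("hunter2", salt, digest))
    print("verify wrong:  ", verify_password("hunter3", salt, digest))
```

Each call takes a noticeable fraction of a second by design; that cost is what slows an attacker who has the digest and the salt but still has to guess the password.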
My password apparently will take 147 octollion quinquagintillion years to crack… (just kidding, it was 33 thousand)
I have 65 passwords in keepassx and most of them are strings like hAu2I*&Y896987(25&^
So uh, no, I’m not memorizing them.
I never said you shouldn’t use a password manager, I’m using one. What I’m saying is that the important passwords that you DO have to remember aren’t that hard to remember. I’m remembering 6 passwords of that type, with length 10+.
I’m using my password manager for all the useless passwords for sites that are of no real concern to me, and I’m using 2-factor authentication with my password manager, even if it’s just for junk passwords.
And I highly doubt you use all those 65 passwords on a daily basis, even on a weekly basis. The 6 passwords I need to remember also all go with some sort of 2-factor authentication, be that Yubikey or other. I couldn’t really care if I lost all the passwords in LastPass; I’d just have to press a lot of “I forgot my password” buttons, possibly answering silly security questions to make sure I’m me.
Of course if I were to suffer memory loss and forget those 6 passwords, I’d be in somewhat of a pickle. But then if that happened, I might be as likely to forget whatever location I stored the passwords in.
My point is, there really shouldn’t be any need to write down passwords you use every day and store them somewhere. Important passwords shouldn’t go in a password manager anyway. But then I might just be a **** in regards to security and such.
But if you insist that you use 65 different passwords every day and that they’re all of equal importance, then I won’t argue there.
EDIT:
I didn’t know that there was any kind of censorship in this forum :o
Of course I have to remember at least one password, the one to the password safe, and as a matter of consequence, the ones to my phone and my PCs so I can get to said safe (to say nothing of convenience). Add in my domain login, gmail, amazon, and one bank password, and that’s really all I care to try remembering.
I really should strengthen the amazon and bank passwords some, but they’re at least fairly long, and believe it or not that’s still one of the better underpinnings of a strong password regardless of how weak it is, i.e. “foobar333333333333” is a good deal stronger than “foobar” even with the barely added entropy.
[quote=“Regenuluz,post:22,topic:40280”]
It enables a bunch of attacks. You must have a good poker face if you memorize passwords. And this is a thing now. And it makes rubberhose tactics more effective.
Black hacker on this thread: “hmm everyone talking about the secret of their pass. yummy~”
[quote=“sproingie,post:26,topic:40280”]
No. It is barely stronger than “foobar” because you barely added any entropy to it. That is like saying you can make something a good deal taller by adding a millimeter to its height. (Although that technically could be true if you actually used foobar as the base word in the same way that adding a millimeter to a one millimeter tall structure does make it much taller…)
Your system is basically as secure as passwordxn. No more secure than “foobar3C” (C = Hex 12), but much longer to type and just as hard to remember.
Diceware.
Length is still significant because brute force attacks still exist, and after the most common passwords and their “substitute zeros for the letter O” type of variants, they tend to go shortest first then append suffixes. There is theory and there is what attackers actually do.
(but yes that’s probably too many 3’s to be practical, I just held the key down a bit too long)
Crap! xD I’d better forget my passwords then!
“foobar333333333333” is a lot safer than “foobar”, not only by length, but also because it now includes numbers, so it went from a character space of 26 (a-z) to a character space of 36 (a-z, 0-9) and it more than doubled its length. 6^26 < 18^36 (where ^ means to the power of); add in a capital letter and a symbol and the “strength” of the password explodes.
Even “p4ssw0rd” is safer than “password” if we’re only talking bruteforce. (Though all variants of password are already in multiple rainbow tables, as are all strings of length <6, so meh.)
People are not nearly as creative as they think. Brute force attacks are informed by the current password “culture”. If you rely on creativity and obscurity to provide additional security on top of your password, you better factor in Moore’s law. Otherwise current computer users and future generations need to become exponentially more creative with their password tricks.
Length does not mean much. I bet some password crackers already test “password123” sooner than just “password” or will soon. And without doubt, they test “password123” before testing “a”, “b”, “c”, etc.
[quote=“Regenuluz,post:31,topic:40280”]
Adding a digit adds 3-4 bits of entropy. Adding a symbol adds another 3 or 4. Adding a capital letter adds a little more than 4 bits. Replacing a letter with a number adds at most one bit of entropy.
Keep in mind that even if no black hat hacker has ever considered that people might use repeated digits at the end of their password, you do not really have an 18^36 character space. Assuming “foobar” was truly selected at random and 333333333333 was a legitimately random number, then you actually have a 6^26 * 12^10. That is still an unrealistic assumption.
Which of the following do you think is most secure?
pikachu, 1101000010010000101100010000000100010101011111, 1502205420042537, 57329965876575, 57329965876575, 1110000011010010110101101100001011000110110100001110101, 1603226554130664165, 31641107307915381, 70696B61636875, 34242C40455F.
People have been misled about password security. It’s easy to understand; people respond better to stories than numbers and have been trained to choose passwords satisfying meaningless criteria thanks to most websites. Using “p4ssw0rd” instead of “password” or switching your keyboard to dvorak to enter your qwerty password sounds clever enough to foil a hacker if you think of it in terms of outwitting someone. There is an XKCD comic about passwords that explains what makes a good password scheme, but people mock it as being wrong because they don’t understand the math.
Also, a password is not weak because it is in a rainbow table. Any password of any length could be put in a table. Using a salt makes rainbow tables useless, so it is not something to worry about.
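As an added example (mine, not code posted by anyone in this thread), the strength estimates argued over in the last few posts side by side: the character-class model behind the “26^6 vs 36^18” figures, a model of an attacker who tries dictionary words with leet swaps and digit suffixes (the “at most one bit” and “repeated digits” points), Diceware passphrases, and a truly random string. It also decodes the list of ten strings in the post above and shows that the binary, octal, decimal and hex spellings collapse to just two passwords. The attacker dictionary size (2^15 words), the 7,776-word Diceware list, printable ASCII (95 characters) as a generator’s alphabet, and one bit per leet substitution are assumptions of mine.

```python
"""Added example (not from the thread): password strength under several
attacker models, plus a decoder for the re-encoded passwords listed above.

Assumptions (mine): attacker word list of 2^15 words, the 7,776-word Diceware
list, printable ASCII (95 chars) as a generator's alphabet, and one bit of
extra cost per leet substitution."""
import math
import re
import string

DICT_WORDS = 2 ** 15      # assumed size of the attacker's word list
DICEWARE_WORDS = 7776     # 6^5 entries in the standard Diceware list
PRINTABLE = 95            # printable ASCII characters a generator can draw from
LEET = str.maketrans("4301$5", "aeoiss")   # common letter -> digit/symbol swaps

# the ten strings from the post above, copied verbatim
LISTED = [
    "pikachu", "1101000010010000101100010000000100010101011111",
    "1502205420042537", "57329965876575", "57329965876575",
    "1110000011010010110101101100001011000110110100001110101",
    "1603226554130664165", "31641107307915381", "70696B61636875",
    "34242C40455F",
]


def naive_bits(pw):
    """Character-class model (the '26^6 vs 36^18' argument): every character is
    treated as uniform over the union of the classes that appear."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)   # 32 symbols
    return len(pw) * math.log2(alphabet)


def structured_bits(pw):
    """Attacker who tries 'word (with leet swaps) + digit suffix' patterns.
    Costs: log2(DICT_WORDS) for the word, 1 bit per leet substitution, and for
    the suffix either log2(10)+log2(20) for one repeated digit (the digit plus
    a run length assumed up to 20) or log2(10) per digit otherwise. Anything
    that does not de-leet to a lowercase word falls back to the class model."""
    if not pw:
        return 0.0
    stem, digits = re.fullmatch(r"(.+?)(\d*)", pw).groups()
    plain = stem.translate(LEET)
    if not (len(plain) >= 3 and plain.isalpha() and plain.islower()):
        return naive_bits(pw)
    bits = math.log2(DICT_WORDS) + sum(a != b for a, b in zip(stem, plain))
    if digits and len(set(digits)) == 1:
        bits += math.log2(10) + math.log2(20)
    else:
        bits += len(digits) * math.log2(10)
    return bits


def random_bits(pw, alphabet=PRINTABLE):
    """Strength of a password drawn uniformly by a generator: depends only on
    the generator's alphabet and the length, never on how it is spelled out."""
    return len(pw) * math.log2(alphabet)


def diceware_bits(words):
    """Each Diceware word is one of 7,776 equiprobable choices (~12.9 bits)."""
    return words * math.log2(DICEWARE_WORDS)


def decode_candidate(s):
    """Undo the binary/octal/decimal/hex spellings used in the list.
    Heuristic: try bases narrowest-first and keep the first reading that is
    printable ASCII; a string no base accepts is taken literally."""
    for base in (2, 8, 10, 16):
        try:
            n = int(s, base)
        except ValueError:
            continue
        data = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if data and all(32 <= b < 127 for b in data):
            return data
    return s.encode("ascii")


def group_spellings(candidates):
    """Map each underlying password to the spellings that encode it."""
    groups = {}
    for s in candidates:
        groups.setdefault(decode_candidate(s).decode("ascii"), []).append(s)
    return groups


if __name__ == "__main__":
    for pw in ("foobar", "foobar333333333333", "p4ssw0rd"):
        print(f"{pw:20} class model {naive_bits(pw):5.1f} bits,"
              f" word+suffix model {structured_bits(pw):5.1f} bits")
    print(f"5 Diceware words: {diceware_bits(5):.1f} bits")
    for pw, spellings in group_spellings(LISTED).items():
        print(f"{pw!r}: {len(spellings)} spellings,"
              f" {random_bits(pw):.1f} bits if drawn at random")
```

Under the class model “foobar333333333333” scores about 93 bits; under the word-plus-suffix model it drops to about 23, and “p4ssw0rd” to about 17, which is the gap between the two sides of the argument above. The decoder collapses the ten listed strings to “pikachu” and “4$,@E_”; the second, if it was generated at random from printable ASCII, is worth about 39 bits and is the only entry that is not a dictionary word in disguise. Five Diceware words give about 65 bits with nothing to spell out at all.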