• @[email protected]
        link
        fedilink
        English
        11
        edit-2
        1 year ago

        Well, that’ll teach you to actually take care of your pets and not just dump their food in front of them and be done with it.

        (fuck paul tho fr)

    • u/lukmly013 💾 (lemmy.sdf.org)
      link
      fedilink
      11
      edit-2
      1 year ago

      Nooo! The fireeee! This would be better with a physical keyboard.
      Link for compatibility

      My final password was: Pass5@JulyXXXV+Shell+n2by7+droop+🌚+Peru+2020+Qd7+🥚+Zn+BBBBB

      The hardest 2 were chess and guessing the country. Maybe atomic numbers with combination with roman numerals, but that’s sorta fine.

      • @[email protected]
        link
        fedilink
        2
        edit-2
        1 year ago

        That’s where I got derailed on my best run. Chess was easy the first time and maddening the next two.

    • Otter
      link
      fedilink
      7
      edit-2
      1 year ago

      Ah I was just copying the URL to post the same thing. It’s such a fun game to go through, although I gave up pretty quickly

      Tried it again, made it to the chess step

      • @[email protected]
        link
        fedilink
        61 year ago

        One of my coworkers got super into it and got into the high 20s I made an off-hand comment about wondering what it does for rule 34 and he responded “gasp I must know!” Then a couple days later messages me a screenshot on teams. Spoiler: it goes “ehhh let’s just skip this rule”

    • BetterNotBigger
      link
      21 year ago

      I closed my laptop when it asked for the Wordle of the day.

  • Sonotsugipaa
    link
    fedilink
    331 year ago

    Infuriating fact: if a service has maximum password length limits (lower than 1000 characters), they’re reversibly storing your password and if they’re that lazy it’s probably plain text

      • @Downcount
        link
        151 year ago

        Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted. You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.

        What is hashed? Think of it like a crossfoot of a number:

        Let’s say you have a number 69: It’s crossfoot is (6+9) 15. But if someone steals this crossfoot they can’t know the original number it’s coming from. It could be 78 or 87.

        • @[email protected]
          link
          fedilink
          81 year ago

          Dumb question: isn’t it irrelevant for the malicous party if it’s 78 or 87 per your example, because the login only checks the hash anyway? Won’t both numbers succesfully login?

          • @[email protected]
            link
            fedilink
            221 year ago

            It’s actually a really good question. What you’re explaining is called a collision, by creating the same hash with different numbers you can succesfully login.

            This why some standard hashing function become deprecated and are replaced when someone finds a collision. MD5, which was used a lot to hash passwords or files, is considered insecure because of all the collisions people could find.

          • conciselyverbose
            link
            fedilink
            91 year ago

            In the example yes.

            In the real world, finding an input that produces the right hash output isn’t easy. And because a lot of users reuse passwords (don’t do it, but people do), a list of emails and passwords gives you an incredibly lazy and easy to do way to compromise accounts on other sites.

            • @[email protected]
              link
              fedilink
              81 year ago

              Reminds me of a funny moment in my IT internship, ahead of an audit one of the sysadmins came over and was saying “yeah so I pulled all of the department password hashes to check for weak/compromised accounts and noticed one person has the same sysadmin and user password hash” and my boss went “wait everyone doesn’t do that?” And after realizing they outed themselves turned bright red and changed their admin password

          • @kartonrealista
            link
            61 year ago

            With a hash it’s difficult to find a combination that results in this specific hashed password. Think of it like this: you have a biiig prime number and you multiply it by another. Now, that’s easy, but it’s way harder to do it backwards - factorize a large composite number (this is just for illustration). Similarly trying to find a password that works when you input it based on the hashed one is way more difficult than hashing the password in the first place.

          • @Downcount
            link
            5
            edit-2
            1 year ago

            Additional to what others have said: The “salted” part is very relevant for storing.

            There aren’t soooo many different hashing algorithms people use. So, let’s simplify the hashing again with the crossfoot example.

            Let’s say, 60% of websites use this one algorithm (crossfoot) for storing your password, and someone steals the password “hashes” (and the login / email). I could ran a program that creates me a list of all possible crossfoots for all numbers for 1 to 100000.

            This would give me an easy lookup table for finding the “real” number behind those hashes. (Those tables exists. Look up “rainbow tables”)

            Buuuut what if I use a little bit of salt (and pepper pepper pepper) before doing my hashing / crossfooting?

            Let’s use the pw “69” again and use a salt with a random number “420” and add them all together:

            6 + 9 + 420 = 435

            This hash wouldn’t be in my previous mentioned lookup table. Use different salts for every user and at least the lookup problem isn’t such a big problem anymore.

            • @Woe2TheRepublic
              link
              41 year ago

              This was super helpful 🙏🏼 sent me down a whole other rabbit hole of learning

        • Xandris
          link
          fedilink
          21 year ago

          i was more wondering why a length limit implies anything about how they’re storing the password. once they receive the password they’re free to hash it any which way they want

          random memory—yahoo back in the day used to hash the password in the browser before sending it to the server, but TLS made that unnecessary i guess

      • @[email protected]
        link
        fedilink
        61 year ago

        In the least bad case, they encrypt the password instead of hashing it, making it possible to decrypt the password.

        In the most common case, they store the password in plaintext, so there isn’t even any encryption to be reversed.

    • Sibbo
      link
      fedilink
      31 year ago

      They may just base their limit on one or a few block sizes of the hash function.

      • @[email protected]
        link
        fedilink
        51 year ago

        That sounds incredibly unlikely. I would be good money that 99% of password length limits are not based on concrete limits. Things like “100 should be enough 🤷” must be way more common.

        I doubt 1% of programmers are away of their hashes block size. It is also probably irrelevant since after the first round everything is fixed size anyways.

    • @newsonic
      link
      21 year ago

      Nope. No point in storing > 256 or even 128 chars for a password anyway. Useless storage wasted. Also it doesn’t really mean they store the password badly in the server.

      • Big P
        link
        fedilink
        181 year ago

        A hashed password is always the same length though is it not?

        • @[email protected]
          link
          fedilink
          31 year ago

          The length limit is mostly for the user’s sake - companies don’t want people to set their passwords to 30+ character ones that they keep forgetting and call their tech support to reset.

          • @[email protected]
            link
            fedilink
            21 year ago

            That’s really really really annoying, as someone who has a good, strong brain-based password algorithm and hates it when websites forbid my strong password forcing me to make an exception.

      • conciselyverbose
        link
        fedilink
        81 year ago

        Ignoring that they must be hashed to be acceptable and that it’s not possible for 1000 characters of text to add up to a waste of storage worth mentioning in pretty much any environment, it’s literally impossible for a 128 character password limit to be beneficial in any way.

        A limit below that demonstrably lowers security by a huge margin.

      • Sonotsugipaa
        link
        fedilink
        41 year ago

        Ok but are 15 characters too much?

        I’ve seen 14-char limits, which are NOT reasonable

    • @Anemia
      link
      11 year ago

      Couldn’t it just be that they’re using something like bcrypt which won’t take any chars above its limit into account (knowing that there’s a limit will pretty much never matter to a user but why obscure the fact)? What does it even mean to store it reversibly, just because they have a char limit doesn’t mean they are encrypting the password, could just be some frontend shenannigans as well.

  • @[email protected]
    link
    fedilink
    30
    edit-2
    1 year ago

    Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns.
    [Capital letter]basic word(number){special character}

    Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.

    A non expiring, long, easily remembered passphase like
    forgetting-spaghetti-toad-box
    Is much more secure than a short password with enforced complexity requirements.

    • @[email protected]
      link
      fedilink
      311 year ago

      Drop “memorable”. 99.9% of your passwords should be managed by your password manager and don’t need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.

      • @demonsword
        link
        41 year ago

        99.9% of your passwords should be managed by your password manager

        this looks like a sensible approach until you remember password managers can be cracked, too. I’m with GP on this, a passphrase is easier to remember and is good enough for most use cases, if you need more security you should be using some form or another of 2FA anyway

      • u/lukmly013 💾 (lemmy.sdf.org)
        link
        fedilink
        English
        01 year ago

        I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don’t like that idea. I can exercise my brain.

        • Gamma
          link
          fedilink
          English
          171 year ago

          I have 350 items in my BW vault. I am not memorizing that many passwords, I’d rather use my brain for something else.

        • @[email protected]
          link
          fedilink
          English
          111 year ago

          I encourage you to think critically about this and re-evaluate your decision. I would say that for at least 99.99% of people a password manager is significantly more secure overall.

          • Browser-integrated password managers will avoid filling your password into the wrong site. This is a great barrier to phishing.
          • Allows a unique password per-site which greatly mitigates the problem of password leaks which are fairly common.
          • Allows you to use much stronger passwords than you can memorize.
          • It’s quite convenient to just click “login”.

          For most people phishing is a far bigger risk than some malware stealing their local password databases. To make database theft even less of a concern most password managers have the option to encrypt the local database file. This means that to steal your passwords the malware will need to extract the encryption key from the password manager process which can often be configured to forget the key quickly after the last use.

          Also consider that if you have malware that can steal your password database and the encryption key it can probably just keylog all your passwords or steal your browser’s cookie jar. So the extra barrier here is minimal.

          I think you are right to be suspicious of having a vault of passwords “ready to steal” but in practice the upsides far outweigh the downsides, especially if you make a security-focused choice of password manager.

        • Scraft161
          link
          fedilink
          English
          91 year ago

          I’ve been using keepassxc for a while now and it’s better than most other options, everything is stored locally and encrypted behind a master password.

          All you micht want to do is make a backup of your vault onto an external drive (best practice would be encrypted via the options you have, I use luks because I’m a Linux nerd).

          • @[email protected]
            link
            fedilink
            English
            11 year ago

            Agreed. Have my password database backed up over multiple places, GPG encrypted of-coarse, you can never be too safe.

        • @[email protected]
          link
          fedilink
          English
          31 year ago

          I’m in the same boat at this point, partly just because I’m not sure how I want to partition things and if the software will work together the way I want.

          I assume password managers themselves store things encrypted until you unlock them with whatever master password.

        • @[email protected]
          link
          fedilink
          English
          31 year ago

          I’ve got 1601 logins and 86 secure notes in my Bitwarden vault… no way I’m memorizing all of that lol

    • @[email protected]
      link
      fedilink
      English
      11 year ago

      forgetting-spaghetti-toad-box

      I don’t know much about PW security but would a passphrase of common words not be more susceptible to dictionary attacks?

      • @[email protected]
        link
        fedilink
        English
        7
        edit-2
        1 year ago

        The idea is that entropy is measured with possible words instead of possible characters. It turns out 7 7-bit ascii characters have less entropy than 4 14-bit equivalent words (that is, the 16,384 most common ones). And that’s in the ideal case it’s a totally random 7 characters.

        Every attack is technically a dictionary attack here, but it doesn’t help enough because the password to a computer is still 30 characters long. To a human it seems a lot easier than ")f1:.{yJCzNv]@R=S  K$~= ", though.

        PS. Turning /dev/random output into 7-bit ascii characters is surprisingly involved in Haskell. C would have been easier. This was the world’s slowest ninja edit.

  • Bappity
    link
    231 year ago

    I don’t get why some sites limit your usage of special characters and have miniscule max lengths?? looking at you PayPal you piece of shit

  • @[email protected]
    link
    fedilink
    191 year ago

    There was a website where I was making an account and it was like: no semicolons.

    To this day I wonder if that was how they blocked sql injection.

    • conciselyverbose
      link
      fedilink
      81 year ago

      Knowing that it’s already in use is.

      Basically all of these constraints are bad practice, though. It’s obviously better to have a long, complex password, and not to reuse passwords between sites, but if you make shit impossible for people to remember they’re going to write it down, and a lot of people don’t use password managers (or use shared devices where they aren’t possible).

      Length limits (that aren’t like 1000 characters) are unconditionally terrible practice. It means your password is probably plain text, because hashes don’t really care or take meaningfully longer based on the length of the input.

      A string of (random) words is a perfectly fine password. There’s an xkcd I’m too lazy to get demonstrating it, but it genuinely does add enough randomness to break brute force.

      • HeavyRust
        link
        fedilink
        91 year ago

        A string of (random) words is a perfectly fine password. There’s an xkcd I’m too lazy to get demonstrating it, but it genuinely does add enough randomness to break brute force.

        Here’s the xkcd.

    • @[email protected]
      link
      fedilink
      0
      edit-2
      1 year ago

      The only security threat would be the site itself. How do they know other users have the same password?

      Options:

      • They have your password in plain text in their DB. CHEFF KISS

      • They aren’t using salts.

      • They are using the same salt for everyone.

      All of them concerning.

  • @jg1i
    link
    71 year ago

    The right answer is use a password manager to generate and store a long password. Then it doesn’t matter.

  • @Crazyslinkz
    link
    41 year ago

    Does anyone use the generator from chrome anymore? Like a 2023 password for me is “suggest strong password”…

    • @[email protected]
      link
      fedilink
      81 year ago

      Are we really starting this shit here?

      Everything on the internet is a repost. Calling it out adds nothing worthwhile to the conversation and just derails any conversation.

      • Big P
        link
        fedilink
        5
        edit-2
        1 year ago

        Yeah but when you see the same 5 posts every month it gets tiring. If the other post was in a different place though, then it’s not a repost

        • @[email protected]
          link
          fedilink
          English
          21 year ago

          If I’ve ever seen the same post 5 times, it was in a day or two and it was a new and exciting thing for some people so everybody would post it and the same time.