• cm0002@lemmy.world
      link
      fedilink
      arrow-up
      52
      arrow-down
      5
      ·
      5 months ago

      I would hope so, sentences and words are some of the most secure passwords/phrases you can use

      • bjorney@lemmy.ca
        link
        fedilink
        arrow-up
        17
        arrow-down
        4
        ·
        5 months ago

        Words are the least secure way to generate a password of a given length because you are limiting your character set to 26, and character N gives you information about the character at position N+1

        The most secure way to generate a password is to uniformly pick bytes from the entire character set using a suitable form of entropy

        • laurelraven@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          15
          arrow-down
          2
          ·
          5 months ago

          That’s only really true if you’re going to be storing the password in a secure vault after randomly generating it; otherwise, it’s terrible because 1) nobody will be able to remember it so they’ll be writing it down, and 2) it’ll be such a pain to type that people will find ways to circumvent it at every possible turn

          Pass phrases, even when taken with the idea that it’s a limited character set that follows a semi predictable flow, if you look at it in terms of the number of words possible it actually is decently secure, especially if the words used are random and not meaningful to the user. Even limiting yourself to the 1000 most common words in the English language and using 4 words, that’s one trillion possible combinations without even accounting for modifying capitalisation, adding a symbol or three, including a short number at the end…

          And even with that base set, even if a computer could theoretically try all trillion possibilities quickly, it’ll make a ton of noise, get throttled, and likely lock the account out long before it has a chance to try even the tiniest fraction of them

          Your way is theoretically more secure, but practically only works for machines or with secure password storage. If it’s something a human needs to remember and type themselves, phrases of random words is much more viable and much more likely to be used in a secure fashion.

          • hedgehog@ttrpg.network
            link
            fedilink
            arrow-up
            5
            ·
            5 months ago

            Generally people don’t memorize private keys, but this is applicable when generating pass phrases to protect private keys that are stored locally.

            Leaving this here in case anyone wants to use this method: https://www.eff.org/dice

          • bjorney@lemmy.ca
            link
            fedilink
            arrow-up
            2
            ·
            5 months ago

            We are talking about RSA though, so there is a fixed character length and it isn’t meant to be remembered because your private key is stored on disk.

            Yes the word method is better than a random character password when length is unbounded, but creating secure and memorable passwords is a bit of an oxymoron in today’s date and age - if you are relying on remembering your passwords that likely means you are reusing at least some of them, which is arguably one of the worst things you can do.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          That’s why you need lots of words. (6) If you combine that with a large word list it gets very secure.

        • shrugs@lemmy.world
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          edit-2
          5 months ago

          so you are saying 44 bits of entropy is not enough. the whole point of the comic is, that 4 words out of a list of 2000 is more secure then some shorter password with leetcode and a number and punctuation at the end. which feels rather intuitive given that 4 words are way easier to remember

      • Fillicia@sh.itjust.works
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        The part where this falls flat is that using dictionary words is one of the first step in finding unsecured password. Starting with a character by character brute force might land you on a secure password eventually, but going by dictionary and common string is sure to land you on an unsecured password fast.

      • ClamDrinker@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        5 months ago

        While this comic is good for people that do the former or have very short passwords, it often misleads from the fact that humans simply shouldn’t try to remember more than one really good password (for a password manager) and apply proper supplementary techniques like 2FA. One fully random password of enough length will do better than both of these, and it’s not even close. It will take like a week or so of typing it to properly memorize it, but once you do, everything beyond that will all be fully random too, and will be remembered by the password manager.

        • shrugs@lemmy.world
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          5 months ago

          see, you didn’t get the whole comic. 4 words out of a dicitionary with 2000 words has more combinations then a single uncommon non gibberish baseword with numeral and puction at the end. as long as the attacker knows your method.

          a dicitonary attack will not lower the entropy of 44 bits, thats what the comic is trying to say

    • hendrik@palaver.p3x.de
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      edit-2
      5 months ago

      It’s assymetric crypto. You’d need to find a matching public key. Or it’s just some useless characters. I suppose that’s impossible, or what we call that… Like take a few billion years to compute. But I’m not an expert on RSA.

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        5 months ago

        Public keys are derived from the private key. The asymmetric part is for communication not generation. Afaik

        • hendrik@palaver.p3x.de
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          5 months ago

          I’m pretty sure the cryptographic parameters to generate that public key are included in the private key file. So while you can generate the other file from that file, it’s not only the private part in it and you can’t really change the characters in the private key file. Also not an expert here. I’m fairly certain that it can’t happen the other way round, or you could impersonate someone and do all kinds of MITM attacks… In this case I’ve just tried changing characters and openssh-keygen complains.

  • wizzim@infosec.pub
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    While the joke is funny, what is the context? Why did she post the original tweet in the first place?

    • MystikIncarnate@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      It’s lady gaga.

      If you’ve followed her at all, even indirectly, this is NOT the weirdest thing she’s done, and bluntly, the weirder stuff wasn’t justified (to the public at least).

      I’m not trying to throw shade at Gaga at all. Lady, let your freak flag fly all day long. You don’t need my permission to do it, but if you want it, you got it. Weird isn’t bad, it’s just weird.

      IMO, at this point, gaga doesn’t need a reason to be weird.