I intend the following to merely be some food for thought for the inquiring, (password) security-aware lurker.
SKYe wrote:
> 6t8k wrote:
>> And that is assuming an attacker can't crack it faster because it's not random, and/or because he can sensibly use rainbow tables because the passwords weren't stored in the database in a secure fashion.
> Yup, nothing can be done about this other than hoping that you get notified about the breach before any nefarious individual actually accesses your account, so you can change your password.

Of course there is something that can be done -- for starters, users should use strong passwords and programmers/sysadmins should use best practices for password storage and security in general. This is their job.
SKYe wrote:
> Since you can use the maximum length allowed for any given website, they are technically more secure, but beyond a certain length, you get exceedingly diminishing returns.

They are in fact more secure in the real world because people use stronger passwords with them: it's no news that people, by and large, don't use long enough and/or unique passwords. A password manager is never going to generate you a password that any other person uses (i.e. would easily be cracked because these lists are naturally tried first by attackers) even if it's just 10 characters long. So while that's true in principle, it kind of misses the point: it's not about diminishing returns, it's about sensible and effective measures, and using a password manager is immediately more effective than trying to remember any password. Even if you come up with a strong one, odds are you'll forget it, and resort to writing it down or using a weaker one.
SKYe wrote:
> But the advice to use randomized passwords is somewhat misleading, though. [...] if you string together, say, 3~4 four words of 5 characters each, separated by any punctuation of your choice, you'll easily get into the 17~20s characters without much effort and it still remains easy to remember.
> I understand the aversion to doing this for, and having to remember, many passwords, though.

What about that advice is misleading - would you say that random passwords decrease security?
Maybe that method of chaining a number of words can work, but keep in mind people usually don't choose these words at random, but are influenced by natural language, which has significant bias. If they're not chosen at random, that approach loses what advantage it may have over passwords. If you have more than, say, ten or even just five online accounts, I salute you if you have good passwords and can remember all of them (Troy Hunt is the guy behind haveibeenpwned.com, which has been mentioned here).
By the way, if you like choosing passwords/-phrases yourself, you can totally do so with password managers. Choose a nice and long phrase, different for each site, and save it in your password database. You'll still reap some benefits this way like averting: forgetting, most keyloggers, shoulder surfing.
That has nothing to do with aversions. It's about being inquisitive about what might be good practice that you find yourselves able and willing to adopt in order to maintain good online security.
SKYe wrote:
> just generate the passwords according to some rule that only you know

By all means, try not to. The secrecy should lie in the password itself, not in the method used for choosing it. In other words, best is to use random passwords.
Kerckhoffs's principle is a fundamental element to many, many aspects of modern information security, including passwords.
Remarks fit into the quote in bold:
@Bassa-Bassa/ReyVGM:

ZellSF wrote:
> 6t8k wrote:
>> Using passwords with at least 8 characters length would be old advice by the way. Here (archive), researchers recommended using at least 12 characters. And that was in 2010. Computing power grows all the time, so with time, longer and longer passwords are economically crackable
> That applies to offline cracking only. Computing power doesn't really help you against server side rate limiting [...]

Sure, but don't you want to protect yourself against offline attacks? It's not dubious advice just because it's not as relevant for a different threat model (after all it doesn't protect you worse from online attacks).

> Sure, picking a longer password might help you, but only if you're the sort of person who re-uses passwords and then only if the server that's compromised has properly stored the passwords.

While you naturally should never reuse passwords as you say yourself, the question of whether you do is irrelevant here: longer passwords offer better protection either way. In the same vein, longer passwords are always more secure regardless of how the server stores them. Can you explain a scenario to me where that isn't the case? There is only one case where a longer password doesn't help you at all: if the server seriously stores your password in plaintext.

> So I still see telling people to use long passwords for online services as a stupid half-measure that will only give them a false sense of security.

For the reasons I gave above, I don't follow. The only scenario I can imagine where longer passwords have disadvantages over shorter ones would be if you 1) have to remember it and 2) always have to type it in.
Couldn't have explained better than Zell what password managers do!
As mentioned by SKYe, KeePassXC is a good choice. If on Windows you can't go wrong with KeePass (without XC) as well.
KeePassXC as a software project was originally based on it; their database formats are interoperable, so you can easily migrate from one to another if needed.
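As an added example that is not part of the thread above, the following script puts numbers on the points argued in it: what a password manager's generator actually does (uniform choices from the OS CSPRNG), how a random 10-character password compares in entropy with a 4-word passphrase, how much the natural-language bias in hand-picked words costs, and why the server's choice of password hash changes the offline picture without ever making a longer secret worse. The word list is a constructed sample, the guessing rates (`FAST_HASH_RATE`, `SLOW_HASH_RATE`) and the "favourite words" vocabulary size of 2000 are illustrative assumptions, and the 7776-entry list size is the standard Diceware size. The function names are mine, not any password manager's API.

```python
import math
import secrets
import string

# Constructed sample word list (not a real diceware list). A real diceware-style
# list has 7776 = 6**5 entries; the entropy figures below use that size.
SAMPLE_WORDS = ["amber", "basil", "cider", "dune", "ember", "flint", "grove", "harbor",
                "ivory", "jade", "kelp", "lumen", "marsh", "nectar", "olive", "pine"]
DICEWARE_SIZE = 6 ** 5
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Illustrative offline guessing rates (assumptions, not measurements): one for a
# fast unsalted hash on GPU hardware, one for a deliberately slow password hash.
FAST_HASH_RATE = 1e10   # guesses per second
SLOW_HASH_RATE = 1e4
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password(length, alphabet=PRINTABLE):
    """Generate like a password manager does: uniform picks from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=SAMPLE_WORDS, sep="-"):
    """Chain words that are picked uniformly at random, not by the user's taste."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_position, positions):
    """Entropy of a secret made of `positions` independent uniform choices."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try the whole space at a constant offline guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(biased_vocabulary=2000):
    """Put three choices side by side: a 10-character random password, a 4-word
    passphrase with uniformly chosen words, and a 4-word passphrase whose words
    come from a small 'favourite words' vocabulary (the natural-language bias).
    `biased_vocabulary` is an assumed size, not a measured one."""
    cases = {
        "random_10_chars": entropy_bits(len(PRINTABLE), 10),
        "diceware_4_words": entropy_bits(DICEWARE_SIZE, 4),
        "biased_4_words": entropy_bits(biased_vocabulary, 4),
    }
    report = {}
    for name, bits in cases.items():
        report[name] = {
            "bits": round(bits, 1),
            "years_fast_hash": years_to_exhaust(bits, FAST_HASH_RATE),
            "years_slow_hash": years_to_exhaust(bits, SLOW_HASH_RATE),
        }
    return report


if __name__ == "__main__":
    print("example password  :", random_password(10))
    print("example passphrase:", random_passphrase(4))
    for name, row in compare().items():
        print(f"{name:18} {row['bits']:5.1f} bits  "
              f"fast hash: {row['years_fast_hash']:12.3g} y  "
              f"slow hash: {row['years_slow_hash']:12.3g} y")
```

Two things stand out when you run it. A 10-character password drawn uniformly from 94 symbols carries about 65.5 bits, more than four uniformly chosen Diceware words (about 51.7 bits), and far more than four words picked from a couple of thousand favourites (about 43.9 bits); that is the bias point made above, and the reason the rule for choosing a password must not be where the secrecy lives. And for every case the slow-hash column is a million times larger than the fast-hash column, while the ordering between cases never changes: storage practice decides how many guesses per second an offline attacker gets, length and randomness decide how many guesses they need, and the two multiply rather than substitute for each other.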