How to Pick a Strong & Easy to Remember Password for your Password Manager
- Published 30 Jun 2024
- In this video I show you a method for picking a strong and easy-to-remember password to secure your password manager. I also explain why some methods you might think are good for generating passwords are actually pretty bad.
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Ethereum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my YouTube channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released. - Science & Technology
Thanks! I changed my password to correct horse battery staple
#winning :p
Lol it actually appears 5 times in pwnedpasswords.com's database.
@@Ricocossa1
Probably burner accounts to some website that requires an account to download files
@@Ricocossa1 that link didn't work
@@amir3515 It's api.pwnedpasswords.com, which requires you to do specific queries. If you want a browser-friendly version, it's haveibeenpwned.com. Just beware that there's no guarantee the passwords you type through that site are hashed before being sent.
Thanks for pointing it out!
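Added example (not from the video or any commenter here): the api.pwnedpasswords.com range query mentioned above is a k-anonymity lookup. The client hashes the password with SHA-1, sends only the first 5 hex characters, gets back every suffix the service knows for that prefix, and does the comparison locally. The code below implements that client logic against a constructed stand-in for the endpoint (the three passwords are taken from this thread, the counts are invented) so it runs offline; `fetch_range` is where a real HTTPS GET to /range/<prefix> would go. The spy test shows that the full hash never leaves the function.

```python
import hashlib

# Constructed stand-in for the breach corpus behind api.pwnedpasswords.com/range/<prefix>.
# The passwords come from this thread; the counts are made up for the example.
_BREACHED_COUNTS = {
    "correcthorsebatterystaple": 5,
    "password": 9545824,
    "unhackable1234": 1,
}
_BREACHED_BY_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _BREACHED_COUNTS.items()
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Emulates GET /range/<prefix>: for a 5-hex-char prefix, return every stored hash
    with that prefix as 'SUFFIX:COUNT' lines (35 hex chars each). The real service
    returns several hundred such lines per prefix, so the server only learns that the
    client's hash is one of them."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [f"{h[5:]}:{count}" for h, count in _BREACHED_BY_SHA1.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """k-anonymity lookup. Only the first 5 hex characters of SHA-1(password) are
    sent; the remaining 35 are compared locally against the returned suffixes.
    Swap `fetch_range` for an HTTPS call to the real endpoint in production."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(pw, "->", pwned_count(pw), "breach occurrences (constructed data)")
```

Usage note: the browser form on haveibeenpwned.com is a convenience on top of this API; if you want the guarantee that only the prefix leaves your machine, run the lookup yourself as above.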
A small tip that works to trip up script kiddies is to include escape characters like ;
include japanese kanji, who the fuck is gonna include that in their dictionary
even better, some unused utf-8 characters :^)
@@deprilula28 issue is some websites don’t accept those types of passwords, I’ve seen quite a few
@@deprilula28 More sites should support unicode. Latin only passwords are a lot less secure than kanji/chinese ideographs mixed in with whatever else. I suppose people would use pretty common characters though. And your IME might expose your password.
Just use ñ, because it isn't in Spanish ewggyiw
Snowden said it right. Don’t think of passwords as words, but more like sentences or phrases.
I recently discovered you and your channel. Great stuff! I have been binge watching all of your content (both old and new) until late into the night. Subbed!
Glad you like them!
@@MentalOutlaw same here
Every time I see your vids I learn so much, it's incredible... you are not like the other YouTubers that just show up with the solution and mumble for 9.55 minutes.
Well, this is how my old Computer Science teacher taught me to do it, and now I am gonna teach you all.
You start with a sentence, a nice and long one, but one you really like and will always remember.
1.) Furthermore, I am of the opinion that Carthage should be destroyed
Now you take the first letter of each of these words:
2.) F,IaototCsbd
Already wonderful, we even got a special symbol. Now you need an extra rule; his favorite was the @ symbol followed by when it was said:
3.) F,IaototCsbd@146bc (source: wikipedia, dude trust me)
Now you have a password that literally no one can crack and that you can remember. You might even use the first part of your favorite song; the sudo password for my HTPC was video killed the radio star.
based and Catopilled
Yeah! Quite strong. It's almost like you hashed it. If one has access to a hash function, then hash it. It will be as strong as the hash. Basically, hard for people to guess, hard for computers to guess. Of course, it's better to make sure the hash function is kept in a safe place. My hash function is on my pendrive, e-mail and SSD.
I wish youtube had a save comment feature this is great!
That's pretty good for its length, it nets you about 70 bits of entropy. But all you need to do is remember 4 unorthodox words, like made-up names from obscure literature mixed with some uncommon dictionary words. 4 words are easy to remember. Then add some numbers, maybe divide them with some symbols or split the words themselves with symbols. This gets you above 100 bits of entropy, which is classified as "excellent" in KeePass. And it's just 4 words to remember with some numbers.
Damn, that Octopus stole my lunch Monaaaaaaayyyy....
I just recently came to your channel.
Even though most of the things go over my head.
With a lil patience, a normie like me can use some of the simple advice you give, like this one.
THANK YOU.....
I really appreciate your content, thank you.
came here to hear kenny say "chungus"
i'm satisifed
I used to have the same password or variations of it on all my accounts. I started using a password manager a few years ago. Best decision ever. I tried to get one of my friends to do the same, and they got hacked.
That punch line at the end 😂😂😂😂😂
I love how you keep talking in first person when talking about how a hacker would go about cracking passwords.
One of mine is a combination of English, Spanish and Nahuatl (Aztec language) words.
It sounds complicated but if you grew up in Central Mexico, like me, it's not hard to remember. Those three languages are all over the place.
Not to mention most Nahuatl words you can't really find online, you learn via word of mouth. Or knowing weird aztec names for things.
Got it: Chungus went to comprar al tianguis de tenayuca mit deinem mamushka
It is actually hard to guess haha
Always funny how often supposedly smart people in fiction have terrible passwords, e.g. Ozymandias in Watchmen. A notable exception was in Doctor Who, where the eleventh doctor uses the reasonably secure four-rare-words method for his password.
Man, you are one of the treasures I found on YT... I wish I could do more for you in return rather than just watch you without AdBlocker... Creators like you deserve better. ❤️❤️
my master password is uncrackable
Hi I have hacker forward Indonesia, such thanks for your password. Sorry for bed england.
nnn auto no problem happy to help ❤️
h
Starts with capital or lowercase?
unhackable1234
Use a key file and/or security key to secure the database with 2FA.
Then encrypt and back up the key file in case you need to access the database without the security key. You could also encrypt and back up the seed to the security key's challenge-response so that you can recreate the key if you lose it or break it.
Then use a separate database to create a strong master password for the main database.
A hacker would need your master database, then get either the key file or seed backup and decrypt it, then your other database and password to that database in order to get the password for the master database. It’s kinda redundant but it’s like locking a key in a safe and locking that safe’s key in a safe.
Not really convenient; it works if you're securing extremely sensitive content, but this is a bit overkill for normal people.
I really enjoy your content, thank you!
I'm a bit late to the party here, but... Even common words work if you just use a couple more. A single new common word added to your password, according to your metric, increases the cracking time by a factor of 10 000, assuming secure hashing. I'd say that's about the same as changing from common words to uncommon words (from 10k dictionary to 100k seems reasonable). Even six common words is not that difficult to remember, and it's a hundred million times harder to guess than four common words.
I personally used diceware to choose my master password's six words (plus one random obfuscating symbol somewhere in there). My password is basically 32 die throws (over 82 bits of entropy) in a row (I actually used a real die here), encoded in a way that's pretty darn easy to remember.
Yeah, the diceware dictionary has a little less than 10 000 words in it, but since I have six of them that doesn't really matter. Mathematically, increasing the exponent generally trumps increasing the base.
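Added example (not from the video or any commenter here) for the entropy arithmetic in this comment, the "70 bits" / "above 100 bits" estimates above, and the 10,000^4 vs 20,000^4 discussion further down. It is a diceware picker that maps real or CSPRNG die rolls onto a wordlist whose length is a power of 6 (so no roll is wasted or biased), plus an `entropy_bits` comparison of the schemes people mention. The guess rate in `years_to_crack` and the 36-word `DEMO_WORDS` list are constructed for the example; a real diceware list has 7776 words and five dice per word.

```python
import math
import secrets


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `choices` options.
    Only valid when the picks really are random (dice, secrets), not chosen by a human."""
    return length * math.log2(choices)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the space at a given rate. 1e10/s is an assumed
    figure for a GPU rig attacking a fast hash offline; a slow hash cuts it by orders
    of magnitude, and online guessing against a throttled login by far more."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 86400)


def dice_to_index(rolls: str) -> int:
    """Base-6 decoding of die faces, first die most significant: '11111' -> 0,
    '66666' -> 7775 (the last entry of a 6^5 = 7776-word diceware list)."""
    index = 0
    for face in rolls:
        if face not in "123456":
            raise ValueError(f"not a die face: {face!r}")
        index = index * 6 + (int(face) - 1)
    return index


def roll_dice(n: int) -> str:
    """CSPRNG stand-in for a physical die; never use random.random for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_passphrase(wordlist, words: int = 6, roll=roll_dice):
    """Pick `words` entries from a list whose length is a power of 6. Pass a function
    that reads a real die (or replays rolls you already made) as `roll`.
    Returns the phrase and the rolls so the selection can be audited."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist length must be a power of 6 for unbiased dice mapping")
    rolls = [roll(dice_per_word) for _ in range(words)]
    return " ".join(wordlist[dice_to_index(r)] for r in rolls), rolls


# Constructed 36-word list (6^2, so two dice per word) purely to run the example.
DEMO_WORDS = [
    "abbey", "acorn", "amber", "anvil", "apple", "arrow", "badge", "basil", "beach",
    "birch", "blaze", "brick", "cabin", "candy", "cedar", "chalk", "cider", "cliff",
    "cloud", "coral", "crane", "daisy", "delta", "dusk", "eagle", "ember", "fable",
    "fern", "flint", "frost", "gable", "glade", "grape", "gust", "harbor", "hazel",
]


def compare_schemes():
    """Entropy of the schemes discussed in the thread, assuming random selection."""
    return {
        "xkcd: 4 words from 2048": entropy_bits(2048, 4),
        "4 common words (10k list)": entropy_bits(10_000, 4),
        "5 common words (10k list)": entropy_bits(10_000, 5),
        "6 common words (10k list)": entropy_bits(10_000, 6),
        "4 uncommon words (100k list)": entropy_bits(100_000, 4),
        "6 diceware words (7776)": entropy_bits(7776, 6),
        "8 random printable ASCII (95)": entropy_bits(95, 8),
        "12 random printable ASCII (95)": entropy_bits(95, 12),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years @1e10/s")
    phrase, rolls = diceware_passphrase(DEMO_WORDS, words=4)
    print("demo phrase:", phrase, "from rolls", rolls)
```

Two things the numbers make concrete: adding a fifth common word adds log2(10000), about 13.3 bits, which is the "factor of 10 000" in the comment above, and six words from a 7776 list (77.5 bits) beat four words from a 100k list (66.4 bits), which is the "exponent beats base" point. The 44 bits of the xkcd phrase fall in minutes against an offline fast-hash attack at the assumed rate; the comic's "550 years" assumed 1000 guesses per second online.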
I made a sentence about my personal information which I will never forget, used the first letters and numbers with punctuation (e.g., 'Lmni,RtvaJRLaKNCoNt12t1,4,3.') for my password manager, then use complex randomly generated passwords. A good suggestion could be the first sentence/paragraph of your favourite book (which you own) and the ISBN.
7:38 You stating exactly how the passwords are generated is a no-no 😅, if the cracker knows you or can social engineer their way into knowing your favourite book, then they have a lot more context as to how to attack you
Humorous and informative video 😄
Yametez, octo-san, don't take my banku no pin
I feel like having a decent password is good but using an authenticator with your main password manager is way more important.
I just keep making combinations I can remember until the Ubuntu installer tells me I'm in the green
one of your best videos
Thank you for this video, it was very helpful.
an md5 hash of my normal password for accounts that are valuable to me is good enough for normies such as myself
I think it would be a good idea to select words from multiple languages, as in "libertatum jahannam beylerbeyi vodka sushi" the cracker would need 5 dictionaries for 5 different, unrelated languages. Most people don't know multiple languages, but you probably know at least a few words from other languages. I don't know Arabic, Latin, Russian or Japanese, but I could come up with these words.
They're not cracking it by hand. They don't need to actually know the languages.
Mental should just give us all a superstrong password we can all use
Lmao ppl would actually use it 😂
13:38 All of a sudden, the overfocus of this channel on privacy makes a hell lot of sense...
A good idea for a video is to talk about hashes and its relation with security and maybe some Linux examples
Can you do a video on encrypting disk ??
The ending was pure gold
Randomly generated pass phrases are pretty good
I like this video a lot
wow thats a great password ! im going to use it
11:30
Plot Twist: He revealed his master password
I feel like long German words (for example Lebensabschnittpartner) are a pretty useful basis for a password
Can you make a video on how to deal with the situation of a 1080p monitor with a 4k one in a desktop environment? The downscale with xrandr is awful.
this video is TOP V!
The worst thing about "how to make a password" video is that it also feeds into password cracking dictionaries. Still, this video is pretty good for at least introducing the idea of "making up your own word."
What are people's thoughts on even a slight marrying the two concepts? The one thing that always bothers me about the correcthorsebatterystaple is that it doesn't even try to use caps or punctuation. "Correct horse, battery: staple." requires little mental effort to manipulate and yet can deter a dictionary attack by chance in case they hadn't accounted for extra characters. Technically it's not 10,000 ^ 4 as so much as now 20,000^4*(50? 100? Whatever the size of the padding characters could be)^4 at least.
I guess I just have a good memory, because for passwords/phrases I really need to be secure I don't follow any guideline; I just literally randomly mash the keyboard for a good 20 or so characters and then permanently memorize the result on the spot, and type it from memory every time I have to use it again. The longest one I've used was 36 random alphanumeric characters, but I think that's really overkill. I never store or write this down, I only memorize it, and even though I change them relatively often as well, I usually remember all of them for years after I replaced them. A few times I have had to think for a minute for some, but I have never forgotten any when I needed them.
What if you get hit in the head?
Is it possible for someone to learn this power
be careful, photographic memories usually fade past childhood.
@@yes-vy6bn I'm 24
Hey this vid is almost like a reply to my comment in the last vid =D
Yeah I knew someone asked me about how to pick a good password, I guess that was you, thanks for watching 😁
@@MentalOutlaw Mental Outlaw oh no that wasnt me, i posted an XKCD about password generation, the exact one you showed in this video.
Great content with a lot of humor though. Damn, I can't stop laughing at 13:38
😂😂💀
xD
Dumb question: If I speak multiple languages, would using words/phrases/symbols from each be more secure? I'd assume hackers aren't all native English speakers only. But on the contrary, I've done something similar to that and some websites won't let me back in because their backend doesn't know how to handle such symbols, I'm guessing.
It would be incredibly difficult if you're using different languages, especially if the language has specific characters, but lots of websites are probably still legacy and don't respect all of UTF-8 or just have terrible backends to deal with your extra characters.
It only makes it a bit more difficult because they would use a larger dictionary, but it would still be cracked as that's a common thing people try.
MFA like time-based codes to a phone or a smart card can be more secure than a password alone
to a phone or generated from a phone? To has possible transport security problems. From can just be encrypted locally.
I sometimes use whole lines from national anthem lyrics. Probably shouldn't say this but I'm not a POI anyway.
Will foreign characters work? Is multilingual gibberish a viable option? Because I guess that some good ol’ French mixed with Arabic can be pretty hard to crack when you take all the points you gave in the video.
Holy shit I should start using other languages for master passwords, thanks for the idea
Many websites won't accept non-Latin characters, but you can always transliterate them.
i came up with a method that allows the most simple passwords ever, but it's a bit awkward to use atm, need better software support.
you simply hash your password with a slow hash
When your school's SSO doesn't let you use half of the special characters visible on the standard US keyboard
Oh, fun fact: medieval world of occult used curses and random nonsense from multiple languages (from low German to Aramaic) as spells and incantations. I think in some cases it was a sort of cypher or literal trolling (they loved memes and taking a piss at everything and everyone for some reason. Medieval monks would probably frequent 4chan today). Try it out yourself.
Sounds fun
The real big brain move would be using non English words.
I've been using a password manager for a while now.
At what point do you change its password? I assume it's also the time to change all the passwords within the manager. Every year or two?
I don't have TikTok installed on my phone but I've recently learned that it saves your clipboard every couple of seconds (even in the background) afaik there's nothing stopping other apps from doing so also.
Is it wise to split your accounts in two .kdbx files? i.e. for life-ruining and everything else.
Maybe even append a string to the passwords so that if your clipboard gets stolen it doesn't have the string needed to crack your pw.
As far as I know, with Wayland it's a lot harder for a rogue keylogger to exist in userland (non-root), but with Xorg it's free real estate. GL tho, you kinda are already screwed once a program infiltrates your computer. By then you just have to implement counter measures (changing passwords). Kinda hard to beat that threat model.
As for changing passwords, I don't do it unless I'm emailed by a provider of a database breach. The only passwords I change are ones related to high-profile accounts. i.e.: steam, paypal (probably gonna get rid of that in favor of privacy.com), any financial account except my bank (bank not in my password manager), and email.
If you're using a degoogled custom ROM on your smartphone, you can just revoke the permission that the app has to access your clipboard, and there's no need to change the meaningless accounts' passwords like Facebook or Twitter; change only the important ones like bank and government account passwords.
Thx
Password; "Coitus et medicamentum et petra et volvere" Latin; Sex and drugs and rock and roll. Not going to forget that one.
Who would have thought being fluent in an obscure language would be so useful?
6:28 Paypal has a password length limit.
If only password policy allowed for some passphrases instead of requiring special character mixed case spaces invalid
That's when you use a password manager like bitwarden
I just bash my keyboard, and reset my password every time i need to login.
I had a question about password cracking attacks.
If I as a web developer implement attempt limits on my sign-in, doesn't that eliminate a hacker's ability to do a dictionary attack or brute force it?
After X number of attempts the account becomes locked, so not only can they no longer make any more attempts to log in, but it won't matter if they do some kind of IP spoofing to "reset" their attempts, because the account internally will be locked until the true user goes through an authorization unlocking process.
Brute-forcing usually means that a hacker has already obtained the hashed passwords and has them in their possession (through leaks etc.)
@@unjumbledfilm6466 Not really, brute-force is just a term; what you're talking about happens after a service is compromised and the password DB is leaked. Even after that it's not really viable to brute-force the hashes. MD5 is vulnerable to brute-force but it's been kicked out of the hashing standards a long time ago, and the newer ones WHIRLPOOL, RIPEMD, SHA2 and SHA3 are pretty much useless to brute-force (taking a random string > hashing > comparing to the original hash); also most services salt and then hash the password, making it pretty much impossible. What the OP is talking about is more of an attack on a targeted user rather than the whole service. It uses automated tools to try to brute-force the password of a particular user using the service's login system itself.
Theoretically it will prevent any kind of brute-force/dictionary attack. But it has a huge flaw. Let's say I'm an attacker, and my target is user "X". What I'll do is trip the login attempt threshold until X's account gets locked. Now user X will have to do the authorisation process to get his account back. But as soon as the account gets unlocked I'll trip it again. And this will continue.
Now using some simple scripting skills anyone can make a script that'll do this automatically on either a single user or multiple users at once, making their accounts inaccessible, and by using either some VPN or proxy (unless you have Cloudflare or some similar service, in which case using botnets or hardened RDP servers), anyone can launch a service-wide attack which could make your service inaccessible to any user (unless you don't have a client-side username check, in which case a service-wide attack will be kind of infeasible). But still, you get the idea.
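Added example (not from the video or any commenter here) of the alternative to a hard account lockout that the exchange above leads to: slow the guessing down without giving an attacker a way to lock anyone out. Per account, each consecutive failure doubles a wait time, capped, and a successful login clears it; per source address, a sliding-window cap stops one IP from spraying many accounts. Timings, limits and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Login throttling that resists online guessing without a permanent lock.

    Per account: wait time doubles after each consecutive failure (capped at
    max_delay) and is cleared by a success, so an attacker can at worst make the
    owner wait max_delay, never lock them out for good.
    Per source address: at most ip_limit failures per ip_window seconds, so one
    address cannot spray many accounts. Use together with a slow password hash.
    """

    def __init__(self, base_delay=1.0, max_delay=900.0, ip_limit=20, ip_window=600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self._account = {}                      # account -> (consecutive failures, not_before)
        self._ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _recent_ip_failures(self, ip, now):
        q = self._ip_failures[ip]
        while q and q[0] <= now - self.ip_window:
            q.popleft()
        return len(q)

    def check(self, account, ip, now=None):
        """Call before verifying the password. Returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        if self._recent_ip_failures(ip, now) >= self.ip_limit:
            return False, self.ip_window
        _, not_before = self._account.get(account, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, account, ip, now=None):
        """Call after a wrong password. Returns the delay now imposed on the account."""
        now = time.monotonic() if now is None else now
        self._ip_failures[ip].append(now)
        failures, _ = self._account.get(account, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._account[account] = (failures, now + delay)
        return delay

    def record_success(self, account, ip, now=None):
        """Call after a correct password: the account's backoff is reset."""
        self._account.pop(account, None)


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(5):
        print("attempt", i + 1, "allowed:", t.check("alice", "198.51.100.7", now=float(i))[0],
              "next delay:", t.record_failure("alice", "198.51.100.7", now=float(i)))
```

With these defaults, 20 consecutive failures against one account from any number of addresses add up to 2^19 seconds of waiting before the 21st guess, so a dictionary attack through the login form is not practical, while the legitimate owner's worst case is a 15 minute wait rather than an unlock procedure. Apply the same delay when the account does not exist, or the response time reveals which usernames are valid.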
So just make my password ebonics?
Just use your nickname as a password
Sneaking in Big Chungus I see.
13:47 oh damn....
I found that funny but I think I'm gonna have to remove that from the playlist on my channel now 💀
CHUNGUS!
13:38 ;))
Best part of the video
not that I'm an expert but I'd suggest that it's even better to simply find a list of 100,000 words and randomly pick four or five of them. Picking character names or brand names sounds very social-engineer-able
yeah random dictionary words that you don't have any special relation to are better, I recommend people look into diceware
yep, just make sure you don't use a pseudo-random word generator. I've tried some online and the same words come up over and over
5:20 I see you too are a man of high culture
Gotta change kakarot to Ultra Instinct Kakarot, since Tournament of Power!
My password on social media is an easy one but hashed. Since it's hashed again by the database, it will be hard to know what my password is. The least strong unhashed password, which is actually strong for most people, is the one to log in on my computer. Well... now it's less strong since you all know, but it is still quite strong. Hahah
I've heard hackers have dictionaries with hashes that correspond to common words and also the hashes of already cracked passwords. So I wouldn't rely solely on the fact that my password is hashed.
what about PINS? I use those on my password manager but idk also (fingerprint and face)
PINs are usually up to 8 symbols and can't be brute forced because of secondary security measures (limited attempts). Use mnemonics or some dates which aren't directly related to you or your family but are of some interest (fall of Constantinople, hour at which the Polish pope died, 14 words, 88). You can also swap numbers around and use the rhythm/rhymes to remember them.
Fingerprint is fucking satanic; just don't use it on anything important ever, especially the phone (you can source the fingerprint from the very fingerprint reader, what's the point xD), even a child can copy it. Well ok, you can use it as a first layer or something but definitely not the sole protection like some bank apps allow you to. Fun fact: during the HK protests most of the Telegram groups infiltrated by the police were simply accessed using fingerprints. The law forbids them from forcing you to unlock your devices, but why bother forcing when you have the key in your hand.
As to face, it's not great either (social media, physical observation, modelling from memory, physical capture) but definitely better than the former.
Hope I helped
0:10 bet, I convert a phrase to something other than english that has different characters, like arabic for example, then convert that into Unicode and paste it in.
👍👍
I just got a notification from google because my password had been found on a data breach, the same one I used on paypal
It apparently leaked from Linkedin in 2021, and the only reason I still have my savings is because no one tried hard enough
Create a strong and easy-to-remember password in bash:
$ read -s pass; printf '%s' "$pass" | md5sum | tr 'AaNnTt' '@' | base64 | tr 'EeHhLl' '#' | cut -c -25
this is just an idea/example, YOU SHOULD MAKE YOUR OWN VARIATION (DO NOT COPY-PASTE THIS!!!)
you can change md5sum to any other hash generator (e.g. sha256sum)
tr 'AaNnTt' '@' changes some characters to make your pass harder to recover from the output (the original had square brackets around the set; tr treats those as literal characters too, so they are dropped here, and "$pass" is quoted and fed through printf so spaces and a trailing newline don't change the hash)
cut -c -25 gives you only the first 25 characters of the output (you can set it from 1 to 40)
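Added example (not from the video or any commenter here) that does what the pipeline above and the "hash your password with a slow hash" comment earlier describe, but with scrypt instead of md5sum: a memorable master string plus the site name is turned into a per-site password, deterministically, so there is nothing to store. The cost parameters, the output alphabet and the policy check are assumptions for the example; `hashlib.scrypt` is the standard-library call.

```python
import hashlib
import string

# Output alphabet (74 symbols): letters, digits and symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def to_alphabet(raw: bytes, length: int) -> str:
    """Encode key bytes as `length` symbols from ALPHABET by base conversion, so every
    position can be any symbol (base64 would only ever give [A-Za-z0-9+/=]).
    With 64 input bytes and a 25-symbol output the modulo bias is negligible."""
    x = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        x, r = divmod(x, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def meets_policy(pw: str) -> bool:
    """Typical site policy: at least one lowercase, uppercase, digit and symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def derive_site_password(master: str, site: str, length: int = 25,
                         counter: int = 0, n: int = 2 ** 14) -> str:
    """Deterministically derive a per-site password from a memorable master string.

    scrypt with the site name as salt replaces the md5sum step: each guess at the
    master costs ~16 MiB of memory and tens of milliseconds instead of nanoseconds,
    and the same master yields unrelated passwords for different sites. `counter`
    rotates one site's password without touching the master. If the output fails
    the policy (a few percent of the time) a separate bump value is mixed in, so
    counter=1 can never collide with counter=0.
    """
    for bump in range(64):
        salt = f"{site}#{counter}#{bump}".encode("utf-8")
        raw = hashlib.scrypt(master.encode("utf-8"), salt=salt, n=n, r=8, p=1,
                             maxmem=64 * 1024 * 1024, dklen=64)
        pw = to_alphabet(raw, length)
        if meets_policy(pw):
            return pw
    raise RuntimeError("no policy-compliant output in 64 attempts (practically impossible)")


if __name__ == "__main__":
    master = "example master phrase, not a real one"
    for site in ("example.com", "example.org"):
        print(site, "->", derive_site_password(master, site))
```

Caveat that applies to the bash version as much as this one: anyone holding one derived password plus the scheme can still brute-force the master offline; the slow hash only makes each guess expensive, so the master still needs real entropy. And because derivation is deterministic, a site that forces a password change needs the counter bumped, which you then have to remember per site.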
Maybe not the safest method around, but the way I create my passwords is that I invent long random sentences and take the first letter from each word. So something like: 43 long legged neckbeards landed with star-shaped choppers on the roof of my house. They stole five dollars and kidnapped my dearest ginger auntie. Fortunately I caught them and sent them to jail. That would give a password looking like 43llnlw*-scotromhTs5$&kmdgaFIct&stt# I get that it's not perfect in terms of entropy because sentences just must have certain structures and there probably is a certain distribution of letters at the beginning of words, but it can be fairly well remembered and can create some damn long passwords.
You'll still have the problem of people using the most common words in their password. What happens when half the passwords are Love, Success, Money and God (nod to the movie Hackers :-) )
Which password manager do you recommend? 2FA worthwhile or a meme?
Use pass, the standard password manager. 2FA is good
just dont use phone number 2fa. it makes your security worse, not better
@@yes-vy6bn for account security it is better unless you are hiding from the NSA or FBI you should be fine
What should happen to my passwords when I die?
Protip: use neologisms and intentional spelling errors (make sure they're fun, cringy or otherwise emotionally engaging to reinforce the neural pathways, have some fun with wordplay, make it a whorse) and mix languages, even within words. You don't have to be a polyglot to be able to do this; it can even help you learn a language if you change the password regularly (I know, weird technique but what works...)
what about foreign words?
is my password ******** good?
If It is just asterisks then no. hahahah
********** Didn't know google censored passwords!
@@chippym8316 correcthorsebatterystaple hey you lied
I was scared that my password was going to be brute forced or social engineered, so I literally just closed my eyes and randomly typed things and included randomly holding down shift. And I forced myself to remember this 15 character long string, which I did. And I "reverse" hashed it with one of my failed hashing programs that expanded the key into 125 characters instead of hashing it, which I made sure outputted consistently, and imported only the bare minimum of libraries. AND, I flashed the binary into an atmega microcontroller that looks like a normal USB stick to input the password by presenting itself as a HID to any computer while having specific GPIO ports shorted. I use it as my homemade KeePass. I even modified the key to be successfully recognized as an input method on Android phones and iPad by modifying some libraries. When I can't short any GPIO ports, the key simply opens a notepad program on the current system, writes the whole binary of the program that I wrote, and automatically runs it asking for any string input, which only outputs the password that I wanted when I type the 15 characters (I can also just input any other new password to be expanded into a somewhat "reverse hashed" string).
Not even GPUs; I'm sure some organizations have password-cracking ASICs at their disposal...
The NSA has a supercomputer built just cracking passwords
@@JohnSmith-zk3kd whats the hashrate on it?
@@phizlip they don't release the strength of it, they just said they have it.
it was kinda funny watching 10:40 while having jmnedict on my computer (not for hacking of course)
I don't mind memorizing extremely long randomized passwords. Would a randomized alphanumeric 64 character password be ok? I could memorize a random 128 character password but it would take a few days to memorize.
does this method still work?
Just use diceware
I wrote down a part of my master password on a paper irl and another part of it I memorize. Can anyone tell me how safe that is
chungus
i use a long string of different locomotive models, most websites estimate 2 trillion years+ to crack
My password is my Cuban ex gf name backwards plus the year we met, plus my Russian ex name backwards plus the year we met, plus my second middle name plus the year I graduated.
25 characters. Easy to remember.
Oh... that's the password to my password manager.
I actually don't know the passwords to any of my accounts. I use strongpassword generator, upper and lower case, digits and 15 characters.
If my password manager ever goes away, (it's offline), then I'd have to reset over 20 accounts... a chore but... meh
Hey, unsure about this, but is it possible for websites to see what's in your clipboard? Maybe copy and pasting isn't the most secure.
Yes, it is possible. In my case I set Bitwarden (password manager) to clear the clipboard every 30 seconds.
It isn't really necessary because Bitwarden can fill in password fields without going through the clipboard but it's better safe than sorry.
Why not nonsense words? I never see this mentioned. Why not "jilly nilly shipple hipple twing" or "gopple stopple awesome twang"? Something phonetic that you can remember. Open a text editor and start playing. See how fast you can type what you come up with. Once you think you've got a good flow going with your chosen phrase, type it several times to stick it in memory, then close without saving and use it. And of course, as others have mentioned, toss some random punctuation in there too. Tack an exclamation mark on the end, or if you're using Windows look into using the alt key plus number pad to generate wacky characters like ñ or æ if the website or app will take it.
44 bits of entropy is not safe. If the attacker has enough money they don’t need it to take decades to crack. They can buy unlimited cloud computing power easily. You should analyze the cost of cracking in addition to time.
Ok, but what if we present a human/algorithm with random keyboard-mash characters and ask them to pick out sequences they can remember, then collect like idk 20 characters, substitute the e, a, o etc. for 3, @, 0, add a random number somewhere and maybe some punctuation, so we get
pkovzqkdwkdwcsciujbchyfvccswueeopfowkgotskenzkmpjddhfs ->
pkovz csci hyfv wueef gotskenz kmpj ->
Pkovz 894624 CSC!, hyfv wu3ff G0tskenz KMPJ.
I have a feeling that if we replace a biased human with an algo that can distribute characters well and not ignore the least used ones like z, q, x, etc. then no dictionary is applicable. Especially if every person that has a copy of the generator retrains it a bit.
oh shit I didn't watch to the end
10:17 *_HOLY FUCK HOW'D HE FIND MY PW_*
So basically have a seizure on the keyboard and DONE.
ww22ww22 is my super secret password.
Is a 29 character password secure enough?
Yes, usually, but it can still be insecure, for example if you do 11111111111111111111111111111111111111 or treewalldogseenproperdogbroke(' the one full of ones would be less secure