Reminder to use strong passwords
-
I guess what I mean is, it’s a single point of failure. Usually an extremely strong one, granted.
And your memory is not a single point of failure?
-
these are called pass phrases and yes, they tend to be way more secure at least until quantum computers render all traditional cryptography meaningless.
until quantum computers render all traditional cryptography meaningless.
I’ll cross that bridge when it actually happens.
-
Basically what diceware does. It’s just that humans are really bad at picking random words (“banana” is over represented, for instance) that’s what diceware helps with.
I look around the room or think about what I’m doing. My username was made that way.
-
until quantum computers render all traditional cryptography meaningless.
I’ll cross that bridge when it actually happens.
You’ve got an estimated 10 years or so before quantum computers can crack all current encryption by using Shor’s algorithm.
One of the most important quantum computing algorithms, known as Shor’s algorithm, would allow a large-scale quantum computer to quickly break essentially all of the encryption systems that are currently used to secure internet traffic against interception. Today’s quantum computers are nowhere near large enough to execute Shor’s algorithm in a practical setting, and the expert consensus is that these cryptanalytically relevant quantum computers (CRQCs) will not be developed until at least the 2030s.
-
I look around the room or think about what I’m doing. My username was made that way.
Not recommended. People can and do crib the kinds of things you’re likely to have around you. It can narrow the field of guesses more than you’d think.
-
And your memory is not a single point of failure?
Well, no, not really. If I forget a password I’ve only lost access to the one site, and it’s recoverable. Just a partial failure. Not going to lose everything unless I literally die in which case I don’t care about anything anymore. And no one is going to breach my brain short of tying me to a chair, and that’s not really my threat model.
-
Well, no, not really. If I forget a password I’ve only lost access to the one site, and it’s recoverable. Just a partial failure. Not going to lose everything unless I literally die in which case I don’t care about anything anymore. And no one is going to breach my brain short of tying me to a chair, and that’s not really my threat model.
Gotcha, the boomer method.

-
Password managers are OK but I have hesitations on them personally. I’m leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you’re not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I’m not advocating for any particular method, just putting it out there so people can make an informed decision.
I use horse-battery-staple passwords for core stuff (unlocking my computer, bank stuff).
I use the password manager-generated passwords for everything that’s in a browser.
-
'Pass word1!
Oh, ’ and spaces aren’t allowed?
we want you to have a secure password so we’re only letting you use letters, numbers, and !@#$. nothing else. also, you have to use at least one of each, and it can only be 8 to 12 characters long. remember, we’re doing this for your security!
-
Ideally all lowercase letters to make them easy to type when you need to use them in another device. Unfortunately, a lot of places don’t allow that, preferring less secure and more inconvenient passwords.
30 characters? you don’t need that, we only let you use up to 10. also yes you have to have at least one lowercase letter, uppercase letter, number and a symbol (which can only be !, @, #, or $). we’re doing this for your security, of course
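The two points argued in this thread (the diceware comment that humans pick words like “banana” far too often, and the complaints about policies capping passwords at 8 to 12 characters with only `!@#$` as symbols) can both be made concrete with a little arithmetic. The following is an added example, not code from any commenter or from any diceware project: it picks words with the OS CSPRNG instead of dice, computes the entropy of a passphrase versus a policy-constrained password, and flags words a population of humans over-picks relative to a uniform choice. The 25-word list is constructed only so the code runs offline; the 7776 figure is the size of the EFF long word list (five dice rolls), and the 66-character set is the policy quoted above (letters, digits, `!@#$`).

```python
"""Diceware-style passphrase generation and entropy comparison.

Added illustration for the thread; not the project's or any commenter's code.
"""
import math
import secrets
from collections import Counter

# Constructed mini word list (assumption: a real deployment uses a published
# list of thousands of words; this one exists only so the code runs offline).
SAMPLE_WORDLIST = [
    "banana", "copper", "drizzle", "ember", "fjord", "glacier", "hamlet",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "oboe",
    "pillow", "quartz", "ripple", "saddle", "tundra", "umbrella", "velvet",
    "walrus", "xenon", "yonder", "zephyr",
]

EFF_LONG_LIST_SIZE = 6 ** 5  # 7776 words, each addressed by five dice rolls


def diceware_passphrase(wordlist, n_words):
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG.

    secrets.choice stands in for physical dice. Words are drawn with
    replacement, as diceware does, so repeats are allowed and every
    word is equally likely; that uniformity is the whole point.
    """
    return [secrets.choice(wordlist) for _ in range(n_words)]


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy in bits of n words chosen uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def charset_password_entropy_bits(charset_size, length):
    """Upper bound on the entropy of a uniformly random password of `length`
    characters drawn from a charset. Composition rules ("at least one of
    each") and a maximum length can only push the real figure lower."""
    return length * math.log2(charset_size)


def restricted_policy_charset_size():
    """Character set of the policy quoted in the thread: letters, digits, !@#$."""
    return 26 + 26 + 10 + 4  # 66 symbols


def compare_policies():
    """Best-case bits for the quoted policy's max length versus passphrases."""
    cs = restricted_policy_charset_size()
    return {
        "policy_10_chars": charset_password_entropy_bits(cs, 10),
        "policy_12_chars": charset_password_entropy_bits(cs, 12),
        "diceware_5_words": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 5),
        "diceware_6_words": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }


def overrepresented_words(human_choices, wordlist_size, factor=3.0):
    """Flag words a population picks far more often than a uniform draw would.

    human_choices: a flat list of words people chose (a constructed survey).
    Returns {word: observed/expected ratio} for words at or above `factor`.
    """
    counts = Counter(human_choices)
    expected = len(human_choices) / wordlist_size
    return {w: c / expected for w, c in counts.items() if c / expected >= factor}


if __name__ == "__main__":
    print("passphrase:", " ".join(diceware_passphrase(SAMPLE_WORDLIST, 5)))
    for name, bits in compare_policies().items():
        print(f"{name:>18}: {bits:5.1f} bits")
```

The comparison shows why the “max 10 characters, four allowed symbols” policy frustrates people: even a perfectly random 10-character password under it tops out at about 60 bits, below a five-word diceware phrase, and the composition rules only lower that bound. The `overrepresented_words` check is what a defender would run on a corpus of user-chosen phrases to show that human “random” words are not uniform.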