this post was submitted on 20 Jul 2024
1630 points (98.6% liked)

linuxmemes

21627 readers
105 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 2 years ago
    MODERATORS
     
    you are viewing a single comment's thread
    view the rest of the comments
    [–] Fillicia@sh.itjust.works 7 points 5 months ago (2 children)

    The part where this falls flat is that using dictionary words is one of the first step in finding unsecured password. Starting with a character by character brute force might land you on a secure password eventually, but going by dictionary and common string is sure to land you on an unsecured password fast.

    [–] possiblylinux127@lemmy.zip 8 points 5 months ago

    That'd why words are from the eff long word list and there are 6 words

    [–] SatyrSack@lemmy.one 6 points 5 months ago (2 children)

    Even if an attacker knew that your password was exactly four words from a specific list of only 2048 common words, that password would still be more secure than something like Tr0ub4dor&3

    https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

    [–] Fillicia@sh.itjust.works 4 points 5 months ago

    If the attacker search for your password specifically then xkcd themself posted the reason why it wouldn't really matter

    https://www.explainxkcd.com/wiki/index.php/538:_Security

    If you're doing blind attemps on a large set of users you'll aim for the least secured password first, dictionary words and known strings.

    [–] 14th_cylon@lemm.ee 3 points 5 months ago (1 children)

    No, it would not. 2048 to the power of 4 is significantly less than 60 to the power of 11.

    https://www.wolframalpha.com/input?i2d=true&i=Power%5B2048%2C4%5D%E2%80%94Power%5B60%2C11%5D

    [–] Zangoose@lemmy.world 7 points 5 months ago (1 children)

    That's true but in practice it wouldn't take 60^11 tries to break the password. Troubador is not a random string and all of the substitutions are common ( o -> 0, a ->4, etc. ). You could crack this password a lot easier with a basic dictionary + substitution brute force method.

    I'm saying this because I had an assignment that showed this in an college cybersecurity class. Part of our lesson on password strength was doing a brute force attack on passwords like the one in the top of the xkcd meme to prove they aren't secure. Any modern laptop with an i5 or higher can probably brute force this password using something like hashcat if you left it on overnight.

    Granted, I probably wouldn't use the xkcd one either. I'd either want another word or two or maybe a number/symbol in between each word with alternating caps or something like that. Either way it wouldn't be much harder to remember.

    [–] 14th_cylon@lemm.ee 3 points 5 months ago (1 children)

    Troubador is not a random string

    except it is not troubador. it is troubador, ampersand, digit.

    if you know there are exactly two additional characters and you know they are at the end of the string, the first number is really slightly bigger (like 11 times)

    once the random appendix is 3 characters or more, the second number wins

    https://www.wolframalpha.com/input?i2d=true&i=Divide%5BPower%5B2048%2C4%5D%2CPower%5B256%2C3%5DPower%5B2%2C4%5D4*500000%5D

    and moral of the story is: don't use xkcd comic, however funny it is, as your guidance to computer security. yes, the comic suggestions are better than having the password on a post-it on your monitor, but this is 21st century ffs, use password wallet.

    [–] sus@programming.dev 1 points 5 months ago* (last edited 5 months ago)

    if you know there are exactly two additional characters

    this is pretty much irrelevant, as the amount of passwords with n+1 random characters is going to be exponentially higher than ones with n random characters. Any decent password cracker is going to try the 30x smaller set before doing the bigger set

    and you know they are at the end of the string

    that knowledge is worth like 2 bits at most, unless the characters are in the middle of a word which is probably even harder to remember

    if you know there are exactly two additional characters and you know they are at the end of the string, the first number is really slightly bigger (like 11 times)

    even if you assume the random characters are chosen from a large set, say 256 characters, you'd still get the 4-word one as over 50 times more. Far more likely is that it's a regular human following one of those "you must have x numbers and y special characters" rules which would reduce it to something like 1234567890!?<^>@$%&+-() which is going to be less than 30 characters

    and even if they end up roughly equal in quessing difficulty, it is still far easier to remember the 4 random words