Use strong, unique passphrases.
Passphrases are easier to remember and harder to crack.
#Passphrases #PasswordStrength #Authentication

8,192 French #Diceware word list for use with computers.

#passwords #passphrases

https://theworld.com/~reinhold/wordlist_fr_8192.txt

"The challenge in storing encrypted backup data is that strong encryption requires strong (or “high entropy”) cryptographic keys and passwords. Since most of us are terrible at selecting, let alone remembering strong passwords, this poses a challenging problem."

#MatthewGreen, 2020

https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/

This isn't as hard as people seem to think;

https://xkcd.com/936/

What's missing is education, including replacing "password" with "passphrase".

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

Vor kurzem wurde das 2024 update zum hive systems password table veröffentlicht und wird gerade wieder viel geteilt.

Leider behandelt hive systems das Theme passphrases absolut inadequat, deswegen haben wir das zum Anlass genommen unsere passphrase Tabelle zu aktualisieren.

Details im Kommentar.

New Episode: hpr4047 :: Change your passwords once in a while

Hosted by Deltaray on 2024-02-06 is flagged as Clean and released under a CC-BY-SA license.

Tags: #passwords, #security, #cyberSecurity, #PassPhrases, #PasswordManagers

https://hackerpublicradio.org/eps/hpr4047/index.html

Strong passphrases can be the only barrier between adversaries and your valuable information. As we have increased our reliance on passwords, adversaries have developed increasingly sophisticated ways to crack them.
Ensure your passphrases are long, unpredictable and unique. Follow as many of our principles as you can to create the most secure passphrase possible.

Read more about creating strong passphrases https://www.cyber.gov.au/protect-yourself/securing-your-accounts/passphrases/creating-strong-passphrases

New webpassgen release 20231024.

Two new password generators:

- Obscure passphrases
- Pure random whitespace

Other features include:

- Colored mouse selection to match the requested security level.
- "Every Word List" size now surpasses 2^16 unique words.
- Noto Sans Mono replacing the system font for more consistency.
- Passwords are aligned vertically.
- Base4 now uses the digits 0-3 instead of DNA nucleic acid sequences.

#passwords #passphrases #opensource

https://github.com/atoponce/webpassgen/releases/tag/20231024

If you have to remember them - passphrases are better than passwords.

What is a passphrase? Comparing #passwords vs. #passphrases:

https://proton.me/blog/https-proton-me-blog-what-is-passphrase

What is #Fedi's opinion on #passphrases vs #passwords? Are passphrases just better?

For example,
Passphrase: pillowybarbsspike
Password: Tfu90PQ8vs352

#Passphrases are a great idea. I set mine to "password one two three exclamation point".
#infosec

On LLM and passphrases ...

The thought has occurred that given that large language models are trained on texts, which one presumes includes not only Internet sources by scanned-in copies of published books and articles ...

... there's a strong probability that any given published word sequence appears within such a corpus ...

... and that given even a small sampling of a passphrase which is itself drawn from a similar corpus ... LLMs should be really good at guessing a given passphrase.

(How might it get a small sampling? Oh, say, shoulder-surfing, or acoustic signatures of typed characters, or leaks from inadvertently-entered phrases in the wrong dialogue, or other cues from context.)

Upshot: if you're relying on a single phrase from any published set of works ... as a long secret key ... you might want to reassess your threat model.

(I don't know that combining phrases from multiple sources might be an improvement ... though there are reasons to suspect that might also be at increased risk.)

(Oh, and by "you", I also mean "all the systems you're relying on, directly or indirectly". That would include, say, corporate, institutional, or governmental systems to which someone's previously relied on what they'd thought would be a long and hence difficult-to-crack phrase.)

(I also suspect that state-level actors will have first capabilities in this manner, but that that threshold will rapidly fall to far less-capable entities.)

(Many moons ago discussing security issues with a corporate user, I suggested that phrases from, oh, say, Alice in Wonderland would not be especially secure. Their passphrase was based on, of course, Jabberwocky.)

Edit: Markup.

#Passwords are a popular topic today - which is good! Far too many people make up easy/simple passwords, reuse them, and complain that it's too hard to figure out #strong passwords AND remember them. I get it! But just adding more symbols or numbers just makes it harder for you to remember, but not a machine to guess. Computers can quickly go through the iterations of 'i', '1', '!', '|' that you used to change up the letter 'i' you have in your password. So why not make it easier on yourself and harder for the machine? Great question! Use #diceware! I've been using it myself for decades now, and enforce its use for #Sysadmins at my company. Use it to create super secure, random #passphrases of 4-6 words that are easy for you, and extremely difficult for a machine. Aside from the manual way of doing it (like I do) a #netizen made a site where it does the dice rolling for you and spits out words from the list that is likely better than whatever you do lol. Give it a try, be #CyberSecure https://diceware.rempe.us/#eff

Hello Fellow Mastolorians!

In the 1830s, Americans thought tomatoes were poisonous, and many people refused to have anything to do with them. But within the space of just 10 years — without TV, radio or the Internet — consumer perception and behavior completely changed. This bodes really well for infosec pros concerned about how to improve consumer security behaviors.

#ICYMI — I joined Carey Parker, host of the consumer security and privacy podcast Firewalls Don't Stop Dragons for a light-hearted discussion on a serious topic: password security. Listen in to find out what the history of tomatoes in the U.S. can teach infosec professionals about educating consumers on good password hygiene.

More than 9,700 people have read this blogpost so far!

Grab a few tomatoes ​​​, have a listen (or read the transcript), and let me know what you think!

https://loistavainfosecurity.com/blog/f/tomatoes-one-time-pads-and-the-california-gold-rush

@FirewallDragons
#OneTimePads
#CaliforniaGoldRush
#Passwords
#Passphrases