
(Inverse) Password hacking article that explains why yours needs to be complex and not include anything even remotely familiar or rememberable (inverse.com)
    More: Interesting, Password strength, Cryptographic hash function, User, Password, Cryptography, good password, Passwords, Hash function  

1536 clicks; posted to Fandom » on 20 Sep 2020 at 3:46 AM (5 weeks ago)



77 Comments

 
2020-09-19 9:56:59 PM  
Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.
 
2020-09-19 10:05:22 PM  
....which reminds me, I need a new set of luggage locks.
 
2020-09-19 10:06:26 PM  
I always hate that xkcd outed my password
 
2020-09-19 10:07:50 PM  

Joe USer: Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.


Or, have a simple change from that

Every first letter of a word is capitalized, each 2nd vowel is a number and every 3rd consonant is a character:
ilikeryetoast

IL1ke#y3To4$t

Your notes say "I like rye toast", but your memorized algorithm makes a complex password...

/not my algorithm, but you get the idea.
 
2020-09-19 10:35:34 PM  
It's always a good idea to use strings that aren't English words.  "Rememberable" is a good example.
 
2020-09-19 11:45:47 PM  
{
Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.
By leveraging this computing power, cybercriminals can hack into systems by bombarding them with as many password combinations as possible, in a process called brute force attacks.
And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as $25.
}

Perhaps on Apple's website where celebrities store nude photos, they'll let you brute force it indefinitely.  On actual secure systems, there is a bad password threshold that locks out an account after a set number of failures, and ideally with reporting software that monitors and alerts on these attempts.

They might have two-factor authentication that sends an SMS message to your pre-configured phone number, so even a hacker with your password couldn't log in.

I use a password manager tool so I endorse that - I've got over 300 sites and networks in there I couldn't possibly remember.  I also endorse using characters like " " between words in a phrase so even someone looking at the plain text version can't reproduce it.  " " is not " ".
 
2020-09-20 12:02:32 AM  
correct horse battery staple
 
2020-09-20 12:02:47 AM  
*******
 
2020-09-20 12:12:04 AM  

syrynxx: Perhaps on Apple's website where celebrities store nude photos, they'll let you brute force it indefinitely.  On actual secure systems, there is a bad password threshold that locks out an account after a set number of failures, and ideally with reporting software that monitors and alerts on these attempts.


What they do is they grab a password file, typically they buy it on the dark web, and then they run a hasher to guess what the password is. It completely bypasses the bad password threshold.

If the company doesn't know they've been compromised, you can then break into user accounts with the passwords you cracked.
 
2020-09-20 12:14:32 AM  

null: correct horse battery staple


I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.
 
2020-09-20 12:15:40 AM  

potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.


Wait. The password was too long?

Because it should be getting stored as a hash so it shouldn't matter how dn long it is.

I hope that isn't a banking site
 
2020-09-20 12:28:36 AM  

Gubbo: potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.

Wait. The password was too long?

Because it should be getting stored as a hash so it shouldn't matter how dn long it is.

I hope that isn't a banking site


Yeah, "My8inchpenis!" is too long for some sites, despite having a capital letter, a number, and a special character.
 
2020-09-20 12:47:24 AM  

Gubbo: potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.

Wait. The password was too long?

Because it should be getting stored as a hash so it shouldn't matter how dn long it is.

I hope that isn't a banking site


It seems most websites have limits on how long to make a password.

And I take a few extra precautions for banking or similarly important websites.  Like multi factor authentication for starters.
 
2020-09-20 1:07:33 AM  
My password is Aristophanes!Ridiculous

 
2020-09-20 3:08:25 AM  
hunter2
 
2020-09-20 4:00:56 AM  
Luckily if you type your fark password in the comments it's automatically rendered as asterisks.

Here's mine: **************


/joking
//don't
///really don't
 
2020-09-20 4:28:47 AM  
pwgen -csny 'shuf -i 17-32 -n 1' 160 | shuf -n 1
 
2020-09-20 4:29:53 AM  

batlock666: pwgen -csny 'shuf -i 17-32 -n 1' 160 | shuf -n 1


Ugh. The accents should be backticks.
 
2020-09-20 4:44:28 AM  

Joe USer: Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.


That's why my password is a line from a movie I hate.
 
2020-09-20 5:06:58 AM  
Llanfairpwllgwyngyllgogerychwyrngogogoch
 
2020-09-20 5:13:03 AM  
I've been using the same passwords for 25 years, though I introduced some new ones over the years.

And lately I've decided to add old phone numbers (10 digit number) to the end of some that I previously used, for more secure places.
 
2020-09-20 5:25:21 AM  
Yeah, well I have a hipNcrypt password. It's the punchline of an obscure joke in Esperanto. You probably wouldn't have heard of it.
 
2020-09-20 5:28:42 AM  
T00 1@ze 2 Loook IT vp, but wasn't there an article contradicting this like two months ago?
 
2020-09-20 5:37:16 AM  
If your password entry system lets someone keep on guessing any passwords for 12 minutes, it's your fault, not the password.
 
2020-09-20 5:37:29 AM  

Joe USer: Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.


Won't work for most places these days, they insist it not contain just letters.

 
2020-09-20 5:46:29 AM  
They'll never guess...

P3N15
 
2020-09-20 5:51:10 AM  
Password managers are practically essential because the single biggest risk for being compromised is reusing credentials.  It doesn't matter if your bank uses a strong hash + salting for securing passwords if the username/password you use for your bank is the same username/password you use for some random forum that stores user credentials in plaintext.  Any given credential is only as safe as the weakest site you use it on.  If it's not reused anywhere, then you're not losing access to several accounts when one company gets breached.

Use 2FA wherever possible.  Not all 2FA is equal, but any 2FA is better than none.  For example: a unique device (or authenticator app on your phone) is better than one that sends a code to your email, especially if that email is used as the username for that service.  If they use security questions, do NOT answer them honestly.  Hell, don't even answer them with actual words.  Generate some more random strings and store them on the secure notes feature provided by most password managers.

The main thing to consider with a password manager is it does put all your accounts in one place, but you're only having to defend one target rather than depending on every site you sign up for to be sufficiently secure.  Use a strong password on the password manager, and don't reuse it elsewhere.  Use 2FA on the password manager.  It's not perfect (nothing is), but it's a hell of a lot safer than how most people approach password security.
 
2020-09-20 5:56:23 AM  
trustno1

It's worked for me for decades!
 
2020-09-20 6:03:12 AM  

syrynxx: I also endorse using characters like " " between words in a phrase so even someone looking at the plain text version can't reproduce it. " " is not " ".


But is " " typed from a keyboard the same as " " typed from a phone?  Can you be sure that Pepsi brand phones won't substitute " " where Coke brand phones used " "?  This is how people lose access to accounts when an upgrade is pushed out.
 
2020-09-20 6:03:28 AM  

Gordon Bennett: Llanfairpwllgwyngyllgogerychwyrngogogoch


It's a great go to password for people who call in for a password reset.
 
2020-09-20 6:10:23 AM  

potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.


It will also fail most sites because of the restrictions that a password must contain a number, a special character, a capital and a lower case letter.  Worse are the sites that insist that no substring of your password contain an English word.
 
2020-09-20 6:44:29 AM  
I just have a couple of strings of 11 random letters, numbers, and symbols that I've memorized. I can switch out the symbols or capitalizations as needed.
 
2020-09-20 6:45:16 AM  

uknesvuinng: Password managers are practically essential because the single biggest risk for being compromised is reusing credentials.  It doesn't matter if your bank uses a strong hash + salting for securing passwords if the username/password you use for your bank is the same username/password you use for some random forum that stores user credentials in plaintext.  Any given credential is only as safe as the weakest site you use it on.  If it's not reused anywhere, then you're not losing access to several accounts when one company gets breached.

Use 2FA wherever possible.  Not all 2FA is equal, but any 2FA is better than none.  For example: a unique device (or authenticator app on your phone) is better than one that sends a code to your email, especially if that email is used as the username for that service.  If they use security questions, do NOT answer them honestly.  Hell, don't even answer them with actual words.  Generate some more random strings and store them on the secure notes feature provided by most password managers.

The main thing to consider with a password manager is it does put all your accounts in one place, but you're only having to defend one target rather than depending on every site you sign up for to be sufficiently secure.  Use a strong password on the password manager, and don't reuse it elsewhere.  Use 2FA on the password manager.  It's not perfect (nothing is), but it's a hell of a lot safer than how most people approach password security.


Why You Should Turn On Two Factor Authentication
Youtube hGRii5f_uSc
 
2020-09-20 7:21:11 AM  
CorrectHorsebatterystapler?
 
2020-09-20 7:33:54 AM  
freaking movie sine -1
arnie helps regurgitate 22
older parcels 1941 delbert
knead breed 2 minuets


You're welcome.
 
2020-09-20 7:41:41 AM  

Gordon Bennett: Llanfairpwllgwyngyllgogerychwyrngogogoch


or this one:

Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu
 
2020-09-20 8:44:48 AM  
AoxomoxoA.

It's a palindrome.
 
2020-09-20 9:56:39 AM  

syrynxx: {
Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.
By leveraging this computing power, cybercriminals can hack into systems by bombarding them with as many password combinations as possible, in a process called brute force attacks.
And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as $25.
}

Perhaps on Apple's website where celebrities store nude photos, they'll let you brute force it indefinitely.  On actual secure systems, there is a bad password threshold that locks out an account after a set number of failures, and ideally with reporting software that monitors and alerts on these attempts.

They might have two-factor authentication that sends an SMS message to your pre-configured phone number, so even a hacker with your password couldn't log in.

I use a password manager tool so I endorse that - I've got over 300 sites and networks in there I couldn't possibly remember.  I also endorse using characters like " " between words in a phrase so even someone looking at the plain text version can't reproduce it.  " " is not " ".


....because sites don't lock accounts after a handful of bad password attempts.

That reads like something on the front page of the Enquirer.
 
2020-09-20 9:59:27 AM  

Gubbo: potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.

Wait. The password was too long?

Because it should be getting stored as a hash so it shouldn't matter how dn long it is.

I hope that isn't a banking site


I use a password generator and will use as long of a password as I can get away with and you might be surprised at how many sites, even banking, limit you to a 16-20 password length.

I don't even know any of my passwords.  I only know the password to my password management app, which anyone can get with a couple of goons and a $5 wrench.
 
2020-09-20 10:04:23 AM  

NotThatGuyAgain: Gubbo: potierrh: null: correct horse battery staple

I've tried to use similar passwords and even that exact password a couple times for lulz.  It's always failed because of password length restrictions.  Of course, if someone really wanted to hack into my accounts, all they'd have to do is break into my house and steal my repository of yellow stickies.

Wait. The password was too long?

Because it should be getting stored as a hash so it shouldn't matter how dn long it is.

I hope that isn't a banking site

I use a password generator and will use as long of a password as I can get away with and you might be surprised at how many sites, even banking, limit you to a 16-20 password length.

I don't even know any of my passwords.  I only know the password to my password management app, which anyone can get with a couple of goons and a $5 wrench.


I wouldn't be surprised so much as scared

Suggests they are storing them in plain text.
 
2020-09-20 10:05:01 AM  

syrynxx: {
Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.
By leveraging this computing power, cybercriminals can hack into systems by bombarding them with as many password combinations as possible, in a process called brute force attacks.
And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as $25.
}

Perhaps on Apple's website where celebrities store nude photos, they'll let you brute force it indefinitely.  On actual secure systems, there is a bad password threshold that locks out an account after a set number of failures, and ideally with reporting software that monitors and alerts on these attempts.

They might have two-factor authentication that sends an SMS message to your pre-configured phone number, so even a hacker with your password couldn't log in.

I use a password manager tool so I endorse that - I've got over 300 sites and networks in there I couldn't possibly remember.  I also endorse using characters like " " between words in a phrase so even someone looking at the plain text version can't reproduce it.  " " is not " ".


If you tried to type U+00A0 NO-BREAK SPACE, the filter put one over on you. All three blanks you have between the quotes are plain old U+0020 SPACE.
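An added example, not written by any commenter in this thread: it shows two storage points raised above, that a hashed password occupies the same space whatever its length, and that U+00A0 and U+0020 are different inputs to the hash unless the site folds them first. The PBKDF2 iteration count and the choice of NFKC folding are assumptions of the example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000   # assumed example work factor; raise it as far as login latency allows
NBSP_PHRASE = "correct\u00a0horse\u00a0battery\u00a0staple"   # U+00A0 between words
SPACE_PHRASE = "correct horse battery staple"                 # U+0020 between words


def encode(password, fold):
    """UTF-8 bytes of the password; NFKC folding maps U+00A0 to U+0020."""
    if fold:
        password = unicodedata.normalize("NFKC", password)
    return password.encode("utf-8")


def hash_password(password, salt=None, fold=True):
    """Return (salt, digest). The digest is 32 bytes for any input length."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", encode(password, fold), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected, fold=True):
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, fold)
    return hmac.compare_digest(digest, expected)


def stored_sizes(passwords):
    """Digest length in bytes for each password, to show it never varies."""
    return [len(hash_password(p)[1]) for p in passwords]


if __name__ == "__main__":
    print("digest sizes:", stored_sizes(["hunter2", SPACE_PHRASE, "x" * 500]))

    # Site hashes the raw bytes: the phrase enrolled with U+00A0 cannot be
    # reproduced by someone (or some keyboard) that types U+0020.
    salt, raw = hash_password(NBSP_PHRASE, fold=False)
    print("raw bytes, typed with U+0020:", verify(SPACE_PHRASE, salt, raw, fold=False))

    # Site folds with NFKC before hashing: both spellings verify, so a device
    # that substitutes one blank for the other does not lock the user out.
    salt, folded = hash_password(NBSP_PHRASE)
    print("NFKC folded, typed with U+0020:", verify(SPACE_PHRASE, salt, folded))
```

A fixed-size digest means a short maximum password length is a policy choice of the site and not something the storage format requires.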
 
2020-09-20 10:44:53 AM  
My password is the last eight digits of Pi.

Brute force that!
 
2020-09-20 11:12:51 AM  

stuartp9: Gordon Bennett: Llanfairpwllgwyngyllgogerychwyrngogogoch

or this one:

Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu



What a coincidence!  I have the same password on my luggage!
 
2020-09-20 11:28:37 AM  

ArcadianRefugee: Joe USer: Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.

That's why my password is a line from a movie I hate.


Nowthisispodracing!
 
2020-09-20 11:37:30 AM  

Joe USer: Very complex does not mean difficult to remember.

"I like rye toast!" is an excellent complex password.

Just don't go around telling everyone about your love of rye toast or:

a. They may guess your password.
b. They may think you have strange eating habits.
c. They may argue that rye bread doesn't toast well.


d. Swap numbers for vowels.
e. Remove spaces.
f. Haystacking: add non random symbols [you can remember AND keep using] before and after the 'main password'.

i.e. "I like rye toast!" becomes \\\\1l1ker73t04st!////

Not too diffi.
 
2020-09-20 11:39:02 AM  
 
2020-09-20 11:41:44 AM  
I started using the first letters of the words to famous quotes; some are 15 to 20 letters long and easier to remember.  But it really sucks when the site wants a number and both lower and upper case regardless of the password size.

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness

Becomes

iwtbotiwtwotiwtaowiwtaof

but for some reason, a lot of sites think "1P@ssword" is more secure
 
2020-09-20 12:37:01 PM  
Verizon, for reasons I can only assume are related to customer stupidity, allows people to log in to their phone accounts using their phone number, rather than just a user name. This means that any mook with a phone list and a botnet can just brute-force accounts with common or stolen passwords. It seems I get a (paper) letter from them every damn month telling me they had to lock my account due to suspicious activity. If those people get control of my phone line, I'm farked, and so will you be.
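An added example, not part of any comment: the lockout threshold and alerting discussed earlier in the thread, run over a constructed login log with phone numbers as usernames as in the comment above. It counts failures per account and, separately, distinct accounts failed per source, because one guess against each of many accounts never reaches a per-account threshold. The log format, thresholds and window are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCK_THRESHOLD = 5               # assumed: failures on one account before lockout
SPRAY_THRESHOLD = 4              # assumed: distinct accounts failed from one source
WINDOW = timedelta(minutes=15)   # assumed sliding window

# Constructed sample log (documentation IP ranges, made-up usernames).
SAMPLE_LOG = """\
2020-09-20T12:00:00Z FAIL user=5550001 src=203.0.113.7
2020-09-20T12:00:02Z FAIL user=5550002 src=203.0.113.7
2020-09-20T12:00:04Z FAIL user=5550003 src=203.0.113.7
2020-09-20T12:00:06Z FAIL user=5550004 src=203.0.113.7
2020-09-20T12:01:00Z FAIL user=5550100 src=192.0.2.44
2020-09-20T12:01:20Z FAIL user=5550100 src=192.0.2.44
2020-09-20T12:01:40Z OK user=5550100 src=192.0.2.44
2020-09-20T12:02:00Z FAIL user=5550009 src=198.51.100.9
2020-09-20T12:02:10Z FAIL user=5550009 src=198.51.100.9
2020-09-20T12:02:20Z FAIL user=5550009 src=198.51.100.9
2020-09-20T12:02:30Z FAIL user=5550009 src=198.51.100.9
2020-09-20T12:02:40Z FAIL user=5550009 src=198.51.100.9
""".splitlines()


def parse(line):
    ts, outcome, user, src = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, outcome, user.split("=", 1)[1], src.split("=", 1)[1]


def analyse(lines):
    """Return (locked accounts, alerts in the order they fired)."""
    fails_by_account = defaultdict(deque)   # account -> failure times
    fails_by_source = defaultdict(deque)    # source -> (time, account)
    locked, flagged, alerts = set(), set(), []
    for line in lines:
        when, outcome, user, src = parse(line)
        if outcome == "OK":
            if user not in locked:
                fails_by_account[user].clear()   # a good login resets the counter
            continue
        acct = fails_by_account[user]
        acct.append(when)
        while acct and when - acct[0] > WINDOW:
            acct.popleft()
        if len(acct) >= LOCK_THRESHOLD and user not in locked:
            locked.add(user)
            alerts.append(("lockout", user))
        seen = fails_by_source[src]
        seen.append((when, user))
        while seen and when - seen[0][0] > WINDOW:
            seen.popleft()
        if len({u for _, u in seen}) >= SPRAY_THRESHOLD and src not in flagged:
            flagged.add(src)
            alerts.append(("spray", src))
    return locked, alerts


if __name__ == "__main__":
    locked, alerts = analyse(SAMPLE_LOG)
    print("locked:", sorted(locked), "alerts:", alerts)
```

In the sample, the source that fails once against four accounts locks nobody out and is caught only by the per-source count.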
 
2020-09-20 12:59:46 PM  

stuartp9: Gordon Bennett: Llanfairpwllgwyngyllgogerychwyrngogogoch

or this one:

Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu


Lake Chargoggagogmancoggagogchubunagungamaug
 
2020-09-20 1:06:16 PM  
My passwords are built using an algorithm based on the domain name. Creates a strong password that is different for every site and easy for me to figure out. A hacker would have to get several of my passwords to figure out how they work. Seems extremely unlikely that any hacker is going to take that much time.
 
Displayed 50 of 77 comments


This thread is closed to new comments.