this post was submitted on 17 Jul 2023

271 points (100.0% liked)

Programmer Humor

854 readers

1 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

cat_programmer@lemmy.ml

271

Creating a password in 2023 be like (programming.dev)

submitted 1 year ago by likeaduck@programming.dev to c/programmerhumor@lemmy.ml

39 comments fedilink hide all child comments

top 39 comments

sorted by: hot top controversial new old

[–] Lumidaub@feddit.de 43 points 1 year ago (2 children)

Obligatory https://neal.fun/password-game/

[–] user224@lemmy.sdf.org 9 points 1 year ago* (last edited 1 year ago) (1 children)

Nooo! The fireeee! This would be better with a physical keyboard.
Link for compatibility

My final password was: Pass5@JulyXXXV+Shell+n2by7+droop+🌚+Peru+2020+Qd7+🥚+Zn+BBBBB

The hardest 2 were chess and guessing the country. Maybe atomic numbers with combination with roman numerals, but that's sorta fine.

[–] CanadaPlus@lemmy.sdf.org 1 points 1 year ago* (last edited 1 year ago)

That's where I got derailed on my best run. Chess was easy the first time and maddening the next two.

[–] otter@lemmy.ca 7 points 1 year ago* (last edited 1 year ago) (1 children)

Ah I was just copying the URL to post the same thing. It's such a fun game to go through, although I gave up pretty quickly

Tried it again, made it to the chess step

[–] Trainguyrom@reddthat.com 6 points 1 year ago

One of my coworkers got super into it and got into the high 20s I made an off-hand comment about wondering what it does for rule 34 and he responded "gasp I must know!" Then a couple days later messages me a screenshot on teams. Spoiler: it goes "ehhh let's just skip this rule"

[–] Sonotsugipaa@lemmy.dbzer0.com 24 points 1 year ago (5 children)

Infuriating fact: if a service has maximum password length limits (lower than 1000 characters), they're reversibly storing your password and if they're that lazy it's probably plain text

[–] Xandris@kbin.social 5 points 1 year ago (1 children)

reversibly?

[–] Gurfaild@feddit.de 8 points 1 year ago

In the least bad case, they encrypt the password instead of hashing it, making it possible to decrypt the password.

In the most common case, they store the password in plaintext, so there isn't even any encryption to be reversed.

[–] Sibbo@sopuli.xyz 3 points 1 year ago (1 children)

They may just base their limit on one or a few block sizes of the hash function.

[–] kevincox@lemmy.ml 7 points 1 year ago

That sounds incredibly unlikely. I would be good money that 99% of password length limits are not based on concrete limits. Things like "100 should be enough 🤷" must be way more common.

I doubt 1% of programmers are away of their hashes block size. It is also probably irrelevant since after the first round everything is fixed size anyways.

[–] argv_minus_one 1 points 1 year ago

Not necessarily. There is another reason. Password hash functions like PBKDF2 are, by design, slow. Allowing extremely long passwords while using such a hash function creates a denial-of-service vulnerability.

Assuming the hash function takes proportionally more time to compute the hash of a longer password, of course. I believe they do, but I'm not certain.

[–] rubythulhu 1 points 1 year ago (1 children)

Fun fact: Lemmy instances cap at 60. they’re not storing reversibly, they’re just using bcrypt and rather than pre-hashing the pw before bcrypt like most bcrypt users do, they just truncate to 60.

[–] Sonotsugipaa@lemmy.dbzer0.com 1 points 1 year ago

60 makes sense, 14 does not

load more comments (1 replies)

[–] rog@lemmy.one 21 points 1 year ago* (last edited 1 year ago) (3 children)

Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns. [Capital letter]basic word(number){special character}

Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.

A non expiring, long, easily remembered passphase like forgetting-spaghetti-toad-box Is much more secure than a short password with enforced complexity requirements.

[–] kevincox@lemmy.ml 26 points 1 year ago (1 children)

Drop "memorable". 99.9% of your passwords should be managed by your password manager and don't need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.

[–] user224@lemmy.sdf.org 7 points 1 year ago (6 children)

I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don't like that idea. I can exercise my brain.

[–] gamma@programming.dev 11 points 1 year ago

I have 350 items in my BW vault. I am not memorizing that many passwords, I'd rather use my brain for something else.

[–] kevincox@lemmy.ml 10 points 1 year ago

I encourage you to think critically about this and re-evaluate your decision. I would say that for at least 99.99% of people a password manager is significantly more secure overall.

Browser-integrated password managers will avoid filling your password into the wrong site. This is a great barrier to phishing.
Allows a unique password per-site which greatly mitigates the problem of password leaks which are fairly common.
Allows you to use much stronger passwords than you can memorize.
It's quite convenient to just click "login".

For most people phishing is a far bigger risk than some malware stealing their local password databases. To make database theft even less of a concern most password managers have the option to encrypt the local database file. This means that to steal your passwords the malware will need to extract the encryption key from the password manager process which can often be configured to forget the key quickly after the last use.

Also consider that if you have malware that can steal your password database and the encryption key it can probably just keylog all your passwords or steal your browser's cookie jar. So the extra barrier here is minimal.

I think you are right to be suspicious of having a vault of passwords "ready to steal" but in practice the upsides far outweigh the downsides, especially if you make a security-focused choice of password manager.

[–] Scraft161@iusearchlinux.fyi 9 points 1 year ago (1 children)

I've been using keepassxc for a while now and it's better than most other options, everything is stored locally and encrypted behind a master password.

All you micht want to do is make a backup of your vault onto an external drive (best practice would be encrypted via the options you have, I use luks because I'm a Linux nerd).

[–] livendie 1 points 1 year ago

Agreed. Have my password database backed up over multiple places, GPG encrypted of-coarse, you can never be too safe.

[–] CanadaPlus@lemmy.sdf.org 2 points 1 year ago

I'm in the same boat at this point, partly just because I'm not sure how I want to partition things and if the software will work together the way I want.

I assume password managers themselves store things encrypted until you unlock them with whatever master password.

[–] argv_minus_one 1 points 1 year ago* (last edited 1 year ago)

If your computer is compromised to the extent that bad guys can read memory allocated to your password manager in order to discover the key to your password database, then they can also read memory allocated to your browser, which temporarily stores your passwords when you type them into websites, and steal the passwords from there.

Even storing passwords in unencrypted text files only reveals them to bad guys if they have compromised your computer to the extent that they can read arbitrary files, in which case the bad guys can also read all the other sensitive information stored on your computer. Depending on what you do for a living, your porn preferences, etc, that may be even worse than your passwords being stolen.

And that sort of security breach isn't terribly common anyway. As long as you don't run any shady software on your computer, it will most likely never happen. Using weak passwords, on the other hand, will result in the compromise of whatever they protect, because cybercriminals are constantly, relentlessly trying to guess people's passwords.

[–] dan@upvote.au 0 points 1 year ago

I've got 1601 logins and 86 secure notes in my Bitwarden vault... no way I'm memorizing all of that lol

[–] argv_minus_one 2 points 1 year ago

Best practice in 2023 is a cryptographically secure random password generator. Generate a password any other way, and some machine is going to guess it.

[–] geissi@feddit.de 1 points 1 year ago (1 children)

forgetting-spaghetti-toad-box

I don't know much about PW security but would a passphrase of common words not be more susceptible to dictionary attacks?

[–] CanadaPlus@lemmy.sdf.org 5 points 1 year ago* (last edited 1 year ago) (2 children)

The idea is that entropy is measured with possible words instead of possible characters. It turns out 7 7-bit ascii characters have less entropy than 4 14-bit equivalent words (that is, the 16,384 most common ones). And that's in the ideal case it's a totally random 7 characters.

Every attack is technically a dictionary attack here, but it doesn't help enough because the password to a computer is still 30 characters long. To a human it seems a lot easier than ")f1:.{yJCzNv]@R=S K$~=", though.

PS. Turning /dev/random output into 7-bit ascii characters is surprisingly involved in Haskell. C would have been easier. This was the world's slowest ninja edit.

[–] argv_minus_one 2 points 1 year ago

Schneier disagrees.

[–] geissi@feddit.de 1 points 1 year ago

Thanks for the explanation, I remember the explanation in https://xkcd.com/936/ but wasn't sure how that held up for different attack methods.

[–] HurlingDurling@lemm.ee 6 points 1 year ago

Then, please give us your phone number for 2fa, instead of letting you use a more secure app

[–] abbadon420@lemm.ee 4 points 1 year ago (3 children)

This is a repost :)

[–] rog@lemmy.one 6 points 1 year ago (1 children)

Are we really starting this shit here?

Everything on the internet is a repost. Calling it out adds nothing worthwhile to the conversation and just derails any conversation.

[–] peter@feddit.uk 6 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah but when you see the same 5 posts every month it gets tiring. If the other post was in a different place though, then it's not a repost

[–] Lumidaub@feddit.de 1 points 1 year ago

If I've ever seen the same post 5 times, it was in a day or two and it was a new and exciting thing for some people so everybody would post it and the same time.

[–] likeaduck@programming.dev 3 points 1 year ago

I dont know how to make a crosspost in the app

[–] ReCursing@kbin.social 1 points 1 year ago

And?

[–] Bandicoot_Academic@lemmy.one 4 points 1 year ago (1 children)

Remides me of https://neal.fun/password-game/

[–] triprotic 1 points 1 year ago

That was my immediate though too!

[–] wolo@lemmy.blahaj.zone 2 points 1 year ago

"password must contain a PUA codepoint"

[–] Goun@lemmy.ml 2 points 1 year ago

Fuck that shit, just give me the password