1

Topic: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> Hello, sambl4, you wrote:
_> Should be so
_>
_> Just a dialogue:
_> - I have a long password on my server, 25 characters!
_> Approving shouts from everyone present: "the Muzhik!" And .
_> - Do you have some kind of complex?
_> Booing and .

From what? Present realities are that   the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations, will be  millions of years, possibly hundreds of thousands. Increasing the length of the password gives exponential growth of the time of direct search. Therefore owners of 25-character passwords do not deserve any approval. Here or in  either to learn . Or to learn  in

... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

28.11.16 22:52: The branch was split off from the topic 25 characters, Author: sambl4, Date: 28.11 11:02. kochetkov.vladimir

2

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

_>> Should be so
KV> From what? Present realities are that   the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations, will be  millions of years, possibly hundreds of thousands. Increasing the length of the password gives exponential growth of the time of direct search. Therefore owners of 25-character passwords do not deserve any approval. Here or in  either to learn . Or to learn  in

And if ? Under such stress a "conditional I" can utter at most a word of 3 letters, well, with very great desire one of 12. But 25, even if I am good for accustoming to drinking, I cannot utter. Though "I" am not the German.

3

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV>...   the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations...

The Muzhik! Who has more?

4

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> From what? Present realities are that   the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations, will be  millions of years, possibly hundreds of thousands. Increasing the length of the password gives exponential growth of the time of direct search. Therefore owners of 25-character passwords do not deserve any approval. Here or in  either to learn . Or to learn  in

https://xkcd.com/936/

5

Re: The password in 25 characters is already at all a paranoia

Hello, aik, you wrote:

aik> https://xkcd.com/936/

https://diogomonic … orrect/

... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

6

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> https://diogomonica.com/2014/10/11/pass … t-correct/

Conclusion: Users do not need password memorization schemes, they need to be incentivized to use a good password manager.

We are replacing trust in oneself with trust in a "good password manager". A hyperbole: billions of flies  are more predictable than the single correct "good password manager".

7

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

aik>> https://xkcd.com/936/
KV> https://diogomonica.com/2014/10/11/pass … t-correct/

To advise a paranoiac with a 25-character password to use a password manager? A good joke.

8

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> We are replacing trust in oneself with trust in a "good password manager".

That is fine, a "good password manager" will have a master password all the same.

9

Re: The password in 25 characters is already at all a paranoia

Hello, Ops, you wrote:

_>> We are replacing trust in oneself with trust in a "good password manager".
Ops> That is fine, a "good password manager" will have a master password all the same.

What do you think, with what  did I write the message (do I write messages), especially in subject ? What is more predictable: the single correct password manager, or the password storage method of a conditional  monk used to hieroglyphs?

10

Re: The password in 25 characters is already at all a paranoia

11

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> We are replacing trust in oneself with trust in a "good password manager".

For trust in oneself to be justified, one has to understand how, and on the basis of what, the strength  of protection is built up. It is obvious that someone who considers a 25-character password an adequate solution does not quite understand this. And the limits of human memory are such that keeping even ten passwords with acceptable entropy there is extremely hard. Consequently, passwords will be  on several sites at once. Which is "faugh-faugh-faugh", even irrespective of their resistance to brute force.

_> A hyperbole: billions of flies  are more predictable than the single correct "good password manager".

The article does not talk about a "single correct" one - there are dozens of them. Using  a manager automatically solves the problems of low entropy (through automatic generation of random passwords) and of password reuse (what difference does it make whether the manager stores 10 passwords or 100?). The master password is easily strengthened with 2FA, which the overwhelming majority of modern  managers support.

... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

12

Re: The password in 25 characters is already at all a paranoia

Hello, B0FEE664, you wrote:

BFE> Hello, kochetkov.vladimir, you wrote:
aik>>> https://xkcd.com/936/
KV>> https://diogomonica.com/2014/10/11/pass … t-correct/
BFE> To advise a paranoiac with a 25-character password to use a password manager? A good joke.

25 characters is not paranoia, but . Doesn't the level of development of a person who puts on 10 helmets at a construction site, instead of one, raise questions?

... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

13

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> Hello, B0FEE664, you wrote:
BFE>> To advise a paranoiac with a 25-character password to use a password manager? A good joke.
_> How do you regard someone who uses "  the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations"?

I did not at all assume that on a developers' forum it would be necessary to spell this out. OK, it is not difficult for me: it was a question not of using it  as an end user's password, but of the form in which it is stored on the server and can be attacked by brute force in case of  a DB.

... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

14

Re: The password in 25 characters is already at all a paranoia

Hello, Kondratsy, you wrote: "In the future can look not only only all!" Business can in it? Suddenly speed of search grows? Exponentially and suddenly, aha. From what?... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

15

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> 25 characters is not paranoia, but . Doesn't the level of development of a person who puts on 10 helmets at a construction site, instead of one, raise questions?

If a password manager generates it, what difference does it make.

16

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> From what? Present realities are that   the 12-character password with the salt, received by means of PBKDF2/scrypt/bcrypt with made number of iterations, will be  millions of years, possibly hundreds of thousands. Increasing the length of the password gives exponential growth of the time of direct search. Therefore owners of 25-character passwords do not deserve any approval. Here or in  either to learn . Or to learn  in

As a user, I cannot be sure that the developer of each specific site uses bcrypt instead of md5. And 12 characters is now the recommended minimum: https://blog.codinghorror.com/speed-hashing/

If you are a user: Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases, which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.

17

Re: The password in 25 characters is already at all a paranoia

Hello, mogadanez, you wrote:

M> As a user, I cannot be sure that the developer of each specific site uses bcrypt instead of md5.

If the site uses md5, the length of the password no longer matters. And if it stores them in plain text, even more so.

M> And 12 characters is now the recommended minimum:

Well, not now, but back in '12, and in the realities of the ubiquitous use, for hashing passwords, of functions that were absolutely not intended for this purpose (the MD family, SHA, etc.). With the adaptive hash functions (bcrypt, scrypt, PBKDF2, Argon2), 12 characters from the full alphabet are more than enough even in the realities of 2016. Well, it is possible to go up to 16 characters so that nothing itches, just in case. But in no way 25
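The arithmetic behind this exchange (12 versus 25 characters, md5 versus the adaptive functions), as an added example that is not part of any post in the thread. It assumes a 95-character printable-ASCII alphabet, uniformly random passwords, a 600,000-iteration PBKDF2 setting and guess rates measured on one core of the local machine; none of these figures come from the thread.

```python
import hashlib
import hmac
import math
import os
import time

ALPHABET = 95                     # assumption: "full alphabet" = printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record as a server would store it."""
    salt = os.urandom(16)         # unique per user, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password; human-chosen ones have less."""
    return length * math.log2(alphabet)


def years_to_search(length, guesses_per_second, alphabet=ALPHABET):
    """Expected years to find a random password (half the keyspace on average)."""
    return alphabet ** length / 2 / guesses_per_second / SECONDS_PER_YEAR


def measure_rate(guess, budget=0.2):
    """Guesses per second that one core of this machine sustains for `guess`."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        guess()
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(16)
    rates = {
        "md5 (salted, 1 round)": measure_rate(
            lambda: hashlib.md5(salt + b"candidate", usedforsecurity=False).digest()),
        "pbkdf2-sha256 (600k iterations)": measure_rate(
            lambda: hashlib.pbkdf2_hmac("sha256", b"candidate", salt, 600_000)),
    }
    for name, rate in rates.items():
        for length in (12, 16, 25):
            print(f"{name:32} len={length:2} {entropy_bits(length):6.1f} bits "
                  f"{years_to_search(length, rate):.2e} years at {rate:,.0f}/s")
```

Each extra character multiplies the search time by the alphabet size, while the iteration count divides the attacker's guess rate by a constant factor that the server chooses.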

18

Re: The password in 25 characters is already at all a paranoia

Hello, mogadanez, you wrote:

M> Hello, kochetkov.vladimir, you wrote:
KV>> 25 characters is not paranoia, but . Doesn't the level of development of a person who puts on 10 helmets at a construction site, instead of one, raise questions?
M> If a password manager generates it, what difference does it make.

And why would the hero of the initial message boast of a 25-character password if it was generated and saved by a manager ?

19

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> Hello, fin_81, you wrote:
_>> We are replacing trust in oneself with trust in a "good password manager".
KV> For trust in oneself to be justified, one has to understand how, and on the basis of what, the strength  of protection is built up. It is obvious that someone who considers a 25-character password an adequate solution does not quite understand this. And the limits of human memory are such that keeping even ten passwords with acceptable entropy there is extremely hard. Consequently, passwords will be  on several sites at once. Which is "faugh-faugh-faugh", even irrespective of their resistance to brute force.
_>> A hyperbole: billions of flies  are more predictable than the single correct "good password manager".
KV> The article does not talk about a "single correct" one - there are dozens of them. Using  a manager automatically solves the problems of low entropy (through automatic generation of random passwords) and of password reuse (what difference does it make whether the manager stores 10 passwords or 100?). The master password is easily strengthened with 2FA, which the overwhelming majority of modern  managers support.

To use 100 different passwords on 100 different sites, a manager that maps each password to its site is necessary. That is, the manager is the bottleneck here. One can break the person's method of storing passwords, or one can break this password manager. I am not sure that a password manager that stores passwords in predictable files, encrypts and decrypts on predictable processors in predictable areas of memory, on predictable and easily lost devices, is more reliable than a not yet studied human body. Entropy as strength is a spherical vacuum in a game. As the scientific method says, show by experiment that the new trust policy somehow influences the percentage of  passwords. When the protocol gets more complicated, applying the protocol correctly gets more complicated. And in practice, a policy where every month there is a new password that must contain a minimum of 11 characters of the Russian rouble leads to the appearance of a password manager in the form of stickers on the monitor. And yes, dozens of managers is infinitely fewer than the number of flies. The strength of the manager is the strength of the manager: crack the manager, and 100 sites are cracked. The strength of 10 passwords on 100 sites is the strength of 10 passwords on 100 sites.

20

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> I did not at all assume that on a developers' forum it would be necessary to spell this out. OK, it is not difficult for me: it was a question not of using it  as an end user's password, but of the form in which it is stored on the server and can be attacked by brute force in case of  a DB.

As was already written, the server does not report how it handles passwords. What has leaked onto the network is no longer under your control. It is not about the strength of the password, but about trust.

21

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> What has leaked onto the network is no longer under your control. It is not about the strength of the password, but about trust.

And  and not in course

22

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> To use 100 different passwords on 100 different sites, a manager that maps each password to its site is necessary. That is, the manager is the bottleneck here. One can break the person's method of storing passwords, or one can break this password manager. I am not sure that a password manager that stores passwords in predictable files, encrypts and decrypts on predictable processors in predictable areas of memory, on predictable and easily lost devices, is more reliable than a not yet studied human body.

And I am sure, since I am aware of how these narrow and predictable spots are mitigated in modern  managers. And nobody is proposing to crack the human body. Here the specific approach offered in a specific  is being criticized.

_> Entropy as strength is a spherical vacuum in a game.

https://rsdn.org/forum/humour/6623468.1 (Author: kochetkov.vladimir, Date: 28.11 22:26)

_> As the scientific method says, show by experiment that the new trust policy somehow influences the percentage of  passwords. When the protocol gets more complicated, applying the protocol correctly gets more complicated.

Propose an experiment, we will consider it.

_> And in practice, a policy where every month there is a new password that must contain a minimum of 11 characters of the Russian rouble leads to the appearance of a password manager in the form of stickers on the monitor.

Nobody here except you is talking about monthly password changes

_> And yes, dozens of managers is infinitely fewer than the number of flies.

That is better discussed with entomologists.

_> The strength of the manager is the strength of the manager: crack the manager, and 100 sites are cracked.

So it is necessary to make breaking the manager more difficult than breaking 10 passwords on 100 sites. Actually, that is exactly the task being solved in them.

_> The strength of 10 passwords on 100 sites is the strength of 10 passwords on 100 sites.

Crack the password on one site -> all 1/10 of the sites in use are cracked.

23

Re: The password in 25 characters is already at all a paranoia

Hello, fin_81, you wrote:

_> Entropy as strength is a spherical vacuum in a game.

So, for example, about the role of entropy in cryptography: https://eprint.iacr.org/2004/219.pdf

Cryptography that is not backed by a proven and time-tested theory has no right to exist at all. The applied aspect starts to play a role only once the theoretical one has played its role. No entropy - no  (if Shannon is not lying to us). That is exactly what burned SSL, for example, when FREAK, POODLE and similar attacks were dug up in it. Though arguing about flies is certainly easier.

24

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> And I am sure, since I am aware of how these narrow and predictable spots are mitigated in modern  managers. And nobody is proposing to crack the human body. Here the specific approach offered in a specific  is being criticized.

What approach? To replace illogical human logic, one of the billion consequences of which is shown in , with a password manager that some third party invented?

_>> Entropy as strength is a spherical vacuum in a game.
KV> https://rsdn.org/forum/humour/6623468.1 (Author: kochetkov.vladimir, Date: 28.11 22:26)

I Will mix horses and people. What entropy do good pseudorandom number generators have? And why do they have the prefix "pseudo"? Is it about strength or about faith in hyperbolic straight lines?

_>> As the scientific method says, show by experiment that the new trust policy somehow influences the percentage of  passwords. When the protocol gets more complicated, applying the protocol correctly gets more complicated.
KV> Propose an experiment, we will consider it.

No, it is you who should show that with the introduction of new policies, protocols, password managers and , the number of passwords leaked to the Internet decreased.

_>> And in practice, a policy where every month there is a new password that must contain a minimum of 11 characters of the Russian rouble leads to the appearance of a password manager in the form of stickers on the monitor.
KV> Nobody here except you is talking about monthly password changes

The monthly password change is one of the examples of (in my opinion silly) trust policies, like the recommendation to have 100 different passwords on 100 sites, for which one has to get a password manager.

_>> And yes, dozens of managers is infinitely fewer than the number of flies.
KV> That is better discussed with entomologists.

Yes,  to try to explain to entomologists how and which managers to use.

_>> The strength of the manager is the strength of the manager: crack the manager, and 100 sites are cracked.
KV> So it is necessary to make breaking the manager more difficult than breaking 10 passwords on 100 sites. Actually, that is exactly the task being solved in them.

Is the task being solved, or are these password managers built into browsers with millions of lines of unverified code and synchronized with external servers? Because otherwise it is inconvenient and impractical, it makes no sense.

_>> The strength of 10 passwords on 100 sites is the strength of 10 passwords on 100 sites.
KV> Crack the password on one site -> all 1/10 of the sites in use are cracked.

10 % against 100 % in case of breaking.

25

Re: The password in 25 characters is already at all a paranoia

Hello, kochetkov.vladimir, you wrote:

KV> https://diogomonica.com/2014/10/11/pass … t-correct/

* Users do not need password memorization schemes, they need to be incentivized to use a good password manager.

Reality smashes this to dust - far from everywhere is it possible to use  a manager. And some  data entry fields are even specially made so that pasting into them is impossible. One should kill for that, of course, but these are the realities. Therefore it is necessary that or that it is possible to type without cursing everything in the world.

... <<RSDN@Home 1.1.4 stable SR1 rev. 568>>