@Soli, maybe you didn't see the part right below the calculator? It clearly says:
And
So nice try comparing the 25 character password with a 64 character password.
As he states further down "... the attacker is totally blind to the way your passwords look." Which means that brute-force attackers have to use the entire search space regardless.
1a) So you read that and yet you still think 25 characters is harder to crack than the much longer 64 characters. 🤦♂️
1b) Don't ignore the word exhaustive, which only happens AFTER all shortcuts are exploited with no results, but keep in mind that they always refer to exhaustive cracks as well as telling you the time for all passcodes, because it would be impossible to really estimate without knowing a specific passcode ahead of time. For example, the password 'Password' is 8 characters and uses a BASE-52 complexity, but they aren't going to try all 52^8 combinations first. It may very likely be the first or second password they attempt, which isn't an issue for websites since they tend to weed those out as possibilities, but it can be used for consumer OS logins, self-encrypted files, like macOS' sparse bundles, and wireless routers.
2) I can't even fathom how you believe that BASE-26 for a given length is just as easy to crack as BASE-210 for that same length.
I would never trust 3rd party password tools. Why would Apple not provide iCloud key chain solution out of the box for all password fields? Or is it already available in iOS 12?
The Apple iCloud autofill features don't work on my work PC. 1Password does.
1a) So you read that and yet you still think 25 characters is harder to crack than the much longer 64 characters. 🤦♂️
Ah, now I can see where your misunderstanding is coming from. Nobody here said a shorter password is harder to crack.
What I am saying (and what the xkcd illustrates) is this: A longer password (even without special character combinations) is better than a shorter password with a more complex scheme. I think you also agree with that. But people wrongly assume that adding special characters to a shorter password somehow makes it more secure "because it is more complex."
"Ok," you say. "Make a longer password with complex characters." Sure, that will be harder to crack due to its length, not because of its complex scheme. But now it is also harder to remember. A much better approach (and what NIST recommends) is to use a password of the same longer length that is easier to remember. You won't give up anything in password strength and you can use word associations, phrases, etc. to recall them, without having to rely on risky autofill features.
I will leave the last word up to you if you so choose.
Again, and for the final time, that basic solution is only good for the few memorized passwords you may have, and even then it's still very limited and easy to crack if you're only using basic dictionary words with lower case letters.
Sure, that will be harder to crack due to its length
Again, no. According to you the 8 character password 'password' will be cracked in the same number of unintelligent, non-repeating attempts as 'blahgork'. Sure, they're both 26^8 if you count up all possibilities, but, again, that's not how crackers approach this.
Even the 7 character 'fuçkyou' would take longer to crack because the cracker will have to realize that you must be using 210 possible options per character, which means that they'd likely have gone through all the commonly used passwords, then the lower case dictionary words, then the dictionary words using a capital letter, then repeat those last two cycles with one or more digits afterwards, then all the viable variations of multiple lower case words from the dictionary, then all the viable variations of multiple words from the dictionary with a capital letter, and then, finally, an exhaustive search of all upper and lower case letters and numbers (with or without special characters), and then all the upper and lower case letters, numbers, and special characters before they realize that, since they know their system checked every possible combination through whatever the reasonable length is (which is probably under 80 for a system passphrase, but I think the usable max is 480 characters for macOS), they have to assume it's longer than the max limit they set or you're using very special characters and still think it's worth the time and effort.
That said, for all I know 'fuçkyou' has been encoded as one of the permutations that it's predicting even though I've never seen anyone else use very special characters for passwords, but it'll still be harder to guess than your 'password' because it wouldn't be among the first couple of options that someone tries.
For the final time, the shorter 210^7 is considerably more secure than your 26^8, and the only reason that comic makes sense is that the lower case passcode is substantially longer than the hard to type and remember passcode he used as an example, so your belief that passcodes of the same size are identically strong and that a longer passcode (regardless of how much longer it is) is inherently stronger is simply false.
Yep. The long passphrase model with upper and lower case, numbers, and special (and very special) characters arranged in an easy to type manner is the same model I've been using for countless years for my memorized passcodes. Frankly, that's still hella short for accessing my iPhone, Mac, and 1Password vault since I have a biometric that means I usually only have to do it after a restart. Even my Apple Watch doesn't use the standard 4-digit PIN since that default option doesn't require hitting 'OK' to submit, but any other PIN lengths do, and since it can be used to unlock my Mac I make sure it's secure.
That example he gave on Last Week Tonight with John Oliver is 26 characters, but requires a cracker to look at 95 options per character. That means a total of 2.66 x 10^51 combinations, while an all lowercase passcode would have to be 37 characters long before it would surpass that passcode in the number of possible combinations.
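The counting the two commenters are arguing over, as an added worked example that is not code from anyone in the thread: search space and entropy bits for the alphabet sizes they name (26, 52, 95, 210), the lowercase length needed to surpass a 26-character, 95-symbol passcode, and a toy model of the ordered guessing strategy described above (common passwords first, then dictionary words, then exhaustive search) that shows why 'password' falls at guess one while 'blahgork' and 'fuçkyou' do not. The guess lists are constructed and deliberately tiny; the alphabet sizes are the thread's own.

```python
import math

# Alphabet sizes as used in the thread: lowercase only, lowercase+uppercase,
# printable ASCII, and the poster's "very special character" set of 210.
ALPHABETS = {"lower": 26, "mixed": 52, "printable": 95, "extended": 210}

def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker blind to the scheme must cover for an exhaustive search."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits (log2), the usual strength metric."""
    return length * math.log2(alphabet_size)

def min_length_to_exceed(target_space: int, alphabet_size: int) -> int:
    """Smallest length whose search space over alphabet_size exceeds target_space."""
    length = 1
    while alphabet_size ** length <= target_space:
        length += 1
    return length

def alphabet_size_of(candidate: str) -> int:
    """Classify a password into the smallest of the thread's alphabets that contains it."""
    if candidate.isascii() and candidate.isalpha() and candidate.islower():
        return ALPHABETS["lower"]
    if candidate.isascii() and candidate.isalpha():
        return ALPHABETS["mixed"]
    if candidate.isascii() and candidate.isprintable():
        return ALPHABETS["printable"]
    return ALPHABETS["extended"]          # non-ASCII such as 'ç'

# Constructed, tiny guess lists modelling the attacker's ordering described in
# the thread: common passwords first, then lowercase dictionary words.
COMMON = ["password", "123456", "qwerty", "letmein"]
DICTIONARY = ["apple", "orange", "banana", "cherry"]

def guess_rank(candidate: str) -> int:
    """Worst-case guess number at which the ordered attacker reaches `candidate`.

    Anything not on the lists is only found in the exhaustive phase, so its
    rank is bounded by the lists' length plus the full search space of its
    own length/alphabet class.
    """
    ordered = COMMON + DICTIONARY
    if candidate in ordered:
        return ordered.index(candidate) + 1
    return len(ordered) + search_space(alphabet_size_of(candidate), len(candidate))
```

`guess_rank` is the quantity a strength estimator actually cares about; `search_space` alone is what the calculator in the thread reports.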
I must be in the minority, but I never use password autofill or understand why people use it. So if someone is able to get into my device, suddenly they have access to ALL my logins? It seems like such a breach of security protocol.
Before allowing access to your passwords, you need to log in using either a password, TouchID or FaceID.
So no, getting access to your device does not mean they have access to your logins, since the information is stored on your device using encryption.
It’s certainly a lot safer than sharing a single password between several services and/or using short passwords that are easy to remember.
I have iOS 12 installed but I have this image on my phone which lists email account rather than password applications. I have 1password installed.
Thanks Bruce
I had iOS 12 GM and 1P v7.11 installed with something similar. Toggling the AutoFill Passwords switch did nothing. I resolved it by deleting the 1P app and reinstalling it from the App Store. After I installed it that screen looked like the ones listed by AI.
Note: I did have to go through the 1P setup process again and point to the location of my vault to get my items back in the app's vault.