Maybe there could be a section with good password examples.

Ziggy741 (talk | contribs) 21:08, 8 January 2017 (UTC)

- Yeah, or maybe a section explaining *how to make* a good password.

bigpuppy (talk | contribs) 21:52, 8 January 2017 (UTC)

Should I add a section on how to change your password or will you (the creator) do it yourself?

Kenny2scratch (talk | contribs) 07:11, 26 January 2017 (UTC)

- I personally don't think one is needed, because there is already How can I reset my password?.

bigpuppy (talk | contribs) 20:16, 5 February 2017 (UTC)

## Merge

This shouldn't be merged because passwords aren't usernames.

Ziggy741 (talk | contribs) 02:15, 17 January 2017 (UTC)

- Yeah, and so we don't get them confused, I think we should keep them separate.

bigpuppy (talk | contribs) 16:06, 17 January 2017 (UTC)

## "Good passwords"

The section explaining how to write a good password doesn't actually help to make effective passwords. It only serves to make people think their account is secure without actually adding much security while at the same time making the passwords much harder to remember.

The strength of a password can be measured by the number of possible passwords you can have of a given format (this is basically entropy in information theory).

Substitutions, for example, only multiply the number of possible combinations by 2^{x} where x is the possible number of substitutions that could be made (for example, "microsoft" has four places where substitutions could be made to "m1cr0$0ft"). In that case, that would multiply the number of combinations by 2^{4}=16. While that may seem like a lot, let me give you two contrasting formats, one using techniques suggested in the article and one not:

**Case 1: The article's suggestions**
Format: Use an uncommon word, perform substitutions, possibly capitalize the first letter, add two symbols at the end (numbers or common symbols).
Here are the possible amount of combinations:

- Word: 171,476 (the number of words in the Oxford English Dictionary)
- Substitutions: 16 (assuming four possible substitutions in a word, which is a reasonable guess)
- Capitalized?: 2 (the first letter is either capitalized or not, which gives two combinations)
- Two symbols: 900 (this is assuming that 30 "symbols" are available, which is reasonably close to the amount a normal user would use, having 10 keys and about 20 other symbols)

The total number of combinations is 171,476*16*2*900=4.9*10^{9}

An example of this password would be **Lux3mb0urg%7**. That is difficult to remember.

**Case 2: The easier way to remember**
Format: Four common English words

- Word 1: 3,000 (according to the OED, 3,000 words account for 95% of all English usage)
- Word 2: 3,000
- Word 3: 3,000
- Word 4: 3,000

The total number of combinations is 3,000^{4}=8.1*10^{13}.

An example of this password would be **shoetrashwindowjacket**. That password is much easier to remember.

The second format results in a password that is approximately 10^{4} times stronger than the first, but at the same time is much easier to remember. We need to improve the article so that people stop making passwords that are hard to remember and easy for computers to guess simply based on the premise of making users think they're doing something for their security. The reason I'm posting this detailed explanation is that it's not intuitively obvious until you do the math, so I want to make sure everybody knows that I'm not making the guide less secure. Is everyone ok with improving the guide with this information?

jvvg (talk | contribs) 04:21, 21 February 2017 (UTC)

- You certainly have a good point.

Turkey3 (talk | contribs) 16:12, 21 February 2017 (UTC)

- Do you think that it would be okay to have numbers at the end?

Ziggy741 (talk | contribs) 16:25, 21 February 2017 (UTC)

- Adding numbers to the password does help some (each digit you add multiplies the number of combinations by 10), but it's still harder to remember numbers than words, and each word you add at the end multiplies the number of combinations by 3,000, so adding a common word is equivalent to about 3 digits but much easier to remember.

jvvg (talk | contribs) 20:05, 21 February 2017 (UTC)


- I put the inaccurate template on the section about making good passwords. So are we going to change the article?

Ziggy741 (talk | contribs) 15:59, 25 February 2017 (UTC)

- I think we should change it but we need to find a simpler way to explain why the format I specified is good, as I don't think anybody wants to read through all of that, and it's not exactly obvious.

jvvg (talk | contribs) 21:55, 25 February 2017 (UTC)

- This certainly is a good point. Go ahead and change it (though you really don't need my approval for that). I do understand what you mean... Change this article for the better! (Or, I can also change it myself if you want, of course.)

kenny2scratch (Talk | Contribs | Directory) 00:53, 1 June 2017 (UTC)


## I think this is inaccurate

Title. Proof: [1]

Lovecodeabc (talk page | scratch profile | contributions) 17:46, 3 December 2020 (UTC)

- I think this article is inaccurate because according to https://blog.codinghorror.com/speed-hashing/, a 2012 computer could guess 16 000 000 000 (sixteen billion) times per second, and this article assumes a computer can only guess 1000 (one thousand) times per second. I think that the advice presented in this article still holds, however, because that [1] source is describing what would happen if someone got your password's hash value, and that might not ever happen.

Mlcreater (talk | contribs) 19:51, 3 December 2020 (UTC)

- Another one. [2]. Yet another one. [3]

Lovecodeabc (talk page | scratch profile | contributions) 01:50, 4 December 2020 (UTC)

- If, as this article states, there are 3000 commonly used words (the vocabulary of a small child), there would be 81 000 000 000 000 4-word combinations, which would take a while at 1000 guesses/s, but only 1.5 hours at 16 000 000 000 guesses/s (rate guess from https://blog.codinghorror.com/speed-hashing/) and **12 seconds** at 7 000 000 000 000 guesses/s (rate guess from https://www.pentestpartners.com/security-blog/correcthorsebatterystaple-isnt-a-good-password-heres-why/)

Mlcreater (talk | contribs) 02:13, 4 December 2020 (UTC)

- Here's another analysis:

We assume

- That the hacker can guess at 1000 guesses/s

- That bits of entropy don't exist

- That the hacker is using a dictionary attack

- He is attacking using the correcthorsebatterystaple method

Okay. First there are 171,476 words in the Oxford English Dictionary [4]

Next, the math. The attacker will use 1 word, 2, 3, and 4. And the number of combinations increases by 171,476. So, the number of combinations is 685,904. At 1000 guesses/second it takes **at maximum** 686 seconds to crack, or 11 minutes.

Lovecodeabc (talk page | scratch profile | contributions) 14:04, 4 December 2020 (UTC)

- What do you suggest the alternative will be?

Super_Scratch_Bros20 (talk | contribs) 4 December 2020, 13:00 (UTC)

- Lovecodeabc, I think you have calculated the number of combinations by 171,476 + 171,476 + 171,476 + 171,476, but since there are 171,476 (n+1)-word combinations for every n-word combination, the number of combinations would be 171,476 x 171,476 x 171,476 x 171,476 = 864 600 000 000 000 000 000, taking twice the age of the universe at 1000 guesses/second, but only 3 years at most at 7 000 000 000 000 guesses/second.

Mlcreater (talk | contribs) 20:57, 4 December 2020 (UTC)

- SSB20, this article could recommend that users maybe put spaces between their random words. This could make the attack take up to 8 times as long because there are eight times as many possible pass codes. There would be for every original correcthorsebatterystaple code, these 8:
- correcthorsebatterystaple
- correcthorsebattery staple
- correcthorse batterystaple
- correcthorse battery staple
- correct horsebatterystaple
- correct horsebattery staple
- correct horse batterystaple
- correct horse battery staple

Mlcreater (talk | contribs) 21:05, 4 December 2020 (UTC)

- The article said that there are 3000 words that account for 95% of usage. Let's do a COMPLETE REANALYSIS and assume that the user only uses those 3000. Okay, I swear I made the mistake Mlcreater talked about. Let's assume that bits of entropy still don't exist. Mlcreater's method is 81000000000000 combinations. Assuming that a computer guesses @ 2.5 million a second (which is far less than present capacity) it would only take about 38 days to guess.

Lovecodeabc (talk page | scratch profile | contributions) 04:13, 5 December 2020 (UTC)


Now let's calculate at 10 BILLION guesses/s. **At maximum** it would only take 8100 seconds, OR 2 hours and 15 mins.

Lovecodeabc (talk page | scratch profile | contributions) 14:30, 5 December 2020 (UTC)

- This article is recommending a very insecure password system with 10 G guess/s computers around. What should this article do about it? Maybe it should say that the comic is outdated so people should use 8-word passwords now?

Mlcreater (talk | contribs) 17:48, 5 December 2020 (UTC)

- Yeah, 8 words is secure, it takes 20804794520 years to guess at 10 billion a second.

Lovecodeabc (talk page | scratch profile | contributions) 19:09, 5 December 2020 (UTC)
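Added example, not part of any post above and not the wiki article's own text: a small Python model of the two calculations this talk page argues about, jvvg's keyspace comparison in the "Good passwords" section and the guess-rate figures in the "I think this is inaccurate" thread. The dictionary sizes (171,476 and 3,000), the 30-symbol alphabet and the guess rates are taken exactly as the posters quote them, not measured; `demo_words` is a constructed eight-word stand-in for a real diceware-style list, and `RATES` labels are mine.

```python
"""Keyspace and time-to-exhaust model for the password formats in this thread.

Constructed example for the discussion above; figures are the posters'
assumptions, taken as given.
"""
import math
import secrets

OED_WORDS = 171_476    # jvvg: words in the Oxford English Dictionary
COMMON_WORDS = 3_000   # jvvg: words covering ~95% of English usage
SYMBOLS = 30           # jvvg: 10 digits plus ~20 common symbols

# Guess rates quoted in the 2020 thread (labels are assumptions of this example).
RATES = {
    "article assumption (online)": 1_000,
    "2012 GPU (codinghorror)": 16_000_000_000,
    "10 billion/s": 10_000_000_000,
    "pentestpartners figure": 7_000_000_000_000,
}


def keyspace_substitution_scheme(words=OED_WORDS, substitutions=4,
                                 symbols=SYMBOLS, trailing=2):
    """Case 1: one dictionary word, leet substitution possible at `substitutions`
    positions (each on or off), optional capital, `trailing` symbols appended."""
    return words * 2 ** substitutions * 2 * symbols ** trailing


def keyspace_passphrase(words=COMMON_WORDS, count=4, optional_spaces=False):
    """Case 2: `count` words drawn uniformly from a list of `words`.
    optional_spaces models Mlcreater's variant: each of the count-1 word
    boundaries may or may not carry a space, i.e. one extra bit per boundary."""
    n = words ** count
    if optional_spaces:
        n *= 2 ** (count - 1)
    return n


def keyspace_up_to(words, max_count):
    """Candidates an attacker must try to cover every 1..max_count word phrase.
    Each added word multiplies the count, so this is a sum of powers dominated
    by the last term, not words * max_count."""
    return sum(words ** k for k in range(1, max_count + 1))


def bits(keyspace):
    """Entropy in bits of one element chosen uniformly from `keyspace`."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst case: every candidate is tried. Expected time is about half this."""
    return keyspace / guesses_per_second


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(wordlist, count=4, sep=" "):
    """Draw words with the OS CSPRNG. The bit counts above hold only when words
    are chosen uniformly at random like this, not when a person picks them."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    schemes = {
        "Lux3mb0urg%7 style": keyspace_substitution_scheme(),
        "4 common words": keyspace_passphrase(),
        "4 common words, optional spaces": keyspace_passphrase(optional_spaces=True),
        "4 OED words": keyspace_passphrase(OED_WORDS),
        "8 common words": keyspace_passphrase(count=8),
    }
    for name, n in schemes.items():
        print(f"{name:32} {n:12.3g} candidates  {bits(n):5.1f} bits")
        for label, rate in RATES.items():
            print(f"    {label:28} {years(seconds_to_exhaust(n, rate)):14.3g} years")
    # The 685,904 figure in the thread added the per-length counts; they multiply.
    print("1..4 OED words, added   :", OED_WORDS * 4)
    print("1..4 OED words, actual  :", keyspace_up_to(OED_WORDS, 4))
    # Constructed stand-in for a real word list.
    demo_words = ["shoe", "trash", "window", "jacket",
                  "correct", "horse", "battery", "staple"]
    print("sample passphrase:", generate_passphrase(demo_words))
```

Two caveats the numbers alone do not show. The 1,000 guesses/s figure describes online guessing against a service that rate-limits logins; the billion-plus rates apply only once an attacker holds the password hash, which is the distinction Mlcreater draws. And the bit counts assume uniform random choice: a user who picks four words they like has a much smaller effective dictionary than 3,000, so the generator uses `secrets`, not the user's taste.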
