What do you imagine is the most used dictionary for dictionary attack?

Klingon, obviously. Every hacker who ever wants to become famous must be fluent in Klingon first, as we all know.

Oh I meant the lock screen, sorry. As far as I know it works everywhere except the lock screen.

You’re not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.

Remember there are some sites that still refuse service if you put a " in your password. I’m not saying it’s right, but it’s a definite possibility.

That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.

In theory this shouldn’t be an issue but it definitely could be an issue on certain services.

That’s not how any of this works.

First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.

Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.

Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.

Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.

It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.

Learn how to sanitise your database inputs first, damnit!

xkcd.com/327/

UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you’ll have a bad day. :(

Preganant?

If you’re using a password manager you don’t need phrases you can remember, you can generate even more secure passwords. Or start using passkeys.

I am, and I’m not jumping through hoops of making up a password sentence for every new website. I let Bitwarden take care of that for me.

I want cross-device

That’s not what security by obscurity means. And going by your definition, all passwords are security by obscurity.

You can even make a complete sentence that makes sense with symbols and numbers.

“Ronaldo doesn’t grill 76 Canadian Tacos.”

Or whatever

And requirements like that are why my password strengths are completely out of whack:

• Random websites get 24 randomly generated printable characters stored in my password manager. This is essentially unbreakable with conventional methods and can easily be adapted to fit whichever counterproductive rules the website enforces.
• My password manager and my home computers get memorable but long phrases. A particular favorite is to start in the middle of a line from a song and continue from there. Nobody’s going to guess “make you swear and curse when you′re chewing on” but it’s easy to memorize of you already know the song. Even a dictionary attack is going to have trouble with that many words.
• My work accounts get the bare minimum that complies with whichever rules the admins came up with. Numbers, special characters and mixed capitalization? No thirty letter phrase for you, then; you’ll get the minimum eight characters so I have a chance of memorizing the thing. Regular password changes? Great, now the last two chargers are going to be incrementing digits, just like for everyone else.

There’s a reason why experts these days argue against anything but minimum length restrictions.

Like someone else said on this thread; that’s just security by obscurity, which is bad. Dictionary attacks will be one of the first (brute force related) attacks attackers will use because word passwords are incredibly popular (though admittedly of fewer words: VeryBigDog34 etc…), and relatively easy to do. I agree that having the password across different devices is somewhat of a challenge with a password manager, but not impossible. My very long and complex password is all down to muscle memory by this point, I couldn’t tell you what it is from memory.

Also you shouldn’t use the same password on multiple things and if you don’t use a password manager you will need to memorize a lot of different passwords.

Dictionary attacks are definitely not a magic bullet, they require a lot of processing power, just like any other brute-force attack, but not more because of their longer length, as has been implied.

True, there are a lot of english words, but the amount of common words is relatively small. Most people aren’t going to choose a password like “MachicolationRemonstranceCircumambulationSchadenfreude”, even if it were generated for them (which is unlikely).

Sure, it is comparable to a standard 8 characters passward, but even that kind of password is verging on the insecure (it is the absolute minimum, which should be avoided when possible).

There are also a lot of symbols when you count emojies and the entire Unicode standard.

Sure, but the average English speaker knows way more than 2048 words. Let’s not forget about case sensitivity, made-up or “inside joke” words, names, and specific industry vocabulary.

Might be too late for that, but BOY do I have a bridge to sell you!

The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log-in to the site. Which leaves me with the question, how cross-device passkeys work.

There are lots of advantages:

• No need to worry about password encoding, like this emoji debacle for example. Actually there’s no need to worry about passwords in general anymore, no more worries about lenghts, encoding, character space, remembering them etc.
• It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
• It eliminates phishing for 2FA because login only works on your device anyway and there’s nothing you can be tricked into giving away to an attacker.
• If attackers break into a site and steal the public keys they can’t use them for anything.
• Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continously, you can upgrade the protocol, the key lengths, the encryption cyphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they’ll just use the highest version they both have.
• 2FA is a core part of the protocol, but again in a way that eliminates phishing: it’s basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or an USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
• Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you’re screwed forever.

The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.

There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.

Passkeys, under the hood, use a way of proving your identity that doesn’t require you to actually send your password, and also doesn’t require you to send your username either.
Because of how it’s implemented, the system managing the passkeys also gets to authenticate that the website is who it says it is.

So no private data actually gets sent anywhere, but you can prove your identity while also checking the identity of the site you’re talking to, like the SSL lock icon but automated. It’s often implemented such that the device that holds they keys can’t actually have them stolen from it, and it’s integrated with a biometric sensor.
This means it’s possible to have a high degree of confidence that the person logging in is physically the same person who created the credential, and not just someone who had their password stolen.

The final perk, is that if you’re using something like a phone with a fingerprint scanner, passkeys work as two factors of authentication, despite only feeling like one.
Because the phone verifies your identity via fingerprint (something you are), it can then unlock the key that is uniquely available to the phone (something you have).

Combine that with being generally easier to use, and it’s pretty clear why most security experts are pushing them. Security that users will use is better than security they won’t, and finally we have easier to use security that’s also better than the more difficult options.

Emojis are standardized. They may look different in different devices, but the code of a “raised hands” emoji will always be the same, just like the code for A is always the same.

Removing old ones could be a problem, though.

I can agree with you. I’m curious what these reasons are, though?

Oh they do. They come to tell you that the safety protocols you’ve implemented are interfering with their design.

They’d prefer it if it looked pretty and then just fell down and light breeze thank you very much

It seems like the designer didn’t notice the error

For 6 characters is 5 seconds. I like the idea of using passphrases that mix casing with symbols but still they look like like real words, it make easier to write them down when you need them and they can be very long, so they are quite secure, of course using a password manager to be able to manage them.

Well, the rate passwords can be tested at now may not always be the rate passwords can be tested at later. Computers were, at one point, growing exponentially faster in terms of processing power. There are still several emerging technologies out there that could cause significant speed-ups.

It’s certainly better to future-proof your passwords.

In EVE Online that’s called ‘getting underneath the guns’. 🎓

Many security keys have NFC, or if you’re on a modern phone, you can use USB type C (Yubikey 5C)

Authentication app is another option. I believe some password managers can be set up to take the master password once per device and then accept authenticator codes to unlock for each subsequent time.

Or, since your phone is probably a lot more locked down than your computer, almost every modern phone since like the days of the iPhone 5S has a cryptographic TPM/secure enclave in the processor while the fact that not every computer has one was a major sore spot in Windows 11 compatibility, it might also be acceptable to just leave the password manager unlocked on your phone all the time, depending on your threat model. Assuming your phone is both encrypted and password protected and you trust the OS to implement both securely, the pin on your phone works more like the pin on your credit card than a traditional password login on a non-encrypted non-TPM computer, so even if a bad actor physically had your phone, it would be very hard to actually extract data out of it without the passcode (assuming it’s just your garden variety cybercriminal and not the CIA or something), which would serve as your master password in that case. Hardware security features can also resist brute force attacks where someone clones your hard drive and hooks it up to their own computer to try and guess the encryption password without the wrong entry time delays slowing them down, a secure enclave will actually enforce the time delays with no easy bypass and can also be set to wipe the phone if you get the passcode wrong too many times.

Phone apps are also almost entirely sandboxed from each other and can’t directly access other apps’ data, so the risk of a malicious program reading the password manager’s cache or database is also far lower than most desktop operating systems.

As it said in the document: With a little help from your OS. So I want to log into lemm.ee from another persons computer. I do have not my own keyboard, I neither have my additional drivers or extensions or whatever. Oops. No login.

I didn’t realize NYC has a physical Juneshine location. So I got a flight… and a Juneshine cocktail…