@kkarhan Interestingly enough, a #passphrase consisting of six random words (which they list as still secure) is what I have suggested for quite a while as being reasonably secure even against a determined adversary. With #Diceware, that gives a work factor of about 2^77, same as a 15-character single-case alphanumeric password (but much easier to remember).
Most of my #passwords are significantly longer than that minimum.
My password tips are here: https://michael.kjorling.se/password-tips/
#passphrase #diceware #passwords
@douginamug Well, for security, a rather low-hanging fruit is still to ensure that you install software updates promptly. I know, it's not sexy, but it helps a lot!
Next step up I do think is good #password hygiene, including use of a #PasswordManager and #passphrases, plus #MFA #2FA where possible. Should cover #Diceware.
If we can get the typical person on board with those two, that will do a LOT to improve #infosec #security #cybersecurity for both themselves as well as others around them.
#password #passwordmanager #passphrases #mfa #2fa #diceware #infosec #security #cybersecurity
@IchoTolot While I don't use #diceware myself, it is actually not bad.
I prefer tied-together, long and ridiculously weird looking chemical formulas that I'm actually able to memorize easily.
Just don't ask me to remember names of persons. More often than not I recognize someone, but can't remember their name... I hate that.
@kkarhan Quite frankly, over 64 characters is overkill for #passwords. For a simple randomly generated alphanumeric #password (lowercase letters and digits only) to provide a 128 bit work factor you need 25 characters; for 256 bits, 50 characters. Using uppercase, lowercase and digits, 22 and 43 characters respectively. (Shows how little security you gain by mixing character case.) With #Diceware #passphrases and no additional #passphrase complexity, approximately 10 and 20 words respectively.
#passwords #password #diceware #passphrases #passphrase
@valen I've been using a #PasswordManager for many years now, to help me manage the many, MANY unique #passwords for different services.
And I have encouraged others to use a password manager as well.
That, and #Diceware #passphrases for those few credentials that are difficult to put into a password manager.
#passwordmanager #passwords #diceware #passphrases
@YesIKnowIT Or if you have a #Diceware (or similar) word list handy...
$ <wordlist.txt awk -F$'\t' '{print $2}' | shuf | head -n 6 | xargs echo
(That's not perfectly random because it won't repeat a word, which could happen with a perfectly random generator. However, for any reasonable-length passwords, you're unlikely to see repetition anyway.)
Example output with the EFF long word list:
smother stainable steadfast tackiness scrawny denatured
#diceware #password #passwords #passphrase #passphrases
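The same idea as the shell pipeline above, written out as an added example (it is not the poster's code). It reads an EFF-style tab-separated list, simulates five dice per word with the OS CSPRNG via the `secrets` module, and samples with replacement, so a word can repeat, which is the caveat the post mentions about `shuf`. The word list embedded here is a constructed placeholder with the right structure (7776 rolls, one synthetic word each); point `parse_wordlist` at the real EFF long list in practice.

```python
"""Diceware passphrase generator with a cryptographically secure RNG."""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5
SIDES = 6
EXPECTED_ENTRIES = SIDES ** DICE_PER_WORD  # 7776 rolls for a five-dice list


def parse_wordlist(text: str) -> dict[str, str]:
    """Parse 'roll<TAB>word' lines into {roll: word}; reject malformed lists."""
    table: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            roll, word = line.split("\t")
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'roll<TAB>word'")
        if len(roll) != DICE_PER_WORD or not set(roll) <= set("123456"):
            raise ValueError(f"line {lineno}: bad dice roll {roll!r}")
        if roll in table:
            raise ValueError(f"line {lineno}: duplicate roll {roll}")
        table[roll] = word
    if len(table) != EXPECTED_ENTRIES:
        raise ValueError(f"expected {EXPECTED_ENTRIES} entries, got {len(table)}")
    return table


def roll_dice(n: int = DICE_PER_WORD) -> str:
    """Roll n six-sided dice using the OS CSPRNG; returns e.g. '35214'."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(n))


def passphrase(table: dict[str, str], words: int = 6, sep: str = " ") -> str:
    """Pick `words` entries independently (with replacement) and join them."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(table[roll_dice()] for _ in range(words))


def entropy_bits(table: dict[str, str], words: int) -> float:
    """Entropy of a `words`-word passphrase drawn uniformly from `table`."""
    return words * math.log2(len(table))


# Constructed placeholder list: every five-dice roll maps to a synthetic word
# ("w11111" ... "w66666"). Only the structure matters for this example.
PLACEHOLDER_LIST = "\n".join(
    f"{''.join(r)}\tw{''.join(r)}" for r in product("123456", repeat=DICE_PER_WORD)
)

if __name__ == "__main__":
    table = parse_wordlist(PLACEHOLDER_LIST)
    print(passphrase(table, 6))
    print(f"{entropy_bits(table, 6):.1f} bits")
```

`parse_wordlist` refuses a list that is short, has duplicate rolls or malformed lines, because a truncated or edited list silently lowers the entropy you think you are getting.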
@Signal3r @tarnkappeinfo The most secure passwords are the ones a person keeps only in their head. Created with #DiceWare and an individual algorithm, so as to have a different one for every site/application...
The US treasurydirect.gov site is finally getting rid of their shitty virtual keyboard. Right now you have to click an on-screen keyboard to enter your password, which is unfortunately *less* secure since it discourages people from using a more secure Diceware-style passphrase or more complex passwords. Progress! #security #diceware
@AnthonyCollette Well, sorry, but: DUH. Using #Diceware as a benchmark wordlist size, log2((6^5)^3) ~ 39, whereas log2((26+26+10+10)^19) ~ 117. (Uppercase letters, lowercase letters, digits, 10 symbols = 72 possible characters to choose from.)
So a 39 bits entropy #passphrase is easier (as in would cost less) to crack than a 117 bits entropy #password?
In other news, the Sun rose in the east this morning; planetary physicists were allegedly unsurprised.
#diceware #passphrase #password
The UK's National #Cybersecurity Centre now recommends that people use "three random words" to make a strong #password. I must admit, I flinch a little every time I read this, because even if you use #Diceware to randomly select words for you from a list of 7776 possibilities, three genuinely random words is only ~38 bits of entropy, which is about as strong as 6 random keyboard characters (and the usual, minimum recommendation for this is 8).
People are exceedingly unlikely to choose 3 truly, statistically random words as their password. To get nearer to this, I suggest people hop from one TV channel to the next -- or one radio show to the next -- and listen for the (let's say) fifth verb they hear on one, fifth noun they hear on the second, and fifth adjective they hear on the third.
Or, better still, use a password manager app or the #Diceware Passwords app (available on F-Droid: https://f-droid.org/en/packages/com.aptasystems.dicewarepasswordgenerator/) to generate strings of truly random words (using data from random.org, which is a pretty fun website in itself, if you like numbers) for you. Password manager apps will save them for you as well -- choose one like #KeePass that works completely offline, and back it up in several places.
Failing that, write it down and keep it somewhere hidden and safe.
#cybersecurity #Password #diceware #keepass
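The work-factor arithmetic behind the comparisons in the posts above (six Diceware words vs. 15 single-case alphanumeric characters, 25 lowercase+digit characters for 128 bits, ~39 bits for three words vs. ~117 bits for 19 mixed characters, three words being about six random keyboard characters), as an added example that is not from any of the posts. The guess rate in `years_to_exhaust` is an assumed illustrative figure, not a measurement.

```python
"""Entropy and equivalent-length arithmetic for passphrases and passwords."""
import math
import string

DICEWARE_WORDS = 6 ** 5   # 7776-word list (five dice)
EFF_SHORT_WORDS = 6 ** 4  # 1296-word list (four dice)

ALPHABETS = {
    "digits": 10,
    "lower+digits": 26 + 10,
    "upper+lower+digits": 26 + 26 + 10,
    "upper+lower+digits+10 symbols": 26 + 26 + 10 + 10,
    "printable ASCII": len(string.digits + string.ascii_letters + string.punctuation),  # 94
}


def bits_for_uniform(symbols: int, length: int) -> float:
    """Entropy of `length` symbols drawn independently and uniformly from `symbols`."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbols)


def length_for_bits(symbols: int, target_bits: float) -> int:
    """Smallest length whose uniform choice reaches `target_bits`."""
    if symbols < 2 or target_bits <= 0:
        raise ValueError("need at least 2 symbols and a positive target")
    return math.ceil(target_bits / math.log2(symbols))


def equivalent_length(bits: float, symbols: int) -> float:
    """How many symbols from an alphabet of size `symbols` carry `bits` of entropy."""
    return bits / math.log2(symbols)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Time to try the whole space at an ASSUMED guess rate (illustration only)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def policy_table(target_bits: int = 128) -> list[tuple[str, int]]:
    """Length each alphabet needs to reach `target_bits`, plus Diceware word counts."""
    rows = [(name, length_for_bits(n, target_bits)) for name, n in ALPHABETS.items()]
    rows.append(("Diceware words (7776)", length_for_bits(DICEWARE_WORDS, target_bits)))
    rows.append(("EFF short-list words (1296)", length_for_bits(EFF_SHORT_WORDS, target_bits)))
    return rows


if __name__ == "__main__":
    print(f"6 Diceware words: {bits_for_uniform(DICEWARE_WORDS, 6):.1f} bits")
    print(f"15 lower+digit chars: {bits_for_uniform(36, 15):.1f} bits")
    print(f"3 Diceware words: {bits_for_uniform(DICEWARE_WORDS, 3):.1f} bits "
          f"= {equivalent_length(bits_for_uniform(DICEWARE_WORDS, 3), 94):.1f} printable chars")
    for name, n in policy_table(128):
        print(f"128 bits needs {n:>3} of {name}")
```

Note that 36^15 and 7776^6 are both exactly 6^30, which is why the six-word and 15-character figures coincide rather than merely being close. The table also makes the point in the 64-character thread concrete: adding uppercase saves three characters at 128 bits, not dozens.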
Because my last one was pretty popular (and is deleted now that I've set my posts to expire after 3 months), here is another list of my favourite #FOSS #software:
#Cryptomator -- encrypts files saved in a sync folder before they get uploaded to the cloud; great if you use Google Drive, Dropbox or another provider that doesn't offer end-to-end encryption (or, even if you do - belt and braces)
#Syncthing -- peer-to-peer file syncing over your local wifi network
#ShareX -- similar to Syncthing, but does not have to use the internet. Use your phone's hotspot to connect with a peer and share files via a web browser interface. Lighter and simpler to set up than Syncthing.
#Picocrypt -- on-the-fly file encryption
#LibreOffice -- free office suite, an almost drop-in replacement for MS Office
#KeePassXC and #KeePassDX -- XC is for desktop and DX is for Android only; offline password manager, saves your credentials in a file to your device that you can decide to back up (or not) manually; compatible with Yubikeys, OnlyKeys and other #FIDO2 devices
#LessPass -- stateless password generator that uses what you input every time to generate the same random-looking password every time
#Diceware Passwords -- Android app that uses data from random.org (or Android's built-in pseudorandom number generator) to create passphrases
#RemoteKeyboard -- link with #PuTTY to type on your Android phone from your laptop over wifi
#GnomeBoxes -- run virtual machines, like VirtualBox
#foss #software #cryptomator #syncthing #sharex #picocrypt #libreoffice #keepassxc #keepassdx #fido2 #lesspass #diceware #remotekeyboard #putty #gnomeboxes
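A minimal illustration of the stateless-generator technique named in the LessPass entry above, as an added example. This is not LessPass's algorithm or code: it only shows the principle that the password is a deterministic function of (site, login, master password, counter), so nothing needs to be stored and the same inputs always regenerate the same password. The iteration count, alphabet and length limits are assumed parameters for the example.

```python
"""Stateless password derivation with PBKDF2-HMAC-SHA256 (illustrative, not LessPass)."""
import hashlib
import string

ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$%^&*-_"
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; raise as hardware allows
KEY_BYTES = 32
MAX_BIAS_EXPONENT = 64        # keep output space >= 2**64 times smaller than key space


def derive_password(site: str, login: str, master: str,
                    counter: int = 1, length: int = 16,
                    alphabet: str = ALPHABET) -> str:
    """Derive a password of `length` symbols from the inputs.

    Site, login and counter act as the (non-secret) salt; the master password
    is the only secret. The derived key is read as one big integer and written
    in base len(alphabet). Because the key space is forced to be at least 2**64
    times larger than the output space, the modulo bias is below 2**-64.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    base = len(alphabet)
    if base < 2 or len(set(alphabet)) != base:
        raise ValueError("alphabet must have at least two distinct symbols")
    if base ** length > 2 ** (KEY_BYTES * 8 - MAX_BIAS_EXPONENT):
        raise ValueError("output space too large for this key size; shorten the password")
    # Length-prefix each salt component so ("ab","c") and ("a","bc") differ.
    parts = (site, login, str(counter))
    salt = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, base)
        out.append(alphabet[idx])
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    print(derive_password("example.com", "alice", "correct horse battery staple"))
```

The trade-off a password manager avoids: rotating one site's password means bumping its counter, which you then have to remember per site, and a compromised master password exposes every derived password with no vault to revoke.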
Debunking Cybersecurity Myths
Cybersecurity expert Eva Galperin -- @evacide -- helps debunk some common myths about cybersecurity.
☑️ Is the government watching you through your computer camera?
☑️ Does Google read all your Gmail?
☑️ Does a strong password protect you from hackers?
☑️ Will encryption keep my data safe?
☑️ Are all hackers bad people?
Eva answers all these questions and much more using clear language that's easy to understand.
Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation -- @eff
Rather read than listen? A helpful transcript is available.
https://www.wired.com/video/watch/expert-debunks-cybersecurity-myths
#Infosec #Cybersecurity #BeCyberSmart
#MoreThanAPassword #InfosecTraining
#DiceWare #Encryption #Passwords
#PasswordManagers #PublicWiFi #VPN
#EFF #ElectronicFrontierFoundation
#infosec #cybersecurity #BeCyberSmart #moreThanAPassword #infosectraining #diceware #encryption #passwords #passwordmanagers #publicwifi #vpn #eff #electronicfrontierfoundation
@ianhillmedia I agree with most of this (I still say SMS #2FA is less bad than no 2FA, but e.g. TOTP certainly is better) EXCEPT to regularly change passwords.
Better to use strong passwords unique per account.
#Diceware #passphrase is better than a traditional #password for memorability/security ratio. 6-8 words gives you solid security. Also good to consider a #PasswordManager. Even a low-tech small notebook in your wallet improves on reusing passwords (and you'll know if it's been breached).
#2fa #diceware #passphrase #password #passwordmanager
Is it REAL or is it FAKE?
Did you know that the skills you need to recognize a real word are completely different from the skills you use to recognize a fake word?
How well would you do? Which one of your word-recognition superpowers is naturally stronger?
The Center for Reading Research provides an online Word Test to measure:
➡️ How large your vocabulary is.
➡️ How well you can distinguish between a FAKE word and a REAL word.
With this test you get a valid estimate of your English vocabulary size within 4 minutes and you help scientific research by advancing word knowledge.
These are the same folks at Ghent University in Belgium who conducted the readability research which led to major improvements in DiceWare.
#realorfake #wordtest #diceware
@scottlougheed @dirkhh @jpgoldberg @zak also known as #diceware if you want to look for other ways to generate such.
Debunking Cybersecurity Myths
Cybersecurity expert Eva Galperin -- @evacide -- helps debunk (and confirm!) some common myths about cybersecurity.
☑️ Is the government watching you through your computer camera?
☑️ Does Google read all your Gmail?
☑️ Does a strong password protect you from hackers?
☑️ Will encryption keep my data safe?
☑️ Are all hackers bad people?
Eva answers all these questions and much more using clear language that's easy to understand.
Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation -- @eff
A helpful transcript is available.
https://www.wired.com/video/watch/expert-debunks-cybersecurity-myths
#Infosec #Cybersecurity #BeCyberSmart
#MoreThanAPassword #InfosecTraining
#DiceWare #Encryption #Passwords
#PasswordManagers #PublicWiFi #VPN
#EFF #ElectronicFrontierFoundation
:boost_ok: Feel free to share (boost) this post with all those who follow you by clicking the cycled-arrow icon below.
:mastodon: Here on Mastodon, boosting doesn’t elevate a post through any algorithmic shenanigans. Everyone who follows you gets to see the post (“toot”) without the platform interfering.
#electronicfrontierfoundation #infosec #cybersecurity #BeCyberSmart #moreThanAPassword #infosectraining #diceware #encryption #passwords #passwordmanagers #publicwifi #vpn #eff
Is it REAL or is it FAKE?
Did you know that the skills you need to recognize a real word are completely different from the skills you use to recognize a fake word?
How well would you do? Which one of your word-recognition superpowers is naturally stronger?
The Center for Reading Research provides an online Word Test to measure:
➡️ How large your vocabulary is.
➡️ How well you can distinguish between a FAKE word and a REAL word.
With this test you get a valid estimate of your English vocabulary size within 4 minutes and you help scientific research by advancing word knowledge.
These are the same folks at Ghent University in Belgium who conducted the readability research which led to major improvements in DiceWare.
:boost_ok: Feel free to share (boost) this post with all those who follow you by clicking the cycled-arrow icon below.
:mastodon: Here on Mastodon, boosting doesn’t elevate a post through any algorithmic shenanigans. Everyone who follows you gets to see the post (“toot”) without the platform interfering.