#passphrases

2025-06-20

I just published “Generating Passphrases Like correct horse battery staple” at
ii.com/passphrase-generators/ - please post suggestions for passphrase generators as a reply to this toot and I'll include them in my article!
#InfiniteInk #Privacy #Security #Tech #Passwords #Passphrases #CorrectHorseBatteryStaple
#Words #Writing #Byℵ #ByNM

2025-05-23

@gabe_sky
Great idea, thanks! Bookmarked.

As chance would have it, I also built another useful thing, way back in 2015:

batterystaple.pw/ - generates secure #Passphrases entirely in your browser

Like you, I built it because I was not happy with the existing alternatives. Since then, I have been using it quite regularly, but I have no idea if anybody else uses it (nor a way to find out).

In any case, I will gladly continue to pay for the domain name!

Sam Bent doingfedtime
2025-05-03

Use strong, unique passphrases.
Passphrases are easier to remember and harder to crack.

2025-04-05

@evangreer @fightforthefuture.org @bsky.app @guardianproject @internetarchive @torproject @signalapp @session @simplex @freedomofpress @eff @privacysafe
🔐 #PrivacySafe Bot: Strong #passwords made simple.
Whether you’re setting up devices and user access ahead of time or recovering from a breach, get cryptographically strong passwords & #passphrases — right in your browser, on your device, never stored on a server.
bitsontape.com/p/password-bot-

Aaron Toponce ⚛️:debian: atoponce@fosstodon.org
2024-12-27
Geekmaster 👽:system76: Geekmaster@ioc.exchange
2024-12-18

So what kind of policy framework do I have at my org? Goal is AAL2 per NIST 800-63B. Keep in mind, at least for the next decade or so still, passwords are not going anywhere - they are the last line of authentication while the world transitions to #passwordless

:finger_point: Encrypt everything, everywhere, all the time
:finger_point: VPN tunnels everywhere
:finger_point: PW policy that enforces a minimum of 13-complex characters for passwords (passphrases are evangelized heavily) + mandatory MFA via an Authenticator app + 365-day rotation policy (unless someone phishes their credential or it comes up on a #darkweb monitor) + 30-day token expiration - we do have filtering to prevent anyone reusing old passwords or common passwords (no, I don't pay for it, you can integrate with AD directly with some clever #powershell, #jfgi).
:finger_point: For our admin accounts, we require #passphrases of at least 4 words (7 are recommended), using the diceware method (physical, not a website). PW rotation occurs every 180-days. Tokens expire every 24-hours.
:finger_point: Service accounts (where we cannot use auto-cycling API tokens) require a minimum 24-character very complex password or 4-word passphrase as MFA is required to be disabled. PW rotation occurs every 180-days.
:finger_point: Awareness trainings every quarter for high-risk/high-exposure employees, annually for the rest of the company. I update my presentation facts, data, and reported metrics frequently based on OSINT, SIGINT, HUMINT, research, and constant education.

#BeCyberSafe #StayCyberAware

2024-12-04

"The challenge in storing encrypted backup data is that strong encryption requires strong (or “high entropy”) cryptographic keys and passwords. Since most of us are terrible at selecting, let alone remembering strong passwords, this poses a challenging problem."

#MatthewGreen, 2020

blog.cryptographyengineering.c

This isn't as hard as people seem to think;

xkcd.com/936/

What's missing is education, including replacing "password" with "passphrase".

#passwords #passphrases #XKCD

2024-06-30

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

10^25 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹ncsc.gov.uk/collection/top-tip

#Passphrases
#PasswordCracking

A variety of three- and four-word cracked passphrases, most of which appear to be randomly generated.
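
Added example (not part of the original post or of any tool linked on this page): the arithmetic behind the minimum-combinations figure in the post above (10^25, i.e. 100,000^5), comparing word counts and pool sizes and showing why three or four words only hold up against a slow hash. The two guess rates are assumed round numbers for illustration, and all function names are hypothetical.

```python
import math

MIN_KEYSPACE = 10**25  # minimum number of combinations stated in the post above

# Assumed, illustrative guess rates (constructed, not measurements from the page):
FAST_HASH_RATE = 1e11  # guesses/second against a fast, unsalted hash
SLOW_HASH_RATE = 1e4   # guesses/second against a deliberately slow password hash


def keyspace(pool_size: int, words: int) -> int:
    """Count of equally likely passphrases when each word is drawn uniformly at random."""
    return pool_size ** words


def entropy_bits(pool_size: int, words: int) -> float:
    return words * math.log2(pool_size)


def min_words(pool_size: int, target: int = MIN_KEYSPACE) -> int:
    """Smallest word count whose keyspace reaches the target (exact integer math)."""
    if pool_size < 2:
        raise ValueError("word pool must contain at least two words")
    words = 1
    while keyspace(pool_size, words) < target:
        words += 1
    return words


def avg_crack_seconds(pool_size: int, words: int, rate: float) -> float:
    """Expected offline search time: on average half the keyspace is tried."""
    return keyspace(pool_size, words) / 2 / rate


def report(pool_size: int, words: int) -> str:
    verdict = "meets" if keyspace(pool_size, words) >= MIN_KEYSPACE else "below"
    fast = avg_crack_seconds(pool_size, words, FAST_HASH_RATE)
    slow = avg_crack_seconds(pool_size, words, SLOW_HASH_RATE)
    return (f"{words} words from {pool_size}: {entropy_bits(pool_size, words):.1f} bits, "
            f"{verdict} 10^25, fast hash ~{fast:.3g} s, slow hash ~{slow:.3g} s")


if __name__ == "__main__":
    # 7776 is the size of the standard diceware list (five dice rolls per word).
    for pool, n in [(20_000, 3), (20_000, 4), (7776, 4), (20_000, 6), (100_000, 5)]:
        print(report(pool, n))
    print("words needed from a 7776-word list:", min_words(7776))
```
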
Esc-it collective esc_it@systemli.social
2024-04-28

The 2024 update to the Hive Systems password table was recently published and is being widely shared again.

Unfortunately, Hive Systems treats the topic of passphrases completely inadequately, so we took this as an occasion to update our passphrase table.

Details in the comment. ⬇️

#passwords #passphrases #security #passwordSecurity #passphraseSecurity #diceware

A table showing the time to crack passphrases, depending on the length of the word list, the length of the passphrase, and the hardware used for cracking.
In summary:
With up to 4 words it is red: a few hours to a few years.
From 5 to 7 words it goes from red through orange to yellow: a few years to single-digit billions of years.
From 8 words on it is in the green.

Original password table by Hive Systems.

https://hivesystems.com/password
Joachim Scharloth josch@chaos.social
2024-04-18

The topics in detail:

- History and basic functions of the password
- Cultural vs. pseudo-randomized authentication (#Authentifizierung)
- Complexity rules (#Komplexitätsregeln) and why short passwords are bad
- Multi-word #Passphrases
- The cultural nature of passwords
- Research ethics (#Forschungsethik) in password research
- Good practice: generating, memorizing, and storing passwords
- The password (#Passwort) and alternative authentication methods

Tuwort Podcast tuwort@chaos.social
2024-04-17

The topics in detail:

- History and basic functions of the password
- Cultural vs. pseudo-randomized authentication (#Authentifizierung)
- Complexity rules (#Komplexitätsregeln) and why short passwords are bad
- Multi-word #Passphrases
- The cultural nature of passwords
- Research ethics (#Forschungsethik) in password research
- Good practice: generating, memorizing, and storing passwords
- The password (#Passwort) and alternative authentication methods

tuwort.com/index.php/2024/04/1

Old Hacker Public Radio hpr@botsin.space
2024-02-06

New Episode: hpr4047 :: Change your passwords once in a while

Hosted by Deltaray on 2024-02-06 is flagged as Clean and released under a CC-BY-SA license.

Tags: #passwords, #security, #cyberSecurity, #PassPhrases, #PasswordManagers

hackerpublicradio.org/eps/hpr4

PCFIXIT Business IT Solutions pcfixit
2024-01-17

Strong passphrases can be the only barrier between adversaries and your valuable information. As we have increased our reliance on passwords, adversaries have developed increasingly sophisticated ways to crack them.
Ensure your passphrases are long, unpredictable and unique. Follow as many of our principles as you can to create the most secure passphrase possible.

Read more about creating strong passphrases 👉cyber.gov.au/protect-yourself/

Droppie [infosec] 🐨♀:archlinux: :kde: :firefox_nightly: :thunderbird:🦘:vegan: MsDropbear425@infosec.exchange
2024-01-03
Aaron Toponce ⚛️:debian: atoponce@fosstodon.org
2023-10-25

New webpassgen release 20231024.

Two new password generators:

- Obscure passphrases
- Pure random whitespace

Other features include:

- Colored mouse selection to match the requested security level.
- "Every Word List" size now surpasses 2^16 unique words.
- Noto Sans Mono replacing the system font for more consistency.
- Passwords are aligned vertically.
- Base4 now uses the digits 0-3 instead of DNA nucleic acid sequences.

#passwords #passphrases #opensource

github.com/atoponce/webpassgen

Screenshot of the "Obscure" passphrase generator. The generated passphrase is "yaff-hark-sexage-face-cord-pseudosmia-flibbertigibbet".Screenshot of the "Whitespace" password generator. The generated password is "⠀͏ ͏ᅠ
  ⁣  
 ‍⠀ 
⠀".
2023-10-13

If you have to remember them - passphrases are better than passwords.

What is a passphrase? Comparing #passwords vs. #passphrases:

proton.me/blog/https-proton-me

⁂Krafty⁂ #NoKings tkk13909@fosstodon.org
2023-08-04

What is #Fedi's opinion on #passphrases vs #passwords? Are passphrases just better?

For example,
Passphrase: pillowybarbsspike
Password: Tfu90PQ8vs352

#AskFedi #AskFediverse #AskFediTech

2023-07-08

#Passphrases are a great idea. I set mine to "password one two three exclamation point".
#infosec

Doc Edward Morbius ⭕ dredmorbius@toot.cat
2023-06-29

On LLM and passphrases ...

The thought has occurred that given that large language models are trained on texts, which one presumes includes not only Internet sources but scanned-in copies of published books and articles ...

... there's a strong probability that any given published word sequence appears within such a corpus ...

... and that given even a small sampling of a passphrase which is itself drawn from a similar corpus ... LLMs should be really good at guessing a given passphrase.

(How might it get a small sampling? Oh, say, shoulder-surfing, or acoustic signatures of typed characters, or leaks from inadvertently-entered phrases in the wrong dialogue, or other cues from context.)

Upshot: if you're relying on a single phrase from any published set of works ... as a long secret key ... you might want to reassess your threat model.

(I don't know that combining phrases from multiple sources might be an improvement ... though there are reasons to suspect that might also be at increased risk.)

(Oh, and by "you", I also mean "all the systems you're relying on, directly or indirectly". That would include, say, corporate, institutional, or governmental systems to which someone's previously relied on what they'd thought would be a long and hence difficult-to-crack phrase.)

(I also suspect that state-level actors will have first capabilities in this manner, but that that threshold will rapidly fall to far less-capable entities.)

(Many moons ago discussing security issues with a corporate user, I suggested that phrases from, oh, say, Alice in Wonderland would not be especially secure. Their passphrase was based on, of course, Jabberwocky.)

Edit: Markup.

#Security #LargeLanguageModels #LLM #AllYourTextAreBelongToUs #Passwords #Passphrases #GenerativeAI #ThreatModeling #ThreatModel
