Is he right?

explain it then. how did he come up with 44 bits?

Uhm. No.
Have you ever heald a dictionary? Do you know how many even common words there are? This quickly outweighs your 256 characters. Chaining arbitrary words arbitrarily to each other is much safer. The computer doesn't know when word 1 stops and word 2 starts. Even with a dictionary and chaining words that would take eons.

Yea but I use a passphrase with "-", capitals and a letter substitution in my native language.
I usually take some recent news or try to summarize a scene from a book or film, such as "Pablito'sfatherwaski11ed" in reference to Narcos. Hard to guess, piss easy to remember.

just use another language

Each word is 11 bits.

Because he was picking each word randomly from a list of 2048 words, thus giving each word 11 bits. That entropy calculation is the worst case and assumes that you know the list of words used to pick from. Dictionary attacks, which consist of guessing commonly used combinations of arbitrary length tokens (ie random combinations of four words from the list, in this case) can't get around that.

Maybe if you knew the size of the password in which case you will chain words that make up to that size. In general though the second approach is more secure.

"trobador" is not in the most common 60k lists here

wordandphrase.info/frequencyList.asp

also 3/4 of the words used in the example are in the top 5000 used words and you could probably even further reduce which words people go for when they are asked

If you pick the words randomly it works.

That means losing one of your passwords is equal to losing all of your passwords.

True. A wrench may always defeat your security.

No it's not.

Not really. If someone got his master password, they would still need to know he's using the website name and converting it through a SHA256 algorithm.

so to clear this up:

the first example simply uses an uncommon word for "poet" and then added 2 special characters.

The password looks good but it's shit. This is intentional.

I mean, gee, you pick a single non-personal word and then add a little bit of entropy? It's no wonder it's comparably weak. Just like when idiots use the same words all over again.

sha256 is easily brutable; getting one key and knowing the site's name they can get your master password
I'm certain even if they didn't know that it is still crackable fairly easy; sha256 + static seed is bad combination

That is the point. Most people would make longer, more-difficult-to-remember passwords if they were encouraged to string random words together rather than random letters. Most people would look at the first one and think it's strong and the second one weak.

A sixteen letter alphanumeric master password has 8 septillion possible values. Good luck cracking that.

it sort of is. but if those were random letters, it would have a similar strength. Unfortunately it was a non-personal word placed in the password form.

the second approach always uses words. The first one doesn't have to, but here it also does so.

True that. I was mistaken with sha1.

People wouldn't remember it, which defeats the point.

people can also forget the second one and it takes longer to type.

They are less likely to forget it. A pure length comparison is deceptive because a single meaningful word is more equivalent to a single character in how we remember it.

>I'm just gonna limit the number of characters to 8 for the password here
Who the fuck had this great idea and why are there still sites doing this?

so the second one has the same security, but it is easier to remember (because we are putting our brain to use while typing it out rather than hamster memory)

because """professionals""" (pic related) in the business think it's easier to store passwords in plain text

I guess it depends where you're going to use the password. A 12 symbol random alphanumeric password is fast to type if you do it often, in which case it's not difficult to have it memorized either. A long password like correcthorsebatterystaple takes considerably longer. An added benefit of random alphanumeric passwords is that it's much more difficult for someone looking at you typing it to see what your password is.

If you type at a reasonable speed there is not much of a difference, especially since symbols, capitalization and gibberish tend to slow you down.

Your passwords should be unique to each site, and that becomes harder when you're using random symbols.

Unless you look down at they keyboard and slowly go from character to character when you type, there is no reason anyone should be able to see what you type when you type.

The benefit of a passphrase is that you're using units from the English dictionary (400,000+) rather than units from ASCII (128). A password of n random units from the dictionary is both stronger and easier to remember than a password of n random units from ASCII.

That's why all of my passwords are the names of manufacturers and products, with random characters at the beginning or end.

The only thing that really matters is your accounts don't share passwords and you use a stupidly large random password for your main email

Placing a single underscore between 2 letters will make it entirely uncrackable

Literally asymptomatic of autism.

That comparison is flawed. You actually mean units from English (26) versus ASCII (128) since what you're saying is comparing full words to single symbols, which doesn't make sense.

Thought, really, how many password fields allow ALL ASCII? So it should be under 26 in most cases.

I just use completely random passwords with all character types with a password manager, so who cares.

>must be EXACTLY 8 characters
>must contain 2 numbers in the front
>must have an uppercase letter as last character
>no special characters
>the rest may only be lowercase latin characters

why 28 bits? wouldn't each character be 8 bits?

no, but mathematicians are notorious for taking too much liberty and not enough care in redefining words in "mathematical context"

And if someone ever breaks into your account they get spoiled

This is the best way to make passwords, think of a phrase and use the first letter of every word, it's incredibly easy to remember for you and almost impossible for someone else to remember or crack

e.g.

49na1dcctgbtsasftm

Are you retarded? Look at the fucking picture. The squares are bits. He estimates the entropy of the base word as 16 bits, then he adds entropy bits for substitutions etc, to account for all different passwords of the format. How is this not obvious? Do you need everything explained to you? Just fucking think before you blurt out your stupid fucking garbage.

No, I mean words from the dictionary, which I am treating as individual units. ASCII is a list of units (a-z,A-Z,0-9, various other symbols) and a dictionary is a list of units (words, which are symbols). A password that is a combination of 10 words randomly chosen from a list of 8000 words (like diceware) is easier to remember and stronger than a password that is a combination of 10 random characters. Understanding words as units is the whole idea of using passphrases over passwords.

>generate ridiculously strong passwords as long as you want with a single click
>unique passwords for every single one of your accounts
>dont have to remember any of them
>dont even have to type them out because of auto type

Why havent you started using a password manager?

So use a sentence and add a small salt at the end

correct horse battery staple!@#

good luck cracking that one buddy.