Three months have passed and it's time to change all my passwords again. Let's talk about passwords!

> How do you store your passwords?
> What type of passwords do you use?
> Do you use different passwords / user names / email addresses for your logins?

I've been using KeePassX (and KeePassDroid on my phone) for a while now, recently discovered the joys of SSH so now I'm trying out passwd.

LastPass

>passwd
That should say pwsafe.

Please tell me you're not serious.

My password is a_NameOfWebsite/Service:2,b.

>he uses a password that can be cracked in a little more than three months

Any password can be brute forced in milliseconds, if you happen to guess right the first time :^)
Plus I don't. 80 bits of entropy or more. The frequent changes are just to keep the _chances_ of someone stumbling across the correct password low, and that's assuming someone's actually trying to crack them.

>The frequent changes are just to keep the _chances_ of someone stumbling across the correct password low, and that's assuming someone's actually trying to crack them.
You mean, in case they get a hash of an old password?

Because otherwise it does not affect the chance, assuming you always use passwords of comparable strength.

>it does not affect the chance
Sure it does. Let's go through a simple example.
Say I choose a password consisting of 3 digits (000 through 999). Let's say it's 021. Someone tries to crack it by brute force, making one guess every hour because he has other more important things to do.
The chance to guess right on the first try is 1/1000.
If the first attempt was unsuccessful, the hacker can rule out the password he guessed (let's say 463), which only leaves 999 numbers as the potential password. Meaning his chance to guess right on the second guess has increased to 1/999.
If that guess was unsuccessful as well (say, 665), that number can be ruled out as well and the chance to guess right on the third try increases to 1/998 and so on.
However, if I change my password in the meantime, then the guesses Mr. Hackerman already tried are again possible passwords and so the chances of him guessing correctly on the next try are again down to 1/1000.

>How do you store passwords?

In my head cause I'm not an autist with the memory of a goldfish.

If you store your passwords in anything other than your brain you need to leave this board.

I think you might qualify as an autist if you can remember 20+ passwords that each consist of 16 digit alphanumeric characters or random 7-word passphrases and change every 3 months as well as the associated distinct user names and sites.

>1/1000
Why would the chance be so low? Do you publicly announce that all your passwords are 3 numbers in a row with nothing else?
Bruteforcing means that the first attempt is infinitely low chance, second is too, third too.

I have to interject here given the password rage I had today.

I had to log in to a secure company program only my coworker had access to. Asked them for the password as I needed access to do my job, and it was an authorized use. Coworker says I don't need that, just type the first three letters of the user and everything auto populates. So I type "man" just to see what happens and sure enough it auto populates Manager John Smith along with their password and opens screen to web portal and email without any additional prompts after hitting enter. Four F*#K keys, grants full facility access!

I complain that this is beyond stupid and the least secure setup I have ever seen. I was then ridiculed as the password is very long and complex, but is also very convenient as you never have to type it. Thus the "genius" of getting everything at once.

I nearly stabbed someone today.

Is it your job to secure it? If not, who cares. If the company goes bankrupt because it's "hacked", then it could become your problem. So do your job and try to get as many company funded courses.

Both parties, you the password holder and the bruteforcer, are working independently and quite likely are unaware of each other or who is doing what when. It's impossible to know if the new password will be in the previously brute forced stack so the user can still be in danger. Have you made any calculations to prove that 3 months is sufficient duration for your passwords before the danger rises too much? If calculations show that the danger of brute forcing is outside of human lifespan then what's the point?

>infinitely
You're right, I should really choose my passwords from a list of infinitely many symbols. Fucking retard. I just picked a simple password for the purposes of demonstrating the principle of the thing: the chance of him guessing correctly the next time increase as possible options are taken out of the equation, and changing your password puts them back in, therefore resetting the chances to 1/however many passwords can be formed with the symbols you chose.

It might still be secure against outside intruders if the auto population is handled by an offline service that is only available on the work PCs (therefore necessitating physical access), or might only be available for users on the work network etc.
It's like saying your home PC is compromised if you set up SSH for passwordless login on your phone that intruders don't have physical access to.

>It's impossible to know if the new password will be in the previously brute forced stack
So you're saying the brute forcer will always try a random key on every single try? Which implies that there exists a scenario where the brute forcer is just trying "666" over and over again in the hopes that you eventually change your password to that? That's fucking retarded.
>calculations to prove that 3 months is sufficient
It would require knowledge about the frequency of guesses that a brute force attacker uses. Do it the other way around: calculate how many guesses per second an attacker would have to take before the chance of getting it right within x months rises above y%.
I'll do that right now, feel free to go over it yourself. I use three kinds of passwords: 16 random alphanumeric characters for online logins, 4 randomly selected words from a diceware list for device logins and 7 randomly selected words from a diceware list for the password database. We'll assume the attacker knows that much about my passwords.
Will post calculations in a sec.

I also use KeePassX and KeePassDroid. I aim for around 80 bits of entropy, using a different password for everything of course. I use the same or similar usernames most places, and a semi-throwaway email for most things. If it's something I actually don't care about and am really sure they'll send me spam I use a temporary email.

So I only have to remember a few passwords. One each for my computer, laptop, and phone, and one for my password database. I also use a keyfile for the database that's local storage only.

My job is inventory purchasing, not security.
I basically buy things we sell. The program is used to send e-checks to people. But I am told even if it is hacked we can't lose as it limits each transaction to $10,000 dollars. Yet it had no issue with me sending 3 e-checks to the same vendor in just a few minutes, as the person who should have sent them didn't thus I had to deal with the backlog and a lot of angry phone calls. And yes, I check to make sure we owed them before sending them the money.

Yes, it is stored locally so one needs to physically access that terminal.
However the terminal room and the public bathroom are right next to each other and poorly labeled. In the short time I have been here I found a number of people accidentally walk in to that "secure" room, which has a lock people never use. Joggers, truck drivers, homeless folks, you name it, I have probably had them yelling at me that that's a computer, not a toilet, as they fidget about needing to relieve themselves.

>So you're saying the brute forcer will always try a random key on every single try?

I'm not saying that, but what makes you sure the password that you newly enter will be in the password list that the bruteforcer tried unsuccessfully before? It might well still be generated in the future. I'm still partly going by your example.

>feel free to go over it yourself
Thanks but no. I don't buy into password changing strategies, unless when actually exposed and that more often happens with company database leaks and keyloggers, not bruteforcing.

I hate combinatorics by the way.

> 16 random alphanumeric characters
alphabet size = 26 letters + 10 numbers = 36 symbols
password length = 16
number of possible passwords: 26^16 ~ 4.4e22
chance to guess correctly on first try: p(1) = 1/4.4e22
chance to guess incorrectly on first try: p(0) = 1-p(1)
chance to guess incorrectly on first, then correctly on second try: p(1)*p(0)
chance to guess incorrectly on 1st, 2nd try, correctly on third: p(1)*p(0)^2
chance to guess incorrectly on 1st, 2nd, ... (n-1)th try, correctly on nth try: p(1)*p(0)^n
total time until password is reset: Tmax = 3 months
time between two guesses: Tguess
chance to guess correctly within Tmax, making one guess every Tguess months: P = p(1) + p(1)*p(0) + p(1)*p(0)^2 + p(1)*p(0)^3 ... + p(1)*p(0)^(Tmax/Tguess) = p(1) * sum from n=0 to (Tmax/Tguess) of p(0)^n

Right, I don't know how to get at Tguess in that equation. I'll just assume something ridiculous like 200 ps (so he's guessing and checking whether that guess was correct at an unrealistic rate of 5 GHz).
So, the chance of guessing a random 16 character alphanumeric password within 3 months, guessing 5 billion per second, is around 8.8e-10, or 0.000000088% (see pic). I fiddled with Tmax and found that it would take around 10 billion years to have a 3.6% chance to guess it.
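The odds being argued over in this thread (the 16-character calculation above, the "how many guesses per second before the chance exceeds y%" question a few posts up, and the entropy of the 4- and 7-word diceware passphrases) worked through in code. This is an added example, not something posted in the thread or taken from the tools mentioned in it. Assumptions not stated by the posters: "3 months" is taken as 90 days, a diceware list has 7776 words, the attacker never repeats a guess, and a password "reset" means the user draws a fresh uniformly random password from the same keyspace (so previously tried guesses become possible again, which is the scenario the thread describes). The alphabet is 36 symbols, as the post above states, so the keyspace is 36^16 rather than the 26^16 written there.

```python
"""Brute-force odds for the password shapes discussed in the thread.

Added example; not from the original post.  Assumed: 3 months = 90 days,
a diceware list has 7776 words, the attacker never repeats a guess, and a
password "reset" draws a fresh uniformly random password from the same
keyspace.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
THREE_MONTHS_SECONDS = 90 * 24 * 3600  # assumption: 3 months = 90 days
DICEWARE_WORDS = 7776                  # 6^5 words on a standard diceware list


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def p_crack_no_change(S: int, guesses: int) -> float:
    """Password never changes, attacker never repeats a guess.

    After n distinct guesses the chance one of them was right is n/S.
    """
    return min(guesses / S, 1.0)


def p_crack_with_resets(S: int, guesses: int, guesses_per_period: int) -> float:
    """Password re-drawn uniformly every `guesses_per_period` guesses.

    Each period is an independent trial with success chance m/S, so
    P(cracked within n guesses) = 1 - (1 - m/S)^(n/m); a trailing partial
    period is one more trial.  log1p/expm1 keep precision, since m/S is
    tiny and the two strategies differ only in the second-order term.
    """
    m = guesses_per_period
    full, rem = divmod(guesses, m)
    log_survive = full * math.log1p(-m / S) + math.log1p(-rem / S)
    return -math.expm1(log_survive)


def exhaustive_years(S: int, rate: float) -> float:
    """Time to try every password at `rate` guesses per second."""
    return S / rate / SECONDS_PER_YEAR


def rate_for_threshold(S: int, seconds: float, p_target: float) -> float:
    """Guesses per second needed so that P(crack within `seconds`) = p_target.

    This is the inverse question posed in the thread: n/S = p  =>  n = p*S.
    """
    return p_target * S / seconds


def thread_numbers() -> dict:
    """Figures for the exact scenarios the posters argue about."""
    S16 = keyspace(36, 16)
    n = int(5e9 * THREE_MONTHS_SECONDS)      # 5 GHz for 3 months
    daily = int(5e9 * 86400)                  # guesses between daily resets
    return {
        "bits_16_alnum": entropy_bits(36, 16),
        "bits_4_diceware": entropy_bits(DICEWARE_WORDS, 4),
        "bits_7_diceware": entropy_bits(DICEWARE_WORDS, 7),
        "p_16alnum_3mo_5GHz": p_crack_no_change(S16, n),
        "p_16alnum_3mo_5GHz_daily_reset": p_crack_with_resets(S16, n, daily),
        "rate_for_1pct_in_3mo": rate_for_threshold(S16, THREE_MONTHS_SECONDS, 0.01),
        "years_12alnum_1GHz": exhaustive_years(keyspace(36, 12), 1e9),
        "factor_per_extra_char": keyspace(36, 13) // keyspace(36, 12),
    }


if __name__ == "__main__":
    for name, value in thread_numbers().items():
        print(f"{name:32s} {value:.4g}")
```

Two things fall out of running it. Resetting the password even daily changes the attacker's 3-month odds only in the second-order term (the difference is around one part in a billion), whereas each extra random character divides the odds by 36; and the thread's 150-year figure for exhausting 12 case-insensitive alphanumerics at 10^9 guesses per second is reproduced as written.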

>what makes you sure the password that you newly enter will be in the password list that the bruteforcer tried unsuccessfully before
It just needs to be _possible_, not necessary. Remember, we're not talking about when he _surely_ guesses it right (chance = 100% because all other options are exhausted), but when the chance exceeds a certain threshold.

Would help if I attached the picture.

That is not how it works.

Then how does it work? If the brute forcer doesn't discard passwords he's already tried (at least until he's partway through the possible combinations), he has to try a random combination every time. Which includes, theoretically, the possibility of him guessing the same password every time, in a row. Which would be fucking retarded.

yes it is you fucking retard

You're assuming that an attacker would try to bruteforce for a long time (3+ months). Any decent site should already have blocked the attacker from trying to login and also the tries would be so slow that it would take years to even crack simple passwords.
So it is only really a protection against password data being stolen. But it does not inherently make your password more secure.

>Which includes, theoretically, the possibility of him guessing the same password every time, in a row. Which would be fucking retarded.
Just saying, chance of that is extremely low. This is hardly a counter-argument.

no it is not you fucking retard

Okay, look at it this way: The chance of you changing your password between guesses is incredibly low, considering most people never change theirs at all, or maybe once a year or something like that. Improving your brute force algorithm in this simple way will increase your chances as you keep at it. It would be silly not to at least reduce the chance of choosing previously used values for a certain time because the chances of someone switching their password to one of the passwords you already tried is incredibly low.

Well, of course I am assuming that because that's the point of choosing passwords of length x with characters from set Y in the first place. He's not doing a dictionary attack on random character strings (and even if he was, it's again just brute forcing on a reduced set of possible values) and social engineering, phishing, keylogging and other such nonsense is a threat regardless of your password. That's why you don't type them on untrusted devices, keep them out of plain sight, store them in an encrypted file with a very strong password etc. All that has nothing to do with frequently changing your passwords, or even what kind of password you use beyond very common shit like 12345.

KILL YOURSELF

I don't get what you're trying to say.
Again, frequently changing your passwords only helps protect you in case your hashed password data got stolen. Because otherwise nobody will try to bruteforce your password for such a long time. So changing your password frequently does NOT "keep the _chances_ of someone stumbling across the correct password low". (If that is what keeps it low, you're using a too weak password.) It just means that if they were able to bruteforce it (in which case you should have used a stronger password anyway), it might not matter because you are likely not using that password anymore.

KILL YOURSELF

>In my head cause I'm not an autist
Top kek. You have egg on your face.

>nobody will try to bruteforce your password for such a long time
a) Depends on the type of password. Password for your Brazzers account? Yeah, they'll get locked out long before cracking that (probably). Password to your password database file? If they manage to get a copy (maybe because you were a retard and put it in a Dropbox, or because they managed to intercept it when you sent it to your phone via FTP), then they can try to crack it as long as they want. Realistically you and me are probably not high enough on anyone's list that they'll really try to crack your passwords for years. However...
b) Remember that we're talking about someone having a certain CHANCE to crack your password in a given amount of time. There's roughly a 1 in 1 billion chance (1 / 8.8e-10) someone might crack a 16 digit alphanumeric password in 3 months, but remember that the chance he might guess it earlier is also nonzero. The odds of someone guessing your password in a short time are incredibly low, but there's still a CHANCE they're lucky. By changing your passwords frequently, you keep the cracker's odds from increasing.
>If that is what keeps it low, you're using a too weak password
Wrong, changing your password frequently keeps the odds lower than if you're not changing it, no matter how secure your password. Whether you're decreasing the odds significantly is another question entirely; only you know whether the marginal increase in security is worth the hassle of changing your passwords to you.
>if they were able to bruteforce it (in which case you should have used a stronger password anyway
No password is 100% secure from brute forcing unless we're talking about really REALLY advanced encryption. That's the whole point of doing it -- brute forcing is slow but if you have enough time, you're guaranteed to guess the right password eventually, given enough time. With limited time, there's still a chance (small but nonzero) to guess correctly.

>caring about infosec
hahaha you were too stupid to become a programmer

???

infosec is fucking boring as shit only spergs care about it to the extent you care about it

and infosec is generally not very profitable i bet you work as sysadmins or you're straight up NEETs

>If they manage to get a copy (maybe because you were a retard and put it in a Dropbox, or because they managed to intercept it when you sent it to your phone via FTP), then they can try to crack it as long as they want.
Exactly. It only helps if they stole your password data.

> Whether you're decreasing the odds significantly is another question entirely
It was said that frequent changes is what kept the chances low. That is not correct. They should be low beforehand.

>No password is 100% secure from brute forcing unless we're talking about really REALLY advanced encryption
The maths is easy. Checking all 12 digit alphanumeric (case-insensitive) passwords at 1,000,000,000 guesses per second still takes
150 years. Sure, you might be real unlucky, but realistically, it is not going to happen.

The thing is adding a single random alphanumeric character multiplies cracking time by 36.
You'd have to change your password 36 times during the attack to get similar protection.

see
this is just theoretical wankery, completely impractical as adding random characters is a lot more effective against bruteforcing than changing passwords frequently. However you should still change them frequently as it helps greatly against leaks.

>stole your password data
You misunderstand. By password database I don't mean a fucking plaintext file, but an encrypted file they would need to decrypt first (brute-forcing passphrases until they get readable data).

>They should be low beforehand.
They are. They increase because that's the principle upon which brute forcing works. Frequent changes keep the chances low, regardless of whether they were low to begin with or not.

>still takes 150 years
First, that number is incorrect. Second, you can only say "brute forcing takes X years" if you're talking about the best-case scenario: the cracker guesses wrong every single time until only one possible password remains. You would have to say "brute forcing until the cracker's odds increase to p% takes X years". Third, if you're so confident about not being unlucky, you should try gambling as a hobby. I suggest Russian roulette.
I seriously hope you're baiting because it's working and I refuse to believe I'm sharing not only a planet but also a technology enthusiast forum with people this dumb.

>You misunderstand.
The bruteforcer has your password stored locally, which is the only viable way to bruteforce non-weak passwords.

>Frequent changes keep the chances low
They help lowering the chances (a bit). But they do not solely keep them low.

>First, that number is incorrect.
???
>if you're talking about the best-case scenario
Which is what I did to make a point. Even just a few percent of that time are multiple years. And that is just assuming a case-insensitive, alphanumeric password.
> Third, if you're so confident about not being unlucky, you should try gambling as a hobby. I suggest Russian roulette.
You should really learn how to assess and interpret chances.

>But they do not solely keep them low.
What "keeps" the chances low then? Because you choosing a strong password only determines the cracker's initial chances, and what they are reset to on changing the password.

>???
You're using 12 characters all of a sudden, which decreases the number of available passwords by a factor of almost 50,000. So it would take several million years to have a 100% chance of cracking a 16 digit alphanumeric password. That sounds like it's even better, but...
>You should really learn how to assess and interpret chances.
Alright, champ. Get a six-shooter. Put one bullet in the drum. Spin that fucker up. Don't look at it. Point it at your temple and pull the trigger. You have a 16% chance of hitting the bullet, that's low enough right? 84% chance of survival, not bad.
Now repeat that every 20 years. Don't look at or use the revolver in the meantime. By your logic you should be perfectly safe since it would take longer than your lifespan to have a 100% chance of shooting yourself.

>Frequent changes keep the chances low, regardless of whether they were low to begin with or not.
no, that's bullshit. random characters in passwords keep the chances low. frequent changes. adding 2 random characters is equivalent to changing your password 1000 times during the attack. The latter is infeasible, the prior is easy.
IoW changing a 8 random character password 20 times during an attack is weaker than a 9 random characters password that never gets changed. It's just not economical.
You could add a single random character to your password or change it 36 times. 15 random alphanumeric is 75 bits of entropy, that's not realistically getting cracked regardless of whether or not you change it.

>84% chance of survival, not bad.
that's terrible, why are you so angry at him?

the point is that even after years you will never hit even a single digit % of the search space with a sufficiently long password. say 20 random characters. it doesn't matter whether you change it or not, sure changing it makes it theoretically more unlikely but practically it doesn't matter.

I wrote all of them down and they are in a safe in a hidden spot, but they aren't written down word for word, I made a math equation to solve the passwords. Not all of them follow the same equation I created, as I have 10 different formulas.

alright, so let's say you have a 10 character password.
memorizing long passwords is hard so you use the 10 characters initially
then you add 1 character every week or day or whatever, till you have 20. Then you never change it again because 20 random characters simply cannot be bruteforced in a lifetime, even if you do get reasonably lucky