/tech/ - Technology


 No.1019113>>1019115 >>1019131 >>1019163 >>1019919 >>1019921 >>1024318 >>1025041

Why are they safe and why don't you start using them?

 No.1019115

>>1019113 (OP)

Shut up you fucking nigger


 No.1019116

kys fag


 No.1019117>>1019846 >>1023542 >>1026516 >>1026556

I'd cyberbully a kid. Hell, I'd cyberbully a kid right now. Little fuckers don't get bullied enough.

you know what's a good password manager? A small book lying beside your computer. It's operated with a pen. That's only for the important passwords. For throwaway passwords of some random forum, a password manager is fine.


 No.1019123>>1019124 >>1019176 >>1019181

TupleHash((masterpassword, "facebook.com", "Goodest Goy"), 128, "")
This is the best password manager. Prove me wrong.

TupleHash specification: https://csrc.nist.gov/publications/detail/sp/800-185/final


 No.1019124

>>1019123

>reddit spacing

wtf? I didn't even reddit space


 No.1019125>>1019127 >>1019155 >>1019163 >>1026069

Is keepassxc safe?

Any better alternatives?


 No.1019127>>1025119

>>1019125

>Is keepassxc safe?

C++ 96.1% CMake 1.6% C 1.2% Shell 0.6% Objective-C++ 0.2% Dockerfile 0.1% Other 0.2%


 No.1019131

>>1019113 (OP)

Password managers are for fags like you.


 No.1019142>>1019145

(((33)))

OP is a Freemason


 No.1019145

>>1019142

What do unfriendly Jews like you use for the n-billion needed logins in todays life then?

>your brain, bruh


 No.1019155>>1026069

>>1019125

pass (bash+gpg) with a smartcard like yubikey


 No.1019161>>1019198 >>1019847

>not using meme song lyrics for your password


 No.1019163>>1019176 >>1019180 >>1019181 >>1019330 >>1019434

>>1019113 (OP)

>>1019125

>using a password manager

>having to sync passwords between devices

>not being able to access your password if you don't have access to any of your machines

>potential security risks

I don't see why everyone doesn't just use a script something like this:


echo "[website][master password]" | sha256sum | cut -c-12


 No.1019176


 No.1019180>>1019181

>>1019163

Get on the next level:

printf '%s%s' "$WEBSITE" "`printf '%s' "$MASTER" | sha512sum`" | sha512sum | cut -d\  -f1 | xclip -l 1 -selection c


 No.1019181>>1019183 >>1019510

The best password manager is your brain.

>>1019163

>>1019123

>>1019180

That's all nice and cool my dudes but what if for some reason you need to log in using a machine without a command line able to do all these funk and dunk hashing maymays?


 No.1019183>>1019267

>>1019181

Well, install it, obviously. :^)


 No.1019198

>>1019161

>not using a 64 character mixed case alphanumeric password

I used to actually remember a password like that


 No.1019267

>>1019183

Use your phone


 No.1019330

use Keepass2 or KeepassXC

both run on linux, but KeepassXC runs better because it doesn't use mono.

>>1019163

>>not being able to access your password if you don't have access to any of your machines

How are you going to run that script if you don't have access to your machine, huh?


 No.1019434>>1019522 >>1019664

>>1019163

>I don't see why everyone doesn't just use a script something like this

Because that's a single level above "reusing the same password everywhere", if an attacker sees that command they know all of your passwords.


 No.1019510


 No.1019514

just put them in a txt file and attach them to a post in this thread, I'll watch after your passwords, I promise


 No.1019522>>1019548 >>1019664

>>1019434

And logged in ~/.bash_history or equivalent.


 No.1019548>>1019664 >>1019672

>>1019522

The typical UNIX weenie response is for the user to always remember to precede the command with a space, so that it doesn't get logged.


 No.1019579

Use pass


 No.1019664>>1019669 >>1019672 >>1019688 >>1019704 >>1019752

>>1019522

>>1019434

>>1019548

What about a script like this one?


#!/bin/bash
read -p "Enter website: " website
read -p "Enter master password: " password
echo "[$website][$password]" | sha256sum | cut -c-18

Is it safe?


 No.1019669>>1019744

>>1019664

Seems ok as long as those variables don't get written to disk and don't know any reason they should. I unironically use a password manager myself.


 No.1019672>>1019744

>>1019548

space doesn't prevent it getting put in bash_history on my machine. Is this a new feature?

Also, what is the LISP weenie's response? Never keep history of anything?

>>1019664

maybe give read -s for the password.


 No.1019688>>1019689 >>1019744

>>1019664

Not really. All the attacker will need is your password and this "recipe". Not much safer from having a database of passwords, like with KeePassX.


 No.1019689>>1019826

>>1019688

>Not really. All the attacker will need is your password and this "recipe".

How would the attacker get the password though????


 No.1019690>>1019691 >>1020154

Kek, so let me tell you a little family story. My family are all pretty good with computers for normie tier folks. However, recently my sister (who lives with my mom) has gotten her shit hacked, and it spread to my mom, and then their Orbee or whatever the fuck got hacked too. So I had them go down to the Apple store (hate them myself but they are the best thing for normies) and get their shit reset. That worked great but even though I told them both to write down their passwords they didn't, and instead used their old password manager accounts and simply updated them with the new passwords. Whoops! They both got hacked again.

So now I'm stuck with these irate women who because of family duty I have decided to help even though it's EXCRUCIATING and trying to convince them that the old way of sticking a post-it note to the computer is actually more secure if that's how it has to be.

GWAAHHHHhhh it's crazy. I still think their phones or computers are rooted and shit but I'm like 3000 miles away so there's nothing I can do physically and they're not quite hip enough to get port forwarding going so I can't do VNC and SSH yet. Some fucking Pajeet or Chaim is going to feel red hot lead in his skull because of this, another couple weeks of these phone calls and I'm calling Blackwater or whatever it's called now and sending a hit team.


 No.1019691

>>1019690

>Some fucking Pajeet or Chaim is going to feel red hot lead in his skull because of this

Nah. He is going to feel all the nudes of your sister though. Btw post pics of her feet.


 No.1019693>>1019699

You cannot be cyberbullied if you have no cyber accounts. This way, you can only be bullied by face.


 No.1019699

>>1019693

>black man head tap dot jpg


 No.1019704>>1019744

>>1019664

>sha256

Kek


 No.1019744

>>1019704

Better suggestions?

>>1019669

Thanks! This is more portable. You can always recreate it from memory.

>>1019672

Good idea!

   -s        Silent mode. If input is coming from a terminal, characters are not echoed.

>>1019688

>Hitler dubs checked

This is more portable, no need for KeepassX on usb, just type it up if you're using a new system. Right?


 No.1019748

>You cannot be cyberbullied if you have no cyber accounts. This way, you can only be bullied by face.

U R A Russian.


 No.1019752>>1019754

>>1019664

What happens if the website changes its domain name?

If you write down the specific names you've decided to use, that's just as bad as writing down your passwords.

If you memorize them, why not simply append the master password? You don't need a shell to do that, and it's just as safe.


 No.1019754>>1019761

>>1019752

>What happens if the website changes its domain name?

How do you find the new domain name? Hmmmmmmmmm...

>If you write down the specific names you've decided to use, that's just as bad as writing down your passwords.

wrong

>If you memorize them

Are you retarded? If you want to login to goybook you run the script and get your password. You only have to memorise your masterpassword.

>why not simply append the master password? You don't need a shell to do that, and it's just as safe.

Most websites don't hash the passwords though. So when the password db gets leaked the attacker need only look at your password and can login to all your other accounts.


 No.1019761>>1019764

>>1019754

Think before replying.

If I create the password when the website is named memesite.com, but then the domain changes to meme.site.net or whatever, how do I remember what website name I used to first create the password? Was it "memesite.com", "memesite", an even older domain, "meme site" or "Meme site"?

Writing them down reveals which sites I have logins for, suggests that I am using site names to create passwords, and if an attacker can see the list they probably can see the password script too.

If you don't write down the site names, you need to memorize them so as to use the right one in case of domain change and such.

Most websites absolutely hash passwords, even the shitty ones, it's still unsafe to append but so is building all your passwords from a master password.


 No.1019762

Just use passphrases with uncommon words, if possible, of different languages. It's easier to remember and it's harder than any shit an algorithm can come up with.


 No.1019764>>1019766

>>1019761

>If I create the password when the website is named memesite.com, but then the domain changes to meme.site.net or whatever

How often does that happen? Just change the password then.

>Writing them down reveals which sites I have logins for

Then don't write it down.

>suggests that I am using site names to create passwords, and if an attacker can see the list they probably can see the password script too.

Which is not a problem at all because you keep your master password secret.

>If you don't write down the site names, you need to memorize them so as to use the right one in case of domain change and such.

Then don't use domain names. If you have a website named Meme Site just use the name of the website to derive your password.

>Most websites absolutely hash passwords

lol

>but so is building all your passwords from a master password.

lol. read this https://en.wikipedia.org/wiki/Cryptographic_hash_function and this https://en.wikipedia.org/wiki/Key_derivation_function

Protip: KDFs are everywhere. Are you saying that they are insecure?


 No.1019766>>1019767 >>1019769

>>1019764

>How often does that happen? Just change the password then.

At that point, why not use a password manager instead?

Strictly better as you wouldn't have to change the password then.

>Then don't write it down.

>Which is not a problem at all because you keep your master password secret.

Why not a password manager then?

If you trust the master password will remain secure, a password manager is just as protected on that front and doesn't leak the sites you have a password for.

>lol

Even the laziest, shittiest, shadiest sites I've seen did it.

Fucking furaffinity does it, and that's basically "How not to make a site: the example"

>lol. read this

You didn't think before replying: hashing on your terminal is one more place the attacker can look at, and it's much more accessible than the average password db.

Appending is equally stupid, because it's only worse if your password gets leaked by the site you're using it on and it's better if you have an attacker looking at your machine.


 No.1019767>>1019824

>>1019766

>At that point, why not use a password manager instead?

>Strictly better as you wouldn't have to change the password then.

But a password manager is basically just a key value database where the value is a randomly generated password and the key...

Hmmm what is the key? Maybe the domain? You have the same problem with a password manager too.

>Why not a password manager then?

Because you have to keep the password db up to date on all devices. Also what happens should you lose the db? Deriving your passwords is strictly better.

>Even the laziest, shittiest, shadiest sites I've seen did it.

Like adobe? Or those? https://duckduckgo.com/?q=plaintext+password+leak&t=ffab&ia=web

>hashing on your terminal is one more place the attacker can look at

When you're using a password manager you have to enter the master password somewhere too. Also the passwords could be extracted from memory.


 No.1019769

>>1019766

vast majority of websites never change their names. Those that do either do it very early, before many people joined (eg thefacebook), or they change it as a desperate attempt before dying (eg gittip).


 No.1019824>>1020061

>>1019767

>You have the same problem with a password manager too.

A password manager is harder to hack than plain, readable code.

It's certainly possible, but it takes significantly more access than simply looking at terminal logs.


 No.1019826

>>1019689

Well, gee, might as well just keep all your passwords in an encrypted ZIP file, am I right?


 No.1019846


>>1019117

>A small book lying besides your computer

<CIA nigger comes into your home while you're not there and gets all your passwords


 No.1019847

>>1019161

hit or miss, I guess they never miss, huh?


 No.1019849>>1019863 >>1020067 >>1022796

If your system is compromised in any way by an attacker that targets you, it's game over anyways, none of that matters anymore. Might as well keep your passwords in a file called passwords.txt in that case. I wouldn't even be surprised if some automated exploit scripts actively target the more common password managers. (and their databases)


 No.1019863

>>1019849

You go right ahead, buddy. I'll keep my passwords encrypted.


 No.1019919


>>1019113 (OP)

I have diceware and password cards; I don't need them.


 No.1019921

>>1019113 (OP)

>not using mnemonics to memorize all your passwords


 No.1020061

>>1019824

So what you are saying is that having access to the source code is a security risk?


 No.1020067>>1020072 >>1022796

>>1019849

>Might as well keep your passwords in a file called passwords.txt in that case. I wouldn't even be surprised if some automated exploit scripts actively target the more common password managers. (and their databases)

THIS

passwords.txt file is actually safer than password manager, because automated exploits will check your PC for any installed or running password managers and steal passwords from them. to get passwords.txt exploit would need to search for all files on your PC (which would be suspicious as you could see a lot of HDD activity)

and if you name your passwords file in different way, like cocks.txt, niggers.txt etc, it would be very hard for automatic malware to steal your passwords file


 No.1020072

>>1020067

How can you even claim to know what a malware is going to do, unless you wrote it? Anyway there's no guaranty an encrypted file is going to be named something obvious or be in a default location. You can just as well uuencode the encrypted password file and make it text if you really want to, or append it to an image file or something. But doing away with the encryption means anyone who opens that file has all your fucking passwords, so that's fucking stupid, and only a cianigger would advocate this.


 No.1020079>>1020082 >>1020487 >>1022796 >>1022808 >>1022961

If you run internet-facing applications as your privileged main user account you are dumb anyways. Optimally the account who runs your browser for example shouldn't even be able to access your passwords.txt or passwords.gpg or whatever. Those files/database/whatever should be completely out of its scope. Now the attacker doesn't need only an exploit for your browser, but also a privilege escalation exploit, which are harder to come by.

On top of that, mandatory access control that won't even allow the potentially compromised process to do anything interesting if it's compromised. Now the attacker doesn't only need an exploit for your browser, but also a privilege escalation exploit AND an exploit in your linux kernel. This is completely out of scope for most drive-by malware.

Even better would be to run the apps that run code off the web (as any browser technically does) on a physically different machine. Now you don't have to worry about your main working station or VM/sandbox breakout exploits anymore at all. The extra step would be to isolate that machine from your home network physically.

As you can see, the more layers you introduce, the more complicated it gets, the first ones are reasonable. There's no such thing as 100% security for any use case anyways. Always think about your attack vectors and what's reasonable as defense. It's all you can do. I would never say that password managers are automatically safer for what it is to do. They might, or they might do absolutely nothing in regards to additional security. The anon who said to just write them down on paper is actually right, as paper is 100% unhackable and also very easy to keep safe. You also won't run into technical difficulties that plague digital solutions by design. Such a password store is also very easy to destroy quickly effectively if you have to. If you really actually have CIA spooks after you and have to worry about them breaking in and stealing your password-book, you have bigger problems. You're not some kind of James Bond-esque suave character. They'll just punch you in the mouth until you tell them everything they want you to.

But as most people here are larping anyways and running Win10 I don't even know why I took my time writing all that. Carry on.


 No.1020082


 No.1020154

>>1019690

imagine what your sister was doing to pick up a computer STD this bad. do you think she has watched porn? just imagine haha


 No.1020199>>1020207 >>1020281

Hash your hash for N times, where N = characters in $website:


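#!/bin/bash
# -s hides the typed input; -p takes the prompt as its argument, so -s has to come first
read -sp "Enter website: " website; echo
read -sp "Enter master password: " password; echo
FOO=$(echo "[$website][$password]" | sha512sum)
# wc -c also counts echo's trailing newline, so LOOPS is the length of $website plus one
LOOPS=$( echo "$website" | wc -c )
LOOPCOUNT=1
# -lt is the numeric comparison; "<" inside [ ] would be an input redirection
while [ $LOOPCOUNT -lt $LOOPS ]
do
BAR=$( echo "$FOO" | sha512sum )
FOO=$BAR
# plain assignment; a bare $(( ... )) would try to run the resulting number as a command
LOOPCOUNT=$(( LOOPCOUNT + 1 ))
done
echo "$FOO" | cut -c-18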

#cleanup (yes the variables may be internal to the script, but no harm done by doing this)
website=""
password=""
FOO=""
BAR=""

#Things to consider:
#Compressing it into a one liner/ function/ alias / something else
#The use of "wc -c" for counting the characters is preferred over ${#website} because wc isn't platform dependent, which could mess you up if using ${#website} and you get a different value for website.

Your password system loses some security the moment you tell others what you use, so shhhhh don't tell anyone ;^) ...and no, I don't use the script above.


 No.1020207>>1020329

>>1020199

>Hash your hash for N times, where N = characters in $website

why?


 No.1020281

>>1020199

It's nice to see my humble bash script being improved upon.


 No.1020329>>1020404

>>1020207

I assume so that attackers don't know the algorithm that turns your master password into a website password. Pretty stupid way to go about doing it; better would be to use a secret salt of some sort:

#!/bin/bash
SALT='4cb0b66288a0b6f7f68c87ff6ed8c0f4'
read -p "enter website: " website
read -sp "enter master password: " password
echo
sha512sum <<< "$SALT:$website:$password" | cut -c-18


 No.1020404>>1020461

>>1020329

>secret salt

But the master password is already secret.


 No.1020461>>1020463 >>1020569

>>1020404

The master password only contains as much entropy as you can memorize. ~32 bits wouldn't be uncommon. An attacker could bruteforce this password fairly quickly. By attaching a high entropy salt, you make this infeasible.
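
The thread's one-shot `sha256sum` pipeline next to a key-stretched variant, as an added example that is not part of any post: it swaps the single hash for scrypt (a key derivation function of the kind linked earlier in the thread), length-prefixes each field, normalises the site name, and adds a rotation counter. The function names, the `username` and `counter` fields, the label and the scrypt parameters are assumptions of this example.

```python
import base64
import getpass
import hashlib

# scrypt work factors: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
LABEL = b"example-site-password-v1"  # hypothetical domain-separation label


def fast_derive(site: str, master: str, length: int = 18) -> str:
    """Same bytes as: echo "[$site][$master]" | sha256sum | cut -c-18"""
    line = f"[{site}][{master}]\n".encode("utf-8")  # echo appends the newline
    return hashlib.sha256(line).hexdigest()[:length]


def _field(value: str) -> bytes:
    """Length-prefix a field so adjacent fields cannot run into each other."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def slow_derive(site: str, username: str, master: str,
                counter: int = 1, length: int = 20) -> str:
    """Deterministic site password from a memory-hard KDF.

    The site name is trimmed and lower-cased so "Example.com " and
    "example.com" give the same result; bump `counter` to rotate one
    site's password without changing the master password.
    """
    salt = (LABEL + _field(site.strip().lower()) + _field(username)
            + counter.to_bytes(4, "big"))
    key = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=32)
    # URL-safe base64 gives 6 bits per character; 20 characters = 120 bits.
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def main() -> None:
    site = input("Site: ")
    username = input("Username: ")
    # getpass does not echo, and nothing secret lands in shell history
    master = getpass.getpass("Master password: ")
    print(slow_derive(site, username, master))


if __name__ == "__main__":
    main()
```

A site password that leaks in plaintext still lets whoever holds it test master-password guesses offline; the KDF only raises the cost of each guess, so the master password's own entropy remains the limit.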


 No.1020463>>1020479

>>1020461

>he can't memorize more than 32 bits worth of entropy

>he doesn't know what a salt is

You're retarded. Why don't you leave out the password if it has a negligible amount of entropy and instead just use your "secret salt"?

Oh right. This means your password is now saved on disk and your algorithm is public. At this point it's better to just use a password.txt file.

Protip: Think up a random sentence. Congratulations! You now have a high entropy password.


 No.1020479>>1020485 >>1020569

>>1020463

>think up a random sequence

>never write down the random sequence

>oh shit I forgot one of the 32 alphanumeric characters

>oh shit I'm locked out of all my websites

here's a better protip: write down half of the password, memorize the other half. Now you have something that is useless to someone who finds it lying around, and also next to impossible to bruteforce.

>but muh algorithm

your algorithm has a certain amount of entropy as well nigger, and probably only a couple bits at that. Now you have something even harder to memorize and type in for no reason.

>>he doesn't know what a salt is

protect you from rainbow tables. Same difference though.


 No.1020485

>>1020479

>being this retarded

i have no words


 No.1020487

>>1020079

>what is a keylogger


 No.1020569>>1020571 >>1026588

>>1020461

>The master password only contains as much entropy as you can memorize. ~32 bits wouldn't be uncommon. An attacker could bruteforce this password fairly quickly.

you can easily memorize password that is impossible to bruteforce, unless you are a nigger. just select 6-7 random words from english dictionary.

>>1020479

>think up a random sequence

>never write down the random sequence

>oh shit I forgot one of the 32 alphanumeric characters

what are you posting, CIA nigger?

he clearly said "random SENTENCE", why are you manipulating that he said SEQUENCE?

if there is 5000 commonly used english words, if you select 6 random words, that gives us 5000*5000*5000*5000*5000*5000 = 15625000000000000000000 combinations.

it's very easy to remember 6 words. you can even use more words than 6. it is impossible to brute force by CIA or even by aliens.

if you cannot remember 6 words then your nigger brain is too damaged by drugs.

>here's a better protip: write down half of the password, memorize the other half. Now you have something that is useless to someone who finds it lying around, and also next to impossible to bruteforce.

fuck you CIA with your shit advice

it is hard to memorize 10-15 good passwords. instead, you should memorize 1-3 great master passwords, use them for your HDD encryption, password manager (or passwords.txt file), etc


 No.1020571

>>1020569

example of strong password:

Dark nigger entered a room with yellow jews and gassed them they turned into special magical soap

even stronger password:

january obscure fag using and they cup technology of medical nerve mode options kids

the second one uses less words but they are randomly chosen. the first is also strong but it's easier to remember as it's sentence-like

you can even use less words, just 6-7 and it's already strong password. but the more words the stronger it is


 No.1020741>>1022994 >>1023019

Just use the script itself as salt. Changes to it will make it generate wrong results. Trying to copy it without copying it exactly (down to every space) will make it produce wrong results. There you go.


 No.1022796

>>1020079

This guy is correct. Running network-based applications as a separate user is actually the simplest, most straightforward way to sandbox applications. If you use sudo, you don't even have to log out.

>>1020067

>>1019849

Even if someone gains access to your system, an encrypted database is still safer than a plain text file, as it has to be decrypted in some way. I don't see a reason to do away with encryption altogether, you gain nothing by doing this.


 No.1022808>>1022814

>>1020079

For comfort, you can also set up folders with appropriate owner and group permissions, for example let the browser-user and other sub-users read configuration files from a shared themes folder etc. the configuration files in their home directory are symlinked to but only let your main account write to those files. It's not even complicated, you can set that all up once and then write a script you start the programs via sudo with and then pretty much forget about it. This is also all stuff that has been in the *nixes since forever and is very simple. They were designed as and are multi-user operating systems. Use that feature.

My browser runs under its own user but visually there's zero indication it does. The only problem is X which cannot isolate stuff fully. For example, your browser process could read all IDs and window titles of other processes running on the X-Server and also the keyboard and mouse events when you type something into a different window, for example a password. Everything is shared there, and by default every process is trusted.

You could use programs like Xephyr then to sandbox, or run the browser in its own X-Server in a virtual framebuffer you VNC to. Granted it gets kinda complicated here and I don't bother with all that. X does have isolation in its SECURITY extension with which it can make a difference between "trusted" and "untrusted" programs (which then don't get to read those resources) but most programs (mainly web browsers, -surprise surprise=running chrome untrusted makes it crash-) don't play nice with it since these features weren't taken into account.

Then in Linux there's also namespaces where you can isolate processes into their own virtual view of the system, for example don't let a running process see any other process on the system or put it into its own network namespace that can't see the network connection to avoid it calling home. Or combine network namespaces with tor or openvpn so processes in the "tor" or "vpn" namespaces literally can't accidentally connect via your direct network connection because they cannot even see them. These are all simple features the kernel brings with it and only need a few lines of scripting to use. This actually helps securing your system. Encrypting a password into some database while all that other stuff isn't taken care of doesn't.


 No.1022814>>1022820

>>1022808

tl;dr fagg0t


 No.1022820>>1022831


>>1022814

If you want your Linux to be secure, you have go get rid of all the suid bits, Joey.


 No.1022828

Here's what I use to generate my passwords:

openssl rand -base64 32 (you can replace 32 with a bigger or smaller number)

Then I input my passwords into my HP 200LX which travels with me everywhere.


 No.1022831>>1022988

>>1022820

Nope. It means getting rid of everything written in an unsafe language.


 No.1022842>>1022860

Use a password manager on an airgapped phone/laptop/tablet

/thread


 No.1022860>>1022865

>>1022842

The brain it is then.


 No.1022865

>>1022860

Shillbots don't have brains


 No.1022961

>>1020079

I think you can achieve close to 100% security by storing your keys on an airgapped, networking-disabled machine. Paper is vulnerable to burglars and guests who might enter your home. This might matter if you use it to store important banking shit or cryptocurrency seeds.


 No.1022973>>1022987

Store your keys in your brain, and then blow your brains out with a shotgun.

Nobody will ever get your passwords, problem solved.


 No.1022987

>>1022973

>Nobody will ever get your passwords, problem solved.

except for the fact that your passwords are probably really shit


 No.1022988>>1023019

>>1022831

"Everything" means the Linux kernel, C libraries, compilers, and most software packages. Frankly at that point you might as well just write an entirely new OS with its own dev tools, web browsers, etc. all from scratch. And don't do it on x86 full botnet hardware.


 No.1022994>>1023019

>>1020741

Better, salt it with the script contents and the script's full path concatenated somewhere. That way a perfect copy of the file would also have to be placed in the same directory structure to get the same salt.


 No.1023019

>>1022988

That's exactly what I meant.

>>1020741

>>1022994

>LARPers doing cryptography

You're embarrassing yourselves,


 No.1023117

Here's a reality check for you.

Password managers are only as secure as your system is, the only benefit that they bring is that you can store the database offsite if you want to, since it's encrypted.

If you use a password manager but don't have database backups in some form of open storage (unencrypted drive, cloud) then you're just indulging in security theater and might as well keep them in a plain text file to save yourself the time to open a database.


 No.1023235>>1023544

nah the password manager will totally make it safe, it uses encryption and shit, like in the movies, no need to think about threat models and security concepts. That shit is for nerds.

I swear to god every time the word "encryption" drops, everyone's IQ just drops by ten points. Encryption by itself is not the end-all and by itself is absolutely meaningless. Not even only just for storing passwords.


 No.1023251

This thread has really brought out all the hardnosed tech retards. Look knuckleheads, if encrypting passwords was so stupid, why do you use the /etc/shadow or /etc/master.passwd files for just this? Why do you use ssh passwords and/or keys that end up being stored on one or several computers with network access? (yes even the private key gets stored on your disk, or the shit wouldn't work).


 No.1023542>>1024252

>>1019117

>cant memorize complex passwords

Why do you even try to be sneaky then?


 No.1023544>>1023546

>>1023235

Yeah dude, let's just do away with encryption altogether! Why not tell every single company in the world to store passwords in plaintext too, right? After all, if they get """hacked""", they are fucked anyway amirite?


 No.1023546

>>1023544

>strawmanning this hard


 No.1024248

doesnt most ((groups)) that are a problem already have cia backdoor programs anyway?


 No.1024252

>>1023542

if you're so smart why do you need a computer? just do it all in your head


 No.1024318>>1024325


 No.1024325

>>1024318

>gpg2

dropped


 No.1024691>>1024748

How bad is seahorse?


 No.1024748>>1025099


 No.1025041>>1025058 >>1025108 >>1025367

>>1019113 (OP)

>password manager

what could possibly go wrong?

if someone is retarded enough for that, they deserve 100% of it.

it's like morons who get surprised about all the privacy breach, and creeping overreach, despite being warned, even though they should even need to be warned.

naivete is consented stupidity, plain and simple.

if you fall for that shit, you'll get fucked, and we WILL laugh at you.


 No.1025058

>>1025041

>this is what the average /tech/ LARPer thinks


 No.1025099

>>1024748

>doesn't give any information, not even a link

fag


 No.1025103

Reminder to store your passwords on the cloud like a good goy.

https://blog.mozilla.org/internetcitizen/2017/01/25/better-password-security/


 No.1025108

>>1025041

Not everyone has to remember their PornHub password only, dear Mr. password123.


 No.1025119>>1025120

>>1019127

it's offline, it's open source, I don't see the flaw with it. I do not trust their random password generator tho, so I wrote my own.


 No.1025120>>1025185

>>1025119

>I don't see the flaw with it.

It is written in an unsafe language.


 No.1025185

>>1025120

you're retarded, the sites you are logging into are written using unsafe languages and being stored in unsafe databases run on unsafe hardware.

keep your pw file on a USB drive and unplug it when not in use. this way, you can have 30+char unique passwords for every account. link your accounts to an email server you run that you coded in whatever "secure" language you want and whatever "secure" hardware you want.


 No.1025200

Pfft. Just use iCloud Keychain. I don't even need to remember shit, just a glance on my phone camera authenticates my identity and autofills all my passwords!


 No.1025354

I can be your guys' password manager


 No.1025367>>1026064

>>1025041

Seeing some twitter furry tout password managers made kek, then the true stupidity hit me like yet another wave of suicidal depression.


 No.1026064

>>1025367

rejoice in the knowledge of the following furfagocaust.

There is no sweeter words to utter than "I told you so".


 No.1026069

>>1019155

>>1019125

You can use a yubikey with keepassxc. The unlock code changes each time you save the database.


 No.1026131

i see recommendations for keepassxc...is keepass pozzed? should i migrate to xc?


 No.1026516>>1026551 >>1026564 >>1026850

>>1019117

>write it in a notepad and leave it on your desk

I did this after hacking the pentagon in 1990.

They raided while I was in the shower, didn't have enough time to tip the book into the shredder under the desk.

They found all the passwords for 7 machines, and I ended up having to work for them for 14 years until they were satisfied. Pay was shit and work was boring too. Mostly attaching trails to lower level hackers so they could be monitored.


 No.1026551

>>1026516

Was the 14 years of work after you taught the computer the only winning move was not to play?


 No.1026556

>>1019117

what if you just write the passwords in a memorised substitution cypher? easy enough to say "nah you fucked it those weren't passwords at all"


 No.1026564

>>1026516

4/10 LARP


 No.1026588>>1026590 >>1026600

>>1020569

>if there is 5000 commonly used english words, if you select 6 random words, that gives us 5000*5000*5000*5000*5000*5000 = 15625000000000000000000 combinations.

>it's very easy to remember 6 words. you can even use more words than 6. it is impossible to brute force by CIA or even by aliens.

>if you cannot remember 6 words then your nigger brain is too damaged by drugs.

If those 5,000 words are in a common online-posted dictionary (like "DiceWare"), and you pick six entries as your password, dark glowers know your entropy is about 73 bits.

To reach 256 bits entropy (or more) using a 5,000 word dictionary, you need to select more than six words. In fact, you need to select twenty-one words.


 No.1026590

>>1026588

Minimum bits of entropy:

Floor( ln( alphabetlen^passwordlen )/ln( 2 ) )

Needed passwordlen for a given number of bits entropy:

Ceiling( ln( 2^bits )/ln( alphabetlen ) )

Where Floor( ) is round down to nearest 1, Ceiling( ) is round up to nearest 1 (if the input isn't a Natural number), and ln( ) is the natural logarithm function.
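
The two formulas from the post above, as an added example that is not part of the thread, checked against the thread's own figures (a 5,000-word list, six words, 256 bits, a ~32-bit master password). It uses exact integer arithmetic instead of floating-point logarithms, so a result that lands exactly on a whole number is never rounded the wrong way; the function names and the guess rate passed to `years_to_exhaust` are assumptions.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_len: int, password_len: int) -> int:
    """Floor(log2(alphabet_len ** password_len)), computed on integers.

    Only valid when every symbol is chosen uniformly at random; a
    sentence somebody "thinks up" has less entropy than this bound.
    """
    if alphabet_len < 2 or password_len < 1:
        raise ValueError("need at least 2 symbols and 1 position")
    # For n >= 1, n.bit_length() - 1 is exactly floor(log2(n)).
    return (alphabet_len ** password_len).bit_length() - 1


def needed_length(alphabet_len: int, bits: int) -> int:
    """Smallest length whose search space is at least 2 ** bits."""
    if alphabet_len < 2 or bits < 1:
        raise ValueError("need at least 2 symbols and 1 bit")
    target = 1 << bits
    length, space = 0, 1
    while space < target:
        space *= alphabet_len
        length += 1
    return length


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a given (assumed) guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def thread_figures() -> dict:
    """The numbers argued over in the thread, recomputed."""
    rate = 1e9  # assumed: one billion guesses per second against a fast hash
    return {
        "six words from 5000": entropy_bits(5000, 6),
        "words from 5000 for 256 bits": needed_length(5000, 256),
        "six Diceware words (7776)": entropy_bits(7776, 6),
        "years for 32 bits": years_to_exhaust(32, rate),
        "years for 73 bits": years_to_exhaust(73, rate),
    }


if __name__ == "__main__":
    for label, value in thread_figures().items():
        print(f"{label}: {value}")
```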


 No.1026600>>1026767

>>1026588

>reddit spacing

>256 bits

opinion discarded


 No.1026767>>1026818

>>1026600

>reddit spacing

Gas yourself cuckchan juden!


 No.1026818

>>1026767

ok kiddo

btw you should consider not trying to insult someone in a language you're not proficient in lest you embarrass yourself. it should be 'jude', not 'juden'.


 No.1026850

>>1026516

if they raided your house you were shitfucked anyways. infosec stops mattering when they have physical access. At that point you need to either get a security guard, or git gud so they don't find you in the first place.



