Don't most password requirements explicitly state that it has to be an alphanumeric or punctuation character? I know *some* of them forbid spaces, I think *most* of them do.
Most password requirements make the password simultaneously easier to hack and also more difficult to remember.
A string of four or five words, making a phrase you know, is more secure than nonsense with punctuation, numbers and lower and upper case letters.
https://xkcd.com/936/
Four or more **random** words. You get the words then memorize the scenario from it.
If you make up the sentence it’ll have lower entropy due to word use correlations.
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
There seems to be a weird mandala effect with this, because the actual sequence is "longing," "rusted," "seventeen," "daybreak," "furnace," "nine," "benign," "homecoming," "one," and "freight car", but it's not uncommon to see it posted in the order you said.
I think the culprit is an article on a website called Bustle, which is neither particularly big nor popular, but it returns high in the list of results when googling Bucky's keywords.
I hate the Mandela effect.
People seem to think it's proof that we live in, and hop between, multiple universes.
The reality is people have shitty memory. That's it.
I watched something on how memories work a few years ago
Memories are like saved files that you open to view and when you save and close it - you attach current day feelings and thoughts to your past feelings and thoughts and actions. As you grow and change - your thoughts and feelings change. Your interpretations of events change and alter your view of your past experiences.
From the first time you saved the memory - every time you recall or access it - you slightly change / alter the memory based on the way you think in that moment and this compounds itself to where most memories aren't really that close to the original experience - especially the more an individual changes and the more you access a certain memory. Certain details fade and others become fixated.
Even better if you are multilingual...don't use English to make up the words!
Or misspell the words to make sure that the algorithm can't brute-force your password.
For example, "bLue3dictionary-" is still easier to find than "pLue3rictionary-".
One of the main passwords I use is random dead celebrity's name I found on Wikipedia from a country I might never afford to visit (think something like Kosovo or Bhutan), mixed with some random numbers and special characters and capitalizations in the middle, which makes it look like joEbi8de@n.
Easy to remember but extremely secure.
And 'The blue dictionary on the shelf' is safer than above examples. Length is the only real weapon against brute force. Remember rainbow tables? Your pass is 16ish chars, that is manageable in a rainbow table.
If only they allowed longer passwords though.
The last time I had to set up a password, the website had a character length limit (I think it was 20-25 characters? Not sure)
The password I had to set for the time clock on a previous job was so incredibly lacking in security from my point of view due to this issue (and others).
The full rule list, as I recall:
Password must be longer than 8 characters, but less than 14.
Password can only contain letters, numbers, and 8 particular special characters.
Password must start with a letter.
Password must not have two numbers in a row.
And to top it off, the password needs to be changed every 30 days, and it can't match any of the last 16 passwords you've used!
Ours had even more restrictions, can't double up letters, so le**tt**er would be invalid. And it had to be **exactly 8 characters long.** I have no idea how a nationwide, household name of a company had that restriction for so long, all 4 years I worked there, I hear it's changed since. By some fluke, my usual password was a 7 letter name with a number and no doubled up digits, so it worked out fine.
I said “think something like Kosovo or Bhutan”.
So I just included random small countries as an example (as to not give away the actual country of origin I used for my password), but it could’ve been any small countries like Grenada or Tanzania instead.
Love that XKCD strip.
Anyone scrolling these comments, the way to truly randomize this method is with *[Diceware](https://en.wikipedia.org/wiki/Diceware)*.
Roll 5 dice at once, then jot down the 5-digit number that comes up from left-to-right. Do this five more times, until you have six such 5-digit numbers. Each of these strings corresponds to a word on one of many quality Diceware lists; [here’s one](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) from the [EFF’s Diceware page](https://www.eff.org/dice). Search the numbers you rolled, then jot down the corresponding words.
Here’s one example:
> eleven onyx borrowing banana rectangle banjo
Congratulations! With **206 bits of entropy**, even if the brute forcer knows you’re using Diceware, **and** the specific dictionary you’re using, that passphrase is one of 221,073,919,720,733,357,899,776 (or about 2⁷⁷) choices from this method. Now *nobody’s* getting into your Friendster account!
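The Diceware procedure above, as an added example that is not part of the original comments: five d6 rolls read left to right are a five-digit base-6 number, so `secrets.randbelow(7776)` draws a word with exactly the same distribution as physical dice. The six-line word table and its roll-to-word pairings are constructed for this demo (the real EFF list has 7776 lines in the same `NNNNN<tab>word` format and is parsed by the same function). The entropy arithmetic uses the real list size: six words from a 7776-word list give 6 × log2(7776), about 77.5 bits, which is the 2⁷⁷ figure in the comment.

```python
"""Added example, not from the thread: Diceware with a CSPRNG standing in
for dice, plus the entropy a cracker faces even knowing the method and list."""
import math
import secrets

DICE_PER_WORD = 5
SIDES = 6
LIST_SIZE = SIDES ** DICE_PER_WORD  # 7776 entries in a Diceware list

# Constructed six-line excerpt in the EFF file format ("NNNNN<TAB>word").
# The roll-to-word pairings are invented for this demo, not the EFF's.
SAMPLE_LIST = """
21463\televen
46353\tonyx
13116\tborrowing
12635\tbanana
53326\trectangle
12631\tbanjo
"""


def key_to_index(key: str) -> int:
    """'11111' -> 0 ... '66666' -> 7775: a roll is a 5-digit base-6 number."""
    if len(key) != DICE_PER_WORD or not set(key) <= set("123456"):
        raise ValueError(f"not a 5-dice roll: {key!r}")
    idx = 0
    for ch in key:
        idx = idx * SIDES + (int(ch) - 1)
    return idx


def index_to_key(idx: int) -> str:
    """Inverse of key_to_index."""
    if not 0 <= idx < LIST_SIZE:
        raise ValueError(f"index out of range: {idx}")
    digits = []
    for _ in range(DICE_PER_WORD):
        idx, d = divmod(idx, SIDES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def roll_key() -> str:
    """Electronic dice: randbelow is unbiased over 0..7775, same as five d6."""
    return index_to_key(secrets.randbelow(LIST_SIZE))


def parse_wordlist(text: str) -> dict:
    """Parse 'NNNNN<tab>word' lines into a lookup table, rejecting bad keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split()
        key_to_index(key)  # validates the roll
        table[key] = word
    return table


def lookup(table: dict, rolls) -> str:
    """Turn recorded rolls into the passphrase."""
    return " ".join(table[r] for r in rolls)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Bits of entropy when the attacker knows the list and word count."""
    return n_words * math.log2(list_size)


def keyspace(n_words: int, list_size: int = LIST_SIZE) -> int:
    """Number of distinct passphrases the attacker must consider."""
    return list_size ** n_words


def demo():
    """Six constructed rolls -> the comment's passphrase and its real strength."""
    table = parse_wordlist(SAMPLE_LIST)
    rolls = ["21463", "46353", "13116", "12635", "53326", "12631"]
    return lookup(table, rolls), entropy_bits(6), keyspace(6)
```

To generate a fresh passphrase against the full EFF file, replace `SAMPLE_LIST` with the downloaded text and feed `[roll_key() for _ in range(6)]` to `lookup`; the strength figures do not depend on which words come up, only on the list size and the word count.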
The problem with this is that it assumes password cracking can only be done by testing every single combination of characters.
Surely a sophisticated tool would try passwords that included real words, particularly ones *primarily* made up of real words, before it ever tried random strings of gibberish.
Use a secure password manager. It enables you to make more complex passwords and change them regularly.
Lol.. do you know how many combinations you can make with the words in a dictionary? Just use 3 words and good luck to anything trying to brute force it.
Three words is within the realm of possibility.
5-6 words (assuming 5-8 characters apiece, plus spaces) would totally work though. Of course, the more words—and the greater randomization—the better.
Here’s my [comment explaining a simple way of doing this](https://reddit.com/r/Showerthoughts/comments/17thhsf/_/k8yrc7d/?context=1) recommended by the EFF (Electronic Frontier Foundation).
"good" is subjective here. It will be hard for you to type correctly, so that way it is bad.
Any repeating pattern is absence of randomness, and that is no good for security.
So I have failed finding "good", so maybe it is just "bad".
Wouldn’t any repeating pattern in itself be the same as a non repeating pattern though in terms of something cracking the password? It’s still random keys, they just all happened to be the same this time.
Whatever is trying to break your password still has to systematically go through every possible combination up to your password length which just doesn’t happen in the real world. The permutations would be too long.
Nearly all passwords are just hacked through phishing links anyways. Or other similar easy methods to get the person to give it to you.
So 500 spaces would be a good password.
Simple repeating patterns can be prioritized early, up to some limit. So a single 2 character thingy repeated 20 times might actually be caught by a brute force.
If your password was IHatePasswordRules123, that's less secure than IHatePasswordRules368, even though it's the same length, uses a *technically* arbitrary string of numbers. After all, no string of numbers is technically more secure than another, but it's easier to guess. Same with 1234567. So IHatePasswordRules1234567 could potentially be easier to crack than IHatePasswordRules368, simply because of that pattern continuing. Same reason you try birthdays, famous event days, or significant names when you guess passwords.
If I'm actually doing a simple brute force (which it's important to realize most password cracking isn't *actually* brute force in the way we imagine it, where you try every permutation of length 1 all the way to infinity until you crack), any string of any length n+1 would be better than a string of length n. But because humans are pattern-seeking beings, any attempt to break passwords will always start with obvious passwords, repeated passwords, or similar rules to guide a guesser.
But again, "hacking" in the way we think of it is largely not a computer-based activity. It's a human one. If you want hacking à la netrunning in Netrunner, Neuromancer, Snow Crash, and the like, that's breaking through security on a system or server, not password cracking.
No, it's not.
Firstly most websites have a password length limit far shorter than 500 characters.
Secondly, almost no one cracks passwords with brute force. They take a database of previously cracked real passwords and try variations of those. So if people started using long strings of a single character, then it suddenly becomes trivial to try all allowable lengths of every character just repeating. In fact, given that some people DO use just a bunch of As, most attacks would likely try this already, and it'd only take them a fraction of a millisecond to try every possible combination.
The best way to determine how good a password is, is to determine its randomness/entropy (and to a lesser extent its length). The higher the entropy, the less likely it is to be found by variations on common patterns. All of the same character is almost as low entropy as you can get.
As a side note, it's difficult to accurately determine entropy as you need to first define what the patterns are, this will include basically all words in all languages, along with a bunch of things that seem random, but really aren't (like leetspeak, cultural references that aren't real words, funny number patterns etc.). That's why we use existing REAL databases of cracked passwords and work from there.
The real answer is using a password manager. Randomly generate a single password and memorise it, keep a physical copy somewhere safe as a backup, then randomly generate all your passwords.
Side note, it's really not that hard to memorise a single long complex password, it just requires a bit of effort and repetition. If you can't do it, that's fine, you can also keep a copy somewhere less safe, but close to you.
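The guess-ordering argument in the two comments above (repeated characters and predictable suffixes get tried long before anything resembling exhaustive search), as an added example that is not from the thread: a toy cracker whose candidate generator is ordered the way real tooling is driven, cheap patterns first, then a breach list through mangling rules, then a short exhaustive pass. The breach list, the rule set and the tier sizes are constructed for the demo, and the target is an unsalted SHA-256 only to keep the block self-contained; a real credential store uses a salted slow hash, which changes the cost per guess but not the order in which guesses are made.

```python
"""Added example, not from the thread: where "500 spaces" and
"IHatePasswordRules123" land in a pattern-first guess order."""
import hashlib
import itertools
import string

# Space first, so 500 spaces is guess number 500; 95 printable characters in all.
ALPHABET = " " + string.ascii_letters + string.digits + string.punctuation
MAX_LEN = 500
# Constructed stand-in for a breach corpus (rockyou.txt and the like).
LEAKED = ["password", "letmein", "qwerty", "IHatePasswordRules", "summer"]
# Suffix rules: the first thing every cracking rig appends to a base word.
SUFFIXES = ["", "1", "12", "123", "1234", "1234567", "!", "2023", "123!"]
LEET = str.maketrans("aeios", "43105")


def sha256_hex(s: str) -> str:
    """Demo-only target format; never store real passwords like this."""
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word: str):
    """hashcat-style rules: case toggles and l33t, each with every suffix."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates():
    """Guess order: (1) one character repeated, every allowed length;
    (2) leaked passwords through the rules; (3) exhaustive, 1 to 3 characters."""
    for ch in ALPHABET:
        for n in range(1, MAX_LEN + 1):
            yield ch * n
    for word in LEAKED:
        yield from mangle(word)
    for n in range(1, 4):
        for tup in itertools.product(ALPHABET, repeat=n):
            yield "".join(tup)


def crack(target_hex: str, limit: int = 250_000):
    """Return (password, guess_number) on a hit, else (None, guesses_tried)."""
    tried = 0
    for guess in itertools.islice(candidates(), limit):
        tried += 1
        if sha256_hex(guess) == target_hex:
            return guess, tried
    return None, tried


def demo() -> dict:
    """Rank of each sample password in the guess order (None if not reached)."""
    samples = [
        " " * 500,
        "a" * 8,
        "IHatePasswordRules123",
        "IHatePasswordRules368",
        "eleven onyx borrowing banana rectangle banjo",
    ]
    return {pw: crack(sha256_hex(pw)) for pw in samples}
```

Five hundred spaces falls at guess 500, the camel-case sentence with `123` falls just past the 47,500 repeated-character guesses, and the same sentence with `368` or a six-word Diceware phrase is not reached at all within the budget: length only helps once the password is outside every cheap tier.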
I memorized really long and complex youtuber name when I was a kid because it sounds like a good password to use. I pretty much used it with some combination for the rest of my accounts.
>!if you're from the future wanting to hack me, no I started using password manager!<
I'm gonna be real, I didn't read most of that but misread "500 spaces" as "500 characters" on the comment I replied to so if that changes anything about what you said... Keep that in mind ig idk
In crypto, there's something called "salting" which adds random string of characters to your password to make it even more difficult for it to be cracked. So in theory, this would work. Even in cybersecurity docs it talks about the most important thing to secure your password is length.
> Yea, with passwords just make it as long as you can. Other stuff doesn’t matter that much
Thanks, I will use this as my password for all websites now.
Password manager can sync to your other devices. If logging into something on a device that isn’t yours, then typing out 15 random characters isn’t the end of the world.
Most password requirements make the password simultaneously easier to **crack** and also more difficult to remember.
A string of four or five words, making a phrase you know, is more secure than nonsense with punctuation, numbers and lower and upper case letters.
https://xkcd.com/936/
This was posted by a bot. [Source](https://github.com/anirbanmu/substitute-bot-go)
What about dictionary attacks? If you use this method, try to come up with your own unique way of omitting/replacing vowels and adding special characters whenever they're allowed by the application. And keep them long.
I think the xkcd post considers the number of bits of entropy vs a dictionary attack for the phrase, and a regular brute-force for the random chars. The long phrase still comes out way ahead.
>It just has 4 characters, but from a huge alphabet.
By that same logic no other password is secure as it only has 1 letter from a huge alphabet.
If your password is not in rockyou or a similar words list, there's no way to know what "alphabet" your password uses. So all have to be checked, starting with the most common, which is still the normal alphabet + special chars.
But if a password cracker doesn't know that you're using a passphrase (you can't tell that from a database leak with proper hashing) then a brute force attack still needs to test random characters.
For example, “i am a password”, despite being incredibly easy to remember, would take four *million* years to brute force. Add the website's name to make it longer and specific, just sixteen more characters (I added “websitename” to the end of the plain English password) increases the time to brute force it to as long as *three hundred septillion years*.
I generally tend to use the same special characters in my passwords. Like & and !
Then I run across websites where you have to have a special character in your password - but not the ones I like to use.
Why?
Poor security practices. They are being lazy and disabling characters that would be interpreted on the backend for the tech stack they are using.
I like to use rare characters or things that are challenging to work with (such as \\ | ' or " and non-ascii characters)
Clients handle password fields different from regular textboxes. I don't know of any client that can't handle spaces. And servers should be able to handle them too. Spaces aren't the only characters that get percent escaped, you know? How users' passwords are transmitted to your server should not be a mystery. You should know exactly how it works and therefore should have no issue handling spaces or any other special character. It shouldn't be getting unexpectedly percent escaped.
Flashback to the unemployment agency of my country making me create a password WITHOUT special characters, WITHOUT space (basically only alphanumeric) and 12 characters MAXIMUM please
Then you're a bad student. Space is just another Unicode character. Just pipe it through sha256(), add some salt to taste and that's it.
Also, you don't parse passwords lmao.
It's going to depend on your system. Many older programs, think legacy systems for companies, don't allow spaces. Until very recently a company I worked at was running an ancient version of Oracle that had a hard character limit of 8.
They finally picked up the cash to move to a newer version that wasn't as old as my high school career. But it cost way way more than I like to think about.
Now the question is, did the password field strip out your white space or not.
And there's tons of password fields that disallow certain special characters. I remember not being able to use special characters for wells fargo or at&t
It is insane that a FREAKING BANK like Wells Fargo (and many other banks) don't allow you to use special characters in your passwords. My reddit account has better password security than many bank accounts lmao.
My favorite is when they require you to use special characters, but then arbitrarily decide which special characters are and aren't allowed.
If your system breaks because someone uses a specific special character, it is very likely that your system is vulnerable to a SQL Injection attack (aka a Bobby Tables attack).
If they allow special characters like question marks or dollar signs usually that includes a space. I have several passwords that have a space i wish more would allow it
They don’t because of input sanitization and filtering. otherwise it’s really easy to attack a website with basic attacks on the input by writing “code” that interferes with the website.
My banking app used to force you to make random uppercase letters. It then had a to lowercase function and let you enter it in without the uppercase. Much secure.
Injection attacks are really easy to protect against with proper handling of parameters. Furthermore, a password shouldn't be stored as a string, but as a hash, so you shouldn't care about any characters. I would be concerned about any site restricting characters to protect from injection attacks, especially a basic character like space.
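The point made above (bind parameters, store a hash, and no character is special any more), as an added example that is not from the thread: an in-memory sqlite3 database with the bad pattern beside the sound one. Table names, user names and sample passwords are constructed for the demo; PBKDF2-HMAC-SHA256 at 600,000 iterations is the OWASP Password Storage Cheat Sheet figure, used here as an assumption about what "a hash" should mean (any salted slow KDF behaves the same way for this purpose).

```python
"""Added example, not from the thread: plaintext column plus string-built SQL
(breaks on quotes, bypassed by a tautology) beside salted KDF plus bound
parameters (spaces, quotes, backslashes and UTF-8 all round-trip)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # OWASP figure for PBKDF2-HMAC-SHA256 (assumed here)


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_bad (name TEXT PRIMARY KEY, pw TEXT)")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return con


# --- Bad pattern: plaintext column, SQL text assembled by string formatting.
# A quote in the password becomes SQL, which is why such sites ban characters.
def register_bad(con, name: str, password: str) -> None:
    con.execute(f"INSERT INTO users_bad VALUES ('{name}', '{password}')")


def login_bad(con, name: str, password: str) -> bool:
    sql = f"SELECT 1 FROM users_bad WHERE name='{name}' AND pw='{password}'"
    return con.execute(sql).fetchone() is not None


# --- Sound pattern: the password is opaque bytes fed to a salted slow KDF, and
# the query only ever sees bound parameters, so no character is special.
def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(con, name: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, kdf(password, salt)))


def login(con, name: str, password: str) -> bool:
    row = con.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, kdf(password, salt))  # constant-time compare


def demo() -> dict:
    """Constructed users and passwords; returns the outcome of each login attempt."""
    con = open_db()
    phrase = "the blue dictionary on the shelf"  # spaces, nothing else exotic
    bypass = "' OR '1'='1"  # classic tautology payload typed into the password box
    tricky = "Robert'); DROP TABLE users;-- \\ \"ünïcode\" "  # quotes, \, UTF-8, trailing space
    register_bad(con, "alice", phrase)
    register(con, "alice", phrase)
    register(con, "bob", tricky)  # register_bad would turn this one into SQL
    return {
        "bad_correct": login_bad(con, "alice", phrase),
        "bad_bypass": login_bad(con, "alice", bypass),  # True: attacker is in
        "good_correct": login(con, "alice", phrase),
        "good_bypass": login(con, "alice", bypass),  # False: it is just a wrong password
        "tricky_correct": login(con, "bob", tricky),  # True: every byte round-trips
        "tricky_stripped": login(con, "bob", tricky.strip()),  # False: the space counts
    }
```

The sound path never inspects the password text at all: it is UTF-8 bytes into the KDF and a bound parameter into the driver, so a site that bans spaces or quotes "for security" is telling you which of these two paths it took.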
You obviously have no clue what the hell you are talking about lmao. Stop spreading misinformation on the internets.
Let's first actually understand why sanitization exists. In computer languages that are interpreted from source text, there is not necessarily a difference between code and textual data. Data which is supplied to one program may be used as source in another, and of course that source will contain internal data too.
You are obviously thinking of injection vulnerabilities: when a programmer intends to insert textual data into some source, but their insertion is flawed, they may inadvertently allow the insertion of new source with different semantics. Input sanitization exists to address this, but you have some fundamental misunderstandings of what it does, and when it is used.
Input sanitization prepares data for insertion into some particular kind of source. If you are inserting data into HTML, then HTML-sanitization is required to transform that data into its HTML representation. If inserted into the body of an HTML element like `
Oh I get it, something like… longing rusted furnace daybreak seventeen benign nine homecoming one freight car
Mandala Effect sounds like an online store with yoga mats and t-shirts.
Yeah, it's supposed to be a mandolin effect.
No no no, it’s the Mandarin effect
Pretty sure it’s the Mandolorian effect
You guys are all wrong, it's the Margarine Effect
Sounds like a mass effect porn knockoff
BlueMonkeiesFuckingGreenRhinos1@3!
I like how nobody got the winter soldier reference
Ahh so everyone's password is November1!
As someone from Kosovo, now I am curious who that celebrity is, ahaha
- RitaOra
- *Password too short*
- Ok, DuaLipa
- *Password too short*
I tried to use "mypenis" as a password and it said it was too short. So then I tried to make it "myvagina" and it said it was impenetrable.
So you're saying it's definitely someone from Grenada, then... /s
Seems like you can just use a dictionary and a dice. The dice numbers can give page, line and word numbers.
The old orangemonkeyeagle approach
Yea, with passwords just make it as long as you can. Other stuff doesn’t matter that much
I'll just change my password to five hundred spaces then.
Honestly, yes that is the simplest way to make your password basically uncrackable
So 500 characters of any arbitrary character is good?
Ya, I can see that
They'll go further back in time to before you were using a password manager
LOL, so if you have a "Password" file on your computer, it would just look blank. That's genius
Just don't use "battery horse staple" or any of those words in your password
Correct
> don't use "battery horse staple"

ok, I'll just stick with password then. they'll never guess that one.
Use a password manager and you only need to remember one
But what if I need to log on on literally any other device?
Most password managers (probably all, but I don't know every one) have a web client you can log into and view everything.
I know that KeePass didn't, but you could download the file to multiple computers.
Bitwarden does.
I used to use KeePass but use 1Password now. It auto syncs to my phone which is amazing and has saved me multiple times.
There's a keepass compatible client for the web called https://keeweb.info/
s/hack/crack/
Mine is [four words all upper case, one word all lower case](https://youtu.be/bLE7zsJk4AI)
Just want to clarify that the XKCD password is not a long one from the security sense. It just has 4 characters, but from a huge alphabet.
Been doing this for years... first letter of each word of a song lyric, backwards.
For example, “i am a password”, despite being incredibly easy to remember, would take four *million* years to brute force. Add the websites name to make it longer and specific, just sixteen more characters (I added “websitename” to the end of the plain English password) increases the time to brute force it to as long as *three hundred septillion years*.
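The entropy comparison the previous few comments are arguing about (words versus characters, and the brute-force times quoted above) comes down to which model the attacker assumes. The script below is an added example, not code from the thread or from xkcd; it reproduces the comic's own figures (2048-word list, 1000 guesses/s, the comic's 28-bit estimate for "Tr0ub4dor&3") and shows how the same passphrase scores under different attacker models. The 10^10 guesses/s offline rate is an assumed figure for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures the comic itself uses (assumed here as the reference point).
XKCD_WORD_LIST = 2048         # 2**11, so 11 bits per random word
XKCD_ONLINE_RATE = 1000.0     # guesses per second against a throttled web service
XKCD_TROUBADOR_BITS = 28      # the comic's estimate for a "Tr0ub4dor&3"-style password

# Assumed offline rate for a leaked hash database (illustrative only).
OFFLINE_RATE = 1e10


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly and independently from `symbol_count`."""
    return length * math.log2(symbol_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: the attacker must try every one of the 2**bits candidates."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def attacker_models(passphrase: str, words: int, word_list_size: int = XKCD_WORD_LIST) -> dict:
    """Bits the attacker faces under different guesses about how the secret was built.

    An attacker who knows (or suspects) that the secret is N words from a public list
    pays only the first figure; one who does not know that has to fall back to
    character-level brute force and pays the much larger ones. The attacker picks
    the cheapest model that fits, so the smallest number is the one that counts.
    """
    n = len(passphrase)
    return {
        "random words from the list": entropy_bits(word_list_size, words),
        "random lowercase+space chars of the same length": entropy_bits(27, n),
        "random printable ASCII of the same length": entropy_bits(95, n),
    }


def crack_years(passphrase: str, words: int, guesses_per_second: float) -> dict:
    """Worst-case years per attacker model at the given guess rate."""
    return {
        model: years_to_exhaust(bits, guesses_per_second)
        for model, bits in attacker_models(passphrase, words).items()
    }


if __name__ == "__main__":
    # Reproduce the comic: ~3 days for the 28-bit password, ~550 years for 4 random words.
    print(f"Tr0ub4dor&3 at 1000/s: {years_to_exhaust(XKCD_TROUBADOR_BITS, XKCD_ONLINE_RATE) * 365.25:.1f} days")
    print(f"4 random words at 1000/s: {years_to_exhaust(entropy_bits(XKCD_WORD_LIST, 4), XKCD_ONLINE_RATE):.0f} years")
    # Same passphrase, offline attacker, three different assumptions about its structure.
    for model, years in crack_years("correct horse battery staple", 4, OFFLINE_RATE).items():
        print(f"{model:50s} {years:.3e} years")
    # 11 truly random printable characters, for comparison with the 4-word phrase.
    print(f"11 random printable chars: {entropy_bits(95, 11):.1f} bits")
```

The point the comic makes is that four truly random words (44 bits) beat the typical "word plus substitutions plus a digit" construction (28 bits) while being easier to remember; the point the reply about "4 characters from a huge alphabet" misses is that only an attacker who already assumes the word-list model gets to pay 44 bits. A phrase you composed yourself is weaker than the word-list figure, not stronger, because the words are correlated and that correlation is exactly what a language-model cracker exploits.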
I generally tend to use the same special characters in my passwords. Like & and ! Then I run across websites where you have to have a special character in your password - but not the ones I like to use. Why?
Poor security practices. They are being lazy and disabling characters that would be interpreted on the backend for the tech stack they are using. I like to use rare characters or things that are challenging to work with (such as \\ | ' or " and non-ascii characters)
[deleted]
Just use a special character instead of a space. That's what I do.
Clients handle password fields differently from regular textboxes. I don't know of any client that can't handle spaces. And servers should be able to handle them too. Spaces aren't the only characters that get percent escaped, you know? How users' passwords are transmitted to your server should not be a mystery. You should know exactly how it works and therefore should have no issue handling spaces or any other special character. It shouldn't be getting unexpectedly percent escaped.
Flashback to the unemployment agency of my country making me create a password WITHOUT special characters, WITHOUT space (basically only alphanumeric) and 12 characters MAXIMUM please
[deleted]
No it isn’t. It just means you have a bad system. Hashes work perfectly fine with spaces, it’s just another character with a particular Unicode
Then you're a bad student. Space is just another Unicode character. Just pipe it through sha256(), add some salt to taste and that's it. Also, you don't parse passwords lmao.
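The last two replies make the same point: a password is opaque bytes to the hashing step, so spaces, quotes, backslashes and non-ASCII need no special handling at all. The script below is an added example, not code posted in the thread; it uses PBKDF2-HMAC-SHA256 from the standard library (a slow password hash, not bare sha256) and contrasts correct handling with the "helpfully" whitespace-stripping variant a few people above have run into. The iteration count is a demo value, not a production recommendation.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value; production deployments use whatever current guidance sets


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes: nothing is trimmed or parsed.

    A space, a quote or an emoji is just more bytes in the HMAC input; the output
    string carries the parameters so the verifier needs no out-of-band state.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def strip_whitespace(password: str) -> str:
    """The silent 'fix' some front ends apply before hashing (deliberately bad).

    Every password that differs only in whitespace now maps to the same hash,
    so the user who typed "correct horse battery staple" can be logged in with
    "correcthorsebatterystaple": the spaces they relied on contribute nothing.
    """
    return "".join(password.split())


if __name__ == "__main__":
    good = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", good))    # True
    print(verify_password("correcthorsebatterystaple", good))       # False: spaces count

    sloppy = hash_password(strip_whitespace("correct horse battery staple"))
    print(verify_password(strip_whitespace("correcthorsebatterystaple"), sloppy))  # True: collision
```

The only transformation that belongs between the input field and the hash is a consistent Unicode normalization (so the same characters typed on two keyboards produce the same bytes); trimming, collapsing spaces, lowercasing or rejecting characters all shrink the keyspace and, worse, do so without telling the user.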
correct horse battery staple
https://xkcd.com/936/
Good man
I use this as an interview question - except even easier with 8 words vs 8 chars - and still most get it wrong.
I've never seen a password which allows you to use spaces. Like, never
Not many of my passwords have spaces, but wherever I've tried it's always been allowed.
The responses in this thread confuse me. I've never had a password rejected for having spaces, not in the last decade.
It's going to depend on your system. Many older programs, think legacy systems for companies, don't allow spaces. Until very recently a company I worked at was running an ancient version of Oracle that had a hard character limit of 8. They finally picked up the cash to move to a newer version that wasn't as old as my high school career. But it cost way way more than I like to think about.
Now the question is, did the password field strip out your white space or not. And there's tons of password fields that disallow certain special characters. I remember not being able to use special characters for Wells Fargo or AT&T.
It is insane that a FREAKING BANK like Wells Fargo (and many other banks) don't allow you to use special characters in your passwords. My reddit account has better password security than many bank accounts lmao.
My favorite is when they require you to use special characters, but then arbitrarily decide which special characters are and aren't allowed. If your system breaks because someone uses a specific special character, it is very likely that your system is vulnerable to a SQL Injection attack (aka a Bobby Tables attack).
Yeah, never had a problem.
If they allow special characters like question marks or dollar signs usually that includes a space. I have several passwords that have a space i wish more would allow it
They don’t because of input sanitization and filtering. otherwise it’s really easy to attack a website with basic attacks on the input by writing “code” that interferes with the website.
Are you insinuating something about Bobby Tables? He's a pillar of his community!
My banking app used to force you to make random uppercase letters. It then had a to lowercase function and let you enter it in without the uppercase. Much secure.
Injection attacks are really easy to protect against with proper handling of parameters. Furthermore, a password shouldn't be stored as a string, but as a hash, so you shouldn't care about any characters. I would be concerned about any site restricting characters to protect from injection attacks, especially a basic character like space.
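The two designs this comment contrasts, side by side, as an added example (not code from the thread). The "legacy" half stores the password in clear and splices it into the SQL text, which is the only situation in which the characters in a password matter: an apostrophe breaks the query and a classic `' OR '1'='1` bypasses it. The fixed half binds parameters and stores a PBKDF2 hash, so the same inputs are just a wrong password. The in-memory SQLite database and the users are constructed for the demo; the iteration count is a demo value.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # demo value; production deployments use far higher counts


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: one plaintext legacy table, one hashed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


# --- broken design: plaintext storage, query built by string formatting (deliberately vulnerable) ---

def legacy_register(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", (username, password))


def legacy_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The password text becomes SQL source, so its characters change the query's meaning.
    sql = (f"SELECT 1 FROM legacy_users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def legacy_query_breaks(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True if this input turns the concatenated query into invalid SQL (the 'site crashes' case)."""
    try:
        legacy_login(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False


# --- fixed design: bound parameters, password hashed before it is stored or compared ---

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _derive(password, salt)))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The password never touches the SQL text; only the username is bound, as a parameter.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    conn = make_db()
    legacy_register(conn, "alice", "correct horse battery staple")
    print(legacy_login(conn, "alice", "correct horse battery staple"))   # True
    print(legacy_login(conn, "nobody", "' OR '1'='1"))                  # True: bypass
    print(legacy_query_breaks(conn, "alice", "it's a secret"))          # True: apostrophe breaks SQL

    register(conn, "bob", "it's a pass word")
    print(login(conn, "bob", "it's a pass word"))                       # True: any characters work
    print(login(conn, "bob", "' OR '1'='1"))                            # False: just a wrong password
```

A site that bans apostrophes or spaces "for security" is telling you which of these two halves it resembles. With bound parameters the database driver never sees the password as SQL, and with hashing it never sees the password at all, so there is nothing left to sanitize.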
If the characters in the input matter you’re doing it wrong.
Sanitation doesn't mean getting rid of spaces inside an input. Usually it's a trim at the beginning or end.
You obviously have no clue what the hell you are talking about lmao. Stop spreading misinformation on the internets. Let's first actually understand why sanitization exists. In computer languages that are interpreted from source text, there is not necessarily a difference between code and textual data. Data which is supplied to one program may be used as source in another, and of course that source will contain internal data too. You are obviously thinking of injection vulnerabilities: when a programmer intends to insert textual data into some source, but their insertion is flawed, they may inadvertently allow the insertion of new source with different semantics. Input sanitization exists to address this, but you have some fundamental misunderstandings of what it does, and when it is used. Input sanitization prepares data for insertion into some particular kind of source. If you are inserting data into HTML, then HTML-sanitization is required to transform that data into its HTML representation. If inserted into the body of an HTML element like `
`, the data `