lvxferre

@lvxferre@mander.xyz

The catarrhine who invented a perpetual motion machine, by dreaming at night and devouring its own dreams through the day.


lvxferre, (edited )

TL;DR: your statements are incorrect and you’re being assumptive.

Steps 2 and 3 of your method already make it way too hard to remember

Step 2 is “hard”? Seriously??? It boils down to “first letter of each word, as it’s written, plus punctuation”.

Regarding step 3, I’ll clarify further near the end.

Just pick like 6 random, unconnected, reasonably uncommon words and make that your entire password

That’s a variation of the “correct horse battery staple” method. It works with some caveats:

  1. Your method does not scale well at all. If you try to harden it further, by using more words, you hit Miller’s Law. My method however scales considerably better because there’s some underlying meaning (for you) on what you’re using to extend the password further.
  2. Even in English, a language that typically uses short words, your method requires ~30 characters per password. Larger and less dense passwords are actually an issue because some systems have a max password size, like Lemmy (60 chars max). My method however uses fewer characters to output the same amount of entropy.
  3. The less common the word, the more useful it is for a password, and yet the harder it is to remember. With synonyms and near-synonyms making it even harder. Typically less common words are also longer, making #2 even more problematic.

The average English speaker has about 20k words in their active vocab, so if you run the numbers there’s more entropy in that than in your 11 character suggestion.

I’ll interpret your arbitrary/“random” restriction to English as being a poorly conveyed example. Regardless.

The suggestion is the procedure. The 11-character password is not the suggestion, but an example, clearly tagged as such. You can easily apply this method to a longer string, and you’ll accordingly get a larger password with more entropy, it’s a no-brainer.

For further detail, here’s the actual maths.

  • Your method: 20k states/word (as you specified English). log₂(20k) = 14.3 bits of entropy. For six words, as you suggested, 86 bits. The “capitalise the first” and “add 1 to the end” rules do nothing, since systematic changes don’t raise entropy.
  • My method: at least 70 states/char (26 capital letters, 26 minuscule letters, 10 digits, ~8 punctuation marks); log₂(70)=6.1. Outputs the same entropy as yours after 14 chars or so.

Now, regarding step #3. It does increase the amount of entropy a little. But the main reason that it’s there is another - plenty of systems refuse passwords that don’t contain numbers, and some even catch on to your “add 1 to the end” trick.

EDIT: I did a major rewording of this comment, fixing the maths and reasoning. I’m also trying to be less verbose.
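Added example, not part of the comment above or of anyone's posted code: the entropy figures quoted in these comments recomputed in Python, plus step 2 of the method as the page describes it, run on the Ozymandias line that the method's own description uses. The function names are made up for this illustration, and the per-character figure assumes every character is drawn independently and uniformly from 70 symbols, as the comment does.

```python
import math
import string


def acronym(quote: str) -> str:
    """Step 2 as described on the page: first letter of each word,
    capitalisation kept, punctuation attached to the word kept."""
    out = []
    for word in quote.split():
        letters = word.strip(string.punctuation)
        start = word.find(letters) if letters else len(word)
        out.append(word[:start])                  # leading punctuation
        out.append(letters[:1])                   # first letter, case preserved
        out.append(word[start + len(letters):])   # trailing punctuation
    return "".join(out)


def entropy_bits(states: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `states` options."""
    return length * math.log2(states)


def chars_to_match(target_bits: float, states: int) -> int:
    """Smallest number of uniform picks from `states` reaching target_bits."""
    return math.ceil(target_bits / math.log2(states))


if __name__ == "__main__":
    quote = "Look on my Works, ye Mighty, and despair!"
    print("acronym:", acronym(quote))

    six_vocab_words = entropy_bits(20_000, 6)   # 20k-word vocabulary, 6 words
    six_eff_words = entropy_bits(7_776, 6)      # EFF list size quoted on the page
    print(f"6 words from 20k: {six_vocab_words:.1f} bits")
    print(f"6 words from EFF list: {six_eff_words:.1f} bits")

    # 70 states/char is the comment's figure; uniform and independent
    # characters are an upper bound for a string derived from a quote.
    print(f"bits per char at 70 states: {math.log2(70):.1f}")
    print("chars to match 6 vocab words:", chars_to_match(six_vocab_words, 70))
```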

lvxferre, (edited )

For people who have a really hard time with #2 (memorable passwords), here’s a trick to make good passwords that are easy to remember but hard to guess.

  1. Pick some quote (prose, lyrics, poetry, whatever) with 8~20 words or so. Which one is up to you, just make sure that you know it by heart. Example: “Look on my Works, ye Mighty, and despair!” (That’s from Ozymandias)
  2. Pick the first letter of each word in that quote, and the punctuation. Keep capitalisation as in the original. Example: "LomW,yM,ad!"
  3. Sub a few letters with similar-looking symbols and numbers. Like, “E” becomes “3”, “P” becomes “?”, you know. Example: “L0mW,y3,@d!” (see what I did there with M→3? Don’t be too obvious.)

Done. If you know the quote and the substitution rules you can regenerate the password, but it’ll take a few trillion years to crack something like this.

  1. Home Remedies for Appendicitis // If you’ve ever had appendicitis, you know that it’s a condition that requires immediate medical attention, usually in the form of emergency surgery at the hospital. But when I asked “how to treat appendix pain at home,” it advised me to boil mint leaves and have a high-fiber diet.

That’s an issue with the way that LLMs associate words with each other:

  • mint tea is rather good for indigestion. Appendicitis → abdominal pain → indigestion, are you noticing the pattern?
  • high-fibre diet reduces cramps, at least for me. Same deal: appendicitis → abdominal pain → cramps.

(As the article says, if you ever get appendicitis, GET TO A BLOODY DOCTOR. NOW.)


And as someone said in a comment, in another thread, quoting yet another user: for each of those shitty results that you see being ridiculed online, Google is outputting 5, 10, or perhaps 100 wrong answers that exactly one person will see, and take as incontestable truth.

lvxferre,

With EFF proposing it (plus xkcd proposing something so extremely similar that they’re likely related), it’s actually worse. If passwords like this get common enough, all that crackers need to do is to bruteforce the words themselves, instead of individual characters.

The EFF list has 6⁵ = 7776 words. If you’re using six of them, you get (7776)⁶ = 2.2*10^23 different states, or 77.5 bits of entropy.

lvxferre,

I’ve run into more password validation prohibiting a 13 character password for being too long than for being too short

This problem is even worse with the method that the EFF proposes, as it’ll output passphrases with an average of 42 characters, all of them alphabetic.

But if you disagree - when do you think 77.5 bits of entropy is insufficient for an end-user? And what process for password generation can you name that has higher entropy and is still easily memorized by users?

Emphasis mine. You’re clearly not reading the comments within their context; do it. I laid out the method. TL;DR: first letter of each word + punctuation of some quote that you like, with some ad hoc 1337speak-like subs.

On how much entropy is enough: 77 bits is fine, really. However, look at the context: the other user brought up this “ackshyually its less enrropy lol” matter against the method that I’ve proposed, and I’ve shown that it is not the case.

lvxferre,

Don’t get me wrong, password managers are fucking great. But sometimes you need to remember a password. (Including one for Bitwarden itself.)

lvxferre,

I don’t know how you’re meant to remember that “Works” and “Mighty” are capitalized

Refer to step 1, please: pick a quote that you know by heart. And you’re still confusing the example with what it exemplifies.

At this rate it’s rather clear that you’re unable to parse simple sentences, and can be safely ignored as noise.

lvxferre,

If they’re going to keep this, they need it to cite its sources at a bare minimum.

Got a fun one for you then. I asked Gemini (likely the same underlying model as Google’s AI answers) “How many joules of energy can a battery output? Provide sources.” I’ll skip to the relevant part:

Here are some sources that discuss battery capacity and conversion to Joules:

  • Battery Electronics 101 explains the formula and provides an example.
  • Answers on Engineering Stack Exchange [invalid URL removed] discuss how to estimate a AA battery’s total energy in Joules.

The link to the first “source” was a made up site, https://gemini.google.com/axconnectorlubricant.com. The site axconnectorlubricant.com does exist, but it has zero to do with the topic, it’s about a lubricant. No link provided for the second “source”.

lvxferre,

It’s called a “law” because it’s a principle behind how something works, not because it would be incontestably true. There are other examples of this, like Haldane’s law having exceptions for fruit flies and ruki law working only partially for Balto-Slavic languages (it works for *u *i, not for *r *k).

In all cases, apparent violations are typically easy to explain, for example in Veblen goods there’s value associated with the price itself, as a status symbol. “Look, I’m rich! I could be paying 10k for this good, but instead I’m paying 100k! Not a big deal~” (translation: “I buy overpriced shite. I’m an idiot and I deserve to be treated as one”).

…sorry for being the unfunny guy who explains the comic. I couldn’t help it.

lvxferre,

In addition to factors already mentioned by other users, I believe that there are also social/cultural reasons for that lack of engagement.

Commenting in Reddit is like stepping on a minefield - no matter how innocuous your comments are, you’re bound to have users there assuming words into your mouth to screech at you. Plus all the “ackshyually”, one-upping, “wah TL;DR!” (i.e. “I’m entitled to an abridged version of what you said, even if you likely spent far more time writing your comment than I would reading it”).

Eventually you say “why bother commenting? Just to get a headache?” and stop commenting altogether.

lvxferre, (edited )

Kind of. In most high traffic spaces it feels simply pointless; as in, nobody will read it.

In Reddit (and Twitter) however it feels like people will read it, misread it, and punish you for what you didn’t say.

lvxferre,

Instantly joined it.

I actually like LLMs and diffusion models. But I’m not going to pretend that the fairly solid criticism, that makes people say “fuck AI!”, is unfounded. Fuck the people developing AI, and marketing it, and shoving it down your throat even when you don’t want it. And also some of the ones using it.

lvxferre,

I’m almost sure that they use the same model for Gemini and for the A"I" answers, so patching the “put glue on pizza” answer for one also patches it for another.

lvxferre,

Yup, first paragraph describes her perfectly. The second one describes my other cat, Siegfrieda the crosswords pro:

https://mander.xyz/pictrs/image/6370d99d-fd06-4b10-8c5d-f3a8dae1f796.jpeg

Bonus points: Kika meowing loudly because she “hunted” something and wants everyone to see it. Typically a pen, some leaf that fell off in the patio, or an empty cig pack (she thinks that the recyclables bin is a toy box).
