Use password manager
Or this 
this post was submitted on 12 Oct 2025
34 points (94.7% liked)
technology
24153 readers
266 users here now
On the road to fully automated luxury gay space communism.
Spreading Linux propaganda since 2020
- Ways to run Microsoft/Adobe and more on Linux
- The Ultimate FOSS Guide For Android
- Great libre software on Windows
- Hey you, the lib still using Chrome. Read this post!
Rules:
- 1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
- 2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
- 3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
- 4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
- 5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
- 6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
- 7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.
founded 5 years ago
MODERATORS
Weak to dictionary attacks. better make it six words
Ya know that's what they say, but I'm not so sure - is your dictionary-based brute-forcer doing strings of three words together? Allowing for interspersed special characters between? The sheer character length of three truly random dictionary words in a row is already staggeringly high amounts of entropy - I'm not sure I need to be worried about an attacker capable of that kind of sheer number-buggery.
I'm sure they are ever since this comic came out. It is a very large amount of entropy, but it is still far, far less than an equivalent amount of random characters. Honestly, you do you. If passwords are properly hashed and password attempts are not unlimited and as fast as possible, you're basically fine.
It's about combinatorics.
On your bikelock you have a 3 character code with and alphabet of 0-9. So 10^3 = 1000 possible combinations.
If you pick 3 random words out of a dictionary with 40k words, there are 40000^3 possible combinations. (64 000 000 000 000).
Depending on how the password is hashed a 1000$ machine might be able to test anywhere from like 10 to 10 000 000 000 000 hashes per second. (100 billion hashes per second are more realistic)
So a 3 word password might be safe for a very very long time or cracked in seconds.
A 4 word password will take 40000 times as long.
What if you just add a letter after each word. Like correct a horse b battery c staple d.
I imagine single letters are in the dictionary, but that would double the amount of words
or proper nouns that arent in dictionaries
What if you mix languages or do they brute force multiple languages at the same time?
I'll be real I tried looking up dictionaries used in attacks, ran into the slightest amount of resistance, and immediately stopped caring. Wikipedia has a list of attacks with links if you want to find out yourself
What if I add Tr0ub4dor&3 to my dictionary?
even 4 words with one common substitution fucks up dictionary attack, cause you expand the search space 3-10 fold per word. although one have to have at least one relatively uncommon word (from 20k vocabulary, not 2k vocabulary)
Congratulations, everyone who didn't say "password manager" just cut down the search space to crack their hexbear.net account password by a huge amount.
I'm p sure hunter2 isn't in the dictionary
This is a nonsensical criticism. A password of six random words has 2^77 possibilities. This means, even if they knew you were using this method, then with state of the art computing, we're talking like the age of the universe to crack one. If they didn't know, then we're talking like 10^70 times that. A password of just a few words would be more than secure enough.
Search space for cracking passwords, if Hexbear.net is doing any sort of half-decent hashing method, isn't a very big deal beyond having more than like, 8 characters. If anything, having a common attack vector like a password manager could mean you're even more likely to be done in.
In a previous life I did a lot of MD5 password cracking, the problem has since been all but solved.
I admit it was a snarky joke from me, and more trying to be provocative about building a security culture than a proper criticism. You're correct.
(Neat to hear you've done some hash cracking in the past!)
I use a password manager. Most of them have a built in generator that allows you to specify length, type of characters, etc...
I preface this by saying im a tech barbarian and shouldnt be relied on as a reliable source of info on tech topics.
The only bit of advice I remember on password security comes from someone critiquing snowden's suggestion in some interview where he said the best kind of passwords are pass-phrases like "MargaretThatcheris110%sexy" or some shit and basically said
"MergaretThatcher+is110%PiSSTA" is a whole lot better because it adds more randomness to the mix and makes it harder for the cumputer demons to crack your tough nut of a password open to feast upon its tender innards.
I ask my password manager to come up with something. I only have a small number of passwords I actually know, the rest are stored in keepass. I used keepass to come up with my keepass passphrase and the handful of other passwords that I keep in my head.
I dont, password manager makes a real password and remembers it for me
I don't use passwords that are possible to remember, I use a password manager instead. That's both easier and more secure at the same time, a hard to beat combo.
Regulatory information off the packaging of something you use and buy frequently.
The caps and punctuation respecting initialization of an article title, publication name and publication date of some bullshit written in a magazine.
The output of a two digit page number, one digit line number, one digit first letter of word number cypher using the isbn of a book multiple times with a one or two digit salt.
Just ask Bitwarden for one and practice it a million times till its muscle memory
Combination of the first letters of road signs and mile markers driving from your home to the nearest state park.
Regulatory information off the packaging of something you use and buy frequently.
WARNING:ThisPasswordContainsChemicalsKnownToTheStateOfCaliforniaToCauseCancer
Memorize a long sentence, music lyrics, or something 20ish words long, and include punctuation and spaces.
Then if you want to get it extra secure replace some letters with numbers,
One thing I find useful with regards to special character requirements: it’s hard to remember a string of special characters, it’s easy to remember a number sequence with the shift key held down.
Password manager.
Then you just have remember one.
Use this as a main password (at least 6 words) and then get a password manager (Bitwarden or KeePassXC) to generate the rest.
Don't come up with the words yourself, roll the dice till you find one you can remember.
Come up with a handful of important main password as a series of very specific words that would be hard to guess. Throw a proper noun in there and don't make it a well-known phrase.
Important main passwords are those you need to personally remember for important accounts. Like a password manager's master passwoed, an encrypted document or backup password, or an email account.
For every other password, use an open source password manager where you control the vault. Use the built-in generator to make strong passwords that conform to whatever requirements the service has. If you don't have the capacity to control your own vault, use bitwarden and work on getting that capacity, then run your own bitwarden or vaultwarden later.
I'd also add that intentional misspellings of words can slow down dictionary attacks, particularly if you use uncommon letter pairings, like HamsterDance -> Hamqter Dpnce.
Another nugget I've heard, is if you include some random chunk in all of your passwords, like "*****" or something, even if it's predictable, just the sheer character count it adds already gives you a huge boost to entropy. At the end of the day, character count is king. (And the best way to remember long character count strings, especially when they are all unique per service, is a password manager. That's the actual real secret.)
my master password is a long sentence with a few non-dictonary words in it that mean something to me (one is a compound word one is sci-fi shit). i mix it up sometimes (about every year).
Unless the attacker knows you do that.
Just do a web search for password generator, here is one from bitwarden: https://bitwarden.com/password-generator
you can make a password like vjL56q&MVNp7%5 or a passphrase like Confess-Overtime5-Scientist-Rocker-Tanning.
Either is very difficult to memorize so really you need a password manager. I don't think strong passwords and brains are compatible.
I slam my face into the keyboard until the pain goes away
Use a random word generator to generate 3-4 random words. Punctuate them with special characters and capitalize as inappropriately as you think you can remember, and there you go. My current password is between 20-30 characters and virtually uncrackable without a back door, and I have absolutely no relation to the words outside of their use as my passcode.
I took a long phrase I'm familiar with, peppered it with special characters and used it as the password for a Keepass database, that way I only have to remember one. That DB is synced between my devices with Syncthing. If you're tech savvy enough to use Lemmy I'd wager you're tech savvy enough to set that up.
Use KeePass XC. Come up with a unique but hard to crack master password as others have shared and which you never use for anything else other than KeePass.
Then KeePass lets you generate random password strings with settings for changing the kinds of included characters, the password length, uppercase or lowercase, etc.
I use 12345 on everything from my luggage to Planet Druidia’s planetary airlock.
I use the so obvious it surely can't be method. I've used hunter2 for at least a decade now and have never been had
uuidgen
xkcdpass
pass generate
Password Store on Android
I can't remember more than a handful of secure passwords. Put everything into your password manager other than stuff you need to type in every day. Not reusing passwords is really important.
football123
One time I got my password found and used by some group (was young and thought it'd never happen to me). Luckily I had thought of a slight variations for important passwords, but I went on a long all-night password change extravaganza.
After that I was scared to use any repeated one so I came up with a whole idea that night for how I could change them all to be entirely unique but have a process to determine it that I could remember. It mixes shifts in the alphabet, shifts on the keyboard, and a changing set of words plus big number and has symbols in the middle. I can always guess my own password within 2 or 3 guesses now.
I think it's pretty useless now, because I've learned enough to know how password managers are just much better. But I'm too lazy to fix it right now. Probably should though. But I'm also definitely convinced my method is robust enough that it would take a team working really hard to figure it all out. I'm sure someone could figure out one portion, but figuring out all of them and how to use it for other accounts would be a full time job. I don't have enough money or important stuff to steal for anyone to care enough I think lol
Memorisation, keep it written someone, check it each time you want to write it, you eventually memorize it
Creating patterns, make abstract rules that only you will remember, make passwords with that in mind (for example, left three keys of your keyboard is a numpad and every fourth letter is capitalized)
Plagiarism, just use the product codes of some random item lying around, they're long and random enough to be a good password