The online password analysis tool, Passphrase.Life, implements 8 alternate keyboard layouts, including Colemak. Not only can you securely check your online credentials, now you can do so using your favorite alternate keyboard mapping.
Probably not, unless it includes Colemak-ⲔⲰ[eD]! :-p
*** Learn Colemak in 2–5 steps with Tarmak! ***
*** Check out my Big Bag of Keyboard Tricks for Win/Linux/TMK... ***
On the subject of passwords, it is possible to judiciously choose them to be the same on both qwerty and Colemak-ⲔⲰ[eD].
Can be useful... I use just such a password for the LUKS full disk encryption on my laptop, just in case...
Just don't tell anyone you did that, as they'll be easier to brute-force then... oops... ^_^
That tool seems overly pessimistic. Even something like the suggestion in the famous xkcd cartoon fails, supposedly crackable within 19 seconds.
Using Colemak-DH with Seniply.
... Why would anyone type a passphrase into a live website that doesn't let you save it locally and unplug your ethernet connection, then delete all the files completely, and clear your browser cache and history?
EDIT: My bad, didn't save it properly. Still a pretty terrible metric for this kind of thing. :P I have used algorithms that tell me some of my passwords will be cracked by the time of the heat death of the universe, but this seems to say that anything less than 64 characters (which many sites won't accept) is useless and cracked in seconds.
For the benefit of those who may not be aware of best security practices, NEVER enter a password you intend to use into a live website. Some would argue that the workaround I described is insufficient for total security, and they're right.
*Universe is in its death throes. Entropy everywhere, enthalpy hard to come by.*
...
"Ha! Finally we have the devious passwords of that fiend Azuvix cracked! Now, to..."
...
*Universe fizzles out. Acta est fabula, plaudite.*
One has to wonder what I'll leave behind that could possibly be so important that it diverts attention from the impending doom of everything. ;)
Probably not, unless it includes Colemak-ⲔⲰ[eD]! :-p
Please forgive my ignorance--I didn't realize there was a popular mod to the layout. I'll add that to the analyzer. Thank you!
That tool seems overly pessimistic. Even something like the suggestion in the famous xkcd cartoon fails, supposedly crackable within 19 seconds.
Overly pessimistic? Indeed it is (by default)! But you can always adjust the Uncertainty settings to reflect your own What-If scenario, using Verbose Mode. :-)
The only useful metric for measuring password/passphrase strength is entropy, which is the chaos or uncertainty it contains. Length may increase entropy (or may not). Complexity may increase entropy (or may not). Patterns in the credential will always dilute entropy, and make the passphrase weaker.
Entropy primarily results from how a password was created, not from what it contains--that's a close second. You mentioned Munroe's famous cartoon, so let's start with that.
Before he wrote the comic, if you used "correct horse battery staple" to secure your online accounts, you could expect the account to last about 13 months in an offline attack (full database breach), not 19 seconds. To see this in the analyzer, just ignore Patterns. (Yes, for those who know, I'm ignoring how the passphrase may be hashed to keep the conversation simple. But frankly, you probably don't know for certain what hash was used on your account anyway, if any.)
But that was then and this is now. Randall's phrase has gone viral, and everybody knows about it. That's why it's no good to use, and that's why Passphrase.Life gives it about 19 seconds to live (generous really, considering the speed of current GPU cracking rigs, advances in hashcat pattern attacks, and the overall forward march of technology).
Overlooking the fact that his comic contains 4 simple dictionary words (patterns), easily targeted by hashcat password cracking utilities today, it has only 44 bits of entropy by his measurement. A Sagitta Brutalis rig, burning through an average 350,000,000,000 passwords per second, would kill 44 bits of entropy in 25 seconds! And that's low-end hardware; not a supercomputer, not AWS and not nation-state actors.
Recall that his comic has an attacker using a rate of 1000 guesses a second, not 350 billion! It makes all the difference in the world.
Bottom line: Passphrase.Life isn't as far off the mark as it may seem.
Excellent overview. That was a very knowledgeable post. :)
Now you've got me wondering how something like a diceware password would fare. On the one hand, it IS more random than simple randomizers that require a user-supplied seed and it can be done entirely offline, but it's also selecting from a known bank of words on a website. If nothing is done to augment that, a brute force attack could undo a generated password in no time at all, wouldn't you say?
... Why would anyone type a passphrase into a live website that doesn't let you save it locally and unplug your ethernet connection, then delete all the files completely, and clear your browser cache and history?
EDIT: My bad, didn't save it properly. Still a pretty terrible metric for this kind of thing. :P I have used algorithms that tell me some of my passwords will be cracked by the time of the heat death of the universe, but this seems to say that anything less than 64 characters (which many sites won't accept) is useless and cracked in seconds.
For the benefit of those who may not be aware of best security practices, NEVER enter a password you intend to use into a live website. Some would argue that the workaround I described is insufficient for total security, and they're right.
"Why would anyone type a passphrase into a live website..." This is an excellent question!
Passphrase.Life (PL) is a client-based analyzer, which means it runs in your browser and needs no server. You can hit the page, disconnect from the Internet, and analyze anything without a network connection. It doesn't log or track or record or send any analyzed data over the network. To see for yourself, open Chrome devtools and check out localStorage, cookies, and network connections, as you type. You'll see there is no activity.
Just as importantly, PL performs keystroke analysis, not word analysis as a whole. It has no way of knowing the actual credentials you are analyzing because it performs real time analysis as you type. (You could keep on typing 20 characters past your actual password and it wouldn't know the difference.)
All of this means you can safely analyze your real credentials using Passphrase.Life. And isn't that the point?
Excellent overview. That was a very knowledgeable post. :)
Now you've got me wondering how something like a diceware password would fare. On the one hand, it IS more random than simple randomizers that require a user-supplied seed and it can be done entirely offline, but it's also selecting from a known bank of words on a website. If nothing is done to augment that, a brute force attack could undo a generated password in no time at all, wouldn't you say?
In 2014, the diceware author himself suggested having no less than 6 words in your randomly-created passphrase. The chart below equates that to a 12-grapheme (character) password created entirely at random:
grapheme entropy & word list entropy & full unicode entropy
==============================================================================
 grapheme entropy        | diceware entropy         | full Unicode entropy
 count   bits            | words   bits             | count   bits
 (count x log2(95))      | (words x log2(7776))     | (count x log2(277,021))
------------------------------------------------------------------------------
   8      52.5592        |                          |
                         |   4      51.6992         |
                         |                          |   3      54.2283
   9      59.1291        |                          |
  10      65.6990        |   5      64.6240         |
  11      72.2689        |                          |   4      72.3044
  12      78.8388        |   6      77.5488         |
  13      85.4087        |                          |
  14      91.9786        |   7      90.4736         |   5      90.3805
  15      98.5485        |                          |
                         |   8     103.3985         |
  16     105.1184        |                          |
                         |                          |   6     108.4566
  17     111.6883        |                          |
                         |   9     116.3233         |
  18     118.2582        |                          |
  19     124.8281        |                          |   7     126.5327
                         |  10     129.2481         |
  20     131.3980        |                          |
  21     137.9679        |                          |
                         |  11     142.1729         |
  22     144.5378        |                          |   8     144.6088
==============================================================================
Let's just call it 80 bits. It would take a Sagitta Brutalis, at 350 billion guesses per second, roughly 54 millennia, on average, to discover 80 bits (either a passphrase or a password). Honestly, that's probably safe enough for most of us.
But to keep things in perspective, the Chinese TaihuLight Supercomputer, at 2.94 × 10²⁴ guesses per second, could cut through 80 bits in about 2 months 2 weeks, in theory. It just depends on who your attacker is.
NOTE: By the chart you can easily see that once we begin to add full Unicode graphemes into our passwords, they don't have to be nearly as long to be just as secure. Sadly, the INFOSEC industry is not on par with this yet. (And yes, Passphrase.Life accurately measures passwords containing full Unicode.)
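The two posts above (the 44-bit xkcd estimate at 1,000 versus 350 billion guesses per second, and the grapheme/Diceware/Unicode equivalence chart with its 80-bit crack-time figures) are all instances of one small calculation: bits = symbols x log2(alphabet size), and expected crack time = half the keyspace divided by the guess rate. The following script is an added example written for this page, not code from Passphrase.Life or from any poster; the alphabet sizes and guess rates are taken from the posts as stated there, and the functions `entropy_bits`, `symbols_needed`, `crack_seconds`, `crack_years` and `equivalence_row` are names chosen here for illustration.

```python
import math

# Alphabet sizes exactly as the chart above states them (assumptions copied
# from the post, not independently measured here).
PRINTABLE_ASCII = 95            # printable ASCII graphemes
DICEWARE_WORDS = 7776           # 6**5 entries in the Diceware list
UNICODE_GRAPHEMES = 277_021     # the full-Unicode grapheme count the chart uses

# Guess rates quoted in the thread (constructed constants for this example).
XKCD_RATE = 1_000               # guesses/second assumed in the xkcd comic
SAGITTA_BRUTALIS_RATE = 3.5e11  # guesses/second quoted for a Sagitta Brutalis rig

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbol_count: int, alphabet_size: int) -> float:
    """Entropy of `symbol_count` symbols drawn uniformly at random from an
    alphabet of `alphabet_size` symbols.

    This figure is only valid when every symbol was chosen independently and
    uniformly (dice, a CSPRNG). A human-picked phrase, or a widely published
    one such as "correct horse battery staple", has far less entropy than its
    length suggests because an attacker tries the likely candidates first.
    """
    if symbol_count < 1 or alphabet_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return symbol_count * math.log2(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly random symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def crack_seconds(bits: float, guesses_per_second: float, average: bool = True) -> float:
    """Seconds to search a keyspace of 2**bits at the given rate.

    average=True returns the expected time (the attacker finds a uniformly
    random secret after half the keyspace on average); average=False returns
    the worst case (the whole keyspace). Hashing cost is ignored, as the post
    does; a slow password hash lowers the effective guess rate.
    """
    keyspace = 2.0 ** bits
    if average:
        keyspace /= 2
    return keyspace / guesses_per_second


def crack_years(bits: float, guesses_per_second: float, average: bool = True) -> float:
    return crack_seconds(bits, guesses_per_second, average) / SECONDS_PER_YEAR


def equivalence_row(target_bits: float) -> dict:
    """How many symbols of each of the chart's three alphabets reach `target_bits`."""
    return {
        "ascii_graphemes": symbols_needed(target_bits, PRINTABLE_ASCII),
        "diceware_words": symbols_needed(target_bits, DICEWARE_WORDS),
        "unicode_graphemes": symbols_needed(target_bits, UNICODE_GRAPHEMES),
    }


if __name__ == "__main__":
    # Reproduce the xkcd comparison: same 44 bits, two very different rates.
    print(f"44 bits at {XKCD_RATE:,}/s, worst case: "
          f"{crack_years(44, XKCD_RATE, average=False):,.0f} years")
    print(f"44 bits at {SAGITTA_BRUTALIS_RATE:.2e}/s, average: "
          f"{crack_seconds(44, SAGITTA_BRUTALIS_RATE):.1f} seconds")

    # Reproduce the chart's columns and the 80-bit figure.
    print(f"{'ascii':>6} {'bits':>9} | {'dice':>5} {'bits':>9} | {'uni':>4} {'bits':>9}")
    for n in range(3, 23):
        ascii_bits = f"{entropy_bits(n, PRINTABLE_ASCII):9.4f}" if n >= 8 else " " * 9
        dice_bits = f"{entropy_bits(n, DICEWARE_WORDS):9.4f}" if n <= 11 else " " * 9
        uni_bits = f"{entropy_bits(n, UNICODE_GRAPHEMES):9.4f}" if n <= 8 else " " * 9
        print(f"{n:>6} {ascii_bits} | {n:>5} {dice_bits} | {n:>4} {uni_bits}")
    print("80 bits needs:", equivalence_row(80))
    print(f"80 bits at {SAGITTA_BRUTALIS_RATE:.2e}/s, average: "
          f"{crack_years(80, SAGITTA_BRUTALIS_RATE):,.0f} years")
```

The worst-case figure for 44 bits at 1,000 guesses per second comes out to roughly 557 years (the comic's "550 years"), the same 44 bits at 350 billion per second to about 25 seconds on average, and 80 bits at that rate to roughly 54,700 years, which is the "54 millennia" above. `equivalence_row(80)` gives 13 ASCII graphemes, 7 Diceware words or 5 Unicode graphemes, matching the chart's rows around 80 bits.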
Exceptional. :) Thank you for the further explanation and serious food for thought. It's a subject I can't get enough of!
You're most welcome!