[Culonavirus]

I use https://www.useapassphrase.com/ since forever and that uses client side generation (i.e. the password never leaves your browser). And speaking about passphrases... I find it borderline insulting that many sites still use the archaic "whateveR1@" format, like, dude, I just gave you sentence worth of words that will take a bazillion more years to crack than passworD1@ ... some people just learn something in school and then use it for 20 years, I swear.

[consp]

The [capital, number, special] scheme reminds me of the passwords at my uni. Everyone got a plaintext stored (you could recover and get the pw back, I doubt there was any encryption) 7 digit (yes digit, not alphanumeric) password for your account. After a while these were "upgraded" to 8 and must contain a letter. So the amount of [7 digits]+a passwords were massive. They then upgraded to "must contain a lower and upper case" and you got [7 digits]+a+A passwords, after which a special character must be included and the [7 digit]+a+A+! was born...

Security is no issue if you don't care. They did abolish unhashed storage after a while (and a while is really quite recent).

[losvedir]

Ha, pretty much exactly this stand up bit: https://youtu.be/aHaBH4LqGsI?si=Zs2IvRUqtIrn9KH8 .

[scubbo]

Good god I loathe that disgusting slime of a man. Even worse than James Corden, and that's saying something.

[maicro]

Reminds me of default passwords on wifi routers a decade ago - ATT especially had a very identifiable SSID format (ATT###), and a default 10-digit password. That leaves you with (9,999,999,999 + 1 =) 10 billion[1] passwords possible, which even at that time only took a couple hours to test all of them. That SSID pattern also left you with only 1,000 possible SSIDs, so a rainbow table was definitely reasonable.

[1] - though now that I think about it, that might not properly cover the case of leading zeroes in the password, so the total number of possible passwords might be larger than 10B; that's assuming a naïve password list generated just from numbers, not from treating the digits as characters, so I need to reason about this a bit more...

[amenhotep]

It's O(10 billion), so your intuition is good regardless :) passwords with ten 10-digits: 10x10x... = 10^10 = 10 billion, passwords with nine digits = 10^9, etc etc down to 11,111,111,110 (I don't think we should count the empty password). The full length password dominates the size of the keyspace so much that you more or less get truncations for free.

[brewdad]

Eh, that's still better than my days at Uni where my student ID was my Social Security Number and grades were posted outside the classroom as a sheet with everyone's SSN and their scores.

[lupusreal]

Do you vet the JS this site sends you every time you use if, or do you trust that because it was client side in the past it will always remain so? Also, picking four random words "meat side" is pretty easy in my experience, but using a client side (not browser) password manager neatly solves the "inane password complexity requirements" problem.

[codetrotter]

This is an opportune moment to plug my command-line passphrase generator.

Open source, runs on your machine.

It makes passwords like:

    tiptoeing saxophone wholesaler luxurious leftover codeword eruption gnarly skies taco username affidavit

I named it pgen

Get it from https://github.com/ctsrc/Pgen

[brookst]

If nothing else that would force me to finally learn to spell affidavit. Or just give on on whatever I locked behind that phrase.

[zoky]

Have you, uh… had a lot of opportunity to misspell “affidavit”?

If so, please let me know the name of your SaaS so I can steer well clear of it…

[brookst]

It’s one of those words I use just rarely enough to never learn how to spell, like supeena, deeposition, and perjery.

[kodis]

I occasionally use words that I have trouble spelling as part of a password. I learn 'em fast, let me tell you!

[thewakalix]

Sounds like "Word Disassociation".

https://genius.com/Lemon-demon-word-disassociation-lyrics

[jamesponddotco]

I'll go with the flow and plug mine too, called acopw (get it, Accio Password, I'm so funny):

https://git.sr.ht/~jamesponddotco/acopw-cli

It can generate diceware passwords, random passwords, PINs, and UUIDv4.

It uses my own Go module for this, which comes with a list of words with over 23 thousand words:

https://git.sr.ht/~jamesponddotco/acopw-go

[keybored]

I use a 1000-line word list, head(1), shuf(1) and then tr(1) to join the lines.

[yjftsjthsd-h]

I've just been using

    shuf -n 5 /usr/share/dict/words

and then manually typing them in, optionally adding any special characters or whatever the particular site requires. Changing 5 as needed, of course.

[codetrotter]

One of the neatest bonuses that you get from using pgen instead is that it can also tell you the amount of entropy of passphrases that each combination of settings (wordlist, number of words) will produce. This alone should ideally be reason enough to adopt pgen :)

[bmacho]

> Do you vet the JS this site sends you every time you use if,

Hit ctrl+s

Which you should do even if you fully trust the website owner anyway

[frizlab]

I use Safari’s password generation and keychain. Works great and has readable passwords.

[lsllc]

I do the same and it usually only takes a few days to a week to learn a 16 character pretty random looking password, which with an 6-monthly change-your-password-rule is no big deal.

[rokkitmensch]

Or just increment a token in the already-secure password you're being forced to rotate like a sane person.

[ciroduran]

Obligatory xkcd https://xkcd.com/936/

Great username btw

[jsjohnst]

It bothers me how much folks parrot this XKCD, especially using it to imply passphrases are superior. They are in fact not! Four common words are definitely easier to remember, but is it really feasible to remember hundreds (thousands?) of truly unique four word combinations easily? I would argue strongly it’s not for most people, so then you’re still using a password manager for the vast majority of passwords. Yes, you still need to remember a few, where then passcodes are ok. Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length) which may not allow for your passphrase as suggestingly formatted by XKCD, thus needing a password manager more.

If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords. Let’s use the example from XKCD:

correct horse battery staple = 2048^4 = 2^44

If instead we use the same length of 28 characters with the full range of characters allowed by most websites:

M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172

Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.

[SushiHippie]

I don't remember all of them and I use a password manager, that's true.

But If I need to login on a device where my password manager is not installed, or you can't use a password manager (e.g. windows UAC prompt, linux tty), it will be way easier to open my password manager on my phone and type a password rather than a long random string.

I don't use a passphrase for every login, but for some logins where I think it could be benefitial to easily type it without using autofill I use them.

[NoGravitas]

Yep. For most logins, a password manager is the way. But there are some you are simply going to have to or want to remember (password manager key, workstation login), and for those, passphrases are better.

[jsjohnst]

> for some logins where I think it could be benefitial to easily type it

See my reply to sibling commenter, I had already covered this case in my original post.

[GoblinSlayer]

UAC supports clipboard, I use managed passwords with it.

[bookofjoe]

>I don't use a passphrase for every login, but for some logins...

>I don't always drink beer, but when I do...

[KoolKat23]

And if you were to add a few additional characters scattered within the passphrase?

[bigfudge]

What about your login password though? Or an email password which you occasionally need to access on a machine you don't control? Those are the passwords where I use a passphrase.

[jsjohnst]

> What about your login password though? Or an email password which you occasionally need to access on a machine you don't control?

>> using a password manager for

>> the /vast majority/ of passwords

Added emphasis to what I said previously to show I had answered that already.

[Tcepsa]

Doesn't the assertion that correct horse battery staple = 2048^4 require the attacker to know that you're using this pattern?

[joveian]

It might make a slight difference or it might not, but you can't know that it will so best to assume that it doesn't. In practice the amount of computing power actually available is going to make much more difference than the method used.

IMO, pass phrases only seem useful if you have a quite insecure password. It is ideal to aim for 115-128 bits of entropy, which is not that bad with just random lower case letters and numbers (24 characters is good) but turns into a long and complex passphrase. To learn a random password write it down (split into groups of 6ish characters) and copy it from the paper for 2-4 weeks (do not try to guess until you are almost certain your guess is correct).

[FabHK]

The XKCD is not arguing against password managers. It is arguing against websites mindlessly imposing silly rules on passwords, as you are.

[hn_acker]

Indeed, the XKCD comic Password Strength does not argue against password managers, but sometimes when someone posts that comic I wonder why they need to come up with a memorable password given that password managers exist.

Secondly, jsjohnst was not supporting silly password rules, merely pointing out that a password manager can make the password rules less of a hassle to comply with [https://news.ycombinator.com/item?id=39690528]:

> Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length)