Ryan's guide to determining whether your password is secure:

1) Did you pick it yourself? If yes, it is not secure.

2) Is it unique? If no, it is not secure.

3) Is it part of a "password system"? If yes, it is not secure.

4) Is it created using a deterministic password generator? If yes, it's part of a "password system" and therefore not secure.

5) Did your password manager randomly generate it for you? If yes, it's probably fine.

6) Did you generate it with dice? If yes, it's probably fine.

7) Did you create your password in some other way? It's probably fucked.

@ryanc 8) can the system understand or deal with the encoding your password uses? (yes, there are passwords that happen to consist entirely of unicode replacement characters because of issues like that)

@yetzt I built a CTF challenge involving a password generator that had unicode replacement character problems.

Something like generate N random bytes, base64 encode them, oops they were treated as utf8 before base64 happened.
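An added illustration (my own code, not the CTF challenge ryanc built nor anything from this thread) of the generator defect described in the post above, together with a check for the replacement characters yetzt raises in point 8. The byte strings are constructed, and the function names are assumptions of the example.

```python
import base64
import secrets
from typing import Optional

# U+FFFD is what a lenient UTF-8 decoder substitutes for each invalid byte sequence.
REPLACEMENT = "\ufffd"
REPLACEMENT_UTF8 = REPLACEMENT.encode("utf-8")  # b"\xef\xbf\xbd"


def buggy_generate(n_bytes: int, raw: Optional[bytes] = None) -> str:
    """Constructed reproduction of the bug: the random bytes are decoded as
    UTF-8 text before base64 runs, so every invalid byte collapses to U+FFFD."""
    raw = secrets.token_bytes(n_bytes) if raw is None else raw
    text = raw.decode("utf-8", errors="replace")  # the defect: bytes treated as text
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def correct_generate(n_bytes: int, raw: Optional[bytes] = None) -> str:
    """Base64 of the raw CSPRNG bytes; nothing is decoded, so all entropy survives."""
    raw = secrets.token_bytes(n_bytes) if raw is None else raw
    return base64.b64encode(raw).decode("ascii")


def embedded_replacement_chars(password: str) -> int:
    """Count literal U+FFFD sequences (EF BF BD) inside the base64 payload.
    The correct generator essentially never emits them; the buggy one emits
    one for every byte that was not valid UTF-8."""
    return base64.b64decode(password).count(REPLACEMENT_UTF8)


def round_trips(password: str, raw: bytes) -> bool:
    """True if the password still encodes the exact bytes the CSPRNG produced."""
    return base64.b64decode(password) == raw


def average_loss(trials: int = 2000, n_bytes: int = 16) -> float:
    """Fraction of CSPRNG bytes the buggy generator turns into U+FFFD
    (roughly the share of bytes >= 0x80 that do not form valid UTF-8)."""
    lost = 0
    for _ in range(trials):
        raw = secrets.token_bytes(n_bytes)
        lost += embedded_replacement_chars(buggy_generate(n_bytes, raw))
    return lost / (trials * n_bytes)


if __name__ == "__main__":
    sample = b"\x80\x81pass\xff\xfe"  # constructed: four of the eight bytes are invalid UTF-8
    bad, good = buggy_generate(8, sample), correct_generate(8, sample)
    print("buggy  :", bad, "replacements:", embedded_replacement_chars(bad),
          "round-trips:", round_trips(bad, sample))
    print("correct:", good, "replacements:", embedded_replacement_chars(good),
          "round-trips:", round_trips(good, sample))
    print("average fraction of random bytes lost by the buggy path:", round(average_loss(), 3))
```

The round-trip check is the useful audit: if base64-decoding a generated password does not give back the bytes that were drawn, entropy was lost somewhere in the pipeline. On random input the buggy path erases close to half of the bytes, since every byte of 0x80 or above that is not part of a valid multibyte sequence becomes the same three-byte U+FFFD sequence; a valid sequence such as the two bytes of "é" happens to survive, which is why the defect is easy to miss in casual testing.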

@ryanc neat! i used the passwords from the "collection leaks" to (amongst other things) build an autocomplete: https://passwords.yetzt.me/

it's quite an interesting dataset, i discovered many interesting encoding issues and some brave people even used emoji containing zero width joiners in their password.
