Passwords. We all hear “make them strong,” but here’s the real deal: SIZE matters.

A longer password isn’t just better; it’s exponentially harder to crack.

Upgrade your security and better protect your digital identity:

✅️ Create strong and unique passwords.
✅️ Store them in a password manager.

Learn more here: https://tuta.com/blog/minimum-password-length

@Tutanota what if UTF-16 allowed
@Tutanota Passphrases vs. Passwords
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
@Nead @Tutanota Came here to see how many people had already posted this :)
@Nead @Tutanota I was wondering why someone did not IMMEDIATELY post that XKCD thing; actually that comic "changed my passwords life" (now I use complete sentences).
@Nead @Tutanota yet everyone tells me that LLMs are merely word predictors. Entropy? Hmmm
@Nead @Tutanota The remembering part can be solved by a password manager. And I don't think a computer can guess a randomly generated 64 character password for the next few decades at least? Maybe more? It's a safe bet to use both passphrases and random passwords for better security.
@Tutanota
Please feel invited to convince me of the probability of a password being cracked, if it isn't guessed, phished or leaked.

RE: https://mastodon.social/@Tutanota/115809292219749938

@Tutanota
The only correct use of "exponential" I've seen on the internet this month.

@Tutanota here is one thing I think but for some reason the security industry seems to disagree with me. So let's say you have a password and it's 12 characters long. If you say in the requirements it must have 1 uppercase, 1 lowercase, 1 number, and 1 special character doesn't that actually simplify cracking as the hacker knows the requirements? Like assuming all those characters are allowed but not required isn't the possible number of passwords greater?
@Tutanota if the password could be all uppercase or all lower case, or all numbers, doesn't that add to the pool of possible passwords? password, PASSWORD, Password, password, or passworD are all possible so the hacker has to check each. If I know it must be 1 uppercase and 1 lowercase you eliminated a bunch of possible passwords.
@Tutanota if you say we require a minimum of characters in your password, you eliminated 2.1 × 10^42 possible passwords. Isn't it better to accept any password so hackers have to check all of them? More restrictions just shrink the possible number of passwords.
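The argument in the three posts above (a "one of each class" rule removes every all-lowercase, all-digit, etc. candidate from the search space) can be checked with inclusion-exclusion. This is an added example, not code from the thread or from Tuta; the class sizes assume 95 printable ASCII characters, and the guess rates are constructed illustrations, not measurements.

```python
from itertools import combinations
from math import log2

# Printable ASCII split into the four classes a composition rule usually names.
# Class sizes are constructed for this example (95 printable characters total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())

def unrestricted_keyspace(length, alphabet=ALPHABET):
    """Every string of `length` over the full alphabet is a valid password."""
    return alphabet ** length

def composition_keyspace(length, classes=CLASSES):
    """Strings of `length` that contain at least one character from EVERY class.
    Counted by inclusion-exclusion: for each subset of classes left out,
    count the strings over the remaining characters and alternate the sign."""
    names = list(classes)
    total = 0
    for r in range(len(names) + 1):
        for left_out in combinations(names, r):
            remaining = sum(classes.values()) - sum(classes[c] for c in left_out)
            total += (-1) ** r * remaining ** length
    return total

def bits(keyspace):
    """Entropy of a uniformly chosen password from `keyspace`, in bits."""
    return log2(keyspace)

def expected_crack_seconds(keyspace, guesses_per_second):
    """Average search cost: an attacker covers half the space on average."""
    return keyspace / 2 / guesses_per_second

if __name__ == "__main__":
    n = 12
    free, ruled = unrestricted_keyspace(n), composition_keyspace(n)
    print(f"12-char, any printable ASCII : {free:.3e} ({bits(free):.1f} bits)")
    print(f"12-char, all 4 classes forced: {ruled:.3e} ({bits(ruled):.1f} bits)")
    print(f"removed by the rule          : {free - ruled:.3e} ({(free - ruled) / free:.1%})")
    # Offline guessing against a fast hash versus an online login that is rate limited.
    for rate in (1e10, 10):
        years = expected_crack_seconds(ruled, rate) / 3.154e7
        print(f"at {rate:g} guesses/s: about {years:.2e} years on average")
```

The rule does shrink the space, but only by a small fraction of the 12-character total, so the difference in bits is well under one; the guess rate (offline against a weak hash versus a rate-limited login) changes the outcome by many orders of magnitude.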
@Tutanota Really. Which computer? My laptop? An AI rig? What is the application of the password? How is it stored? How is it hashed? How is it applied?
This table can't be taken literally.
@Tutanota So I guess Abcdefghij+1 is pretty ok

@brownhamer @Tutanota

1234567890Ab looks pretty solid, too.

@Tutanota How long for 32 and 64 character passwords that include an even distribution of lowercase, uppercase, and punctuation ranging from .!: to ¥€Π¶∆?

@Tutanota No no no no no I'm so tired of this awful advice.

UNIQUE passwords matter 1000x more than STRONG passwords. With very very few exceptions, password cracking shouldn't even be in a normal person's threat model. If somebody is cracking your password they already have your data from that platform. The only thing password cracking does is let them use your password to authenticate to other platforms, but that doesn't work if it's a unique password

We need to stop telling people to use long, complex passwords. That's not a useful thing to teach people. Instead, teach them to use a password manager and a unique password for every site!

@iagox86 @Tutanota hear, hear! On top of that: a secure site should wait 0.1 s after receiving a password before checking. Brute force guessing will take ages whatever password is used, while the human will never notice the 0.1 s delay.
Security starts at the site/app. THEN the user
@ligfries @Tutanota 100% - making it difficult to guess in a form matters

You got an online password vault? A 28 character password is easy (and fun to brag about).

@Tutanota Oversimplification on so many levels I don't even know where to start. Not helpful at all.
@Tutanota Ironic that the only email hack I've ever suffered since the web began was, er, a Tuta address. That was this year.
@Tutanota This app is one of the fine options to test your passwords without sending them outside your phone: https://f-droid.org/en/packages/com.iyps/

@lostllm @Tutanota Yeah, but is this real? If this is real, I'll give it a shot.
@Tutanota "Crack" is ambiguous. It depends on whether you're doing an online attack or an offline attack, and in the case of the latter, what "hash" is used.
@Tutanota
This only applies to randomly generated passwords. If the password is derived from something known to be related to the target (name, location, date, etc.), it won't stand a chance:
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Also this only applies when the target password isn't protected with a strong enough password hashing algorithm.

And the service doesn't apply any rate limit to your login requests.
@Tutanota and then your password manager stops working. Happened to me a few years back when the developer quit and the software stopped working at the next platform update. I now use a password protected local Excel file because I believe Excel will be available during my lifetime (71 yo)

@Tutanota this. On systems which allow long passwords, I'm now using very long phrases (think lines from songs — I'm not actually using lines from songs, but the phrases are of similar length). The benefit is I can remember them WITHOUT a password manager; and if I should forget them, I have a crib — but only I know what that crib is.

/Continued

@Tutanota There are 96 printable ASCII characters, of which about 60 occur in normal English. So you need a significantly longer normal English phrase (n^60) to achieve equal security to a random password (n^96), but it's much easier to remember.
@Tutanota i guess that depends also on cipher