What will be the maximum number of characters allowed to create a password on the SAFE Network?
There should be no traditional passwords. It should be pass phrases/pass quotes. Take a quote from anywhere in a book and that is the best passphase as long as you know the quote and no one who knows you would know.
Even better, just choose some random words which are easy for you to remember but impossible for anyone to guess. You only need around 10 words and it’s uncrackable.
It does not have to include special characters, or multiple cases. So you don’t need to use ##$$%%^^ etc or 12345 etc, you just need something memorable but impossible to guess.
Example? Find some rare classic text in Latin, find some quote which is very obscure, or take something from another language and translate it into English from say Chinese.
The point is most password crackers use dictionaries. These dictionaries check each word and common passwords. If you use a combination of random words, or if you use a really weird phrase which is extremely obscure, it’s extremely secure.
Words seem easier for people to remember than characters.
You can use the diceware technique to generate random words. A list of random word is surprisingly easy to remember.
Thank you for the tips, but this does not answer my question. Let me rephrase, what will be the maximum number of characters allowed to create a password/pass phrase on the SAFE Network?
Passphrases only marginally more secure than passwords because of poor choices.
I prefer random number, letters, and special characters.
Edit: takes a little effort to remember but it is a pain in the ass to crack.
Best password ever!!!
Suggesting books and quotes for passphrases is a TERRIBLE mistake, as it is vulnerable to the same type of password cracking: dictionary attacks.
The safest way is to do diceware, which may be quite challenging to remember.
I have a better method that it makes it very simple to remember and it offers high security and uniqueness: personalize phrases to very specific events in your life, like right now, and be very observant and descriptive about it.
For example: I am currently typing this message on my phone, laying down on my bed with half my ass naked, wearing a black long sleeved shirt that is too small for my torso, with a terrible coughing, and a mosquito bit my index toe.
From this situation I could use all that as a passphrase AND/OR get inspired by this situation to generate one such as: “Phone on bed half ass out wearing tank top shirt coughing and mosquito on toe”
The only thing I have to remember is the situation I was in when I had the need of creating the passphrase. This uniqueness will destroy any attempt of dictionary/book/quote attacks.
There are no limits beyond the size of the string available, so essentially no limits. There is always debate about the PIN part of the credentials whether they should be limited to digits only, which they are at the moment.
So don’t make a poor choice.
It’s like complaining that 15-byte passwords aren’t effective when one chooses 123456123456123.
There’s no difference.
12-word passphrases randomly selected from a wide corpus of words are secure enough.
Could not agree more. Pass phrases only work when chosen correctly.
Using the above mentioned diceware-method is also secure and the phrases are a lot easier to remember.
The password cracker would have to check every book on planet earth in every possible order. Do you know how much computation that would require?
A random quote from some random spot in a book is essentially uncrackable because no one would know which book, or where in the book the quote is from. Of course you could have even more security if you have random words but a random quote from a book is damn good if it’s a long enough quote.
My current password is gibberish like that and longer than that. At least 30 characters.
The point is I’m able to memorize 30 random characters but I would not ask anyone to do that because it’s a gift most people don’t have. Also I have to worry that someday I could forget my own password.
If you’re talking about SAFE Network I think the risk of a person forgetting their own password is extremely high and if the stakes are also very high then the password should be something unforgettable. That means no gibberish characters.
Still, your method relies on security through obscurity. The passphrase is in the open, you just hope it will never be found.
Unfortunately humans are quite predictable, and people will tend towards a certain type of phrase or passage. Just grab an Amazon Kindle and buy a popular book, and you will realize instantly how predictable humans are when they end up highlighting the same group of words over and over (it allows you to see how many people highlighted a phrase).
Amazon itself could have an amazing real time passphrase database, and my bet is that it will be as successful as it is the dictionary attack for common passwords.
And how is that different from whatever you store in your brain? It’s hard to find where in the brain the thoughts containing the password is without spending an enormous amount of money. So a brain wallet is considered secure due to the difficultly or expense of trying to get it from your brain.
The same could be said about the difficulty to find a grain of sand on a beach or an indeterminate unspecific phase out of a random book out of any book ever written. It’s protected by mathematics not merely “obscurity”.
The math would say the probability that someone would be able to find some quote of exactly the right length in exactly the right book is infinitesimal just as it’s infinitesimal that they would find the right character combination.
A phrase is just a combination of words. It’s a structured combination of words but how many books exist in the entire world? 129,864,880 books exist in the world. So if you made an entire book your password they would have 1:129,864,880 chance which would mean they would have to store every book in existence to crack your password (which isn’t even feasible because every book that exists in the world probably isn’t digitized.
Now you’re talking about taking a quote from the book? The quote can be any length or size? Now it’s impossible to crack. If you think I don’t know what I’m talking about go ahead and ask your favorite cryptographer and see if you get the same answer perhaps with the detailed math formulas to prove it.
Luckybit, it is very different, and you still don’t get the point.
Let me tell you a real cautionary tale.
The roulette was designed as a perfect game that made probabilistically a rigged game in favor of the house. We all know this, math doesn’t lie, single zero gives a 2.7% edge to the house, a double zero gives 5.26%.
One day, early 90’s, Spanish casinos were suddenly bleeding money like crazy in their roulette tables, and nobody understood how.
How on Earth was it possible?
Introducing you the Pelayo family. The head of the family was a professor of statistics and had the insight: "nothing in life is really pure or perfect, not even a swiss watch, not even the NASA."
So he saw that those irregularities would be quite pronounced in real life roulette tables, which would make the ball to fall more frequently in certain sectors of the table veering way off from the theoretical odds of the Roulette Game.
So he went out to Casinos to test out his idea, writing down every single number that was coming out at the table, and at night he typed them up in his computer to analyze them… And the numbers were far from random. He consulted with a colleague and he confirmed it. The real world numbers didn’t lie.
Armed with this confirmation he trained his family to log all the numbers from all shifts from all the casinos in Spain, and eventually whole Europe.
Why am I telling you this?
Your perception that there are too many books in the world and that a human being will make a random selection is your pitfall.
It’s the same mechanism which secures the hashing algorithm of Bitcoin. It’s possible someone could make a guess and steal your coins in a key-pair collision attack too.
Is that obscurity security? No it’s just math. It’s so unlikely to happen that we treat it as secure. Security is a matter of the probability of a certain risk occurring.
If you’re worried humans are too stupid to choose a good quote okay that is possible but again its still statistically not likely you could guess it. Only a targeted attack could narrow down the books a person reads.
ex: “this is my favourite book whatisthisdoinghere? quote”.
It could be something easy to remember because it cannot be associated with the quote.
That’s where you get screwed and lose randomness.
There’s nothing (so far) that indicates that this is necessary. Long (12 words +) random pass phrases work fine.
By the way there was an article about new 2FA services that rely on the same technology as bitcoin wallets. I think there’s 2 of them, but so far they’re commercial and targeted at wallet providers (i.e. very centralized).
Let me break down what will happen if your method became the standard, think as in policymaking.
You are thinking: one obscure phrase in one obscure book out of hundred millions books.
The reality: the average user doesn’t live in a library, an average person will have at best 100 books in his bookshelf, most of them will be comprised between bestsellers and classics, which further reduces the sample.
From those limited number of books, most people will predictably select his favorite book, not the most obscure one. And from that favorite one will select a memorable quote.
Think as a normal bell curve, password crackers focus on the masses behavior, not on the ideal use cases. People are not stupid for doing this, people are just people. We are predictable beings, and our brains are designed to favor familiarity and patterns, we have a whole category of cognitive biases based on this.
That is why it is safer a event based approach, because we rely on life as random generation and human participation reduced to a mere observer of such events.