You have to balance security with resiliency... a phrase you're likely to remember is better than one you will forget... most people are likely to lose or forget their passphrase vs getting brute forced by a common thief who probably doesn't even know what the device is. not to mention you have to put this passphrase in every time you want to make a transaction
Good perspective! Everything is a balance. What are your thoughts on a password manager?
I have not used a passphrase,but I found the video informative and educational.
Wow...thank you for the kind feedback
@JollyBuhay Tip: I always have my passwords (about 10) saved in iPhone “Notes” which I can access easily, and also I carry a hard copy with me for ease of use when I travel. I have no need for encrypted password services. My password system works like this: It must be at least 15 digits, starts with a capital letter, i.e. “F”, using two easy to remember words, i.e. “Go dog” (the second word encompassed by symbols), followed by four digits, i.e. “1234”, and ending with two digits (a letter and number), i.e. t2. The security you have is that the four digit easy to remember numbers and the last two security digits are never written down or saved in iPhone “Notes”.
Example: “Easy pay” would be Easy#pay#1122g9. This method allows you to remember any password, and it would take centuries to crack.
Thank you
C(n, r) is for no repetition, and where order doesn't matter. The formula you want to use is permutation with repetition -- n^r, which is a bit larger of a value.
Thank you for commenting and subscribing to the channel. Wouldn't no order and lack of repetition be appropriate for the passphrase generation?
@@CyberMedics It's the same as passwords or a combination lock. The order of the words matters. 'aab' is different from 'baa', and they are counted as different. C(n,r) counts them as one.
@@Ken.- got it. Thank you for clarifying!
Hey! Great video. As requested, here are my comments regarding entropy if you use (random) capitalization:
As you rightly say, the dictionaries need to be much larger, thus impacting the entropy considerably; we can do the math quickly: For example, "refined" has 7 letters, each of which can be written either upper or lower case: that is 2^7=128 possible writings. Estimating that for all words means the dictionary used is not 7776 words, but at least 7776 * 128 words. Let's be generous and assume a wordlist of now 2 million words (2M).
ld(2M)=21. That means each word has 21 bits, meaning the password as a whole has 84 bits. This is actually pretty secure. At 100 billion tries a second it'll take 5 million years to crack it. At 1 Million words it would still be 317,000 years.
However, it runs against the whole idea of creating an easy to remember password, as you now again have to remember what letters are capitalized and what are lower case! As you say in the beginning of the video: using a password generator is probably the way forward.
Much appreciate your analysis/feedback on the entropy. As you confirmed, adding random capitalization does significantly increase the entropy at the expense of remembering the passphrase. Thank you for the constructive feedback. We've produced many videos on device account hardening, but unfortunately the only ones that seem to gain traction are the after-the-fact "account hacked and can't gain access" ones. Would welcome any suggestions for "end user" account protection video ideas. Thanks again!
@SecPrivAca Tip: I always have my passwords (about 10) saved in iPhone “Notes” which I can access easily, and also I carry a hard copy with me for ease of use when I travel. I have no need for encrypted password services. My password system works like this: It must be at least 15 digits, starts with a capital letter, i.e. “F”, using two easy to remember words, i.e. “Go dog” (the second word encompassed by symbols), followed by four digits, i.e. “1234”, and ending with two digits (a letter and number), i.e. t2. The security you have is that the four digit easy to remember numbers and the last two security digits are never written down or saved in iPhone “Notes”.
Example: “Easy pay” would be Easy#pay#1122g9. This method allows you to remember any password, and it would take centuries to crack.
These are fabulous suggestions. Thank you
@@AMC-eq3jr So if the actual password is Easy#pay#1122g9, your Notes would just say "Easy pay" and you remember the rest? I don't think I could handle the mental load of that. Please clarify, if I misunderstood your concept.
@@AMC-eq3jr Not sure I followed your method either. Care to further explain?
What is your experience with passphrases?
Don't copy/paste your passphrase into a website, ever, please! Or key log it at all, for that matter!
Great point. Thank you