
A brewery telling their employees to not drink the product while at work?


It'd be more analogous if it were a brewery telling interviewees not to drink during the interview


If only there were many jobs that mandate drinking alcohol to enhance your capabilities...


Probably true for social media bubbles. For traditional media, not really. E.g. the largest newspaper gets regular accusations of taking sides (in their comments section), but the complaints seem to come from all sides equally. Except for the nationalist party, but over 80% of us probably thinks they have earned the critique they get.


Satellites.


Figuring out patterns and behaviors, developing a strategy that works on them.

My competitive FPS experience is from Quake/Quake 2/Early CS era, but from what little gameplay I've seen the modern ones don't seem that different.


> barks up the wrong tree (“Japanese flair”)

It just knows more than you. Google says:

katakana letter tu (U+30C4) - ツ


I used the expression “barks up the wrong tree” on purpose. I know the character is Japanese, but that’s not how it’s being used.


PDFs are a crappy experience on most devices that are not made of paper.


Crappy ≠ scary.

Also, crappy only applies if you insist on using the wrong device for viewing them (pro tip: don't use a phone). Otherwise, the experience is superior.


Nah, on landscape displays too. I often find myself scrolling back up to get to the start of the right column of text.


You will need a display that can show the full page comfortably, that is true, but a 27-inch monitor or a large iPad will do.

I'd prefer something more flexible than PDF as well, but all alternatives compromise on quality and/or ease of use. There seems to be no market for good looking digital documents other than PDF.


People are definitely running dictionaries against password hash leaks. Both examples look like they might be in a dictionary.


So what?


So the user remains at risk in the time between the leak and the time the company discovers it and resets all passwords, which could be months. It might not really be relevant for most sites and for most users, and you might argue that if the hash database is compromised you have other things to worry about, but it's something to consider.


Why is it my responsibility to keep my data secure? You (the ~1+bil dollar company) should be responsible for that if my password is 65 characters of gibberish or `111`.

I just find it funny that my bank doesn't say to reset my bank website password if my identity gets stolen or there's fraudulent charges on my account. They go after the root of the problem.


I'm not sure I know which side of the debate you're on, but the analogy that comes to mind is if you put your watch on a shelf in Walmart, they're supposed to protect it for you? It's absolutely your responsibility to lock your doors at night even if the bank currently owns your home.

People are walking around trying car doors at night and people are throwing dictionaries and tables at log in forms. Would you blame the bank if someone guessed your password of 1234? How are they supposed to tell it isn't you?


So the service you used this password at gets its password hashes leaked. Your account is one of the (admittedly many) low-hanging fruits that gets used for whatever else someone might be using it for.

I suppose, if it's some random forum, they could just post some bot spam with your account and get you banned, no big deal. You'll live.


Ah! That's a good point. I had been considering a hash leak to be equivalent to a plaintext password leak, where you're screwed no matter the entropy. But I guess you have a fair point: a high entropy password could prevent your password from being cracked even under that scenario. So you could have a point here.

We could explore that further: are there any recent examples of this happening? Is cracking password hashes still hard, given modern GPU hardware techniques? This could help us establish what "low" actually means when I say "low threshold."


Yes, it still happens pretty regularly, but in recent years people have gotten a lot better at using libs, so passwords are salted and hashed with a slow algorithm, which substantially increases the difficulty of hash attacks by making it computationally expensive to hash every password. These days it's not uncommon for it to take months or years to crack 50% of the passwords in a dump. If your password has sufficient entropy, it may never be cracked. Modern GPUs can parallelize across their numerous cores, but statistically a brute force isn't going to work. Hybrid dictionary attacks are where it's at, and if your password is random (pseudo-random) then a dict attack won't work.

Modern password hashing is very good.
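
The two schemes contrasted in the comment above (an unsalted fast hash versus a salted, deliberately slow one), as an added example that is not part of the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash; the 600,000-iteration count and 16-byte salt are assumed parameters, and the candidate list used for the rate measurement is constructed. The point it shows is the one the commenter makes: the slow hash cuts the number of guesses per second by orders of magnitude, and the per-user salt means every hash has to be attacked separately.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters (not from the thread): a 16-byte random salt and
# 600,000 PBKDF2-HMAC-SHA256 iterations, the OWASP-recommended minimum
# for that construction at the time of writing.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def hash_fast_unsalted(password: str) -> str:
    """The weak scheme found in many older dumps: one unsalted SHA-256.
    Every user with the same password gets the same hash, and the whole
    dump can be attacked with a single pass over a candidate list."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_slow_salted(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash. The stored string is self-describing
    ("scheme$iterations$salt$digest") so the cost can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, seconds: float = 0.25) -> float:
    """Rough single-core rate at which this machine can evaluate hash_fn.
    The candidate list is constructed; only the ratio between schemes matters."""
    candidates = ["password1", "letmein", "hunter2", "correcthorse"]
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(candidates[count % len(candidates)])
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_slow_salted("hunter2")
    print("stored record:", stored)
    print("correct password verifies:", verify_slow_salted("hunter2", stored))
    print("wrong password rejected:", not verify_slow_salted("hunter3", stored))
    fast = guesses_per_second(hash_fast_unsalted)
    slow = guesses_per_second(hash_slow_salted)
    print(f"unsalted SHA-256: ~{fast:,.0f} guesses/s on one core")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: ~{slow:,.1f} guesses/s on one core")
    print(f"slowdown factor: ~{fast / slow:,.0f}x")
```

A GPU narrows the absolute numbers but not the ratio: the slowdown factor is a property of the hash construction, which is why a dump protected this way takes months rather than hours to crack at any meaningful rate.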


> is cracking password hashes still hard, given modern GPU hardware techniques

Yes, if the entropy is high enough. What else would be the point of salting and hashing passwords?

There's no known way to reverse major hash algorithms like SHA-256 or bcrypt; you have to try all the combinations. So you have to do exponential work in the amount of entropy whereas GPUs only give a constant factor speedup over CPUs.

If this ever changes (e.g., someone breaks SHA-256 or bcrypt) you will definitely see it as the #1 story on HN (and probably pretty prominently in mainstream media too).


You ask a yes/no question, someone says "yes", you say "so what?". You should have just started there. "So what if someone gets my email and password for whatever website?"

So in your very specific contrived scenario that a user is using weak passwords but never reusing them, yes they are fine provided the site with the leaked account data realizes this and makes you reset your password.

But we already know that in reality most people reuse weak passwords. If your reused password was a passphrase that wasn't in the dictionary and couldn't be brute forced in a reasonable time, then you would be fine.


My point with this thread is that if you're focusing on entropy, you're wasting your time. It doesn't matter beyond some threshold, which I argue is quite low. It doesn't matter if it takes 500 years or 5000 years to crack your password, no one's doing it so long as it's beyond (say) 3 months of CPU time.

It would be better to focus on easy and unique, than to focus on entropy.


The measure of uniqueness is effectively entropy (entropy = log base 2 of the number of possible passwords). Ease of use is just unnecessary (for entropy purposes) padding on top of that (constraints on symbol sets, order, etc). The necessary threshold is entirely dependent on your threat model, combined with the risks that your use cases are exposed to when using the password.

Your point that using entropy-rich passwords is foolish is incorrect most of the time, and even if it weren't, people's general understanding of where specifically to draw that line is generally significantly underestimated as a collective. The evidence of this is the amount of data breach information available, and the actual attacks which are available using this information.

Service breaches happen where the password database is insufficiently secured, and that often correlates strongly with insufficient protection of the password hashes. This means that low entropy passwords can be cracked and used for a period of time before the data breach is discovered. Entropy (and MFA) are the only protections against that.

56-bit DES was cracked in a day in 1999. Your passwords should definitely have more entropy than that. Probably around 80 bits is enough (about 16 alphanumeric characters or so). Your much lower threshold on entropy is insufficient for pretty much any reasonable threat model except public access.
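
The arithmetic behind the comment above (entropy = log base 2 of the number of possible passwords, and the earlier point that GPUs only give a constant-factor speedup against an exponential search), worked through as an added example that is not part of the thread. The guess rates per GPU are constructed order-of-magnitude assumptions used only to show how a slow hash and extra bits interact, and the generation schemes compared are likewise constructed; the same formula covers passphrases, where the "alphabet" is the word list and the "length" is the word count.

```python
import math

# Constructed order-of-magnitude guess rates (candidates per second on one
# commodity GPU). These are illustrative assumptions, not measurements.
ASSUMED_RATES = {
    "unsalted SHA-256 (fast hash)": 1e10,
    "bcrypt, cost 10 (slow hash)": 1e5,
}

YEAR_SECONDS = 365.25 * 24 * 3600


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one uniformly random symbol: log2 of the alphabet size."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols, in bits.
    For a passphrase, alphabet_size is the word-list size and length the word count."""
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches target_bits from this alphabet."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate; the expected time to hit one random
    password is half this. Each extra bit doubles it, while a faster
    attacker only divides it by a constant."""
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    if seconds >= YEAR_SECONDS:
        return f"{seconds / YEAR_SECONDS:.3g} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.3g} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


def crack_estimates(bits: float) -> dict:
    """Exhaustive-search time for a password of `bits` entropy under each assumed rate."""
    return {name: seconds_to_exhaust(bits, rate) for name, rate in ASSUMED_RATES.items()}


# Constructed schemes to compare: (label, alphabet size, length).
SCHEMES = [
    ("4-digit PIN", 10, 4),
    ("8 lowercase letters", 26, 8),
    ("56-bit key (DES-sized space)", 2, 56),
    ("16 alphanumeric characters", 62, 16),
    ("6-word passphrase from a 7776-word list", 7776, 6),
]

if __name__ == "__main__":
    print(f"alphanumeric characters needed for 80 bits: {symbols_needed(62, 80)}")
    for label, alphabet, length in SCHEMES:
        bits = entropy_bits(alphabet, length)
        print(f"\n{label}: {bits:.1f} bits")
        for name, secs in crack_estimates(bits).items():
            print(f"  {name}: {human_duration(secs)} to exhaust")
```

Run it and the shape of the answer is what matters, not the exact figures: under these assumptions a 56-bit space falls to a fast hash in days, while the same space behind a slow hash, or a few dozen extra bits behind any hash, pushes the search past any attacker's patience. The numbers only hold for uniformly random choices; a human-chosen passphrase with predictable substitutions has far fewer effective bits than the formula suggests, which is why the comments here stress generated or dictionary-resistant choices.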


Yes I agree that the passwords should be unique, easy to type manually when you have the need, and some minimum threshold of entropy is nice to have.

I have no idea what that minimum should be though. Aren't passwords cracked with GPU? I admittedly have no clue about this, but it sounds right to me lol. Assuming they are, a 4090 can probably guess a hell of a lot of passwords per second. I've had the same generated strong Reddit password for like 15 years, what are GPUs going to look like in the next 15?

The last time I had to implement password login for something we just followed NIST guidelines and called it a day.


It depends on what "easy" means to you, but assuming some minimum level of "easy" I would agree. I typically encourage people to think in pass phrases instead of pass words, like the xkcd[1] except throw some personal variances in there. A substituted misspelling, a fake word, intersperse some meaningful numbers, (basically anything to make the standard dictionary attack algorithms fail at generating your password).

[1]: https://xkcd.com/936/


Says so, in the first bullet list of the article.

"Larger vehicles may drive over the center islands for tight turns."


"Nothing is risked by ChatGPT when it is prompted and generates text."

This is just not true. Too much BS and it risks getting shut down.


There is the question of why ChatGPT should be fazed by that. It doesn’t have survival as an innate motivation.

ChatGPT “risks” many things in the sense that its output has consequences in the real world, regardless of whether it has consequences for ChatGPT itself.


Not arguing against the philosophy here, but wouldn't sufficiently unpredictable make it indistinguishable from free will, for practical purposes?


No. Does a browser have free will? No, it's bound to either the instructions from the OS/Processor or the user input.


> Does a browser have free will?

I feel like a browser is lacking some other prerequisites that disqualify it from being a good example in this case. At least my browser doesn't claim to be conscious.


Who cares if it's conscious or not. Chemistry and physics are the same everywhere. Your atoms are not magical.

