Surveillance Report



Q&A: Deciding on the Best Password

Q&A215: How do we decide on password criteria such as length, complexity, passphrases, etc? What cryptid would we be if we could pick? What do we think about the Simulation Hypothesis? How does Nate use Qubes? Are there any privacy benefits to hosting your own Monero node?

Welcome to the Surveillance Report Q&A - featuring Techlore & The New Oil answering your questions about privacy and security.

Video Version: https://youtu.be/6kBf99eUQuo

(00:00) Introduction

(00:43) Password Considerations

(05:15) Qubes Workflows

(09:49) What Cryptid Would We Be?

(12:24) Thoughts on the Simulation Hypothesis

(14:58) Running Your Own Monero Node

---

🙋 Go ahead and leave some questions below for us to look at for SR216 this weekend! (Note: We record on Friday nights in the US, so it's highly recommended to leave all questions by noon on Friday in the US)

It can be about a specific story, a general question about privacy/security, a question about the world, a question you tried last week, or anything else. Due to time constraints we can't promise that we'll get to yours, but we appreciate all of them!

To receive these posts via RSS, get your own custom link using these instructions.


Comments

99% of this went over my head. I was never good at math. I based my "same entropy" comment on comparing the entropy according to KeePassXC, where I would generate a few passwords and passphrases of various lengths and compare the typical range of entropy that it told me, so if I'm wrong blame them lol -N

Surveillance Report

YouTube ate my comment, so I'll try again here.

128 bits of entropy are enough for a password, unless somebody converts the entire mass of the sun to a maximally efficient computer. I can't link them, but there are some good discussions on security.stackexchange as to why. That actually corresponds to only a 20-char password, assuming it's randomly chosen with an alphabet of upper and lower case letters, numbers, and 32 possible special characters. That's 94 possible characters in total, so the calculation is:

20 * log2(96) = 131.7

If you don't use special characters, it goes up to 22 characters.

One thing I have to pick you up on though: a 4-6 word passphrase is nowhere near the entropy of a 40 character password! The updated diceware dictionary has 46,656 words, which means a 6 word passphrase would have 6 * log2(46656) = 93 bits. A 40-char password, even if you just use the 26 lower case letters, has 188. If you wanted to get that with just 6 words, you'd need a dictionary of 2^(188/6) = 2.7 billion words!

It sounds like you're using the zxcvbn-based entropy estimation tools built into a lot of password managers, but these are highly misleading. They're intended for human-selected passwords and don't apply to randomly chosen ones. It's something that password managers really need to make clearer.

Esquilax
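Nate's comment above compares KeePassXC's entropy readouts, and Esquilax's reply works the numbers by hand. As an added example, not code from either commenter or from the show, here is that arithmetic in Python: entropy of a uniformly random secret as picks × log2(choices), the length or word-list size needed to hit a target, and generators that draw from `secrets` so the computed figures actually hold. It assumes the 94-character printable-ASCII alphabet (26 lower, 26 upper, 10 digits, 32 symbols) and the 46,656-word list size the reply quotes; the figures shift slightly if a different alphabet size is used. The toy word list is constructed here only so the passphrase generator runs offline.

```python
import math
import secrets
import string

# 26 lower + 26 upper + 10 digits + 32 symbols = 94 printable ASCII characters;
# string.punctuation is exactly those 32 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALNUM_ALPHABET = string.ascii_letters + string.digits
LOWER_ALPHABET = string.ascii_lowercase

# Word-list size quoted in the comment above for the updated diceware list (6^6).
DICEWARE_WORDS = 46656

# Constructed stand-in for a real word list so the passphrase generator runs
# offline; a real diceware/EFF list has thousands of entries, not eight.
TOY_WORDLIST = ["apple", "bridge", "candle", "dune", "ember", "forest", "glacier", "harbor"]


def entropy_bits(picks: int, choices: int) -> float:
    """Entropy of `picks` independent, uniformly random picks from `choices` options.

    This is the right measure for machine-generated secrets. It says nothing
    about a human-chosen string, which is what zxcvbn-style estimators target.
    """
    if picks < 1 or choices < 2:
        raise ValueError("need at least one pick from at least two options")
    return picks * math.log2(choices)


def picks_needed(target_bits: float, choices: int) -> int:
    """Fewest uniform picks from `choices` options that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def dictionary_size_needed(target_bits: float, words: int) -> int:
    """Word-list size a `words`-word passphrase needs to reach `target_bits`."""
    return math.ceil(2 ** (target_bits / words))


def random_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password; `secrets` uses the OS CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist: list[str]) -> str:
    """Uniform random passphrase; its entropy is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    n = len(FULL_ALPHABET)
    print(f"20 chars from {n}: {entropy_bits(20, n):.1f} bits")
    print(f"chars for 128 bits, full alphabet: {picks_needed(128, n)}")
    print(f"chars for 128 bits, alphanumeric: {picks_needed(128, len(ALNUM_ALPHABET))}")
    print(f"6 diceware words: {entropy_bits(6, DICEWARE_WORDS):.1f} bits")
    print(f"40 lowercase chars: {entropy_bits(40, 26):.1f} bits")
    print(f"words needed for 188 bits at {DICEWARE_WORDS}/list: {picks_needed(188, DICEWARE_WORDS)}")
    print(f"list size for 188 bits in 6 words: {dictionary_size_needed(188, 6):,}")
    print("example password:", random_password(20))
    print("example passphrase:", random_passphrase(6, TOY_WORDLIST),
          f"({entropy_bits(6, len(TOY_WORDLIST)):.0f} bits with the toy list)")
```

The toy list makes the point the thread is circling: six words drawn from eight candidates is 18 bits no matter how long the words are, so a passphrase's strength comes from the list size and the uniform draw, not from what the string looks like afterwards.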

Two technical questions, and one opinion question about recent stories:

What Linux VPS providers do you use/recommend in terms of good privacy and security (and affordability)? Darknet Diaries advertises Linode (which is now part of Akamai) and it seems like a convenient and easy-to-use option, but what are your opinions on the matter, and what has your experience been with the options you've tried?

What do you think about the usefulness for privacy of regularly creating new accounts and deleting old ones on big-tech surveillance capitalism web platforms that are too convenient to pass up entirely (e.g. shopping, streaming)? Most of them seem to be following a "CARDAD" type of strategy: current account retention, dormant account deletion. After all, the user's data's worth to advertising comes from what they can sell you now, not what they might have sold you in the past. So, they are unlikely to pine over what they might have sold you years ago, looking at their nearest salary bonus period instead.

Have you seen the talk "From Pegasus to Predator - The evolution of Commercial Spyware on iOS", and to what extent do you think e2ee debates end up being a red herring that diverts attention and mitigation efforts from monitoring for and patching against endpoint spyware? After all, there seem to be 2 broad types of crooks: (1) petty and disorganised ones (the numerical majority of criminals) who can probably be nabbed in lots of different ways without requiring any fancy tools, and (2) highly organised kingpins who can pay to have existing FOSS e2ee solutions compiled for them personally (for example, Pegasus poster child El Chapo Guzman, who did just that per court testimony, hiring devs to set up and run a private server for comms), thereby bypassing any institutions that may be subject to backdoor laws, rendering such laws irrelevant. Even the dismembered journalist you mentioned was tracked with Pegasus according to Darknet Diaries, not by intercepting his communications in transit.

David Johnson

Have you guys had an example of trying to switch over to a more private alternative software solution but gave up because the process was far too complicated or there were way too many issues getting it to work?

Cracker Barrel Biscuits
