Requirements for reference
If you can get up to 15 chars I think it says your password is "strong" and above 25 is "very strong", though it doesn't seem to care how wide your keyspace is

i thinks that the entropy increase from 15 to 25 characters is way moar than going from 15 ascii characters to 15 UTF-8 characters, but im pulling it out my arse

>>6799

>>6804
That's not how that works, senpai
Should be (25^127 - 15^127) v. 15^BIG
// 15^BIG - 15^127, rather. You could also just compare 15^BIG to 25^127, but 10^127 + 15^126 =/= 25^127

what the hell is going on here, the entropy is 127^25 - 127^15 vs BIG^25 - BIG^15.
Don't believe me? How many configurations can a 2-digit ascii-password have? one digit is obviously 127. Two digits is 127 possible first characters, and then 127 possible second characters for each given choice of first character. If you did it your way, a one-character password would have 1^127 = ONE bit of entropy. And that's silly.

>>6950 Or think of it this way. One byte will get you up to 127. Two bytes will get you up to 65535. Because a byte is 8 bits. 2^8 - 1 = 255. YES, I REALIZED I MESSED UP BY SAYING IT WILL GET YOU UP TO 127, THANKS. Two bytes will get you up to 2^16 - 1 = 65535. Same principle

Can't recommend it highly enough, but the best password advice is to get a password manager and have it generate your obscenely long random passwords for you. If you want, take a piece of paper and write your password on it and keep it in your wallet. Once you burn it into muscle memory after a few days, dispose of the paper. Password managers move the burden from hacking the password to hacking your computer, at least in the sense that it's easier to get into your computer at this point than it is to crack 30 random characters. It also solves the problem of password reuse across sites which I suspect some of you bunch are guilty of.
Other than that, Google does 2-factor authentication and it's actually very convenient, and the Unity system also has 2FA now.

>>6950
You right. I fell for the trap of correcting one thing and missing a greater error.
Keep always a watchful mind, my friends

>>6952 but wut about the problem of accessing your account across multiple platforms?

>>6954
It's one of those cross-platform apps that kids keep yammering about

>>6959 but in order for the passwords to appear on multiple platforms they must be sent over teh internet tho, amirite?

>>6960
The most sane thing would be to transfer them after a secure handshake: HTTPS or something secure. Since they *are* a securuty company I hope they are doing something like that

I don't use the cross-platform cloud thingy, I just use my own computers. I think OnePass is one of those cloud ones? What they generally do is have some algorithm to derive a key from a passphrase, which usually involves hashing it a couple million times so that it takes a few seconds per password guess. Then your password database is encrypted with that key. The cloud provider holds and gives you the encrypted container for you to decrypt yourself. The problem with it being cross platform is that you either A) have to have a program to decrypt the container, in which case why don't you just use your own computer, or B) The program to decrypt the container is sent as a webapp every time you want to use it. If it's used as a webapp on another computer, then that means if someone compromises onepass, they can send you a malicious version that sends the key back to the hackers once you type in the passphrase, and bam, they have your passwords. This can again be solved by having a local program on your computer, but if you can do that, you can just use your own computer. Basically, cloud services require less trust than just giving them your passwords, but ultimately still place trust on the provider. Practically, this means that if you decrypt your database with a compromised web app, you lose, but this means you need to decrypt it _while the hack is happening_. A hacker can't just go into OnePass and steal all your passwords. They have to wait for you to decrypt (This is similar to the kind of 'trustless' system Lavabit had -- the USG couldn't retroactively steal encrypted emails unless the user typed in their passphrase while the site was compromised)