Hacker News: mackatap's comments

If you live in some tiny EU city or a small US town then sure. It's unrealistic for 99% of Americans. My girlfriend lives 17 miles away. My job is 12. I rode a bike when I lived in a town small enough that I could ride a bike across it and most of the roads were residential.


If x owned the entire street then yes. It isn't even remotely a good comparison.


You mean like youtube owning gaming, music etc?


Reddit has grown large enough to lose any identity it once had. It used to be tech literate, now it is really just the average population.


Same goes for me on the timing. If I take it more than an hour before I lay down to sleep it will not help me at all.


If the ai doomers win then Nvidia will become nationalized and compute power will be heavily regulated, preventing any individual from having local ai.


That's a huge bit of a stretch, US Congress doesn't control the rest of the world. The general US public will either be left behind or VPN subscriptions will rise.


For a solo indie dev it is far more than enough. There are solutions to any physics problems you encounter. The 3D in Godot 4 is quite beautiful.


I completely agree. It feels very dirty. You take away the source of income for the creators to earn an extra dollar for yourself.


s/to earn an extra dollar for yourself/to fund your project, in a privacy-preserving way, to make the internet a better place/.


So it’s okay to take away the creators' income and replace it with your own just because your project “makes the internet a better place”, whatever that subjective tagline means?

The criticism is well deserved imo. It’s a sleazy move from Brave.


Is it not sleazy that ad networks track us everywhere we go?


How many impressions would you need to cover even a $20 monthly hosting bill, never mind feed yourself or pay rent?


Out of genuine curiosity, I decided to run a few numbers to really find out what it would take for ads alone to support a website and the single developer (no family, no debts, just rent, food, utilities, and hosting).

Hosting: $20/month
Rent: $800/month (single room studio, if lucky enough to find one)
Food: $200/month (likely should be higher due to recent inflation)
Utilities: $150/month
Total: $1370/month

Typical PPM (Price Per Mille) for ads: $6/1000 ads = $0.006

$1370/$0.006 = ~228,333 ad impressions per month.

You could reduce the number of required visitors by shoving more ads into the page (3 or more), but even with 3 ad impressions per visit, you'd still need about 76,166 visits each month. That's over 7,600 visits every single day!


I never enter or remember any of the passwords bitwarden generates for me, I have an app and an extension for that.


The password in question here is the master password for your bitwarden account. Bitwarden can't remember that for you.


This is about the password you use to log into BitWarden itself.


But what if you need to enter it somewhere that doesn't support it? A physical device, a VM that doesn't allow copy and paste, a mobile app without support for copy/paste or password managers...

All those scenarios happen for me every couple of weeks and it's what's keeping me from using really long passwords with high complexity.


Using a passphrase is the way to go. Easy to type, remember, and more secure.

Obligatory xkcd: https://xkcd.com/936/


You're assuming that a) a passphrase is acceptable to the system/app and b) that people can competently pick words for a passphrase.

That damn XKCD is overly simplified at best. I really wish people would stop linking to it.


Please elaborate, how can you pick bad words for a passphrase? (Except obviously a movie title or an everyday sentence)

Like, if I go "street bologna drawer sunset fang", did I do well?


Popular movie quotes or lines from books with minor iterations are bad choices. They are somewhere out there and not as safe as one might think. A completely random choice of words is good, but it is not feasible to remember random passphrases for all of your accounts.

Other common methods include appending a particular character to each word or to alternate words... creating a pattern of sorts, but this again makes it difficult to remember, which was the reason why we preferred passphrases instead of passwords in the first place.


> Popular movie quotes or lines from books with minor iterations are bad choices. They are somewhere out there and not as safe as one might think.

In English. Not all books in all languages ever published are "somewhere out there".


> Not all books in all languages ever published are "somewhere out there".

I mean, they mostly are or can be. What's the point on relying on "nobody happened to catalog the book I copied my passphrase from"? Are you going to check every week that nobody uploaded it to an archive site?

There's easier schemes that don't rely on that.


For smaller languages the steps would be:
- Somebody would have to digitize an old book without mistakes.
- Somebody would have to publish it online.
- Somebody would have to scrape and archive that.
- Somebody would have to transliterate it to Latin script.
- That transliteration would also have to be the same transliteration I'm using.

It's unlikely it will be done for a lot of languages.

> There's easier schemes that don't rely on that.

Remembering random words is hard. This is how we got into this in the first place.


> Remembering random words is hard. This is how we got into this in the first place.

It's really not. You just make a story out of it. My memory is quite crap, I'm still able to remember the ~3 passphrases I actually need, and I'm able to rotate them as required.


There's some things that are obviously bad: popular movie quotes, slightly less bad (but still bad): any quote from anything ever produced in any medium.

Some things that are obviously good (you can calculate the entropy easily): diceware style schemes, generated with dice or a secure random generator.

For anything in the middle it's quite hard to say. Humans are really bad at being random, so words you pick out of your head I'd be fairly suspicious of. But it's hard to prove it's a bad idea.


Considering length is key in computing “strength”, I’m curious how using a long dialog from a movie might make it bad? Presuming you account for the full 95-character entropy set (numbers, upper/lower letters, special characters) and padding¹, then how would an attacker know that a failed phrase failed because it was the wrong phrase or because they forgot to add some padding that is still unknown?

From a dictionary/rainbow table perspective I'm curious how they would know to include the following in their lookup tables before going full number crunching mode:

  TO be or NOT two be - that is the question!!!!!!!!!!7872665398
Bitwarden² suggests this is strong, as does GRC Haystacks¹. Thoughts?

¹ https://www.grc.com/haystacks.htm

² https://bitwarden.com/password-strength/


The only entropy that has is:

1) the choice of quote. Say that's in the top ten quotes ever, so something like 3 or so bits of entropy.

2) the modifications and additions to the quote. Really depends what the scheme is, but a few bits for which words are capitalized (~4), a few bits for where the hyphen is (~3), a few bits for how many bangs (~4), and a bunch of bits for which number goes on the end (~30ish). Some bits to account for the scheme itself and its choices too, but I don't know how to put a number on that.

Do you see how little is actually coming from the quote? Your passphrase might as well just be "95!!!!78726653980" and if anything that's _easier_ to remember.

Compare against something like a diceware passphrase. _All_ of the entropy comes from the passphrase part, the part that's easy to remember and trivial to calculate how secure it is.

So a quote is bad because you can _make_ it secure, but you making it secure is just throwing crap at it until it's no longer functionally a quote in any real way. It's secure the same way a blank password is.
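The entropy accounting in the comment above, and the "you can calculate the entropy easily" point about diceware a few comments earlier, as an added example that is not part of this thread. A scheme built from independent choices has entropy equal to the sum of log2 of each choice's pool size; the pool sizes below (10 quotes, 16 capitalisation patterns, 8 hyphen positions, 16 bang counts, a 9-digit suffix, 10,000 names, 100 years of dates) are assumptions mirroring the estimates in the thread, the toy wordlist is constructed, and the real diceware list size of 6^5 = 7776 words is the one documented fact used. `secrets` stands in for the dice so the picks are uniformly random.

```python
import math
import secrets

# Constructed toy wordlist for the demo; a real diceware list has 6**5 = 7776 words.
TOY_WORDLIST = [
    "street", "bologna", "drawer", "sunset", "fang", "lunar",
    "anchor", "copper", "violet", "meadow", "ripple", "thunder",
    "saddle", "pebble", "harvest", "lantern",
]
DICEWARE_LIST_SIZE = 6 ** 5  # five six-sided dice select one word


def scheme_entropy_bits(pool_sizes):
    """Entropy of a password built from independent choices: sum of log2 of each pool size."""
    return sum(math.log2(size) for size in pool_sizes)


def diceware_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Each word is an independent uniform pick, so it contributes log2(list_size) bits."""
    return scheme_entropy_bits([list_size] * num_words)


def generate_diceware(num_words, wordlist=TOY_WORDLIST):
    """Pick words with a CSPRNG (secrets), the software equivalent of rolling dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


# Assumed pool sizes mirroring the comment's estimates for the modified-quote scheme:
# 10 candidate quotes (~3 bits), 16 capitalisation patterns (~4), 8 hyphen positions (~3),
# 16 bang counts (~4), and a numeric suffix of up to 9 digits (~30).
QUOTE_SCHEME_POOLS = [10, 16, 8, 16, 10 ** 9]

# Assumed pools for a "name + birthdate" pattern: 10,000 common names and
# every day in a 100-year window.
NAME_DATE_POOLS = [10_000, 100 * 365]


def expected_guesses(bits):
    """On average an attacker finds the password after searching half the space."""
    return 2 ** (bits - 1)


def compare_schemes(guesses_per_second=10 ** 10):
    """Return {scheme: (bits, expected years to crack)} for the schemes discussed above."""
    results = {
        "modified quote": scheme_entropy_bits(QUOTE_SCHEME_POOLS),
        "name + date": scheme_entropy_bits(NAME_DATE_POOLS),
        "diceware, 4 words": diceware_entropy_bits(4),
        "diceware, 6 words": diceware_entropy_bits(6),
    }
    seconds_per_year = 365 * 24 * 3600
    return {
        name: (round(bits, 1), expected_guesses(bits) / guesses_per_second / seconds_per_year)
        for name, bits in results.items()
    }


if __name__ == "__main__":
    print("sample toy passphrase:", generate_diceware(6))
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:20s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

Running it shows the point of the comment numerically: almost all of the ~44 bits in the quote scheme come from the bolted-on number and punctuation, not the quote, while six diceware words give about 77.5 bits with nothing to invent. Change `guesses_per_second` to whatever rate your threat model assumes for offline cracking of the KDF in use.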


What I don't get with this argument: why does the quote only give 3 bits of entropy? Are the cracking algorithms so good that they know to try "or not to be" after they get to "to be"? Also, as far as I remember you can't get a "you are partially there" result. Either you get the password or not. So they wouldn't know that "to be" are the first five chars.

Even for bad pw parts which could be traced back to me. Let’s say I use my girlfriend's name, surname and birthdate. If someone targets me directly, definitely a bad idea. For a random bruteforcer or even a dictionary attack with rockyou.txt, as an example, it wouldn't change a thing.

Or do I miss something here?


> what I don't get with this argument, why does the quote only give 3 bits of entropy?

Good question. 3 bits is based on the part I mentioned where "to be or not to be" is one of the top 10 quotes. log(10) is about 3. The reasoning for this is that this quote is going to be in a "dictionary" your attacker has. 10 is probably a bit unfair on my part, because an attacker is probably really going to be guessing from a larger pool of quotes, but it ends up not mattering _too_ much. If their pool of quotes is 1000 long, that's more like 10 bits of entropy (still far, far too little on its own).

> Are the cracking algorithms so good that they know to try "or not to be" after they get to "to be". Also, as far as I remember you can't get a "you are partially there" result. Either you get the password or not. So they wouldn't know that "to be" are the first five chars.

Yeah, it's not based on anything like this. Assuming whoever implemented the password input (bitwarden in this case) isn't _maliciously_ incompetent, an attacker would get no information from a partially-correct password guess.

> Even for badly pw parts which could traced back to me. Let’s say I use my girlfriends name, surname and birthdate. If someone targets me directly, definitely a bad idea. For a random bruteforcer or even a dictionary attack with rockyou.txt, as an example, it wouldn't change a thing.

This is not completely wrong, but somewhat incomplete. Names and birthdates/years (or dates in general) are both really common parts of passwords. So an attacker will have a dictionary of common names (or ~all names, there's not that many of us), and every date that's possible to be important to someone.

So that already reduces the entropy a lot. And yeah it's bad enough if someone targets you directly that it's just a horrible idea.

The other problem with schemes like this: if you're using a password of that form, you're probably reusing it multiple places. This allows any site you have an account at to trivially access any _other_ place you have an account at. Really, really bad news.
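The all-or-nothing property the reply above relies on (a partially correct guess yields no signal), as an added example that is not part of this thread. A bare SHA-256 stands in for the password hash purely for illustration; real password stores use a slow, salted KDF (Argon2, PBKDF2, bcrypt), but the verification logic is the same: the whole digest is compared in constant time, and a near-miss guess produces a digest that differs in roughly half its bits. The inputs are constructed.

```python
import hashlib
import hmac


def digest(password: str) -> bytes:
    # Illustration only: a real store would use a salted, slow KDF here.
    return hashlib.sha256(password.encode("utf-8")).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify(stored_digest: bytes, guess: str) -> bool:
    """Constant-time comparison of the whole digest: no timing leak, no partial credit."""
    return hmac.compare_digest(stored_digest, digest(guess))


def partial_credit_demo(secret: str, near_miss: str) -> dict:
    """Show that a guess sharing almost every character with the secret learns nothing."""
    stored = digest(secret)
    return {
        "near_miss_accepted": verify(stored, near_miss),
        "exact_accepted": verify(stored, secret),
        "bits_changed_of_256": differing_bits(stored, digest(near_miss)),
    }


if __name__ == "__main__":
    # Constructed inputs: the guess differs from the secret only in its last character.
    print(partial_credit_demo("to be or not to be", "to be or not to bf"))
```

The `bits_changed_of_256` figure lands near 128 for any one-character change, which is why an attacker cannot grow a guess prefix by prefix: the only feedback is accept or reject for the entire string, and `hmac.compare_digest` keeps even the rejection time independent of how many digest bytes happened to match.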


Thanks for the clarification. I guess I somehow underestimated the extent of the dictionaries "available".

...and probably how they extend their search patterns.

P.s.: I wouldn't use the pattern in my example... :-)


Bitwarden also allows you to generate a random passphrase, which is pretty nice for those situations where you want to be able to manually type in the password.


Bitwarden generates good pass phrases though.


it's about the master password


I asked just now the same question. The first word it listed was lunar. It listed 4 other words that end in "ar" that were all 5 letters, but did not have an N.

