I thought that was the problem at first too. But unless there are fields that are searchable but not visible at all to end users I have definitely found many cases where the term (and no stemmed version of it etc...) was in the listing.
Not to mention that Amazon search is happy to ignore most of the words in your search. So you end up sorting through pages of results that don't match. Absolutely infuriating and one of the reasons that Amazon is my last choice now. Someone decided that it was unacceptable to show "no matching results" and lost my business.
What I do is take a capture of the page, then if they haggle on the refund I can clearly show that the product is not the one I ordered.
I don't even know if that counts as on at all. It is really just laid on top partially covering it.
Yeah, but my point is that I use my master password enough that random characters are still memorable while being faster to type. For me personally there isn't really a use case where the easier memorability is worth the extra characters to type. But of course everyone is different, so it is good that this system is laid out for them with a great guide.
Yeah, that is what I meant by "strength of the hash". Probably should have been more clear. Basically the amount of resources it takes to calculate the hash will have to be spent by the attacker for each guess they make. So if it takes 1s and 100MiB of RAM to decrypt your disk it will take the attacker roughly 1s and 100MiB of RAM for each guess. (Of course CPUs will get faster and RAM will get cheaper, but you can make conservative estimates for how long you need your password to be secure.)
It is a good technique to be sure, but I haven't found it useful in my everyday life. In practice 99% of my passwords are stored in my password manager. I only remember like 3 passwords myself. For those I want them to be easy to type as I do it semi-regularly (whenever I turn on my computer or phone, my phone sometimes re-verifies, ...). These may be slightly easier to remember but end up being much longer. I find that I don't have issues remembering the 3 passwords that I actually regularly type.
In fact I recently switched my computer passwords to be all lowercase, just to make it easier to type. I've offset this reduced entropy by making them longer (basically shift+key is similar entropy to key+key and easier to type, especially on phones or on-screen keyboards).
The recommended 6 words produces incredibly strong passwords. The equivalent with all lowercase would be 16.5 characters. Personally I went for 14 characters and in my threat model that is very very secure. But this will also depend on your attack model. If it is a disk encryption password or other case where you expect that the attacker can get the hash then it will depend on the strength of the hash and possible attacker's computing power. If it is protected by a HSM that you trust you can get away with short PINs because they have strict rate limits. Any decent online service should also have login rate limits reducing required entropy (unless the leak the hash without resetting passwords, then see the above point where the attacker gets the hash). All of my memorized passwords fall into the category of needing very strong security but I still found that remembering a random character password that only only took about a week when entering it once a day.
Technically yes. But the method is by far strong enough that this isn't an issue. This is sort of always the issue with calculating entropy. We say that password has less entropy than 8(A>Ni'[. But that is baking in assumptions about the search space. If password is a randomly generated string of lower, upper, numbers and symbols it is just as secure as the latter. (80^8^ ≈ 10^15^ candidates) but if password was generated as just lowercase characters it is far less secure (26^8^ ≈ 10^11^ candidates) but if it was a random dictionary word it is not very secure at all (≈ 10^5^ candidates) and if it was chosen as one of the most popular passwords it is even less secure. How can one password have different entropy?
The answer is basically it matters how the attacker searches. But in practice the attacker will search the more likely smaller sets first, then expand to the larger. So the added time to search the smaller sets is effectively negligible.
What may be more useful is the "worst case" entropy. Basically the attacker knows exactly what set you picked. For the password case that is 1 because I just picked the most common password. For the rolling method described above it is 6^5^6^ ≈ 10^23^ because even if they know the word list they don't know the rolls. You may be able to go slightly higher by building your own word list, but the gains will probably be fairly small and you would likely get far more value just by rolling one more word on the existing list than spending the time to generate your own.
select a set of words from the list
I would be very careful doing this. It is very easy to introduce significant bias. Humans are terrible at picking random numbers.
If you can't find dice I would recommend:
- Having a computer pick random items for you.
- Renumber the list into binary and flip a coin 12 times for each word. (This results in a slightly shorter word list but should be string enough).
If you want to use proprietary apps the best option is probably dumping the APK from your "Googled" phone then sideloading it onto the new phone. However it may be difficult to keep up with updates unless you have a dedicated phone to download them.
It's never too early. If you see an interesting job posting reach out and go thorough the process. At worst you learn a bit about what they were looking for and gain some interview experience. At best you get a job offer. Even if you decide not to take the offer you learn a bit about the positions available to you.
It costs effectively nothing to apply. Just a few hours of your time.
Wow, that captcha is impossible.