Be part of this game-changing moment in Bitcoin's history! Join the revolution and learn more at https://bitcoinprediction.info/

One way to mitigate the risk of a Password breach is to stop using passwords and start using randomly generated passphrases. A passphrase is a combination of words. A good example can be found on the [EFF dice words website](https://www.eff.org/dice). For most applications, they suggest using 6 words randomly chosen by rolling 5 dice. Each word has a corresponding combination of 5 numbers from. 1-6. In other words, they are generated by dice(That's D6 dice for all the nerds out there)Here is an example of a strong passphrase that is easy to memorize.

pacifist-area-unfiled-demeaning-rundown-oblivion

It would take a computer about 200 ocrodecillion years to brute force this passphrase so it is highly unlikely to get cracked before the sun goes all supernova.

Here's how it works:

- Step 1: roll 5 dice

![dice]()

- Step 2: Find the coresponding word:

In this example, our dice rolls are 2-6-1-3-1

- Step 3: Find the coresponding word in the eff dice roll list:

![exceeding]()

- Repeat this 6 times.

- Step 4: Write this down on paper. I like waterproof paper made by [Rite in the Rain](https://www.riteintherain.com/). This is not an affiliate link. I don't make any money off of them. I just like them because they are waterproof and easy to hide. You can also etch the password on military grade steel.

- Step 5: Use this password password for your passphrase manager like Vaultwarden.

Each character is really a binary number so your passphrase is just a big random number to the computer. This number is hashed with SHA256 or something. If you're really smart, you can calculate this with a pencil and paper, but I use computers and calculators. [Xorbin](https://xorbin.com/tools/sha256-hash-calculator) is one of the easier tools, but this can be done in bash using the hash library too. Be aware, typing an actual passphrase you use into any website might be a [phishing](https://en.wikipedia.org/wiki/Phishing) scam. Don't try to use this for anything you are worried about losing.

Here is the hash we get from the 6 words above:

a41c5312e2957462f9f81597088c1c943c11e864b462cddf49dc55145707b69a

## Sweet, Sweet Salt

![salt](

This hash is stored on a server, and most passwords add salt these days, at least I hope they do. If we add the word salt at the end. We get this hash:

4a66e2aa58a54d10dd8121bc3e044f57535ed29155115ad75267cca05fb749a2

This is because changing one character in a hash drastically alters the output. If you `sha256sum` my full name, you'll get this hash:

`

'0024f0a28bf81851ed8490c4e87173f8790bd9d8ea9423442114d25ad7137f51'

Check out those two [hashcash](http://hashcash.org/) like leading zeros!

If we append my name with 1, the hash becomes:

e418ca6ef08c88613da1a131d1991de10982249df94081dabce2b4d2ab72cbb2

It's totally different! I wish math in high school was this fun.

The actual passphrase or password is not actually stored on the server. That would be a [honeypot](https://en.wikipedia.org/wiki/Honeypot_(computing)). There are lists of hashs of pwned passwords. So if your password is `Password123`

Any hacker worth his salt would know if they had access to the hash of that passwo4rd:

`008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601`

*See those sexy leading hex zeros again?*

The server added some salt to this password, a black hat hacker wouldn't easily recognize the horrible password, "Password123". It offers a little protection, but this is still very easy to [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) so you still don't want to use it.

### I'm Too Lazy To Roll Dice And Can't Remember 10,000 Passphrases?

I don't roll dice for every passphrase. *Ain't nobody got time for that*. I also don't remember the passphrase to every website I sign up for. That's why I recomend usin a use a **password manager** like vaultwarden [VaultWarden](https://vaultwarden.us/)). If you don't want to hassle with running your own server, bitwarden does the same thing. Last I checked, they only charged $10.00 a year for the premium plan, but it might have changed. They both allow you to:

- Create passwords and passphrases.

- Add special characters, numbers and capital letters.

- Check if your password was [pwned](https://www.merriam-webster.com/dictionary/pwn).

For example, "password1" was breached 3,339,722 times. If this is your password, you might want to change it.

"Blink-182" was breached 1,810 times. This password would meet most policies. It has a capital letter, special character and a 3 numbers. Where did we go wrong? Blink 182 is a popular punk band. Of course 1,810 people and one hacker thought of this. Think your safe if you change a number? Think again. "Blink-183" was pwned 16 times. Changing the numbers are also not a good idea due to possible dictionary [attacks](https://www.kaspersky.com/resource-center/definitions/what-is-a-dictionary-attack).

I run my VaultWarden using [Start9](https://start9.com/) and it is also available on [Umbrel](https://umbrel.com/) and [Yunohost](https://apps.yunohost.org/catalog)

Let's try our six word passphrase we created earlier.

"pacifist-area-unfiled-demeaning-rundown-oblivion"

This password was not found in any breaches. It should be safe to use. Well...except I put it on the [clear net](https://en.m.wikipedia.org/wiki/Clearnet_(networking)), but you get the idea.

##### Other Risks

Okay, we have a strong password, but that's not the only threat. A bad guy could trick us with a [spear phishing attack](https://www.csoonline.com/article/566789/what-is-spear-phishing-examples-tactics-and-techniques.html) or someone installs a [keylogger](https://www.malwarebytes.com/keylogger) onto our computer. Now what do we do? **Be prepared like a boyscout**. This is where it's a good idea to use 2fa or two-factor authentication. I like [Aegis](https://getaegis.app/) There are others like Google Authenticator or physical devices like YubiKeys, but I like Aegis becauseyou can create backups. YubiKeys were cool, but [this](https://www.msn.com/en-us/news/technology/yubikey-fido-authenticators-could-be-abused-through-unpatchable-cryptographic-flaw/ar-AA1q03kR) happened and I'm not sure if that's been resolved yet.

Securing your login with 2fa means one password us an insufficient amount of information to gain access to your account. The attacker would need to pwn the password and your phone to gain access. While not impossible, this is much more difficult.

Here's a Dad joke created by the Duck Duck Go's free AI chatbot.

`Why did the password go to therapy?

Because it was feeling a little "insecure".`

✌️

https://marcleon.work/pgp

862,887

The corporate press wouldn’t ever tell the good parts of nostr:npub1exv22uulqnmlluszc4yk92jhs2e5ajcs6mu3t00a6avzjcalj9csm7d828

I use Simplex to speak with survivors of human trafficking, DV and SA for work. I don’t particularly trust many other ways of communicating with survivors privately. There are many abusers in positions of power, law enforcement, governments, entertainment, intelligence agencies, gangs etc. I use Simplex to protect the survivors as much as possible and myself. I had to learn the hard way while serving multiple survivors of Epstein-Maxwell as an advocate how important tools like Simplex can be. I’m sure that you can imagine given the news as of late that survivors need tools like Simplex right now more than ever. Survivors are often hacked, stalked, threatened into silence and harassed. Survivors deserve privacy and strong encryption.

I don’t know who else uses the app but I wanted to share how I use it and why.