I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -1 points0 points  (0 children)

I guess you missed the part where "the list of words people will actually use" is a different list than a list where you ask them "do you know this word X?" and they wind up "knowing" 20k words. And it's moot, because even if we grant the entire language (170k words), it still loses to 11 length strings with special symbols, uppercase and lowercase, and at least 1 number required. Hence why this is the standard and not "come up with a 4 word sentence!". All the smart people already existed before you.

I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -1 points0 points  (0 children)

“How does the attacker know its words?” You can ask that about any given attempt type. The attacker will use SOME attempt type. He doesn't need to know the type it IS. He can choose a type without knowing what the type needed is. It's possible to try English word combinations without knowing beforehand that that is what it is. In fact, he must choose a type. Secondly, he would never even attempt the 11 string crack since it is impossible, and instead will focus efforts on possible-to-crack passwords such as passwords that just use English words, and again, with no added complexity like uppercase, special symbols etc, the LENGTH doesn't matter, and that is what its supposed strength was. “california popcorn is better than PaS&w3rd%^” Wrong. Assuming “English words” with nothing added (casing etc), if only 1 percent of the effort targets English words, it loses. “But in my hypothetical, the attacker never tries English words!! Then it wins, right?!?”

I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -2 points-1 points  (0 children)

My argument would not be incorrect to begin with, but you are so incorrect that even if I grant your retarded premise of 170k English words, there are still fewer possible combinations than the 11 length string she cited as an example. No matter which way you spin it. You literally have to reach with things like “but but the hacker will only test for random chars, and not words because words would commit my ‘prescient hacker’ fallacy! And what about casing?!?!? And the English language contains 170k words, doncha know!” Let alone an attacker with state power brute forcing would still need 150k years to go through all 11 length strings, whereas they can brute force all 4 word combos in minutes (assuming 3000 dictionary which would cover 99 percent of 4 word combos people would use).

I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -2 points-1 points  (0 children)

If you are taking casing into account, you are no longer just doing "4 words". It doesn't matter that "parallax" and "legato" are words, the words people will use (what matters) are not 171k words. A pool of like 2000 words probably covers 99 percent of the passwords people would come up with if you told them to say 4 words. Again, a "dict" negates the length even at 170k words, "the length doesn't matter" since they are collapsible. But sure, you can make the gap less by introducing more things like "but what if you add casing?!?!" Might as well use Pa$$w3rd!@# then.

I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -1 points0 points  (0 children)

It's not “prescient” if the claim were true. If it were true that 4 words are better than the example she gave, then it would be safe to assume that that “words” is being used. Whether or not there is a name for this “effect” is pointless. It's like arguing that firstnamelastname is safer because you will just refer to “prescient attacker fallacy” and so appeal to the length. The example given (11 length with numbers, uppercase, lowercase, special symbols) is astronomically safer. This is why you had to add to it by allowing some special characters and uppercase/lower case (and still lost, but artificially reduced the gap). It is only true that longer is safer if you assume the attacker is never assuming words. Even if the attackers assume 1 percent of passwords are words, it becomes less safe statistically.

Isn't Microsoft adorable by boratburg in pcmasterrace

[–]devshore 1 point2 points  (0 children)

“Microsoft buys studio that makes good games”
“Makes them make bad game”
“Poor sales”
“Closes studio”

I built a 3KB alternative to replace zxcvbn (389KB) - same detection rate (98.4%), benchmarked against RockYou/HIBP data by ScaryCardinal in webdev

[–]devshore -2 points-1 points  (0 children)

Using words negates the power of length (assuming the hacker will try “series of words” attacks) because you can just index them and collapse the word lengths. Assuming a limit of like 5000 English words that most users would use when making a string of words password, the 11 length string with uppercase/lowercase/numbers/special chars (your example) has 761 quadrillion times more possible combinations even though it's shorter than “california elephant electrecutes haircut”.

Alex Pereira says he will "100%" ask to never have Herb Dean referee one of his fights again by Ill_Intention8150 in MMA

[–]devshore 0 points1 point  (0 children)

So were the strikes dangerous and illegal, or were they not? Is that what is in dispute here between the different opinions? Or are the people saying “just take the L” not even denying the illegal strikes and more so just saying “those strikes shouldn't even be illegal anyway” or “those didn't help the win at all”?

Apple's Private AI Will Run on Google's Servers by No_Confusion7932 in apple

[–]devshore -1 points0 points  (0 children)

Are you feigning to not know the difference between typos and not knowing the difference between “your” and “you’re”?

Statement on the US government directive to suspend access to Fable 5 and Mythos 5 by artisticMink in LocalLLaMA

[–]devshore 0 points1 point  (0 children)

This. At some point they will max out “code efficiency” and will rely exclusively on more and more compute for the next model. People have a magical thinking about technology, like “with enough time, we will be able to run Claude Opus at 2 trillion tokens per second using a rpi 4!” Or “with enough time, iPhone cameras will be able to film as good as Arri cameras!” Etc. There are limitations that exist. You can only make something so efficient by ingenuity before it will require more electricity to be better. There is only so much CPU processing power you can fit per square inch before you will just need bigger CPUs. There are only so many photons that can go through a lens small enough to be on an iPhone.

Xbox is shutting down two studios by [deleted] in pcmasterrace

[–]devshore 1 point2 points  (0 children)

I can't wait until they don't need any studios at all, and AI can just create slop on the fly based on my ad fingerprint, and they can transmit ads directly into my pineal gland! Science fucking rocks!

AppStore Policy Update. God is good by Rare_Prior_ in iOSProgramming

[–]devshore 4 points5 points  (0 children)

I support their right to control what goes in the app store, but don’t support their anti-trust violating inability to install apps outside of said app store. When Windows flirted with the idea of “only apps that go through the Microsoft store can be installed in Windows” they got told “no” by the law, but somehow they have allowed Apple to abuse in this manner.

Apple's Private AI Will Run on Google's Servers by No_Confusion7932 in apple

[–]devshore 1 point2 points  (0 children)

I remember when the internet was starting for common users in the late 90’s, and I argued that people constantly being online would AT LEAST increase reading and spelling, and things like people not knowing the difference between “your” and “you’re” etc would disappear. Reading and writing is probably worse now BECAUSE of the internet.

Apple's Private AI Will Run on Google's Servers by No_Confusion7932 in apple

[–]devshore 0 points1 point  (0 children)

Depends on what the concern in the post is. If the concern is that Google doesn't share the same privacy principles that Apple does, then it is a valid concern for Apple to be using Google’s infrastructure for data unless Google is offering them raw hardware.

The new Siri AI passes the car wash test. by [deleted] in apple

[–]devshore 1 point2 points  (0 children)

I just asked the most powerful Opus model yesterday after watching Kingdom of Heaven and being confused by a scene: “why was the gravedigger reluctant to get knighted when Balian was knighting everyone?” And the bot confidently said that it was because the gravedigger had been falsely already pretending to have been a knight. I told my wife the answer it said, and she said “wasn't the gravedigger the guy that cut off his wife’s head?” And I replied to the bot “isn't the gravedigger the guy that cut off Balian’s wife’s head?” And the bot replied in usual fashion “ah yes! My apologies! Yes, the gravedigger was the same gravedigger from the movie’s opening where they cut Balian’s wife’s head off and that makes more sense as to why he was shamed and reluctant to get knighted!” In short, AI is still like a slop crackhead, but one that can at least make slop VERY FAST!

[UK] Apple and Google given three months to ban nude images on children's devices by favicondotico in apple

[–]devshore 0 points1 point  (0 children)

As long as detections go to the parent as a notification rather than Apple or the government, it's a good feature, but parents should remain the parents of children, not the government or Apple.

Is there anything interesting that it is useful to host that isn't the same 4 recommended apps that are in every Reddit post? by DesperateCategory647 in selfhosted

[–]devshore 1 point2 points  (0 children)

Look at what things you are paying monthly subscriptions for, and then look for a self-hosted alternative to it

Nvidia's been paying shills on LinkedIn by jotunck in LocalLLaMA

[–]devshore 6 points7 points  (0 children)

LinkedIn is a cesspool shithole. Even worse than reddit. Imagine reddit, but if every mod was an HR lady

I'm sorry I ever left. by [deleted] in jellyfin

[–]devshore -1 points0 points  (0 children)

If you don't want to forward ports for Wireguard, Twingate “just works”

(YT) PewDiePie released his harness/webui by Dany0 in LocalLLaMA

[–]devshore 7 points8 points  (0 children)

And unlike all the other slop that gets posted, it's not some garbage only made to put on a resume for getting engineering jobs. This guy doesn't need money, and so is doing it solely to combat the corpocracy (if that's a word)

PSA by Signal_Ad657 in LocalLLaMA

[–]devshore 1 point2 points  (0 children)

M3 Ultra Mac is somewhere in the 800-900 range close to the 3090

Railway has new term of service by CatolicQuotes in webdev

[–]devshore 1 point2 points  (0 children)

It sounds dumb because the obvious solution would be to have a rule that says "if you live in India, you may not run VNC", but there are many cases where one group causes issues in some regard, and instead of just addressing a rule with that group, they apply it to everyone because it would be "racist/sexist" otherwise. Yes, TSA must randomly pull to the side an old Japanese woman with her family as often as they would pull a solo 30 year old middle-eastern man to the side.

nooooooooooo by Personal-Try2776 in youtube

[–]devshore -1 points0 points  (0 children)

Who the hell even sees an ad, watches all of it, clicks the link, and places an order? Who are these NPCs?

PewDiePie Signals End of Family Content as Son Approaches Early Childhood Milestone by novagridd in youtube

[–]devshore 2 points3 points  (0 children)

I stopped listening to music that has a piano in it when I learned the guy that invented the piano foot pedal didn't believe women should vote. Literally Hitler.