
FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one. "The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary," said Mr. Kocher. Hackers will often test passwords from a dictionary or aggregated from breaches. If your password is not in that set, hackers will typically move on.

NEVER USE THE SAME PASSWORD TWICE People tend to use the same password across multiple sites, a fact hackers regularly exploit. While cracking into someone's professional profile on LinkedIn might not have dire consequences, hackers will use that password to crack into, say, someone's e-mail, bank, or brokerage account where more valuable financial and personal data is stored.

COME UP WITH A PASSPHRASE The longer your password, the longer it will take to crack. A password should ideally be 14 characters or more in length if you want to make it uncrackable by an attacker in less than 24 hours. Because longer passwords tend to be harder to remember, consider a passphrase, such as a favorite movie quote, song lyric, or poem, and string together only the first one or two letters of each word in the sentence.

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. "That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don't know it."

STORE YOUR PASSWORDS SECURELY Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you're toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password. Mr. Kocher takes a more old-fashioned approach: He keeps password hints, not the actual passwords, on a scrap of paper in his wallet. "I try to keep my most sensitive information off the Internet completely," Mr. Kocher said.

A PASSWORD MANAGER? MAYBE Password-protection software lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you in to sites as long as you provide one master password. LastPass, SplashData and AgileBits offer password management software for Windows, Macs and mobile devices. But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. "If someone steals my computer, I've lost my passwords." Mr. Grossman said he did not trust the software because he didn't write it. Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked.

IGNORE SECURITY QUESTIONS There is a limited set of answers to questions like "What is your favorite color?" and most answers to questions like "What middle school did you attend?" can be found on the Internet. Hackers use that information to reset your password and take control of your account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney's Hotmail and Dropbox accounts using the name of his favorite pet. A better approach would be to enter a password hint that has nothing to do with the question itself. For example, if the security question asks for the name of the hospital in which you were born, your answer might be: "Your favorite song lyric."

USE DIFFERENT BROWSERS Mr. Grossman makes a point of using different Web browsers for different activities. "Pick one browser for 'promiscuous' browsing: online forums, news sites, blogs - anything you don't consider important," he said. "When you're online banking or checking e-mail, fire up a secondary Web browser, then shut it down." That way, if your browser catches an infection when you accidentally stumble on an X-rated site, your bank account is not necessarily compromised. As for which browser to use for which activities, a study last year by Accuvant Labs of Web browsers - including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer - found that Chrome was the least susceptible to attacks.

SHARE CAUTIOUSLY "You are your e-mail address and your password," Mr. Kocher emphasized. Whenever possible, he will not register for online accounts using his real e-mail address. Instead he will use "throwaway" e-mail addresses, like those offered by 10minutemail.com. Users register and confirm an online account, which self-destructs 10 minutes later. Mr. Grossman said he often warned people to treat anything they typed or shared online as public record.

"At some point, you will get hacked - it's only a matter of time," warned Mr. Grossman. "If that's unacceptable to you, don't put it online."


A good one I've found is to use a word from another language, an Eastern European, Asian etc... something that can be spelled out on an English keyboard, then using numbers to replace certain letters... but alas, xendrome does also make a good point

  • Like 1

The problem is that most people have too many accounts and it's hard to remember all the passwords. They choose the easy way, which is to have the same password for pretty much all accounts. The way I do it, I have all passwords different for each account, but it's still easy to remember them all.

Just create one complex password (mix lower case, upper case, numbers, special characters ... etc...). Then you can add the last two letters (or 3, up to you) based on the account. Pick one logic, so you won't forget.

E.g. my password is sAmpL3pa55.

So if I have an account with Hotmail, and I pick the first and last letter, my password is now sAmpL3pa55hl

For newegg, I have sAmpL3pa55ng

... and so on.

This is the easy logic to have a different password for each account you own, and you still have strong passwords.

"That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don't know it."

I think that in this situation it would be probably better to give them the password and have the chance to live. You might end up dead anyway, but at least it's a chance.

This:

password_strength.png

If you REALLY want to test your password strength (all client-side javascript), try this one, it's amazing at analyzing password strength: https://dl.dropbox.com/u/209/zxcvbn/test/index.html

  • Like 2

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. "That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don't know it."

That's a great way to get yourself killed; assuming you're ever in a situation like that. Nobody in this day and age has an excuse to make a password based off a word that can be found in a dictionary or something such as "12345." People that do this honestly deserve to be hacked.

password_strength.png

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The best password advice I've seen to-date is this https://www.grc.com/haystack.htm

The problem is that most people have too many accounts and it's hard to remember all the passwords. They choose the easy way, which is to have the same password for pretty much all accounts. The way I do it, I have all passwords different for each account, but it's still easy to remember them all.

Just create one complex password (mix lower case, upper case, numbers, special characters ... etc...). Then you can add the last two letters (or 3, up to you) based on the account. Pick one logic, so you won't forget.

E.g. my password is sAmpL3pa55.

So if I have an account with Hotmail, and I pick the first and last letter, my password is now sAmpL3pa55hl

For newegg, I have sAmpL3pa55ng

... and so on.

This is the easy logic to have a different password for each account you own, and you still have strong passwords.

the problem with that is that attackers actually take this into account as well, and if you look at the recent high profile cracks a lot of users do append the site's name (or a derivative thereof) onto a "general" password and it's no better because the pattern is trivial to figure out. now, part of it could be mitigated if everyone actually used sane password storage practices, but that seems to be quite a rarity.

  • Like 3
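
The point made in the reply above can be checked against your own password list. This is an added example, not code from any poster: a small audit that flags account pairs whose passwords are a shared base plus a tail taken from the site name. The function names, the `min_base` threshold and the "bank" entry are assumptions made for illustration; the Hotmail and newegg values are the sample passwords from the thread.

```python
from itertools import combinations
from os.path import commonprefix


def is_site_derived(suffix, site):
    """True if the suffix letters occur, in order, inside the site name."""
    remaining = iter(site.lower())
    # 'ch in remaining' consumes the iterator, so order is enforced.
    return all(ch in remaining for ch in suffix.lower())


def audit_vault(vault, min_base=6):
    """Flag account pairs that are identical, or that are one shared base
    of at least min_base characters plus a site-derived tail."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            findings.append({"sites": (site_a, site_b), "issue": "identical"})
            continue
        base = commonprefix([pw_a, pw_b])
        if len(base) < min_base:
            continue
        tail_a, tail_b = pw_a[len(base):], pw_b[len(base):]
        if is_site_derived(tail_a, site_a) and is_site_derived(tail_b, site_b):
            findings.append({
                "sites": (site_a, site_b),
                "issue": "base+site-suffix",
                "base_len": len(base),
                # Characters that actually differ per site; everything
                # else is disclosed by a leak of either account.
                "unique_chars": (len(tail_a), len(tail_b)),
            })
    return findings


# Constructed sample vault: the first two entries are the thread's own
# example passwords, the third is a made-up unrelated random password.
SAMPLE_VAULT = {
    "hotmail": "sAmpL3pa55hl",
    "newegg": "sAmpL3pa55ng",
    "bank": "v9$Tq!r2Lx0c",
}

if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT):
        print(finding)
```

For the sample vault the audit reports that the Hotmail and newegg passwords share a 10-character base and differ only in 2 characters each, both readable off the site name.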

Not really. They still have to figure out the complex password that you create. My logic is the easy way to have diff passwords for each account. I don't recommend people to create a simple one and attach the site name after like 123newegg.


I think people are being a little paranoid here. There are over 6 billion people in the world. There is security in just the sheer number of people who use computers. No one cares about an individual person unless you're really important. As long as you make your passwords reasonably hard to guess there should be nothing to worry about.


sure it's unlikely that someone would individually target you, but when a huge corp's databases leak and you have a weak/non-unique password, you bet the attackers will take advantage of that. they won't care who you are, but they will care about your bank account.

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The math is easy. Can you explain why he's wrong?

Assume I use diceware and assume I give you the dictionary that I used to generate passwords (7776 words). Assume I tell you my password is at most 6 words long. Calculate the key space taking into account what you know:

7776^6 = 2.2E23

Compare to a 12 character "random, but easily typed character" password: a-zA-Z0-9 and all of the typical symbols: !@#$[];',. etc. Let's just call it 80 characters.

Sigma(n=1,12) 80^n = 7.0E22

So 6 random words from a dictionary that the attacker knows is an order of magnitude larger search space than 12 random characters.

My comparison assumes the 'best case' for random passwords: brute force search of the entire key space. I also assumed the worst case for diceware passwords (the attacker knows exactly which words are valid in my password, that I used only lower case letters to type them, that it's exactly 6 words long - not 4, not 7) and still diceware is better than 12 random digits by a large amount. Bumping it to 16 random characters vs 6 random words does not erase the advantage diceware has if you allow me a minor change like "maybe I don't use spaces" or "maybe I capitalize some words".

The XKCD comic restricted the comparison space - he assumed the attacker knew the strategies in both cases and tuned his algorithm accordingly. He was also considering the common advice to start with a random word and modify it some way - that ends up in a much smaller amount of entropy than a purely random password. I tried to correct for these shortcomings in my example just to show that his advice still holds.

In his example and looking at his concerns (how hard is it to generate and memorize a strong password) things favour the random words approach even more. If the attacker doesn't have information about what passwords should look like and they resort to brute forcing the entire a-z0-9+symbols search space then the longer password will be stronger - that tends to favour diceware for the reason he highlighted.

The best password advice I've seen to-date is this https://www.grc.com/haystack.htm

Using your recommended site to evaluate passwords:

First I used diceware to make a 6 random word (The minimum recommended length) password:

  • Password: cash party island beset waxen coil
  • Search Space: 1.65E60
  • Massive Cracking Array Scenario: 5.23 trillion trillion trillion centuries

Note that the advantage calculated here is much higher than in my example because here he's assuming the attacker only knows that he has to search a-z+spaces, not that he can restrict his key space to combinations of a specific list of 7776 words.

Using keychain to generate a 12 character random password:

  • Password: zXn6(iy77&:r
  • Search space: 5.23E23
  • Massive Cracking Array Scenario: 1.74 centuries

Assume compute speed doubles every year and that 1.74 centuries starts looking pretty damn small. If you're sending 'sexy pictures' with a 12 character password to a mistress now - they'll be pretty easy to crack (1 month) in 10 years when your wife is looking to divorce for a history of cheating. What are the odds those files end up lying about on a gmail account waiting for a subpoena?

In order to reach the same "durability" as I had with diceware I had to use a 30 character random character password. That seems to demonstrate exactly the point Randall was making: a few random words is just as strong and infinitely easier to memorize than random passwords or using a common strategy of mangling an uncommon word in predictable ways.
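
The two attacker models used in the post above (word list known versus character-set brute force) can be put side by side in code. This is an added example, not the poster's or the calculator's own code; the function names are made up here, and the 59-character alphabet for the passphrase (26 lower-case letters plus 33 symbols, with the space counted as a symbol) is an assumption about how the calculator counts that reproduces the 1.65E60 figure quoted in the post.

```python
import math

DICEWARE_LIST = 7776   # word-list size given in the post
TYPED_CHARSET = 80     # "let's just call it 80 characters", from the post
PASSPHRASE = "cash party island beset waxen coil"  # sample from the post


def wordlist_space(list_size, words):
    """Guesses needed when the attacker knows the list and the word count."""
    return list_size ** words


def brute_force_space(alphabet, max_len):
    """Guesses needed to try every string of length 1..max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def bits(space):
    """Search-space size expressed as bits of entropy."""
    return math.log2(space)


def chars_to_match(target_space, alphabet):
    """Shortest random-character length whose brute-force space is at
    least target_space."""
    length = 1
    while brute_force_space(alphabet, length) < target_space:
        length += 1
    return length


def summary():
    """Compute the post's figures under each attacker model."""
    known_list = wordlist_space(DICEWARE_LIST, 6)
    random_12 = brute_force_space(TYPED_CHARSET, 12)
    # Same passphrase, but the attacker only knows "lower case + symbols"
    # and searches character by character (assumed alphabet of 59).
    charset_only = brute_force_space(59, len(PASSPHRASE))
    return {
        "diceware_known_list": known_list,
        "random_12_chars": random_12,
        "passphrase_charset_only": charset_only,
        "diceware_bits": bits(known_list),
        "random_12_bits": bits(random_12),
        "random_chars_to_match_diceware": chars_to_match(known_list, TYPED_CHARSET),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        if isinstance(value, float) or value < 1000:
            print(f"{name:32} {value:.2f}" if isinstance(value, float)
                  else f"{name:32} {value}")
        else:
            print(f"{name:32} {value:.2e}")
```

The gap between the `diceware_known_list` and `passphrase_charset_only` rows is the effect described in the post: the same passphrase has a far smaller search space once the attacker is assumed to know the word list.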


you're right, it's not completely the same, but the fact that it's using real words from a dictionary means it's not all that strong either. essentially the difference is between a 4 character password where each character can be one of ~70 choices and a 4 character password where each character can be one of ~10,000 choices (arbitrary example), while yes, it is stronger, it still takes a sane amount of time to crack. an order of magnitude, as you have calculated, is not really that much stronger in terms of passwords. The mistake that Randall made is exactly the one that you pointed out in the haystack calculator that I linked - it doesn't take into account dictionary attacks. Steve Gibson's method, on the other hand, is not vulnerable to a dictionary attack (of course, it might have other weaknesses of its own).

essentially the difference is between a 4 character password where each character can be one of ~70 choices and a 4 character password where each character can be one of ~10,000 choices (arbitrary example), while yes, it is stronger, it still takes a sane amount of time to crack.

What are you talking about - it's like you didn't even read the post.

an order of magnitude, as you have calculated, is not really that much stronger in terms of passwords.

It's the difference between a year and a decade. An order of magnitude is the difference between minimum wage and 1%. Between failing a math class and having the top score.

A 'six word' password is 30,000,000,000,000,000,000,000,000,000x times stronger than a 12 random character password when it comes to resisting brute force attacks; 10x stronger when I give you the dictionary I used, the number of words I used, and the combination method (spaces, all lower case, etc).

If you're not seeing how this is true then you're literally struggling with the concept that 23 > 22.

The mistake that Randall made is exactly the one that you pointed out in the haystack calculator that I linked - it doesn't take into account dictionary attacks.

I pointed out that issue, then did the math for you to show that even if you correct for that mistake you still don't eliminate the advantage of 6-word passwords.

Once again: show the math. Given your difficulty with inequality I can see why you're hesitant to trundle into the lofty world of exponents but I believe in you! You can do it if you try!

Steve Gibson's method, on the other hand, is not vulnerable to a dictionary attack (of course, it might have other weaknesses of its own).

Diceware passwords aren't vulnerable to dictionary attacks in any meaningful sense either. I get the feeling you don't actually know what that term means or how it actually works in practice.

This topic is now closed to further replies.