Assume I follow the EFF’s instructions for generating a secure password and produce the word list HURT, WEIGH, CHAIRS, BOOKS, HORSE, 8492. Would I decrease the password’s strength if I were to rearrange and slightly tweak the words to produce a more memorable phrase like “HorsesWeighBooks&8492ChairsHurt”?
In principle the answer is yes - you would slightly decrease the entropy in the passphrase, and thus its strength. Anything that reduces the ‘randomness’ component of the password in principle makes it slightly more subject to attack. So the idea that a ‘more memorable’ ordering of the words reduces the number of possible orderings of the constituent words means there is slightly less randomness present. So an attacker might prefer attacks against ‘more memorable’ orderings of words ahead of ‘less memorable’ and thus gain a slight advantage in cracking the password.
All the above is in principle. In reality it makes not a jot of difference.
Yes. Rearranging, tweaking, or rerolling until you get a set of words you like reduces the strength of your passphrase. Exactly how much is hard to calculate.
The passphrase you find more memorable is very likely to be one lots of other English speakers think is more memorable too. Attackers try to guess your password by trying more common/memorable combinations from the wordlist first, and then will have a better chance of getting your password than if you take the list as generated.
In reality a 6 die passphrase is probably enough overkill (assuming decent hashing/salting on the system’s part) that you’re still good. So many people use such god-awful passwords that you’re likely still among the last few percent cracked. Unless you’re a high-value target (celebrity, high-level politician, etc) I wouldn’t worry about it. The bigger issue you’ll have is a lot of systems limit your password to much fewer characters than your passphrase uses.
The worst are systems that don’t tell you about the password character limits and just quietly truncate your password. That could leave you with a two or three common English word password … that gets cracked very quickly.
No, the worst are systems that quietly truncate passwords when you’re setting them, but not when you’re logging in, and so not only is your password insecure, but you can’t even log in, either.
I’m not sure about that. In your case you at least know you have a problem…
Four replies and no link to the relevant XKCD yet?
As a quick and dirty empirical estimate, I generated a bunch of random passphrases, and I liked about 1 in 10. If my preferences were completely predictable, my selections would reduce the password space by ~10-fold. That shouldn’t be a big deal if you start with a very large password space, where 10-fold (or even 100-fold) reductions will still leave you with a plenty strong password.
Rearranging words in a passphrase could be more harmful. For a six-word phrase, there are 720 possible permutations. Worst case scenario, if rearranging is perfectly predictable, you just went from a password space of ~2^77 to ~2^68. Practically speaking, that should still leave you with a password that’s plenty good enough for ordinary use.
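The entropy arithmetic in this post, together with the silent-truncation problem raised earlier in the thread, worked through as an added Python example (not code from any poster). It assumes the EFF long list of 7776 words, treats the original poster’s six dice outputs as six equally likely tokens, and uses a hypothetical guess rate for the timing figure:

```python
import math

# Size of the EFF long word list (five dice, 6**5 entries) - an assumption;
# the thread does not say which EFF list was used.
EFF_LONG_LIST = 7776

# The OP's reordered phrase "HorsesWeighBooks&8492ChairsHurt", split into the
# six dice outputs it was built from (constructed from the question; the "&"
# is kept attached to the number so the joined string matches the phrase).
TOKENS = ["Horses", "Weigh", "Books", "&8492", "Chairs", "Hurt"]


def passphrase_bits(n_words, list_size=EFF_LONG_LIST):
    """Entropy of n_words independently rolled tokens from a list_size list."""
    return n_words * math.log2(list_size)


def bits_after_reorder(n_words, list_size=EFF_LONG_LIST):
    """Worst case from the post above: the attacker knows which of the n!
    orderings the user would pick, so log2(n!) bits are lost (log2(720) ~ 9.5)."""
    return passphrase_bits(n_words, list_size) - math.log2(math.factorial(n_words))


def bits_after_selection(n_words, keep_ratio, list_size=EFF_LONG_LIST):
    """Worst case for rerolling until you like the result: if the attacker can
    predict which fraction of phrases you would accept, the search space shrinks
    by that factor (keep_ratio=0.1 -> about 3.3 bits lost)."""
    return passphrase_bits(n_words, list_size) + math.log2(keep_ratio)


def surviving_tokens(tokens, limit, joiner=""):
    """How many whole tokens remain when the joined passphrase is silently cut
    to `limit` characters at set-password time (the truncation case from the thread)."""
    used = 0
    kept = 0
    for i, tok in enumerate(tokens):
        used += len(tok) + (len(joiner) if i > 0 else 0)
        if used > limit:
            break
        kept += 1
    return kept


def bits_after_truncation(tokens, limit, list_size=EFF_LONG_LIST, joiner=""):
    """Entropy left after truncation. A partially surviving token is ignored,
    which is the conservative estimate from the defender's side."""
    kept = surviving_tokens(tokens, limit, joiner)
    return kept, passphrase_bits(kept, list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given rate; the rate is the caller's assumption."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Hypothetical offline guess rate; chosen only to give a feel for the scale.
    RATE = 1e10
    full = passphrase_bits(6)
    print(f"6 words as generated:     {full:5.1f} bits")
    print(f"memorable reorder (n!):   {bits_after_reorder(6):5.1f} bits")
    print(f"kept 1 in 10 rerolls:     {bits_after_selection(6, 0.1):5.1f} bits")
    kept, trunc = bits_after_truncation(TOKENS, 16)
    print(f"silently cut to 16 chars: {trunc:5.1f} bits ({kept} whole tokens survive)")
    print(f"exhaustive search at {RATE:.0e}/s: full {seconds_to_exhaust(full, RATE):.1e} s, "
          f"truncated {seconds_to_exhaust(trunc, RATE):.0f} s")
```

The reorder and selection penalties are worst cases, which is why the post’s ~2^68 figure is still comfortable; the truncation line is the one that matters in practice, since a 16-character cap quietly turns the phrase into three dictionary words before any attacker preference is even considered.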
Shoehorn butterhorse, the password1 for the new age.
Just a reminder that the classic thread is from an earlier new age.
The worst are systems which can conveniently email you your password if you forget, or email you your password on signup, or email you your password after it’s been changed, but, of course, never email you your password when their database was illegally copied because they don’t know it’s been copied but they do know your password and now the attacker does, too, because they were capable of emailing you your password.
And, of course, they, all doe-eyed and innocent like an architect whose building just collapsed in a massive earthquake which measured 2.5 on the Richter scale, had absolutely no idea what they were doing wrong, or how it could ever be a problem, or how anyone, anywhere could argue against the convenience of being able to email people their passwords.
Or e-mail your password to anyone who can tell them what street you lived on as a kid or what your mother’s maiden name is.