passwords - easy to remember but hard to crack - would this work?

Over the last 10 years, there have been several cases where hundreds of thousands of plain-text passwords have been exposed. As a result of this, it is now easy to create computer algorithms describing exactly what most (millions of) people mean by “easy to remember but hard to crack” passwords.

Of course, you could be really unique. But nobody else is. For everybody else, no matter what you think of as “easy to remember, but hard to crack”, lots of other people thought so too, and that method of generating passwords is now well-known to anybody who bothers to look at the lists of “millions” of known passwords.

As a consequence, the only secure password is one that is not easy to remember.

By the way, brute force cracking is moving ahead by leaps and bounds. I wouldn’t call anything less than 15 characters secure, and 15 is marginal.

This doesn’t mean someone will guess your password. It means that if Target exposed an encrypted version of your password, all your other accounts better have different passwords.

I see what you mean.

Either way, there’s a moment in time when the server knows the plain text. Presumably this would be transient by design and never stored, but makes me wonder.

You might have problems where some passwords might get leaked to log files. And those log files may be easy to access. 100,000 passwords were stolen that way from an IEEE server. A tale of epic incompetence.

Which is yet another reason to always use different passwords for different sites. It is entirely possible that your plaintext password on some site or another will become known. In fact, there are some wolf-in-sheep’s-clothing sites out there for which that is their entire purpose. When that happens, you want all of your other sites to remain safe.

Going back to my analogy about door locks, I’d argue that if someone asks for help on how best to word their warning note to burglars, it’s better to discuss how to install a door lock.

I agree that you will need a small number of memorable passwords for things like system login and the password manager itself.

Just thought about this - if they’re going to brute-force the passwords, isn’t the safest password zzzzzz? Or, if they’re doing lowercase > numbers > uppercase, ZZY9zy (just to mix it up)?

But seriously, how’s this for increasing security: say you can remember a string of random characters, but it’s not very long - e.g. j7:Do’ so it’s not very secure. How about repeating it as many times as it’ll fit? j7:Do’j7:Do’j7: ? Should I be repeating my passwords to the max length to defend against brute force attacks? It doesn’t require any more memory work.

This is my defense also…

Except that for many websites, you can login with an email. Most people I know would use the same email across multiple sites, so once one is known…

And if you can use the password from cracked website a to access email, then you can just merrily reset passwords to your heart’s content…

The message that this thread seems to keep coming back to is: *any* logical formula or pattern that you use in your password makes it mathematically less secure.

Whether or not that translates into a real-world reduction of security is dependent upon factors outside of your control - that is, the methodologies of the people trying to break the security.

So… those points considered, it’s probably not a good idea.

Less secure? I don’t see how repeating it would make it less secure than the original. If anything, it should be more resistant to brute force attacks.

Ack, stupid smileys.

I just use names of RPG characters I used as a kid. They’re not real words and nobody knows them but me. Throw in a couple of numbers and a character, and you’ve got something that is pretty strong while being easy to remember. Here’s an example (not an actual character name or something I use any part of in any password):

46Endarrian#

Can you use a character from an exotic alphabet? Just copy one into a notepad file and put it on your desktop, and when you need to enter the password, copy and paste the character in. Like this: pass초word4 , which employs a Korean character. Very easy to remember, but very low probability that it would be discovered by trial and error.

It is not just trial and error brute force attacks that you are trying to defend yourself from. If it was, then you could mitigate this risk merely by having a long password.
AIUI, the way that hackers seem to be operating these days is to obtain (from various sources including purchasing) a bunch of hash codes that have been stolen from somewhere (including this site). This is then run through a dictionary attack – dictionary in this case meaning a file that may be 200 million+ words or phrases that have been found in the past to have been included in passwords. Remembering that there are non-English speakers in the world as well as gamers, history buffs, car enthusiasts and whatever, it is a fair guess that the kind of thing that you think up for a password is included in your hacker’s repertoire.
The next phase of the attack is to attempt common permutations and alterations that people employ. You think you have thought of something good? Chances are that a competent hacker already knows about it. Therefore we have devices such as
[ul]
[li]appending or prepending numbers: “password1” “346password”[/li]
[li]appending, prepending or inserting short text, “passworda” “bcpassword” “passdefword”[/li]
[li]common substitutions, “Ṕ4$swѲrd”[/li]
[li]permutations of upper/lowercase: “pAssWORd”[/li]
[li]writing backwards: “drowssap”[/li]
[li]hand shift on keyboard and other Caesar ciphers, “0qww294e” “obttxpse”[/li]
[li]duplication, “passwordpassword” “ppaasssswwoorrdd”[/li]
[li]combining two dictionary words, “anotherpassword”[/li]
[li]combining details from website or other contextual information, “smdbpassword”[/li]
[li]exploiting a pattern that they have noticed you have used before, “passwordmycatisFLUFFY”[/li]
[li]combinations of any of the above attacks or any of a zillion others. One hacker I read had a selection of 1500 algorithms that he would select at random.[/li]
[/ul]
The basic strategy is to hack as many as possible simply and then continue with more and more sophisticated attempts until the rate of cracking passwords ceases to make it worthwhile. Given the possibility of setting up a network of powerful machines and letting them go for a number of days, that may result in a very high percentage of password cracks.

If you need a mnemonic password of some sort, then I think it is possible at present to get something secure – or at least something that is in the final 2% of cracked passwords by which time the hacker is likely to have given up. But then, I am by no means an expert and I am basing this comment on guesswork and a bit of reading. The consensus on these boards (read the rest of the thread) seems to be that you really can’t beat a good password manager if you want to be safe.
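The mangling rules listed in the post above can be run in reverse on the defender’s side: a registration or password-change check that canonicalises the candidate (undoing case changes, leet substitutions, digits or symbols stuck on either end, reversal, doubled letters and whole-string duplication) and rejects it if any undone form is in a breach list. The code below is an added example, not from this thread or any named tool; the BREACHED set and the inverse-leet table are constructed for illustration, and a real deployment would load a large breach corpus of the kind the post describes.

```python
import re

# Constructed miniature "breach dictionary". The real thing, as the post says,
# is a corpus of hundreds of millions of strings recovered from past leaks.
BREACHED = {"password", "fluffy", "dragon", "letmein", "qwerty", "summer"}

# Inverse of the common leet substitutions, so "P4$$w0rd" canonicalises to "password".
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def canonical_forms(pw: str) -> list:
    """Base words that the thread's mangling rules could have produced pw from.
    Each step undoes one rule: case changes, leet substitutions, digits or
    symbols stuck on either end, reversal, doubled letters, whole-string
    duplication. Insertion order is preserved so results are deterministic."""
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)       # "346password1" -> "password"
    forms = []
    for s in (low, core, low.translate(UNLEET), core.translate(UNLEET)):
        half = len(s) // 2
        for f in (s,
                  s[::-1],                               # "drowssap" -> "password"
                  re.sub(r"(.)\1", r"\1", s),            # "ppaasssswwoorrdd" -> "password"
                  s[:half] if half and s[:half] == s[half:] else ""):  # "passwordpassword"
            if f and f not in forms:
                forms.append(f)
    return forms


def weakness(pw: str, breached=BREACHED, min_len=12):
    """Return why pw should be rejected, or None if it passes these checks.
    Exact matches are tested before substring matches so the reason is stable.
    Rules the canonicaliser does not know (e.g. text inserted mid-word, as in
    "passdefword") are not undone, which is why random generation beats any
    fixed set of defensive rules."""
    forms = canonical_forms(pw)
    for f in forms:
        if f in breached:
            return f"mangled form of breached word '{f}'"
    for f in forms:
        for w in sorted(breached):
            if w in f:                                   # "smdbpassword", "fluffyca#"
                return f"contains breached word '{w}'"
    if len(pw) < min_len:
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ("P4$$w0rd1", "drowssaP99", "PasswordPassword!",
                      "Fluffyca#2024", "xt6%J]Rv8N", "slightlydiode<manglebifurcate~"):
        print(f"{candidate!r:36s} -> {weakness(candidate)}")
```

The check is deliberately cheap (a handful of string transforms per candidate), so it can run synchronously at sign-up; the breach list is the only part that needs to be large.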

I have become a fan of the correcthorsebatterystaple method with the following provisos
[ul]
[li]the total length should be fairly long – greater than 16 characters[/li]
[li]there should be at least four words – three might be enough except that you don’t know if two words are not already combined in some hacker’s dictionary out there[/li]
[li]favour words that are not actually that common and preferably words that have meaning only to you[/li]
[li]include something non-alphanumeric to force hackers to employ a larger character set[/li]
[li]choose a structure that does not follow standard English sentence order – something like adverb, noun, verb, verb[/li]
[/ul]
Thus something for the straight dope might be slightlydiode<manglebifurcate~

I think I am safe. At least until hackers step up to another level of sophistry.
Please correct me if I am wrong here. In any case, some of the more recent suggestions in this thread strike me as being rather vulnerable.

I should add that dictionary in this context means a file containing millions of words that have already been discovered in password hacks. Thus “fluffyca#” is probably a dictionary word in this context.
Also as others have stated, you should consider that your username is public knowledge. (It might not be but it isn’t a stupid assumption.) Therefore if your security relies on one password and dozens of different usernames, you are not secure.

I mean less secure than a randomly-generated password - less secure than the ideal - any pattern or logic you use in your password makes it theoretically less secure than the ideal random password of the same length.

Obviously 123123 is a little bit more secure than 123, in the sense that a brute force attack against it takes a little bit longer.

Apparently, here’s someone who lost their Twitter account even though the password is secure. They got access through his email domain.

http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tLmGY

Yes, if you’re going to generate passwords you might as well make them as long as allowed. But for people with passwords already memorized, shouldn’t they repeat them too?

No - if they’re going to make a change, they should change them for long, random ones.

Whilst repeating the same string to pad out a password does provide a little better resistance to brute-forcing, it’s not enough (so recommending that as a solution generates a false sense of security).

xt6%J

is less secure than

xt6%Jxt6%J

which is much less secure than

xt6%J]Rv8N

The first of these is short enough to be vulnerable to a brute force attack even though it draws from a large character set.
The second, at ten characters, is probably outside the range of brute forcing. However, if the first is ever compromised and becomes part of some hacker’s dictionary, then cracking the second is close to inevitable.
The third represents reasonable security IMO. But it is a pain to remember – which is the topic of this thread.

There are satisfactory methods for obtaining memorable passwords, but repetition just isn’t one of them.

I certainly agree. However, IRL, we are often confronted with severe limitations imposed by obsolete software, or security designers who don’t have a clue.

Examples: My bank won’t allow non-alphanumeric characters. Some sites won’t allow passwords longer than 8 characters; others insist on 6-8 characters only. One site I signed on to recently insisted on 1 number, 1 upper case letter, the password cannot begin with a number, and no special characters allowed. Most sites disallow spaces or control characters (why would the processing routines care what ASCII number was used?)

This makes a brute-force cracker’s job incredibly easy, and it’s not the user’s fault.

At one time, it made sense to limit the length to keep it short; storage was expensive and processing long strings took time. Neither of these are good reasons today.
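A small entropy calculator makes both of the preceding points concrete: why xt6%Jxt6%J is barely stronger than xt6%J while xt6%J]Rv8N is in a different league, and how much a site policy that forbids symbols or caps the length at 8 takes away. This is an added example, not from the thread. The log2(rule_count) term generalises the “repeated or not” case to any fixed family of mangling rules (including the 1500-rule set mentioned earlier in the thread): a derived password inherits the base string’s entropy plus the cost of guessing which rule was applied, nothing more. The guess rate used in the demo is an assumed illustrative figure, not a measurement.

```python
import math

PRINTABLE_ASCII = 95   # all printable, non-control ASCII characters
ALNUM = 62             # [A-Za-z0-9], what the bank in the post allows


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a string of `length` symbols each drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def mangled_entropy_bits(base_bits: float, rule_count: int) -> float:
    """Entropy of a password derived from a base string by one of `rule_count`
    deterministic transformations (repeating it, reversing it, appending '1', ...).
    An attacker who knows the rule family pays only log2(rule_count) extra bits
    per base candidate; the transformation itself adds no randomness."""
    return base_bits + math.log2(rule_count)


def policy_bits(length: int, lower=True, upper=True, digits=True, symbols=True) -> float:
    """Entropy available under a site policy that limits the character classes.
    33 is the number of printable ASCII symbols outside [A-Za-z0-9]."""
    size = 26 * lower + 26 * upper + 10 * digits + 33 * symbols
    return entropy_bits(size, length)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def thread_examples() -> dict:
    """The three strings compared in the thread plus two policy cases."""
    short = entropy_bits(PRINTABLE_ASCII, 5)                      # "xt6%J"
    return {
        "xt6%J": short,
        "xt6%Jxt6%J": mangled_entropy_bits(short, 2),             # base, or base doubled
        "xt6%J]Rv8N": entropy_bits(PRINTABLE_ASCII, 10),
        "8 alphanumeric (bank policy)": policy_bits(8, symbols=False),
        "12 any printable": policy_bits(12),
    }


if __name__ == "__main__":
    RATE = 1e10  # assumed illustrative offline guess rate, not a measurement
    for label, bits in thread_examples().items():
        days = expected_crack_seconds(bits, RATE) / 86400
        print(f"{label:30s} {bits:6.1f} bits  ~{days:.1e} days at {RATE:.0e}/s")
```

Doubling xt6%J buys one bit (about 33.8 versus 32.8), because the attacker only has to try “as-is” and “repeated” for each five-character candidate; the ten random characters of xt6%J]Rv8N carry roughly twice the bits. Even the 1500-rule set only adds about 10.6 bits to whatever the base string had.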

Yet another person who’s completely missed the point of the correcthorsebatterystaple method. In order for the method to work and to be secure, the words must be chosen completely at random. “Random” means just that: You don’t wrack your brain for good obscure choices, you don’t pick words that start with particular letters, you don’t pick words that follow particular patterns of part of speech (even nonstandard patterns). You roll dice. Or you put all the words on cards, shuffle them, and draw randomly from the deck. Or you put the word list on a computer, and have it select words from that list at random. Every time you try to assign some method to the madness, you weaken the method, and it’s not so strong that it can survive all that much weakening.
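One way to do what the post above describes (have the computer select the words at random), as an added example that is not from the thread: Python’s `secrets` module draws each word from a list using the OS random source, and the entropy is then exactly k·log2(N) for k words drawn from a list of N, with nothing depending on how “obscure” the words feel. The 32-word list and the 8-symbol separator set below are constructed for illustration; a real list has thousands of entries, and `passphrase_entropy_bits` shows how the bits scale with list size.

```python
import math
import secrets

# Constructed 32-word list (eight words from the thread plus 24 fillers).
# A real diceware-style list has thousands of entries; see the entropy function.
WORDS = [
    "correct", "horse", "battery", "staple", "slightly", "diode", "mangle", "bifurcate",
    "anchor", "bottle", "canyon", "dune", "ember", "fossil", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "tundra", "umbrella", "velvet", "walnut", "yonder",
]
# Non-alphanumeric separators, as the earlier post recommends; chosen at random too.
SYMBOLS = "<>~^%&*="


def passphrase_entropy_bits(word_count: int, list_size: int, symbol_count: int = 1) -> float:
    """Bits of entropy when every word and the separator are chosen uniformly
    at random. Hand-picked words have no such guarantee, which is the point
    the post above makes."""
    return word_count * math.log2(list_size) + math.log2(symbol_count)


def generate(word_count: int = 4, wordlist=WORDS, symbols=SYMBOLS):
    """Return (chosen_words, separator, passphrase). secrets.choice is the
    'roll dice' step: no human selection anywhere in the process."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    sep = secrets.choice(symbols)
    return words, sep, sep.join(words)


if __name__ == "__main__":
    words, sep, phrase = generate()
    bits = passphrase_entropy_bits(len(words), len(WORDS), len(SYMBOLS))
    print(f"{phrase}  ({bits:.1f} bits from a {len(WORDS)}-word list)")
    print(f"same scheme with a 7776-word list: "
          f"{passphrase_entropy_bits(4, 7776, len(SYMBOLS)):.1f} bits")
```

Four words from this toy list give only 20 bits plus 3 for the separator, which is why the list size matters far more than the choice of words: the same four-word draw from a 7776-word list is about 51.7 bits before the separator.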