Using Dictionary Type Attacks On Passwords

Sure, but then that wouldn’t be a dictionary type attack, right?
I often see the suggestion of using “special” characters in your password, like @, !, $, #, etc., but there are so many varying rules as to which special characters are allowed in a password, depending on the security system, that I don’t bother with trying to use non-alpha numeric characters.

So, Arnold, did you have any beloved pets when you were younger…?

Surely you mean 6[sup]62[/sup] which is a 49 digit number.

Did you take 26 letters and add 10 lowercase and 10 uppercase numbers to get 46 rather than 26+26+10 = 62?

That was first used in Mainframe computers about 35 years ago. It is built into the Mainframe OS now, and automatically part of the system. You can adjust the number of password tries you get (3 is typical), but I don’t think it is even possible to completely turn this off. (I’ve certainly never seen a shop do this.)

And on Mainframes, you can’t try again the next day. The lockout is permanent, and stays until you contact the security staff to get it reset.

^ What he said. :o

(I was falling asleep when I wrote that post.)

This is one of the main problems. Some password registration things only accept certain combinations of characters, which means that even if you do have a good strong password or three, periodically you’re forced to come up with a one-off for a particular service which you end up forgetting.

A simple method of creating strong passwords is to combine two words connected by a number or character that has a meaning, and either has one word in all caps, both words beginning with a capital letter, or one word beginning with a capital.

LOVE4goats
Run2Store
Batman<CTHULHU

etc.

Not as strong as a purely random set of letters and characters, but certainly viable and memorizable.

Don’t remind me of the sad death of my favorite newt Rumplestiltskin Disraeli Boddingstons III. :frowning:

That’s a good method. Another algorithm that seems popular in password method recommendations these days is the “memorable phrase” approach, e.g. “I, Arnold Winkelried, joined the SDMB in October 1999” - use the first sentence from each word, password becomes something like iawjtsdmbio1999.

My biggest pet peeve is not which particular characters things accept, my biggest pet peeve is the requirement that the password be between 6 and 8 characters. This is idiotic. They never say this on the front page when you need to log in, so even though I log in to some of these sites several times a month, every time I have to get my password reset. One of them disallows reuse of any of the past five passwords, and forces me to reset the password on three failed attempts. I don’t even bother writing them down or trying to remember anymore, I just use the password reset page as my login page.

Surely you really mean 62[sup]6[/sup]

Each character can be one of 62, that’s 62 * 62 * 62, etc.

On Unix. On an as400 you could not get to it.

Gaudere appears to extend into math as well. You are correct.

62[sup]6[/sup] gives 56,800,235,584 possibilities.

A few years ago, the University administration sent out a memo to everyone on campus, reminding us to use secure passwords for our Banner accounts (the system which handles all the university records). A good password, they said, should be at least eight characters long, and contain some each of upper-case not at the beginning of the word, lower-case, numbers, and symbols. Which would be good advice, except that the only passwords supported by the Banner system are numbers of exactly six digits.

First you run the attack with a dictionary file of the language used, (say English.)
Then you run it with an English proper name file.
Then you run it in, say, French in Canada or Spanish in US.
Then …

You’re only delaying the break-in. With a cut and paste you put the dictionary files together and start the attack until the program stops with a break-in.

With faster and faster processing speeds this is becoming less secure.
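To put numbers on the points made above (the 62[sup]6[/sup] figure, the two-word scheme with its three capitalisation patterns, and the observation that stacking wordlists only delays the break-in), here is an added example that is not from any poster. It simplifies the scheme by letting each word independently be lower, Capitalised or UPPER, and the dictionary sizes and guess rate are constructed assumptions.

```python
import itertools
import math

ALPHANUMERIC = 62  # a-z, A-Z, 0-9: the alphabet used in the thread


def random_keyspace(length, alphabet=ALPHANUMERIC):
    """Candidates for a uniformly random password of this length (62**6 in the thread)."""
    return alphabet ** length


def case_forms(word):
    """The three capitalisation forms a word can take in the two-word scheme."""
    return {word.lower(), word.capitalize(), word.upper()}


def two_word_candidates(words, separators):
    """Enumerate every password of the form word + separator + word,
    each word in one of its case forms, from a constructed tiny dictionary."""
    out = set()
    for w1, sep, w2 in itertools.product(words, separators, words):
        for a in case_forms(w1):
            for b in case_forms(w2):
                out.add(f"{a}{sep}{b}")
    return out


def two_word_keyspace(dictionary_size, n_separators, case_forms_per_word=3):
    """Closed form of the enumeration above (exact for words of 2+ letters)."""
    return dictionary_size ** 2 * n_separators * case_forms_per_word ** 2


def stacked_dictionary_size(sizes):
    """Running several wordlists back to back only adds their sizes together,
    which is why an 'unusual language' buys a linear, not exponential, delay."""
    return sum(sizes)


def bits(keyspace):
    return math.log2(keyspace)


def days_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time for an attacker who tries every candidate."""
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    # Assumed figures: a 100k-word dictionary, 10 separators, 1 million guesses/s.
    for label, space in [("random 6 alnum", random_keyspace(6)),
                         ("random 8 alnum", random_keyspace(8)),
                         ("two words, 100k dict", two_word_keyspace(100_000, 10))]:
        print(f"{label:22s} {space:>20,d}  {bits(space):5.1f} bits  {days_to_exhaust(space, 1e6):10.2f} days")
```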

This security policy opens up another kind of “attack”. You can effectively lock someone else out of their account just by trying to login as them constantly.

When this security was originated, it was on Mainframe systems, where terminals were hardwired to specific addresses. So if that kind of an attack occurred, the security people could look up the location of the terminal the logon attempts came from, walk down to that person’s office, and “speak” to him about it. That generally took care of the problem.
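The two posts above describe both the risk (anyone can lock a user out by failing the login three times) and the mainframe-era response (trace the terminal the attempts came from). This added example, not from any poster, models that permanent-lockout policy as a toy and shows both effects; the user table, terminal names and plaintext password comparison are constructed for the demo only.

```python
from collections import defaultdict

# Constructed user table for the demo; a real system compares password hashes, not plaintext.
USERS = {"arnold": "LOVE4goats"}


class LockoutPolicy:
    """Lock an account for good after max_attempts consecutive failures,
    as the mainframe posts describe (3 tries, reset only by security staff)."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)  # username -> consecutive failures
        self.locked = set()
        self.audit = []                   # (username, source, outcome), oldest first

    def attempt(self, username, password, source):
        if username in self.locked:
            outcome = "locked"            # right password or not, the door stays shut
        elif USERS.get(username) == password:
            self.failures[username] = 0
            outcome = "ok"
        else:
            self.failures[username] += 1
            if self.failures[username] >= self.max_attempts:
                self.locked.add(username)
                outcome = "locked"
            else:
                outcome = "denied"
        self.audit.append((username, source, outcome))
        return outcome

    def failed_sources(self, username):
        """Distinct sources of the failed attempts up to and including the lock:
        what the security staff in the thread look up before walking to the terminal."""
        sources = []
        for user, src, outcome in self.audit:
            if user != username or outcome == "ok":
                continue
            sources.append(src)
            if outcome == "locked":
                break
        return sorted(set(sources))


def lockout_by_third_party():
    """Someone who does not know arnold's password locks arnold out anyway."""
    policy = LockoutPolicy()
    for _ in range(3):
        policy.attempt("arnold", "wrong-guess", source="terminal-42")
    # arnold now types the right password from his own terminal and is still refused
    result = policy.attempt("arnold", "LOVE4goats", source="terminal-7")
    return result, policy.failed_sources("arnold")
```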

Or, if you’re a good typist and you’re using a system that allows it, use the entire phrase including punctuation. Stick a number or symbol in the middle of one word. Even with valid dictionary words in the rest of it, it’s so long that it’s going to be nigh impossible to crack.

I was thinking it must be that the hashing function isn’t one-to-one, in other words, that you can have more than one password that yields the same hash. But I don’t know anything about this stuff so I’m just guessing.

Theoretically, two passwords can hash to the same value, to be certain. Most hashes have enough bits in them though that this isn’t likely to ever happen though.

The main thing though is that the username also needs to match, so it doesn’t matter if two different people have the same password, nor the same hash.

Well, in my example, though I didn’t emphasize it, I suggested an “unusual” language (icelandic or hungarian in the US for example.) If someone is that determined, they can probably crack my 5UPE4L33T!@# password also.