Is your impossible-to-remember password really secure?

[legoboyvdlp]

Results from http://random-ize.com/how-long-to-hack-pass:

Code: Select all

drearisome pitcher 12840510 years, 1 month

aqx7c03Lz 1 month, 25 days

Two random words from http://www.wordgenerator.net/random-word-generator.php and you have a password... add some capitals and two random numbers, and it will be really secure.

Right... a boring pitcher, and my birthday is the 30th day of the month... DrearisomePitcher30!
128670047768353630 years... I doubt even a bot can wait so long.

[legoboyvdlp]

Don't worry, DrearisomePitcher30 is not my password!

[legoboyvdlp]

CompressedRabbi30: 33472957275846 years, 4 months

[legoboyvdlp]

PediatricLugworm2016: 7977542961637923000 years

[IAHM-COL]

you missed the point a keyphrase is more secure than a keyword, basically. (in order words, add space in between)

normalword(space)normalword, is already more secure than a scramble 1 word
Now onto the math

The most important thing here in complexity is length. (specially if you treat backspace as just another possible keystroke)
drearisome pitcher = 18 characters
aqx7c03Lz = 9 characters

Combinatorial mathematics will tell you how much harder it is to test all possibilites on 18 than on 9, specially when combinatorial mathematics grabs the usage of Factorials.

Finally off course, if you go
9scramblechars(space)8scramblechars will also give you 18 keystrokes passphrase, harder to crack, but on the negative side, also harder to humanly remember.

[legoboyvdlp]

Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years

[IAHM-COL]

Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years

Interesting. ...
The difference there is on a 10^4 fold years magnitude, but the char length is similar.
I wonder how space is computing here.

I mean, who cares. Most people password is pwd123, anyways.

[KL-666]

It is a misconception that a good password must be hard to remember. A computer has to crack it, and he does not see a diff between bdtvgu and wiliam. Both 6 letters, both same time to crack. Length is everything (i believe israel said that too). MyNameIsWiliam is a lot stronger than bdtvgu.

Btw, brute force attacks should not be fended by stronger passwords, no matter how strong they eventually get cracked, but by banning (temporarily to slow them down) of ip's that try it. Linux has fail2ban for that.

Kind regards, Vincent

[OPFOR77]

Relevant XKCD

[KL-666]

The bottom line of that cartoon is so true, OPFOR77. That whole bull of special characters is only there to confuse humans. Length is everything.

About brute force attacks, there is a big misconception too among administrators. They think they are safe when they turn on 3 times failed login on the same user. Wrong! Brute force attackers know about that and they first vary username, and second password. By the time they get to the same username again, the timout for that username has long passed. So a failed sense of security on the part of the administrators here!

No, there is only one secure way: ban on 3 times failed login on any username from the same ip. That is fail2ban.

Kind regards, Vincent