Page 1 of 2
Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:49 pm
by legoboyvdlp
Results from
http://random-ize.com/how-long-to-hack-pass:
Code: Select all
drearisome pitcher 12840510 years, 1 month
aqx7c03Lz 1 month, 25 days
Two random words from
http://www.wordgenerator.net/random-word-generator.php and you have a password... add some capitals and two random numbers, and it will be really secure.
Right... a boring pitcher, and my birthday is the 30th day of the month... DrearisomePitcher30!
128670047768353630 years... I doubt even a bot can wait so long.
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:49 pm
by legoboyvdlp
Don't worry, DrearisomePitcher30 is not my password!
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:50 pm
by legoboyvdlp
CompressedRabbi30: 33472957275846 years, 4 months
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:50 pm
by legoboyvdlp
PediatricLugworm2016: 7977542961637923000 years
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:55 pm
by IAHM-COL
you missed the point
a keyphrase is more secure than a keyword, basically. (in order words, add space in between)
normalword(space)normalword, is already more secure than a scramble 1 word
Now onto the math
The most important thing here in complexity is length. (specially if you treat backspace as just another possible keystroke)
drearisome pitcher = 18 characters
aqx7c03Lz = 9 characters
Combinatorial mathematics will tell you how much harder it is to test all possibilites on 18 than on 9, specially when combinatorial mathematics grabs the usage of Factorials.
Finally off course, if you go
9scramblechars(space)8scramblechars will also give you 18 keystrokes passphrase, harder to crack, but on the negative side, also harder to humanly remember.
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 7:57 pm
by legoboyvdlp
Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 8:05 pm
by IAHM-COL
legoboyvdlp wrote:Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years
Interesting. ...
The difference there is on a 10^4 fold years magnitude, but the char length is similar.
I wonder how space is computing here.
I mean, who cares. Most people password is pwd123, anyways.
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 9:42 pm
by KL-666
It is a misconception that a good password must be hard to remember. A computer has to crack it, and he does not see a diff between bdtvgu and wiliam. Both 6 letters, both same time to crack. Length is everything (i believe israel said that too). MyNameIsWiliam is a lot stronger than bdtvgu.
Btw, brute force attacks should not be fended by stronger passwords, no matter how strong they eventually get cracked, but by banning (temporarily to slow them down) of ip's that try it. Linux has fail2ban for that.
Kind regards, Vincent
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 10:10 pm
by OPFOR77
Relevant XKCD
Re: Is your impossible-to-remember password really secure?
Posted: Thu May 26, 2016 10:50 pm
by KL-666
The bottom line of that cartoon is so true, OPFOR77. That whole bull of special characters is only there to confuse humans. Length is everything.
About brute force attacks, there is a big misconception too among administrators. They think they are safe when they turn on 3 times failed login on the same user. Wrong! Brute force attackers know about that and they first vary username, and second password. By the time they get to the same username again, the timout for that username has long passed. So a failed sense of security on the part of the administrators here!
No, there is only one secure way: ban on 3 times failed login on any username from the same ip. That is fail2ban.
Kind regards, Vincent