Q&A Passwords: "This is fun" is 10 times more secure than "J4fS!2"

Discussion in 'General Security Discussions' started by jackuars, Dec 29, 2017.


What kind of passwords do you use?

  1. "This is fun"

    11 vote(s)
    31.4%
  2. "J4fS!2"

    24 vote(s)
    68.6%
  1. jackuars

    jackuars Level 21

    Jul 2, 2014
    1,089
    2,137
    What are your thoughts about this?

    A password that uses 3 common words with spaces is much more secure than one with special character, numbers, capital & small letter o_O

    If true then I will try to reconfigure my passwords this way.

     
  2. Marko :)

    Marko :) Level 10

    Aug 12, 2015
    490
    3,239
    Croatia
    Windows 10
    Emsisoft
    #2 Marko :), Dec 29, 2017
    Last edited: Dec 29, 2017
    If you have ever created a Bitcoin or any other cryptocurrency wallet, you could see that the majority of them do not ask for a password. Instead, they give you a passphrase, which usually has 12 words, that you use, along with a few more security measures, to sign in on a new device.

    Some wallets will give you a passphrase, ask you to enter a PIN and even offer two-step verification.
     
  3. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,396
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    #3 SHvFl, Dec 29, 2017
    Last edited: Dec 29, 2017
    The issue is not in the math. The issue is that if the password is not random and it's words, lists can be created that cover it. One security leak of a few millions passwords and you get a huge database of such passwords. Then the secure forever words password might drop to way lower numbers.
    The security of the random password with characters, letters etc is that it has to be brute forced and no lists can be used on it to reduce the time and guesses that are needed.
     
    Opcode, shmu26, BryanB and 9 others like this.
  4. tim one

    tim one Level 18
    Trusted AV Tester

    Jul 31, 2014
    897
    9,029
    Europe
    Windows 10
    Emsisoft
    I have to admit that I didn't know that passwords like "This is fun" are among the most secure.
    Yeah this is funny :p but interesting for sure, thanks for sharing :)
     
    Opcode, shmu26, BryanB and 8 others like this.
  5. TrinitronMSDOS

    TrinitronMSDOS Level 2

    Sep 29, 2017
    82
    340
    Graphic Designer
    Monaco
    Windows 10
    Emsisoft
    If this is true, that means most password managers should update their "new password" feature with an option to choose random word phrases. I honestly think they should, as in the end it's up to the user to choose. I know some already do, such as 1Password. The problem is that many PM companies will probably try to debunk that, as it would render password managers less useful (but still very convenient). I think I already saw similar articles in the past.

    Also there is the possibility that hackers update their cracking method for this "common words with space" sooner than the traditional random one, as it would make sense that a space + dictionary words algorithm wouldn't be that hard to do. But that's just speculation as my knowledge on the subject is limited.

    Anyway, most PMs use at least 12-character-long letters + words + characters passwords by default, so I think most of us using one are safe.
     
  6. Flengo

    Flengo Level 1

    Oct 19, 2017
    41
    261
    Australia
    Linux
    From this post on the Naked Security blog:
     
  7. Mohan Rajan

    Mohan Rajan Level 2

    May 7, 2016
    83
    205
    India
    I absolutely agree. Using phrases is only secure so long as that phrase is not on any list.
     
    shmu26 likes this.
  8. Danielx64

    Danielx64 Level 8

    Mar 24, 2017
    396
    1,690
    Australia
    Windows 10
    ESET
    I pick "J4fS!2" but much longer, imo words are too easy to crack.
     
    GonzitoVir, BryanB and Sunshine-boy like this.
  9. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,187
    IRAN
    Windows 10
    ESET
    I use at least 20 characters. I want to be safe even from quantum computing.
     
    tim one, bribon77, Andytay70 and 2 others like this.
  10. TerrakionSmash

    TerrakionSmash Level 16

    Nov 17, 2016
    750
    2,127
    Somewhere underwater or over water. I am water!
    Windows 10
    Microsoft
  11. TairikuOkami

    TairikuOkami Level 8
    Content Creator

    May 13, 2017
    378
    1,599
    Postal Worker
    Slovakia
    Windows 10
    It all comes down to "space". He has not used any spaces in the complex passwords, but used them in the weak ones. Space is hardly, if ever, used; it is usually recommended not to use it, or it is not even supported, so using it creates a very strong password by itself. I do not use space either, maybe I should, this is one of mine:

    Code:
    L!(-Kf"mBKT050jRN5TW7?HRyK-Xe4Kjk?`]}M^zOWbGb>`!w|8tVrI]m41upo~3:5fQR`q*236G4~iB4$,WifNyj6?A#W1I3x
     
  12. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,540
    Utopia
    Any special character not commonly used, when placed in the middle of the password, will work just as well as a space. Put a capital letter and a weird special character in the middle of your password, and you are good, as long as the rest of it is relatively random, too.
     
  13. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,303
    Caille
    Windows 10
    "HELLOHELLOHELLOHELLO" -> 20 characters like this won't be good against quantum computing, I don't think. Whereas a password like "\0x9\Ex56\x8pep8z!Lo577Op1OrNS62nhas72" would probably be a whole lot harder to crack.
     
  14. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,187
    IRAN
    Windows 10
    ESET
    I know lol! i use bitwarden to create the random pass for me:D
     
    tim one and Marko :) like this.
  15. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    Hackers don't brute force your password. They're not idiots - the smart ones anyway. They know it is a futile enterprise to brute force strong passwords and pass-phrases. They aren't going to waste their time. Instead they hack the servers on which e-v-e-r-y-o-n-e'-s passwords or pass-phrases reside and try to steal them all in one grab. They are going to make the most money that way - by dumping the credentials and selling them.

    So whether you use a password or a pass-phrase is negated in the end anyway.

    The really smart ones will maintain stealth...
     
  16. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    I do not believe this is accurate and there are 'issues' with using it on a wide scale because MANY sites won't accept spaces. Also, brute force techniques always do a baseline sweep of 'space' when sweeping through the potentials. Space-A, Space-!, Space-} etc. IMO, you need to be more worried about the NUMBER of characters as it is an unknown quantity in the sweep. Brute force mechanisms don't know if your password is 8, 10, 14, or even 30 characters, which is why the number of characters adds exponentially to the difficulty in solving the problem. A short set of random characters like “*K>#)0$j4” is NOT super secure, but a long string of memorable words like “billjamesisagoodguitarplayer” is actually stronger simply because of the length as an unknown modifier, password entropy: a representation of how much uncertainty there is in a password.

    Anything under 16 characters should be considered risky 'today'. 16 should be the minimum.

    Is 35t8@nz4 a good password? Not really. But %%%%%35t8@nz4%% is an absolutely phenomenal password just by virtue of the %'s being added to the front and back increasing the length and thus, substantially increasing the entropy.

    Remember - a few key points, a funded, smart hacker will simply compromise the AD and expand laterally within the network utilizing methods to scoop up data from the compromised systems. Although we still see modern, well funded attackers phishing for passwords but not so commonly brute forcing. Also, what is strong today won't be tomorrow. Plan ahead. Techniques in use today should be factoring the coming age. Everything they can't compromise or hack is being 'stored' for a reason, eventually they know they will probably get into it. Use lengthy, strong entropy passwords and cascade encrypt, not necessarily for today, but for the safety of your loot tomorrow.
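
    The thread argues two things at once: length beats a small set of "complex" characters (the post above), and a passphrase is only as strong as the attacker's ignorance of the word list it was built from (SHvFl's point in #3). The script below is an added example, not code from the thread or from any of the posters; it scores the thread's own sample passwords under both attacker models. The word-list vocabulary size (10,000) and the guess rate (10^10 guesses per second, a fast unsalted hash on commodity GPUs) are constructed assumptions for the calculation, not figures from the thread.

```python
import math
import string

# Attacker model 1: blind brute force. The attacker knows only which
# character classes appear (the usual "complexity" assumption), so the
# search space is charset^length.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)
SYMBOL = set(string.punctuation) | {" "}  # space counts as a printable symbol


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must sweep, by observed classes."""
    chars = set(password)
    size = 0
    if chars & LOWER:
        size += len(LOWER)
    if chars & UPPER:
        size += len(UPPER)
    if chars & DIGIT:
        size += len(DIGIT)
    if chars & SYMBOL:
        size += len(SYMBOL)
    return size


def bruteforce_bits(password: str) -> float:
    """Entropy in bits if the attacker must try every string of this length."""
    return len(password) * math.log2(charset_size(password))


# Attacker model 2: word-list attack. The attacker guessed (or learned from a
# breach corpus) that the secret is N words joined by spaces, drawn from a
# vocabulary of V words; the search space collapses to V^N.
def wordlist_bits(n_words: int, vocab: int) -> float:
    """Entropy in bits when only the word choices are unknown."""
    return n_words * math.log2(vocab)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected crack time: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(password: str, n_words: int, vocab: int, rate: float) -> dict:
    """Score one password under both models; n_words=0 means 'not a phrase'."""
    bf = bruteforce_bits(password)
    result = {"brute_force_bits": bf, "brute_force_years": expected_seconds(bf, rate) / 3.15e7}
    if n_words:
        wl = wordlist_bits(n_words, vocab)
        result["wordlist_bits"] = wl
        result["wordlist_years"] = expected_seconds(wl, rate) / 3.15e7
    return result


if __name__ == "__main__":
    VOCAB = 10_000        # assumed attacker dictionary size (constructed)
    RATE = 1e10           # assumed guesses per second (constructed)
    samples = [            # the thread's own examples; word counts are mine
        ("J4fS!2", 0),
        ("This is fun", 3),
        ("billjamesisagoodguitarplayer", 6),
        ("35t8@nz4", 0),
        ("%%%%%35t8@nz4%%", 0),
    ]
    for pw, words in samples:
        r = compare(pw, words, VOCAB, RATE)
        line = f"{pw!r:34} brute-force {r['brute_force_bits']:6.1f} bits"
        if words:
            line += f" | word-list {r['wordlist_bits']:6.1f} bits"
        print(line)
```

Under the blind model "This is fun" (about 70 bits) dwarfs "J4fS!2" (about 39 bits), which is the headline claim. Under the word-list model the three-word phrase drops to about 40 bits, roughly level with the six random characters, which is SHvFl's objection. The padded "%%%%%35t8@nz4%%" scores well only against the blind model; a rule-based cracker that appends or prepends repeated symbols shrinks it back toward the eight-character core, so length helps only where the added characters are not a guessable pattern.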
     
  17. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,540
    Utopia
    So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.
     
  18. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,705
    11,848
    AppGuard LLC Virginia, U.S.
    #18 Lockdown, Dec 30, 2017
    Last edited: Dec 30, 2017
    It is why it is recommended to change your passwords often. However, credentials management is such a pain - even with password managers - that only the most OCD actually do it.

    Just try a single time to change all your passwords on all the sites that you use - all of them - even the ones that you rarely use. Every single one of your passwords on all the sites on which you have credentials. I bet you will not ever do it again.

    The industry solution to the huge hassle of changing passwords was two-factor authentication - and we know that is not secure.
     
  19. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,540
    Utopia
    Sounds like you actually tried it...
     
    TerrakionSmash likes this.
  20. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    Password reuse or 'similar' password reuse is one of the most common methods people get hit.

    I set a time to change my passwords and stick to the schedule. So for me as an example, I change most of my passwords between Dec.30 and Jan.2. Easy to remember, start fresh for the new year. I login to a legacy laptop running Debian that has been air gapped for the entire year, connect it to the internet, change my passwords, disconnect the machine when I am finished then wipe it and reinstall the latest Debian version. It's a ritual I've done for several years and don't plan to stop.
     