Q&A Passwords: "This is fun" is 10 times more secure than "J4fS!2"

Poll: What kind of passwords do you use?

  • "This is fun": 11 votes (31.4%)
  • "J4fS!2": 24 votes (68.6%)

  Total voters: 35

Marko :) (post #2)
If you have ever created a Bitcoin or any other cryptocurrency wallet, you could see that the majority of them do not ask for a password. Instead, they give you a passphrase, which usually has 12 words, which you use, along with a few more security measures, to sign in on a new device.

Some wallets will give you a passphrase, ask you to enter a PIN and even offer two-step verification.

SHvFl (Content Creator, post #3)
The issue is not in the math. The issue is that if the password is not random and is made of words, lists can be created that cover it. One security leak of a few million passwords and you get a huge database of such passwords. Then the "secure forever" words password might drop to way lower numbers.
The security of the random password with characters, letters, etc. is that it has to be brute forced and no lists can be used on it to reduce the time and guesses that are needed.

TrinitronMSDOS (Guest, post #5)
If this is true, that means most password managers should update their "new password" generator with an option to choose random word phrases. I honestly think they should, as in the end it's up to the user to choose. I know some already do, such as 1Password. The problem is that many PM companies will probably try to debunk that, as it would render password managers less useful (but still very convenient). I think I already saw similar articles in the past.

Also there is the possibility that hackers update their cracking method for this "common words with space" pattern sooner than the traditional random one, as it would make sense that a space + dictionary words algorithm wouldn't be that hard to do. But that's just speculation, as my knowledge on the subject is limited.

Anyway, most PMs use at least 12-character-long letters + numbers + special characters passwords by default, so I think most of us using one are safe.
Post #6 (username not shown)
From this post on the Naked Security blog:

The meters are designed to help users understand if their password choices will resist attempts to crack them.
The trouble is, they don't quite do that.

The Theory

The best way to determine how difficult it is to crack a password is to try doing just that.
But attempting to crack passwords requires lots of time and lots and lots of processing power, and it isn’t a practical solution for websites.

The next best option is to try to work out what characteristics passwords that are difficult to crack share, and to check for those instead.

Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords; mixtures of upper and lower case letters, numbers and special characters, for example.

That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.

A brute force attack assumes that all guesses are equally good.

The reality is that some guesses are far better than others because our password choices are not random – they’re underpinned by patterns and habits.

Modern password cracking is about making smart guesses in the order that’s most likely to yield the greatest number of cracked passwords for the least effort.

Attackers can feed their cracking software with huge repositories of real words and then create rules to modify those words in the same way we do when we create passwords.

They know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them. They know that we use 0s instead of Os and 4s instead of As, and they know that we tend to put our upper case letters, special characters and numbers at the beginning and end of our passwords.
Post #7 (username not shown)
SHvFl said:
The issue is not in the math. The issue is that if the password is not random and it's words, lists can be created that cover it. One security leak of a few millions passwords and you get a huge database of such passwords. Then the secure forever words password might drop to way lower numbers.
The security of the random password with characters, letters etc is that it has to be brute forced and no lists can be used on it to reduce the time and guesses that are needed.

I absolutely agree. Using phrases is only secure so long as that phrase is not on any list.

TairikuOkami (Content Creator, post #11)
It all comes down to "space". He has not used any spaces in the complex passwords, but used them in the weak ones. Space is hardly, if ever, used; it is usually recommended not to use it, or it is not even supported, so using it creates a very strong password by itself. I do not use space either; maybe I should. This is one of mine:

Code:
L!(-Kf"mBKT050jRN5TW7?HRyK-Xe4Kjk?`]}M^zOWbGb>`!w|8tVrI]m41upo~3:5fQR`q*236G4~iB4$,WifNyj6?A#W1I3x

shmu26 (post #12)
Any special character not commonly used, when placed in the middle of the password, will work just as well as a space. Put a capital letter and a weird special character in the middle of your password, and you are good, as long as the rest of it is relatively random, too.

Lockdown (From AppGuard, Developer, post #15)
Hackers don't brute force your password. They're not idiots - the smart ones anyway. They know it is a futile enterprise to brute force strong passwords and pass-phrases. They aren't going to waste their time. Instead they hack the servers on which e-v-e-r-y-o-n-e'-s passwords or pass-phrases reside and try to steal them all in one grab. They are going to make the most money that way - by dumping the credentials and selling them.

So whether you use a password or a pass-phrase is negated in the end anyway.

The really smart ones will maintain stealth...

Slyguy (post #16)
Quote:
What are your thoughts about this?

A password that uses 3 common words with spaces is much more secure than one with special characters, numbers, capital & small letters o_O

I do not believe this is accurate, and there are 'issues' with using it on a wide scale because MANY sites won't accept spaces. Also, brute force techniques always do a baseline sweep of 'space' when sweeping through the potentials: Space-A, Space-!, Space-} etc. IMO, you need to be more worried about the NUMBER of characters, as it is an unknown quantity in the sweep. Brute force mechanisms don't know if your password is 8, 10, 14, or even 30 characters, which is why the number of characters adds exponentially to the difficulty in solving the problem. A short set of random characters like "*K>#)0$j4" is NOT super secure, but a long string of memorable words like "billjamesisagoodguitarplayer" is actually stronger simply because of the length as an unknown modifier; this is password entropy: a representation of how much uncertainty there is in a password.

Anything under 16 characters should be considered risky 'today'. 16 should be the minimum.

Is 35t8@nz4 a good password? Not really. But %%%%%35t8@nz4%% is an absolutely phenomenal password just by virtue of the %'s being added to the front and back, increasing the length and thus substantially increasing the entropy.

Remember a few key points: a funded, smart hacker will simply compromise the AD and expand laterally within the network, utilizing methods to scoop up data from the compromised systems. We still see modern, well-funded attackers phishing for passwords, but not so commonly brute forcing. Also, what is strong today won't be tomorrow. Plan ahead. Techniques in use today should be factoring in the coming age. Everything they can't compromise or hack is being 'stored' for a reason; eventually they know they will probably get into it. Use lengthy, strong-entropy passwords and cascade encrypt, not necessarily for today, but for the safety of your loot tomorrow.
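Posts #3, #6 and #16 disagree about what "strong" means because they assume different attackers: one who sweeps every character combination, and one who feeds a word list through the substitution rules the Naked Security piece describes. The following is an added example, not code from the thread or from any password manager, that scores a password under both models and reports the cheaper one, the way a pattern-aware strength meter would. The word list is a constructed handful of entries, and ASSUMED_LIST_SIZE (2000) is an assumed size for the attacker's list; neither figure comes from the thread.

```python
import math
import string
from typing import List, Optional

# Constructed stand-in for a "common words" list. A real meter would load a
# list of thousands of entries; ASSUMED_LIST_SIZE is the size we assume the
# attacker's list has (an assumption, not a figure from the thread).
COMMON_WORDS = {
    "this", "is", "fun", "bill", "james", "a", "good", "guitar", "player",
    "password", "welcome", "summer", "dragon", "monkey",
}
ASSUMED_LIST_SIZE = 2000

# The substitutions the quoted Naked Security article says crackers already
# model (0 for O, 4 for A, and so on); undoing them lets the meter recognise a
# mangled dictionary word.
LEET = str.maketrans({
    "0": "o", "4": "a", "3": "e", "1": "i", "5": "s", "$": "s", "@": "a", "7": "t",
})
SYMBOLS = 33  # printable ASCII punctuation (32) plus the space character


def charset_size(pw: str) -> int:
    """Alphabet size a character-class brute-force attacker would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work for an attacker who tries every string over the observed classes."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def normalise(pw: str) -> str:
    """Lower-case, undo leetspeak and drop spaces, as a rule-based cracker would."""
    return pw.lower().translate(LEET).replace(" ", "")


def segment(text: str, words: set) -> Optional[List[str]]:
    """Split text into the fewest dictionary words (dynamic programming),
    or return None if it is not a concatenation of list words at all."""
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for i in range(1, len(text) + 1):
        for j in range(i):
            if best[j] is not None and text[j:i] in words:
                cand = best[j] + [text[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(text)]


def effective_bits(pw: str, list_size: int = ASSUMED_LIST_SIZE):
    """Return (bits, words): the cost under the cheaper of the two attacker models.

    If the password is a concatenation of N list words, a word-list attacker
    needs about N * log2(list_size) guesses; otherwise only brute force applies.
    """
    bf = brute_force_bits(pw)
    words = segment(normalise(pw), COMMON_WORDS)
    if words is None:
        return bf, None
    return min(bf, len(words) * math.log2(list_size)), words


if __name__ == "__main__":
    for pw in ["This is fun", "J4fS!2", "billjamesisagoodguitarplayer", "P4ssw0rd"]:
        bits, words = effective_bits(pw)
        model = f"{len(words)} list words" if words else "brute force only"
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"effective {bits:.1f} bits ({model})")
```

Under the brute-force model "This is fun" scores about 70 bits against roughly 39 for "J4fS!2", which is where the "10 times more secure" headline comes from; under the word-list model the phrase collapses to three list entries (about 33 bits) while the random string keeps its 39, which is SHvFl's objection. The 28-character phrase from post #16 still holds about 77 bits even when the attacker knows it is made of list words, illustrating that length survives the better attacker model, and "P4ssw0rd" drops to a single word (about 11 bits) once the substitutions are undone.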

shmu26 (post #17)
Lockdown said:
Hackers don't brute force your password. They're not idiots - the smart ones anyway. They know it is a futile enterprise to brute force strong passwords and pass-phrases. They aren't going to waste their time. Instead they hack the servers on which e-v-e-r-y-o-n-e'-s passwords or pass-phrases reside and try to steal them all in one grab. They are going to make the most money that way - by dumping the credentials and selling them.

So whether you use a password or a pass-phrase is negated in the end anyway.

So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.

Lockdown (From AppGuard, Developer, post #18)
shmu26 said:
So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.

It is why it is recommended to change your passwords often. However, credentials management is such a pain - even with password managers - that only the most OCD actually do it.

Just try a single time to change all your passwords on all the sites that you use - all of them - even the ones that you rarely use. Every single one of your passwords on all the sites on which you have credentials. I bet you will not ever do it again.

The industry solution to the huge hassle of changing passwords was two-factor authentication - and we know that is not secure.

shmu26 (post #19)
Lockdown said:
Just try a single time to change all your passwords on all the sites that you use - all of them - even the ones that you rarely use. Every single one of your passwords on all the sites on which you have credentials. I bet you will not ever do it again.

Sounds like you actually tried it...

Slyguy (post #20)
shmu26 said:
So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.

Password reuse, or 'similar' password reuse, is one of the most common ways people get hit.

I set a time to change my passwords and stick to the schedule. So for me, as an example, I change most of my passwords between Dec. 30 and Jan. 2. Easy to remember, and I start fresh for the new year. I log in to a legacy laptop running Debian that has been air-gapped for the entire year, connect it to the internet, change my passwords, disconnect the machine when I am finished, then wipe it and reinstall the latest Debian version. It's a ritual I've done for several years and don't plan to stop.