Passwords: "This is fun" is 10 times more secure than "J4fS!2"

What kind of passwords do you use?

  • "This is fun": 12 votes (33.3%)
  • "J4fS!2": 24 votes (66.7%)

  Total voters: 36

jackuars

Level 27
Thread author
Verified
Top Poster
Well-known
Jul 2, 2014
1,688
What are your thoughts about this?

A password that uses 3 common words with spaces is much more secure than one with special characters, numbers, and capital & small letters o_O

If true then I will try to reconfigure my passwords this way.

[Attached images: password1.gif, password2.gif, password3.gif]
 

Marko :)

Level 20
Verified
Top Poster
Well-known
Aug 12, 2015
954
If you have ever created a Bitcoin or any other cryptocurrency wallet, you will have seen that the majority of them do not ask for a password. Instead, they give you a passphrase, usually of 12 words, which you use, along with a few more security measures, to sign in on a new device.

Some wallets will give you a passphrase, ask you to enter a PIN and even offer two-step verification.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
The issue is not in the math. The issue is that if the password is not random and it's words, lists can be created that cover it. One security leak of a few million passwords and you get a huge database of such passwords. Then the "secure forever" word password might drop to way lower numbers.
The security of the random password with characters, letters, etc. is that it has to be brute forced and no lists can be used on it to reduce the time and guesses that are needed.
 

TrinitronMSDOS

If this is true, that means most password managers should update their "new password" feature with an option to choose random word phrases. I honestly think they should, as in the end it's up to the user to choose. I know some already do, such as 1Password. The problem is that many PM companies will probably try to debunk that, as it would render password managers less useful (but still very convenient). I think I already saw similar articles in the past.

Also there is the possibility that hackers update their cracking methods for this "common words with space" approach sooner than for the traditional random one, as it would make sense that a space + dictionary words algorithm wouldn't be that hard to do. But that's just speculation, as my knowledge on the subject is limited.

Anyway, most PMs use at least 12-character-long letters + words + characters passwords by default, so I think most of us using one are safe.
 

Flengo

Level 2
Verified
Oct 19, 2017
52
From this post on the Naked Security blog:
The meters are designed to help users understand if their password choices will resist attempts to crack them.
The trouble is, they don’t quite do that.

The Theory

The best way to determine how difficult it is to crack a password is to try doing just that.
But attempting to crack passwords requires lots of time and lots and lots of processing power, and it isn’t a practical solution for websites.

The next best option is to try to work out what characteristics passwords that are difficult to crack share, and to check for those instead.

Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords: mixtures of upper and lower case letters, numbers and special characters, for example.

That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.

A brute force attack assumes that all guesses are equally good.

The reality is that some guesses are far better than others because our password choices are not random – they’re underpinned by patterns and habits.

Modern password cracking is about making smart guesses in the order that’s most likely to yield the greatest number of cracked passwords for the least effort.

Attackers can feed their cracking software with huge repositories of real words and then create rules to modify those words in the same way we do when we create passwords.

They know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them. They know that we use 0s instead of Os and 4s instead of As, and they know that we tend to put our upper case letters, special characters and numbers at the beginning and end of our passwords.
 
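The two attacker models described above, SHvFl's point that word lists collapse the search space of a passphrase, and the Naked Security excerpt's point that crackers work from real words plus mangling rules rather than blind brute force, can be turned into a small strength estimator. The following Python is an added example written for this page; it is not code from the thread, from any password manager, or from Naked Security. The common-word list, the leaked-password list, DICTIONARY_SIZE (2048 words) and MANGLING_RULES (1000 rules) are constructed assumptions standing in for an attacker's real resources, and the estimate is only as good as those assumptions.

```python
import math
import string
from typing import Dict, Optional

# Constructed stand-in for an attacker's common-word list. Real lists run to
# thousands of entries; DICTIONARY_SIZE models that size for the guess count.
COMMON_WORDS = {"this", "is", "fun", "correct", "horse", "battery", "staple",
                "password", "love", "you", "monkey", "dragon", "sunshine"}
DICTIONARY_SIZE = 2048     # assumed size of the attacker's word list
MANGLING_RULES = 1000      # assumed number of leet/capitalisation/suffix rules per word

# Constructed stand-in for a leaked-password list; an attacker tries these first.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein"]

# Substitutions that mangling rules undo ("0 for O, 4 for A", and similar).
LEET_MAP = str.maketrans({"0": "o", "4": "a", "3": "e", "1": "l",
                          "$": "s", "@": "a", "5": "s", "7": "t"})


def brute_force_guesses(pw: str) -> int:
    """Keyspace a blind brute-force attacker must cover: charset_size ** length.
    The charset is inferred from the character classes actually present."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)   # 32 printable ASCII symbols
    if " " in pw:
        charset += 1
    return charset ** len(pw)


def wordlist_guesses(pw: str) -> Optional[int]:
    """Word-combination model: applies when every space-separated word is on the list.
    The attacker then enumerates DICTIONARY_SIZE ** word_count combinations."""
    words = pw.lower().split()
    if len(words) >= 2 and all(w in COMMON_WORDS for w in words):
        return DICTIONARY_SIZE ** len(words)
    return None


def leaked_list_guesses(pw: str) -> Optional[int]:
    """Leaked-list model: an exact match falls at its position in the list."""
    if pw in LEAKED_PASSWORDS:
        return LEAKED_PASSWORDS.index(pw) + 1
    return None


def mangled_word_guesses(pw: str) -> Optional[int]:
    """Mangled-word model: one dictionary word disguised with leet substitutions,
    capitals, and digits or symbols tacked on the front or back."""
    core = pw.strip(string.punctuation + string.digits)   # drop start/end decoration
    base = core.translate(LEET_MAP).lower()               # undo leet, ignore case
    if base in COMMON_WORDS:
        return DICTIONARY_SIZE * MANGLING_RULES           # every word x every rule
    return None


def effective_guesses(pw: str) -> int:
    """Defender's worst case: the cheapest attacker model that applies."""
    candidates = [brute_force_guesses(pw)]
    for model in (wordlist_guesses, leaked_list_guesses, mangled_word_guesses):
        guesses = model(pw)
        if guesses is not None:
            candidates.append(guesses)
    return min(candidates)


def effective_bits(pw: str) -> float:
    """Attacker-aware strength in bits: log2 of the cheapest applicable keyspace."""
    return math.log2(effective_guesses(pw))


def report(pw: str) -> Dict[str, Optional[int]]:
    """All model outputs side by side, for inspection."""
    return {"brute_force": brute_force_guesses(pw),
            "wordlist": wordlist_guesses(pw),
            "leaked": leaked_list_guesses(pw),
            "mangled": mangled_word_guesses(pw),
            "effective": effective_guesses(pw)}


if __name__ == "__main__":
    for pw in ["This is fun", "J4fS!2", "P4ssw0rd!", "iloveyou"]:
        r = report(pw)
        print(f"{pw!r}: blind brute force 2^{math.log2(r['brute_force']):.1f}, "
              f"attacker-best 2^{effective_bits(pw):.1f}")
```

Under the blind brute-force model "This is fun" (an inferred 53-character alphabet, 11 characters long) dwarfs "J4fS!2" (94 characters, 6 long). Once the attacker is assumed to hold the 2048-word list, the passphrase is rated at 2048^3 = 2^33 guesses while the random string keeps its 94^6, roughly 2^39; "P4ssw0rd!" collapses to word x rule, and anything on the leaked list is found in a handful of guesses. The ordering therefore depends entirely on which lists the attacker is assumed to have, which is the point the thread is making.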

Mohan Rajan

Level 2
Verified
May 7, 2016
85
SHvFl said:
The issue is not in the math. The issue is that if the password is not random and it's words, lists can be created that cover it. One security leak of a few million passwords and you get a huge database of such passwords. Then the "secure forever" word password might drop to way lower numbers.
The security of the random password with characters, letters, etc. is that it has to be brute forced and no lists can be used on it to reduce the time and guesses that are needed.

I absolutely agree. Using phrases is only secure so long as that phrase is not on any list.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
It all comes down to "space". He has not used any spaces in the complex passwords, but used them in the weak ones. Space is hardly, if ever, used; it is usually recommended not to use it, or it is not even supported, so using it creates a very strong password by itself. I do not use space either, maybe I should. This is one of mine:

Code:
L!(-Kf"mBKT050jRN5TW7?HRyK-Xe4Kjk?`]}M^zOWbGb>`!w|8tVrI]m41upo~3:5fQR`q*236G4~iB4$,WifNyj6?A#W1I3x
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Any special character not commonly used, when placed in the middle of the password, will work just as well as a space. Put a capital letter and a weird special character in the middle of your password, and you are good, as long as the rest of it is relatively random, too.
 

509322

Hackers don't brute force your password. They're not idiots - the smart ones anyway. They know it is a futile enterprise to brute force strong passwords and pass-phrases. They aren't going to waste their time. Instead they hack the servers on which e-v-e-r-y-o-n-e'-s passwords or pass-phrases reside and try to steal them all in one grab. They are going to make the most money that way - by dumping the credentials and selling them.

So whether you use a password or a pass-phrase is negated in the end anyway.

The really smart ones will maintain stealth...
 

ForgottenSeer 58943

jackuars said:
What are your thoughts about this?

A password that uses 3 common words with spaces is much more secure than one with special characters, numbers, and capital & small letters o_O

I do not believe this is accurate, and there are 'issues' with using it on a wide scale because MANY sites won't accept spaces. Also, brute force techniques always do a baseline sweep of 'space' when sweeping through the potentials: Space-A, Space-!, Space-} etc. IMO, you need to be more worried about the NUMBER of characters, as it is an unknown quantity in the sweep. Brute force mechanisms don't know if your password is 8, 10, 14, or even 30 characters, which is why the number of characters adds exponentially to the difficulty in solving the problem. A short set of random characters like "*K>#)0$j4" is NOT super secure, but a long string of memorable words like "billjamesisagoodguitarplayer" is actually stronger simply because of the length as an unknown modifier, i.e. password entropy: a representation of how much uncertainty there is in a password.

Anything under 16 characters should be considered risky 'today'. 16 should be the minimum.

Is 35t8@nz4 a good password? Not really. But %%%%%35t8@nz4%% is an absolutely phenomenal password just by virtue of the %'s being added to the front and back increasing the length and thus, substantially increasing the entropy.

Remember a few key points: a funded, smart hacker will simply compromise the AD and expand laterally within the network, utilizing methods to scoop up data from the compromised systems. We still see modern, well-funded attackers phishing for passwords, but not so commonly brute forcing. Also, what is strong today won't be tomorrow. Plan ahead. Techniques in use today should be factoring in the coming age. Everything they can't compromise or hack is being 'stored' for a reason; eventually, they know, they will probably get into it. Use lengthy, strong-entropy passwords and cascade encrypt, not necessarily for today, but for the safety of your loot tomorrow.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
509322 said:
Hackers don't brute force your password. They're not idiots - the smart ones anyway. They know it is a futile enterprise to brute force strong passwords and pass-phrases. They aren't going to waste their time. Instead they hack the servers on which e-v-e-r-y-o-n-e'-s passwords or pass-phrases reside and try to steal them all in one grab. They are going to make the most money that way - by dumping the credentials and selling them.

So whether you use a password or a pass-phrase is negated in the end anyway.

So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.
 

509322

shmu26 said:
So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.

It is why it is recommended to change your passwords often. However, credentials management is such a pain - even with password managers - that only the most OCD actually do it.

Just try a single time to change all your passwords on all the sites that you use - all of them - even the ones that you rarely use. Every single one of your passwords on all the sites on which you have credentials. I bet you will not ever do it again.

The industry solution to the huge hassle of changing passwords was two-factor authentication - and we know that is not secure.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
509322 said:
Just try a single time to change all your passwords on all the sites that you use - all of them - even the ones that you rarely use. Every single one of your passwords on all the sites on which you have credentials. I bet you will not ever do it again.

Sounds like you actually tried it...
 

ForgottenSeer 58943

shmu26 said:
So accordingly, the most important thing is not to use passwords over and over again. Don't log into every smiley-face website with your Gmail password, because sooner or later, one of those sites will be leaked.

Password reuse or 'similar' password reuse is one of the most common methods people get hit.

I set a time to change my passwords and stick to the schedule. So for me, as an example, I change most of my passwords between Dec. 30 and Jan. 2. Easy to remember, start fresh for the new year. I log in to a legacy laptop running Debian that has been air gapped for the entire year, connect it to the internet, change my passwords, disconnect the machine when I am finished, then wipe it and reinstall the latest Debian version. It's a ritual I've done for several years and don't plan to stop.
 
