If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don’t contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project!
aeadB4S.Bs2mtGp.
Where did Julie’s candy go? I ate it! She’ll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I’m still getting a password from a service that could be tracking me.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I’m about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I’ll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person’s reputation at work if anyone got their company’s AD password file out without notice, as well as one’s security if their browser’s password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
I just made a simple excel sheet. Downloaded a large dictionary that I cleaned up so the min word size is 4 I think. Then build some random rollers and built a 3 or 4 word password with some numbers and special characters between words. Generally the passwords are 20+ characters long.
From most of what I’ve read, password length makes the most difference in their strength.
So, the difference with no numbers and special characters is 52^20 (2x10^34) versus 95^20 (3.6x10^39). There are three reasons this runs into issues.
Pure math indicates that a 20 digit alpha only password with caps sprinkled in is slightly stronger than 12-13 digits of alphanumeric plus caps and specials.
Out of the various people within various organizations I have supported, people have disclosed their passwords to me a breathtaking number of times. It is quite common for people to create a password with only lower characters. That would be 4x10^27, about the same as 14 characters using the full qwerty set.
Either way, we are discussing a password cracking tool running locally attempting to hash your password. You do have a point that 12 thousand years is a very long time to arbitrarily guess a password. Unless something changes where someone can easily access ten thousand cores at a reasonable utility, you are pretty much safe from anyone except state level threats. That would be full time use of that many cores for 37 days at 10k cores, or 9 hours access to a million cores. We just aren’t there yet. No clue if this would work better with GPU time, but that would still be a serious system.
Now, I am stepping into old lessons from 2011, and I can’t find a great source to back myself up. If I’m wrong, then I have been operating off this misinformation for 15 years and I’d gladly appreciate better information.
The final issue is that since passwords are hashed in chunks, parts of the password could become visible while the rest is being worked on. This could lead to the attacker guessing the rest of the password.
Ok I think I had a misconception about complexity. In case of brute forcing passwords, of course adding symbols helps.
I generally just use 5-6 passphrase words, which should be very safe as the wordlist is pretty long. But adding spelling errors or dialect is an amazing solution which I should add to all my new passphrase passwords
I didn’t type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speak—but Wikipedia calls it munged—used to be considered safe quite some time ago.
It’s better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
That’s great if you only have a couple of online accounts, but get past a few dozen and you’re toast. I don’t know about you, but I sure can’t remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
Passphrases are easier when you need to enter the password on a system that isn’t logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.
But, at that point… if you are using a password manager/vault anyway…
Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).
![TIL that if you search "Password generator, [x] characters, [y] strength" at DuckDuckGo, it will generate a password for you.](https://lemmy.world/pictrs/image/31a5b1e1-4330-4a27-aa88-cc47a25acb05.jpeg){kind=link}
Ok but you should use passphrases. Better to type and remember in case you need to
There are instances where sites prevent copy-paste, or you are on another machine without your password manager available
If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don’t contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project! aeadB4S.Bs2mtGp.
Where did Julie’s candy go? I ate it! She’ll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I’m still getting a password from a service that could be tracking me.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I’m about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I’ll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person’s reputation at work if anyone got their company’s AD password file out without notice, as well as one’s security if their browser’s password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
I just made a simple excel sheet. Downloaded a large dictionary that I cleaned up so the min word size is 4 I think. Then build some random rollers and built a 3 or 4 word password with some numbers and special characters between words. Generally the passwords are 20+ characters long.
From most of what I’ve read, password length makes the most difference in their strength.
So, the difference with no numbers and special characters is 52^20 (2x10^34) versus 95^20 (3.6x10^39). There are three reasons this runs into issues.
Pure math indicates that a 20 digit alpha only password with caps sprinkled in is slightly stronger than 12-13 digits of alphanumeric plus caps and specials.
Out of the various people within various organizations I have supported, people have disclosed their passwords to me a breathtaking number of times. It is quite common for people to create a password with only lower characters. That would be 4x10^27, about the same as 14 characters using the full qwerty set.
Either way, we are discussing a password cracking tool running locally attempting to hash your password. You do have a point that 12 thousand years is a very long time to arbitrarily guess a password. Unless something changes where someone can easily access ten thousand cores at a reasonable utility, you are pretty much safe from anyone except state level threats. That would be full time use of that many cores for 37 days at 10k cores, or 9 hours access to a million cores. We just aren’t there yet. No clue if this would work better with GPU time, but that would still be a serious system.
Now, I am stepping into old lessons from 2011, and I can’t find a great source to back myself up. If I’m wrong, then I have been operating off this misinformation for 15 years and I’d gladly appreciate better information.
The final issue is that since passwords are hashed in chunks, parts of the password could become visible while the rest is being worked on. This could lead to the attacker guessing the rest of the password.
Ok I think I had a misconception about complexity. In case of brute forcing passwords, of course adding symbols helps.
I generally just use 5-6 passphrase words, which should be very safe as the wordlist is pretty long. But adding spelling errors or dialect is an amazing solution which I should add to all my new passphrase passwords
WdJcg?I8i!Sn
nk>:DI didn’t type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speak—but Wikipedia calls it munged—used to be considered safe quite some time ago.
It’s better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
typing passwords
That’s great if you only have a couple of online accounts, but get past a few dozen and you’re toast. I don’t know about you, but I sure can’t remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
You didnt read my comment
Passphrases are easier when you need to enter the password on a system that isn’t logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.
But, at that point… if you are using a password manager/vault anyway…
Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).
Passphrases everywhere, add dialect to make it harder, symbols if you like. Crazy but short passwords for limitations