Passwords - how long to hack yours

I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95. They have reduced the complexity on 3 of the 12 entries.

-ERD50
That's only true if there are designated places for numbers and characters. There isn't, so every single spot can either be a number, upper case letter, lower case letter, or a symbol. 10 + 26 + 26 + 33 = 95
 
Interesting to see that of these 2 passwords the first is so much easier to remember but 95 times harder to guess than the second since it's one character longer. Contrary to popular belief high entropy is not necessary for strong passwords.....all talked about in the above link.
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

I don't put too much faith in that. The first password becomes rather trivial to find if a cracker is aware that users may follow a common password with a series of identical characters. Each common password is tested with (number of special characters easily entered)*(number of places to check, say up to the limit of password size for the site). That's probably no more than a few thousand extra checks per common password.

I have a lot of respect for Mr Gibson but hackers may also be aware of his advice. I'll take the second, more random password any day.
 
Most secure websites either lock up after 3-4 wrong attempts and require a password reset which generally involves an email address or phone access. Also almost all of my sensitive online accounts require 2 factor authentication to my cellphone which reduces the potential for unauthorized access to almost zero.
 
That's only true if there are designated places for numbers and characters. There isn't, so every single spot can either be a number, upper case letter, lower case letter, or a symbol. 10 + 26 + 26 + 33 = 95

No, I still think (but I'm not 100% sure) it reduces the number of attempts, even though it can appear anywhere. If I get motivated, I'll do a small truth table to demonstrate.

But as I followed up, once you get to even an 8 char PW, the reduction that I think occurs is so slight percentage-wise, that it really doesn't matter anyhow. It's just academic at this point, but maybe still a little interesting.

-ERD50
 
You can check a password "live" at Password Strength Checker and you can adjust it to fit the limits of wherever you need a password. 14 characters with upper and lower case, numbers and special characters and no adjacent repeats of the same type of symbol - "Bt" is OK but not "BT" or "bt", "3e" but not "33" - is usually more than adequate. If it's the only key to a $5 million account, then perhaps a longer password would be better, or you use two-part authentication - password plus a one-time PIN received via a text, phone call or email.

I never test my password on any site. It's too risky.

A really clever hacker could set up a site, and then just add all the good passwords to a dictionary list to try on the next stolen password database/file.
 
That's only true if there are designated places for numbers and characters. There isn't, so every single spot can either be a number, upper case letter, lower case letter, or a symbol. 10 + 26 + 26 + 33 = 95

Here's my simplified 'proof'. The requirement that one must be a number does restrict the number of tries:

Simplified example: 3-char PW; one must be a number, the others can be a number or upper case.

Compare to 3 chars, number or upper case, but no requirement for one to be a number.

PASS#    | Char 1 | Char 2 | Char 3 | SUM    | formula
1st PASS | 10n    | x36    | x36    | 12,960 | << 10*36*36
2nd PASS | x36    | 10n    | x36    | 12,960 | << 10*36*36
3rd PASS | x36    | x36    | 10n    | 12,960 | << 10*36*36
TOTAL    |        |        |        | 38,880 |

w/o one number restriction:
1st PASS | x36    | x36    | x36    | 46,656 | << 36*36*36

38,880 < 46,656


edit/add: Actually the difference is greater with the full 95 U/L/Symbol case and 3 char PW

270,750 < 857,375

further edit/add: It's actually greater savings than that. After the first pass, you know that char 1 cannot be a number, you already tested all combos. So the second and third passes for char 1 would be just 26x. Same for char 2 on the third pass. So only requires 28.37% as many scans.


PASS#    | Char 1 | Char 2 | Char 3 | SUM     |
1st PASS | 10n    | x95    | x95    | 90,250  |
2nd PASS | x85    | 10n    | x95    | 80,750  |
3rd PASS | x85    | x85    | 10n    | 72,250  |
TOTAL    |        |        |        | 243,250 |

w/o one number restriction:
1st PASS | x95    | x95    | x95    | 857,375 |

-ERD50
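The pass-by-pass counting above is one instance of a general rule: the number of passwords that must contain at least one character from each required class can be computed by inclusion-exclusion, and the result for 3 characters over 95 symbols with one required digit is the same 243,250 the table arrives at. The following Python is an added example written for this thread, not code from any poster or from the Password Strength Checker site; the class sizes (10 digits, 26 upper, 26 lower, 33 symbols) are the ones used in the thread, and the toy alphabet used for the brute-force cross-check is constructed here. It generalises the 3-character case to any length and any combination of required classes, and reports the reduction as a ratio and in bits so the "is it still academic at 8 or 12 characters?" question can be answered directly.

```python
from itertools import combinations, product
from math import log2

# Character class sizes as used in the thread: 10 + 26 + 26 + 33 = 95.
THREAD_CLASSES = {"digit": 10, "upper": 26, "lower": 26, "symbol": 33}


def keyspace(length, classes, required=()):
    """Count passwords of `length` over the alphabet described by `classes`
    (a dict class_name -> number of characters) that contain at least one
    character from every class named in `required`.

    Inclusion-exclusion: sum over every subset S of the required classes of
    (-1)^|S| * (alphabet size minus the characters in S) ** length.
    With required=() this is simply alphabet_size ** length.
    """
    alphabet_size = sum(classes.values())
    req = list(required)
    total = 0
    for k in range(len(req) + 1):
        for excluded in combinations(req, k):
            reduced = alphabet_size - sum(classes[c] for c in excluded)
            total += (-1) ** k * reduced ** length
    return total


def keyspace_bruteforce(length, classes, required=()):
    """Reference count by enumeration, for small alphabets only: every
    character is represented by its class label and each candidate string is
    checked for the required classes directly."""
    alphabet = [name for name, n in classes.items() for _ in range(n)]
    count = 0
    for candidate in product(alphabet, repeat=length):
        if all(c in candidate for c in required):
            count += 1
    return count


def reduction_ratio(length, classes, required):
    """Fraction of the unrestricted keyspace that a composition policy leaves
    for an attacker to search (1.0 means no reduction)."""
    return keyspace(length, classes, required) / keyspace(length, classes)


def bits_lost(length, classes, required):
    """Same reduction expressed as entropy in bits removed by the policy."""
    return -log2(reduction_ratio(length, classes, required))


if __name__ == "__main__":
    # Reproduces the thread's 3-character figures.
    print(keyspace(3, THREAD_CLASSES))              # 857,375
    print(keyspace(3, THREAD_CLASSES, ("digit",)))  # 243,250
    print(f"{reduction_ratio(3, THREAD_CLASSES, ('digit',)):.2%}")
    # The same policy question for longer passwords and more required classes.
    for n in (8, 12, 20):
        req = ("digit", "upper", "lower", "symbol")
        print(n, f"{reduction_ratio(n, THREAD_CLASSES, req):.4f}",
              f"{bits_lost(n, THREAD_CLASSES, req):.2f} bits lost")
```

The brute-force function exists only to confirm the formula on a tiny constructed alphabet (a few thousand strings); the closed form is what you would use for real policies, since 95**12 candidates cannot be enumerated.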
 
I use KeePassXC to create the longest acceptable password allowed. 20 character totally random, even without special characters is still good. Obviously the longer the better, but 20 characters would be my minimum for most purposes.
 
I have an Apple iPhone and an iPad. I used their password generator. It makes for dynamic passwords. It is simple to use. However, if there is a downfall to using Apple, please let me know.

BTW, my password for my Apple account is pretty strong.
 
I use KeePassXC to create the longest acceptable password allowed. 20 character totally random, even without special characters is still good. Obviously the longer the better, but 20 characters would be my minimum for most purposes.

One of my important accounts allows a 50 character password, so I use 49 :dance:

I also just realized that KeePassXC will include high-ASCII characters in the random password creation by clicking on one button.
Of course the first place I try it on, called LinkedIn, doesn't allow them :facepalm:
 
I w*rk in IT and passwords are not good enough anymore. Need some sort of token or other verification process. At least that is seeming to be the trend that I see.
 
^ True. There are techniques where the web site you're going to can know it's the same person as before without having to keep any secrets at all. So hackers get the authentication database, there's no secrets to break into. Most of those schemes require a 3rd party (someone not to trust), but there's one that doesn't: SQRL. Unfortunately, none of the big players want that because they don't want anonymity...they all want your cell phone number and anything else they can get, and then tell you it's the "only way" they can make sure it's you.
 