So I guess p@s5w0RD123pA55wOrD would be super strong.
From my experience brute forcing passwords, no. It’s smart enough to try character substitutions and it annoys me so much that the FBI recommends this practice.
Wait it’s not? I remember some people in the industry recommend this sort of password albeit with variation of other random words as it’s pretty strong and would take a very long time to crack.
Indeed, just four impersonal words is a great password. Mix up the capitalization and it’s even better.
If it’s a bunch of words found in any dictionary then with or without character substitution it’ll be easy to crack.
It’s not. A dictionary has on the order of ≈100,000 (10^5) words in it. Picking five words entirely at random gives you 10^25 combinations, which is about the complexity of 14 alphanumeric characters. So pretty secure.
That’s true for a dictionary of 10^5 words. However the xkcd comic assumes a 2048 word dictionary, which only gives you 1.75 x 10^13 combinations. If your password is hashed with a weak algorithm, that can be cracked in minutes on a decent GPU. Luckily that can be fixed with just a few more words; 7 words gives you 1.5 x 10^23 combinations.
I don’t really like the xkcd comic because it says the user shouldn’t be worried about offline attacks on hashed passwords. Unless you have a unique password for every service (best practice, but too much for the average user) using a password that is weak to offline attacks puts your other accounts at risk if one service has their password hashes leaked. Which does happen, a lot.
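The arithmetic behind the two replies above (2048^4 vs. 2048^7 combinations, five words from a 10^5-word dictionary vs. 14 alphanumeric characters), plus the offline-cracking estimate, as an added example that is not from any commenter in this thread. The guess rates are assumptions for illustration: 10^10 guesses/s for an unsalted fast hash on a GPU and 10^4 guesses/s for a deliberately slow password hash; the tiny word list is constructed here and only stands in for a real 2048-word list.

```python
import math
import secrets

# Constructed stand-in for a diceware/xkcd-style word list (real lists have ~2048+ words).
WORDS = ["virtual", "raging", "vineyard", "clad", "runner",
         "anchor", "lantern", "orbit", "meadow", "quartz"]

# Assumed attacker speeds (not measured): fast unsalted hash on a GPU vs. a slow KDF.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_KDF_GUESSES_PER_SEC = 1e4


def combinations(dict_size: int, n_words: int) -> int:
    """Number of distinct passphrases when each word is drawn uniformly from the dictionary."""
    return dict_size ** n_words


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy in bits: log2 of the search space (words chosen independently and at random)."""
    return n_words * math.log2(dict_size)


def equivalent_alnum_length(bits: float, alphabet_size: int = 62) -> float:
    """Length of a random [A-Za-z0-9] string with the same entropy."""
    return bits / math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected offline cracking time: on average the attacker tries half the space."""
    return (2 ** (bits - 1)) / guesses_per_sec


def generate_passphrase(words: list, n_words: int) -> str:
    """Draw words with the OS CSPRNG; reuse of a word is allowed so entropy stays log2(N) per word."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for dict_size, n in ((2048, 4), (2048, 7), (10 ** 5, 5)):
        bits = passphrase_bits(dict_size, n)
        print(f"{n} words from {dict_size:>6}: {combinations(dict_size, n):.2e} combos, "
              f"{bits:5.1f} bits ~ {equivalent_alnum_length(bits):4.1f} alnum chars, "
              f"fast hash: {expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC):.1e} s, "
              f"slow KDF: {expected_crack_seconds(bits, SLOW_KDF_GUESSES_PER_SEC):.1e} s")
    print("sample:", generate_passphrase(WORDS, 4))
```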
I just see *******************
Need your credit card number and the 3-digit number on the back of the card to see what I typed.
That’s okay at best. Better if a passphrase, just random, impersonal words, something like this (~50 bits of entropy):
“virtual raging vineyard clad runner”
Best is a long, completely random string, stored in the password manager that you should be using anyways (~150 bits of entropy):
“hX0hZ1QTWtQo(h[Ta9jH]TmsVIhUTgSE”
I did use a password manager, but the issue is I still need a password for the password manager, so it can’t be random lol.
I just generated a 16 character random password and practiced typing it for a while; eventually it just becomes muscle memory.