
Nice password you got there! Super complicated, I love it. You know who else loves it? Computers! Because by carefully crafting a string of alphanumerical gibberish that you need tattooed on your palm to remember, you’ve made a password much easier to crack than, say, four simple unrelated words. But hey, at least it feels safer, right? [xkcd]
Boogoose
Tuesday, January 31, 2012 at 10:54 AM
My password is great, it’s trog4459K, nobody’s going to guess that in a million years!!
I am such a genius.
JonBOY
Tuesday, January 31, 2012 at 10:57 AM
Haha, classic. My employer recently FORCED me to update my password to something that matches the ‘easy’ layout above, i.e. capital letter + a special character + number.
Awesome.
Nate
Tuesday, January 31, 2012 at 10:58 AM
Deja vu?
Nytrojen
Tuesday, January 31, 2012 at 11:04 AM
Isn’t it only really harder because it’s a longer password? 25 characters vs 11, of course it’s going to be harder to crack, regardless of the contents.
Nytrojen
Tuesday, January 31, 2012 at 11:06 AM
The other thing that you don’t take into account is muscle memory – a lot of my passwords I don’t even really “remember” per se – but I recall the keystrokes.
meh
Tuesday, January 31, 2012 at 2:31 PM
Nice to hear you use passwords for so long as to get muscle memory, very safe.
Mark
Tuesday, January 31, 2012 at 5:16 PM
It’s a blessing and a curse. I’ve spent half an hour trying to type one of my passwords in on my phone, but I couldn’t do it. When I got up to use my computer I was able to type it in first go.
Ben
Tuesday, January 31, 2012 at 11:09 AM
Old! So old!
Jackson Bison
Tuesday, January 31, 2012 at 11:13 AM
Yup – I even posted a link to the same article that Brian posted back in August, but it got deleted!!!
Ogre
Tuesday, January 31, 2012 at 11:15 AM
Not true. Let’s say we use all the typeable characters on a standard English keyboard. That’s 26 * 2 letter characters, plus 10 numeric characters, along with ~`!@#$%^&*()_+-=|\{}[]:;"',./? giving us a total of 94 characters. An 11 character password like the one in the comic, assuming we actually generate passwords randomly, gives us 94^11 possible combinations. Now, it’s estimated there are 250000 English words. If we use the word as the basis of our password, and we only choose four words, then we have 250000 ^ 4 possible passwords (and we all know that yes, you can perform dictionary based attacks on passwords). Of course, if we chose a 5 word password, then yes, suddenly we have more possible passwords than the normal password case, but this is why I use 16 character passwords.
Surely you know that Randall Munroe was just trolling with that comic, right?
Marrowmaw
Tuesday, January 31, 2012 at 11:36 AM
;)
lon
Tuesday, January 31, 2012 at 10:22 PM
Now add a capital letter on one of those dictionary words; how many combinations now?
Blake
Tuesday, January 31, 2012 at 12:09 PM
Assuming they know you’re only using dictionary words in lower case and nothing else.
Adding a capital letter somewhere in the middle of one of the words means for all the 250000^4 word combinations you have, you’d have to multiply it by the length of that combination, so suddenly even something short like abeeisflat goes from one password to 10 passwords.
So something like correcthorsebatterystaple isn’t one possible combination, it’s 1/25th of them.
Of course adding numbers and symbols to the end basically forces them to brute force the entire thing again.
Nigel
Tuesday, January 31, 2012 at 12:22 PM
I think the problem there, though, is that you can’t actually dictionary attack only a single word in a multi-word password. In other words, if my password was ‘elephant’, even though that’s an eight character password, it would be broken very quickly in a password attack.
But if I had ‘turquoise elephant backscratch blowdryer’ I suddenly have a very long string that cannot be broken with a dictionary attack unless someone has a dictionary with that entire exact string in it. They can’t break it down into individual words – they have to get the entire string in one go by chance. And that’s before I replace characters with numbers or specials, or introduce weird spacing, or anything like that.
The point, in the end, is not to have an unbreakable password. It just needs to be good enough, and ideally easy to remember on your part. In most cases it just needs to last a lifetime.
Mark
Tuesday, January 31, 2012 at 5:20 PM
You can use a dictionary attack if you stop thinking of them as words but rather as letters. The dictionary attack could be made to try passwords such as:
ape ape ape ape
ape ape ape bat
ape ape ape cat
etc.
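To put numbers on the arguments in Ogre’s, Blake’s and Mark’s comments (94^11 random characters vs 250000^4 words, the extra factor from one capital letter at an unknown position, and an attacker who enumerates the word list directly), here is an added Python entropy calculator; it is not part of the original post or thread. The 94-character keyboard alphabet and the 250,000-word dictionary are the thread’s own figures; the guess rate of one billion per second is an assumed value used only for illustration.

```python
import math

# Figures taken from the thread (Ogre's estimates, not measured here).
KEYBOARD_CHARS = 94
ENGLISH_WORDS = 250_000


def bits_random(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def bits_words(dictionary_size: int, n_words: int) -> float:
    """Entropy of `n_words` drawn uniformly, with replacement, from a word list.

    This is the space an attacker searches who already knows the scheme (the word
    list and the word count), i.e. Mark's 'ape ape ape bat' enumeration: it does
    not matter that the concatenated string is long or absent from any dictionary.
    """
    return n_words * math.log2(dictionary_size)


def bits_with_one_capital(base_bits: float, password_length: int) -> float:
    """Blake's point: capitalising one letter at an unknown position multiplies
    the candidate space by the password length, i.e. adds log2(length) bits."""
    return base_bits + math.log2(password_length)


def guesses_needed(bits: float) -> float:
    """Expected guesses to hit the password: half the search space on average."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time in years at an assumed guess rate."""
    return guesses_needed(bits) / guesses_per_second / (365 * 24 * 3600)


def compare_thread_cases() -> dict:
    """The concrete cases argued over in the comments, in bits of entropy."""
    four_words = bits_words(ENGLISH_WORDS, 4)
    return {
        "11 random keyboard chars": bits_random(KEYBOARD_CHARS, 11),
        "16 random keyboard chars": bits_random(KEYBOARD_CHARS, 16),
        "4 dictionary words": four_words,
        "5 dictionary words": bits_words(ENGLISH_WORDS, 5),
        # 'correcthorsebatterystaple' is 25 letters, so one unknown capital adds log2(25)
        "4 words + one capital": bits_with_one_capital(four_words, 25),
    }


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, one billion per second (illustrative)
    for label, bits in compare_thread_cases().items():
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_crack(bits, rate):.3g} years")
```

The output bears out Ogre’s arithmetic: four words from a 250,000-word list sit just below eleven random keyboard characters, and five words sit well above, so the comparison depends entirely on the word-list size and word count rather than on the length of the concatenated string.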
Alex
Tuesday, January 31, 2012 at 12:24 PM
If you can see yourself typing a 25-char password 30+ times per day… why da hell not.
Alex
Tuesday, January 31, 2012 at 12:41 PM
Always been a big advocate of passphrases, but it’s surprising how many sites out there seem to have passwords limited to 16 – 20 characters. Even if you type more, they just truncate the extra and use the first 16.
D
Tuesday, January 31, 2012 at 3:38 PM
Exactly, I would much prefer using a sentence or passphrase (maybe with capitalisation/punctuation etc. if I must) to a random gibberish password that I have to use some software to remember.
But many places I have to use a password force 6 – 8 character passwords, and have other restrictions (like no dictionary recognizable words in the password, must not start with a number, must only contain A-Z a-z 0 – 9 (no spaces) etc.) making the example given above (4 common words) an unacceptable password.
Jack
Tuesday, January 31, 2012 at 4:38 PM
My school’s admin password is G01t0n@WIM!