# Password security



## Rakuen Growlithe (Nov 8, 2011)

Here's something that's always bugging me, people saying that adding symbols and capitals makes your password more secure. I get that there's now a bigger range of characters so it is technically harder to figure out but a hacker doesn't know what the makeup of your password is. Let's say I have two passwords "aaaaaa" and "aC3$l". "aC3$l" is obviously more complicated but doesn't that only apply when you already know the make up of the password? No one will say "aaaaaa" is a good password because it's just repeated but when you are hacking you don't know how long a password is or what symbols it is using. You wouldn't do all possible letters before trying to solve a password with symbols, would you? If it worked that way you could have a password "&" which would be stronger than "adagwes".

I'm not a programmer but I doubt you get told the makeup of the password you are trying to hack, so the only foolproof way would be to gradually increase the number of characters and use all possible character sets. Since you're doing that then there isn't a benefit of symbols over letters or numbers and also no benefit to mixing them. The probability of a character is dependent only on the number in the set. Am I just missing something here or what?


----------



## CerbrusNL (Nov 8, 2011)

You're partially correct, here.

Assuming a brute-force method, an attempt at breaching the site would look like this:
Try "a", fail,
Try "b" through "z",
Try "A-Z"
Try all other available characters.

That's it for the first run through. As you can see, while the letters came first, a "&" would soon have followed. Now, you've had all 1-length possibilities, what next?

Try "aa-a&" (Assuming "&" is the last char)
Try "ba-b&"

Etc etc etc. Just like you'd normally count, but instead of 0-9, you're using "a-z, A-Z, 0-9, !-&" etc.

That way, "&" would take less time to crack than "aaaaaa", but, -any- password can be cracked given time, if a brute-force approach is possible.

If such an approach isn't possible, though, both "&" and "aaaaa" would be among the first things someone'd try to guess. The more complex (/random) you make a PW, the harder it is to guess.


----------



## Rakuen Growlithe (Nov 8, 2011)

If that's how it goes and the majority of people still have passwords that are easily broken, then wouldn't it make sense to just not use letters at all, if that's what is tried first? That also still sounds like a longer password is always more secure even if it's rather simple.

Also that would suggest, for English sites anyway, if you allowed Japanese characters then you could just use one or two kanji and hackers wouldn't even try those possibilities. I have seen some sites saying what symbols can be accepted for passwords though.


----------



## CerbrusNL (Nov 8, 2011)

It's mainly the length of the passwords, combined with the amount of possible characters, that affects how long it would take to brute force a PW. It doesn't really matter what character you use, though, if a brute force is possible. It won't make much of a difference. But that's why any decent site blocks login on an account after a couple of incorrect tries. To prevent such attacks. As a general rule of thumb: the longer and more complex a PW, the better. Words are easy(/ier) to guess.
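The lockout CerbrusNL mentions, as an added example that is not code from the thread: a small per-account guard that counts consecutive failed logins and refuses further attempts for a cooling-off window. The class name, the limits (5 failures, 15 minutes) and the injectable clock are assumptions made for the illustration; the real credential check is passed in as a callable so a locked account never reaches it.

```python
"""Added example (not from the thread): per-account failed-login lockout."""
import time
from collections import defaultdict

MAX_FAILURES = 5            # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout window


class LoginGuard:
    """Track consecutive failures per account and lock the account for a while."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so tests can fake time
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.locked_until = {}              # account -> timestamp when lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear state so the user gets a fresh allowance.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, check_credentials):
        """Return 'locked', 'ok' or 'fail'.

        check_credentials is a zero-argument callable doing the real password
        verification; it is only invoked when the account is not locked, so a
        locked account gives an attacker no information about the password.
        """
        if self.is_locked(account):
            return "locked"
        if check_credentials():
            self.failures[account] = 0       # success resets the counter
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "fail"


def demo():
    """Constructed scenario: three bad guesses, a lockout, then expiry."""
    fake_now = [1_000.0]
    guard = LoginGuard(max_failures=3, lockout_seconds=60,
                       clock=lambda: fake_now[0])
    wrong = lambda: False
    right = lambda: True
    results = [guard.attempt("alice", wrong) for _ in range(3)]
    results.append(guard.attempt("alice", right))   # correct password, but locked
    fake_now[0] += 61                                # window passes
    results.append(guard.attempt("alice", right))
    return results                                   # ['fail', 'fail', 'fail', 'locked', 'ok']


if __name__ == "__main__":
    print(demo())
```

Per-account lockout stops the single-account brute force the thread is discussing, but on its own it is also a denial-of-service lever (anyone can lock out a known username) and does nothing against spraying one common password across many accounts; in practice it is combined with per-source rate limiting and alerting on bursts of failures.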


----------



## ToeClaws (Nov 8, 2011)

The answer to the question of a better password is actually quite simple - don't use passwords anymore; use pass-phrases.  No matter how complicated the password may look to a human, extra characters or letters swapped out in lieu of characters are pretty easily cycled through by a computer.  Pass-phrases increase the number of possibilities, literally, exponentially.   This makes them very hard to crack by comparison, yet, easier to remember.  So rather than use something "l0lwut!!?", you could use "Well-damn,this-is-a-hell-of-a-password!".  XKCD summed it up best:
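Two posts above describe the arithmetic without working it: CerbrusNL's counting order (all one-character strings, then all two-character strings, and so on, in a-z, A-Z, 0-9, symbols order) and ToeClaws' claim that pass-phrases grow the possibilities exponentially. The following is an added example, not code from the thread or from any of the posters, that computes where a given string falls in that enumeration and compares keyspace sizes in bits. The alphabet order is an assumption matching CerbrusNL's description, and the 2048-word dictionary size and the guesses-per-second figure are constructed inputs for the comparison.

```python
"""Added example (not from the thread): brute-force enumeration position and
keyspace size in bits for passwords versus pass-phrases."""
import math
import string

# Assumed enumeration order from the post: lowercase, uppercase, digits, symbols.
ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
            + string.digits + string.punctuation)       # 94 characters


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def candidates_up_to(length, alphabet_size=len(ALPHABET)):
    """Strings a length-increasing search has tried once every length <= `length` is done."""
    return sum(alphabet_size ** k for k in range(1, length + 1))


def brute_force_position(password, alphabet=ALPHABET):
    """1-based position of `password` when counting shorter strings first, then
    strings of its own length in odometer (mixed-radix) order."""
    n = len(alphabet)
    if any(ch not in alphabet for ch in password):
        raise ValueError("character outside the enumerated alphabet")
    shorter = candidates_up_to(len(password) - 1, n)
    value = 0
    for ch in password:                     # read the string as a base-n number
        value = value * n + alphabet.index(ch)
    return shorter + value + 1


def entropy_bits(choices):
    """Keyspace size expressed as bits; each extra bit doubles the work."""
    return math.log2(choices)


def passphrase_keyspace(words, dictionary_size):
    """Phrases of `words` words drawn from a list of `dictionary_size` words."""
    return dictionary_size ** words


def seconds_to_exhaust(candidates, guesses_per_second):
    """Time to try every candidate at a constructed guess rate."""
    return candidates / guesses_per_second


def comparison(guesses_per_second=1e9):
    """Constructed comparison: 8 random chars from 94 symbols vs. word phrases
    from an assumed 2048-word list, at an assumed 1e9 guesses/second."""
    return {
        "8 chars, 94 symbols (bits)": round(entropy_bits(keyspace(8)), 1),
        "4 words of 2048 (bits)": round(entropy_bits(passphrase_keyspace(4, 2048)), 1),
        "6 words of 2048 (bits)": round(entropy_bits(passphrase_keyspace(6, 2048)), 1),
        "8 chars, days to exhaust": round(
            seconds_to_exhaust(keyspace(8), guesses_per_second) / 86400, 1),
        "6 words, days to exhaust": round(
            seconds_to_exhaust(passphrase_keyspace(6, 2048), guesses_per_second) / 86400, 1),
    }


if __name__ == "__main__":
    # "&" is tried well before "aaaaaa": one symbol is a 1-character candidate,
    # six letters are a 6-character candidate.
    print(brute_force_position("&"), brute_force_position("aaaaaa"))
    for k, v in comparison().items():
        print(f"{k}: {v}")
```

The position function shows the point Rakuen Growlithe was circling: under a length-first search, "&" is candidate number 68 while "aaaaaa" is past seven billion, so length, not the type of character, decides the order of magnitude. The bit comparison makes ToeClaws' point quantitatively: each added character multiplies the work by the alphabet size and each added word by the dictionary size, so a six-word phrase from a modest list already exceeds an eight-character random string over all 94 printable symbols.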


----------



## BRN (Nov 8, 2011)

I tend to use simple passwords where passwords seem redundant. I have complicated passwords for various important sites - paypal, online banking.

> But for shit like FAF, fuck complicated passwords, I just want something I can type in under a second. I don't give out my passwords, and if somebody wanted access, they could get it regardless of if my password was "sixtynine" or fifty characters long.

I guess the point I'm making here is that password security is good and all, but, when a site asks you to register before submitting your CV, I don't want my password to be forced to have several numbers and symbols. Nobody else in the world fucking cares about my password for that site.


----------



## CaptainCool (Nov 8, 2011)

ToeClaws said:


> The answer to the question of a better password is actually quite simple - don't use passwords anymore; use pass-phrases.  No matter how complicated the password may look to a human, extra characters or letters swapped out in lieu of characters are pretty easily cycled through by a computer.  Pass-phrases increase the number of possibilities, literally, exponentially.   This makes them very hard to crack by comparison, yet, easier to remember.  So rather than use something "l0lwut!!?", you could use "Well-damn,this-is-a-hell-of-a-password!".  XKCD summed it up best:



that is exactly what i wanted to say, too. making proper passwords is very easy, we are just trained to use super complex ones...
many sites and programs actually require you to make a password that contains capital letters, numbers and punctuation AND they have a limit on how long the password can be... it's like they want your password to be hard to remember but easy to guess at the same time


----------



## LizardKing (Nov 8, 2011)

In b4 xkc... fuck.

I tend to use small but non-dictionary passwords on forums and shit, then real bitchin' passwords on important things like my e-mail (e.g. "thisismypassword4gmail@googledotcom:3")


----------



## Elim Garak (Nov 8, 2011)

I have a password manager. All my passwords are at least 14 chars long with a random mix of everything.
I also have two-factor authentication enabled for both my Google (including Gmail) account and my password manager.


----------



## Aden (Nov 8, 2011)

The pass-phrase thing is a nice idea, but many places will actually limit the length of your password (e.g. 'your password must be 8–14 characters in length'). When I hit that kind of thing, I break out the random string generator.


----------



## CaptainCool (Nov 8, 2011)

Aden said:


> The pass-phrase thing is a nice idea, but many places will actually limit the length of your password (e.g. 'your password must be 8–14 characters in length'). When I hit that kind of thing, I break out the random string generator.



i hate it when they do that. limiting the user in terms of what kind of password they can use just sucks...
and i don't like random strings because those are REALLY hard to remember and essentially just as unsafe as any other non-dictionary password of the same length.


----------



## ToeClaws (Nov 8, 2011)

Yeah - places that limit passwords to pathetically short lengths really bug me.  Of all places, banks are particularly bad for this.  My usual pass-phrase is 21 characters long, and the bank allows a whopping 8.  Oooo... real secure.  I'd love to see a minimum character limit move up to 15, and most places should allow 32 character phrases or more.  Banks, financial institutions, government and basically all of the people that need to get their security act together more than anyone tend to be the LAST people to modernize.  Kinda scary.


----------



## CaptainCool (Nov 8, 2011)

ToeClaws said:


> Yeah - places that limit passwords to pathetically short lengths really bug me.  Of all places, banks are particularly bad for this.  My usual pass-phrase is 21 characters long, and the bank allows a whopping 8.  Oooo... real secure.  I'd love to see a minimum character limit move up to 15, and most places should allow 32 character phrases or more.  Banks, financial institutions, government and basically all of the people that need to get their security act together more than anyone tend to be the LAST people to modernize.  Kinda scary.



yeah, especially places like that should do that.
but it's "common sense" today that a short but super complicated password is secure. but in reality a brute force attack tool doesn't care whether you use letters, numbers, punctuation or symbols! you are just using signs that it has to cycle through until it finds your password. granted, using more than just letters does make it more secure but since it's only like 8 signs long it's still just a matter of days or maybe weeks until the password is cracked, which is still a very manageable amount of time...


----------



## Runefox (Nov 8, 2011)

I'd just like to say:

Fuck passwords. Use a master password, and generate 32-character (or whatever the maximum for a given site/account is) randoms for everything else.

Also, most normal users don't know or care about it, but RSA/DSA keys > pass-anythings.


----------



## Aden (Nov 8, 2011)

Runefox said:


> I'd just like to say:
> 
> Fuck passwords. Use a master password, and generate 32-character (or whatever the maximum for a given site/account is) randoms for everything else.



This intrigues me


----------



## Runefox (Nov 8, 2011)

Also, two-stage security via authenticators. Google uses this (opt-in, mobile app / SMS), and LastPass can integrate with it, too. Steam and Facebook also have a similar system (opt-in, confirmation e-mail on login to a new computer; combine with Google authentication + GMail for high security). USE IT WHENEVER YOU CAN. >=|

For me, Google houses my most important services. Two-stage auth virtually removes the possibility of brute-force attack on my account (barring an attack on Google themselves, but that's out of my hands). As a user, this is the greatest precautionary measure you can use. Even a weak password provides decent security in this case, assuming you're in physical possession of your mobile device.


----------



## ArielMT (Nov 8, 2011)

Virtually all of the password-related security compromises that have made the news within the last two years have been through password reuse.  It doesn't matter how strong or secure your password is if you use the same password in two or more places.  Don't reuse your passwords.

Also, don't dismiss the worth of your accounts so quickly, because every account you have is part of your general Internet identity.  Someone will assume that anything said or done through your account is inherently trustworthy because it's you, even when it isn't you at all.


----------



## Ricky (Nov 9, 2011)

ArielMT said:


> Virtually all of the password-related security compromises that have made the news within the last two years have been through password reuse.  It doesn't matter how strong or secure your password is if you use the same password in two or more places.  Don't reuse your passwords.



That's the big one.  If someone wants to target someone the easiest way to do it is usually through some system they access that's only marginally secured.

The most common passwords are compiled into lists.  Programs like Burp Suite's Intruder have them built-in.

Then there's your dictionary attacks and concatenations of words (maybe with a number or two) or something a bit more complicated, like in that comic.

Symbols can help but I don't think it really matters.  Pick something random that's not a word and has numbers in it, maybe symbols.

Also, yeah -- public key cryptography rocks but it's not always practical in every situation.


----------

