Password strength question

Mojave
I use LastPass for my passwords and, of course, have a master password for LastPass. I've opted to use a complex mix of characters rather than a lengthy passphrase.

While my master password is strong and complicated, I think it may be too short. I would simply like to add a multi-word passphrase inside the password to give it a lot more bits of information, but keep it easy for me to memorize.

Is it generally OK to mix complex passwords (letter cases, numbers, special characters) with passphrases? Or should I stick to one system?

Thanks!
 
IMO the best password system is one that uses words not just random characters. e.g. "smokeyBACON11" or something
1. You can't use a dictionary attack on that because of the numerical content (use a symbol as well if you'd like to be even more secure)
2. The only cracking method that'd be an option is brute force. And the length of that password is way too long for that to work either.
3. It's much easier to remember than "ApB3*k32S3#@"

I take it one step further and use an algorithm to create my passwords. I use a site characteristic that I can reasonably guess, a middle part that never changes (e.g. "eNTER") and 3-4 letters on the end that depend on the site characteristic. e.g. I might say that if the site characteristic ends in a-m the letters will be 507, if it ends in n-z it will be 406. That way even if I forget the password, as long as I can guess the site characteristic I can work out my password
And unless you know what particular algorithm I've used to generate those last numbers, you'll never be able to guess it, even if you do happen to know my middle word and site characteristic.
 
IMO the best passwords aren't "words", they are phrases. Many of my accounts are protected by a passcode similar to "!correctly4named3bed2post1".

[image: password_strength.png]

Try this tool out - enter anything into it and hit "grade my password" (don't type your real password), it will show a lot of information about password strength tips
 
IMO the best passwords aren't "words", they are phrases. Many of my accounts are protected by a passcode similar to "!correctly4named3bed2post1".

*snip*

Try this tool out - enter anything into it and hit "grade my password" (don't type your real password), it will show a lot of information about password strength tips

Was just going to post this comic when I read the title, but saw you already did lol.
 
It was the exact comic I was thinking of when I said use words not random letters too :p
I'd still say using only lowercase actual words is a bad idea though, dictionary attacks might still be effective against that
 
I've simulated some attacks against myself with no successful results, so I think the method is pretty good unless the attacker is EXTREMELY determined
 
Hmmm I'm bored at work...let's see :grin:

According to this, the top 10,000 words contain 97.2% of all the words (based on 29.2 million words gathered from TV and movie scripts and transcripts). So we need a dictionary with just 10,000 words to have a pretty darn high success rate.

"Horse" and "correct" are in top 1000-2000 word list, "battery" is in 4000-5000, so far so good.
"staple" is in 18000-20000 so I'll give XKCD credit there for being part of the rare cases we can't crack with just our 10,000 word list. Apparently people don't say "staple" on tv very often lol

Let's use a single GTX 980. Conservatively, let's say we can only do 5 billion hashes a second (though real-world rates can exceed 10 BH/s with this GPU, depending on what hash is used)

It would take 23 days 3 hours 36 mins to guess absolutely *every* permutation in a 4-word password using the above 10,000-word list.

AND luckily for us probability is a finicky ***** and we'd hardly even need to attempt 10% of that to get a massive amount of matches. https://en.wikipedia.org/wiki/Birthday_attack

So yeah, I dunno if I'd call that particularly secure :p

edit: for fun, let's compare that to the system I like using. Let's say 2 letters for site characteristic, 5 letters that don't change, and 3 numbers on the end. 10 characters in total.
26 upper case + 26 lowercase + 10 numbers = 62 possible characters

At the same rate as the above (5BH/s) it would take 1,942.8 days to calculate all possible permutations.
I usually use 3-5 letters for the site characteristic though, which brings days to 120,370 for 3 site chars, and 462,962,963 days for 5 chars :p
 
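The keyspace arithmetic from the post above (the 4-word list attack and the 62-character scheme), together with the "site characteristic + fixed middle + rule-derived suffix" construction described two posts earlier, written out as an added example. This is not code from the thread or from any tool it mentions. It reuses the thread's figure of 5 billion guesses per second for a fast hash; the slow-KDF rate of 100,000 guesses per second, the 100-entry list of guessable site strings and the 2-option suffix rule are illustrative assumptions of this example, not numbers anyone in the thread stated.

```python
import math

# Assumptions for this example (not figures from the thread unless noted):
# - FAST_HASH_RATE is the 5 billion guesses/second the post uses for a GTX 980
#   against a fast hash.
# - SLOW_KDF_RATE is an illustrative guess for a deliberately slow KDF (PBKDF2,
#   bcrypt, scrypt, Argon2), the kind a password-manager vault is protected by.
FAST_HASH_RATE = 5e9
SLOW_KDF_RATE = 1e5
SECONDS_PER_DAY = 86_400


def keyspace_bits(choices_per_position: float, positions: int) -> float:
    """Entropy in bits of a secret picked uniformly at random from
    choices_per_position ** positions equally likely values."""
    return positions * math.log2(choices_per_position)


def exhaust_days(bits: float, rate: float = FAST_HASH_RATE) -> float:
    """Days needed to try every candidate of a 2**bits keyspace at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_DAY


def expected_days(bits: float, rate: float = FAST_HASH_RATE) -> float:
    """Expected time to hit one uniformly chosen secret: half the keyspace on
    average. This is ordinary expected-value arithmetic; a birthday attack is
    about collisions between two hashes, not about guessing one target."""
    return exhaust_days(bits, rate) / 2


def passphrase_bits(words: int, wordlist_size: int,
                    separator_choices: int = 1,
                    random_word_caps: bool = False) -> float:
    """Bits for `words` words drawn uniformly from a list of `wordlist_size`
    entries, joined by a separator chosen from `separator_choices` options,
    optionally with an independent coin flip per word deciding capitalisation
    (one bit per word). Uniform random choice is what makes these bits real:
    words a human picks cluster in the most common few thousand."""
    bits = keyspace_bits(wordlist_size, words)
    if separator_choices > 1:
        bits += keyspace_bits(separator_choices, words - 1)
    if random_word_caps:
        bits += words
    return bits


def scheme_known_bits(site_candidates: int, suffix_options: int) -> float:
    """Search space left in a 'site characteristic + fixed middle + rule-derived
    suffix' password once the attacker knows the construction and the middle:
    only the site string (tried from a candidate list) and the suffix rule are
    unknown. The fixed middle contributes nothing in that case."""
    return keyspace_bits(site_candidates, 1) + keyspace_bits(suffix_options, 1)


def scenarios() -> dict:
    """Compare the schemes discussed in the thread under both attacker rates."""
    cases = {
        "4 random words from the 10,000-word list, lowercase":
            passphrase_bits(4, 10_000),
        "same 4 words, a digit 0-9 between words, random caps per word":
            passphrase_bits(4, 10_000, separator_choices=10, random_word_caps=True),
        "10 chars from [A-Za-z0-9], construction unknown to attacker":
            keyspace_bits(62, 10),
        "13 chars from [A-Za-z0-9], construction unknown to attacker":
            keyspace_bits(62, 13),
        "fixed-middle scheme, rule and middle known, 100 site strings, 2 suffixes":
            scheme_known_bits(100, 2),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "exhaust_days_fast_hash": exhaust_days(bits),
            "expected_days_fast_hash": expected_days(bits),
            "exhaust_days_slow_kdf": exhaust_days(bits, SLOW_KDF_RATE),
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}\n  {r['bits']:.1f} bits; exhaust at 5 GH/s: "
              f"{r['exhaust_days_fast_hash']:,.1f} days; expected: "
              f"{r['expected_days_fast_hash']:,.1f} days; "
              f"at 1e5 guesses/s: {r['exhaust_days_slow_kdf']:,.0f} days")
```

Two things this makes visible that the post's numbers alone do not. First, the 62-character figures only hold while the attacker has to treat the password as random characters; once the construction is known (fixed middle, suffix picked by a two-way rule, site string guessable from a short list), the remaining search space is a handful of bits, which is the "unless you know the algorithm" condition made concrete. Second, the same 4-word passphrase that falls in 23 days against a fast hash takes thousands of years at the illustrative slow-KDF rate, so for a vault master password the KDF cost matters as much as the bit count; adding random per-word capitalisation and a digit between words lifts the 53-bit list attack to roughly 67 bits without making it harder to remember.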
Hmmm I'm bored at work...let's see :grin:

[snip]

So yeah, I dunno if I'd call that particularly secure :p

Yeah, the XKCD method was outed as terrible pretty much the day it went up. If you're just using four words for your passwords (regardless of the length of those words), you've reduced your password to four characters in length (though in an alphabet that has, as you say, tens of thousands of characters rather than the 256 extended ASCII). Random capitalisation helps a lot, and putting numbers between the words helps a bit.
 
Hmmm I'm bored at work...let's see :grin:

[snip]

It would take 23 days 3 hours 36 mins to guess absolutely *every* permutation in a 4-word password using the above 10,000-word list.

[snip]

At the same rate as the above (5BH/s) it would take 1,942.8 days to calculate all possible permutations.
I usually use 3-5 letters for the site characteristic though, which brings days to 120,370 for 3 site chars, and 462,962,963 days for 5 chars :p

The thing is, is crunching away at that one account worth 23 days to the attacker? Or is there worth somewhere else. I mean, all encryption can eventually be broken - it's just the amount of time that is the barring factor for how strong it is. If it's long enough to make it not worth the attack, wouldn't the attacker move onto something that could be more fruitful? Of course like I said, that's assuming you're not a high value target.
 