What. The. Actual. Fuck.

My co-workers just tried to convince me that the following is a secure password:

"ThisIsASecurePassword2018"

Just... I mean... Why? *sigh*

Their argumentation is based on the new NIST guidelines.

If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.

ThisIsASecurePsasword2018

Actually it is, it’s long.

You’d need to add weird symbols and all, but it is

Add three words that are weird enough (at least one of them not in like.. top 100.000 used words)
Or mix another language, a name, a title, - swap a letter or add one (or a number) and you're safe.

ThisIsASecureComment2018

Can we have his email then? So we can put his new password to the test

@RedBorg well, but the point here is that this particular password is not secure at all.

Better than ‚password‘

Also not secure now that it's been posted here

@hitchhiker42 oh shit! 😱 I feel so silly now 🙄

This🕗Is🕤Some🕙Timed🕛Password

For a developer it's pretty easy to create a correcthorsebatterystaple.

iloveindentingmyphpcodewiththreespaces
mysqlisthebestquerylanguageeverinvented
imakeallmywebsitesusingadobeflashplayer

ThisIsASecurePassword#2018!!

Gotchu.

@bittersweet @ArcaneEye a main problem is that since the password is not composed of random words the entropy of all words after the first one is near 0 which leads to affectivly only the first one 'hard' to guess. Intuitively that makes sense since every succeeding word is not only part of a dictionary but also entangled with grammar/logic information which is really helpful in computing the password.

Mathematically the entropy would be for the first word out of a dict of 1024 words 10 bit and for all succeeding words nearly 0. An entropy of 10 is not secure. 5 random words out of 2048 words on the other hand would have 5 times 11 bit entropy, so 55 in total which is quite reasonable. Important is randomization. The same would be achieved with a dict of 100 characters selecting randomly 8. This leads to nearly the same entropy.
The first example is pretty long and rememberable, the latter is the opposite and todays taught standard.

@justwellbrock I get that entropy decreases when you use words which are commonly grouped together.

I do think the best approach is using a password manager to generate very long and totally random strings.

In some cases, I prefer a human rememberable password though... and I think the decrease in entropy can be mitigated a bit by adding "weirdness" and naturally occurring symbols/numbers.

A sentence like "the $1 purple cakerol tastes like farting sloths" can not easily be brute forced per-character, and is fairly hard to brute force using a dictionary or by training a predictive algorithm, as the words aren't used in "normal" sentences.

@bittersweet I second that.