6

Who actually started the reign of mixed character passwords? because seriously it sucks to have an unnecessarily complex password! Like websites and apps requesting passwords to contain Upper/Lower case letter, numeric characters and symbols without considering the average user with low memory threshold (i.e; Me).

Let's push the complaint aside and return back to the actual reason a complex password is required.

Like we already know; Passwords are made complex so it can't be easily guessed by password crackers used by hackers and the primary reason behind adding symbols and numbers in a password is simply to create a stretch for possible outcome of guesses.

Now let's take a look into the logic behind a password cracker.

To hack a password,
1) The Password Cracker will usually lookup a dictionary of passwords (This point is very necessary for any possible outcome).
2) Attempts to login multiple times with list of passwords found (In most cases successful entries are found for passwords less than 8 chars).
3) If none was successful after the end of the dictionary, the cracker formulates each password on the dictionary to match popular standards of most website (i.e; First letter uppercase, a number at the end followed by a symbol. Thanks to those websites!)
4) If any password was successful, the cracker adds them to a new dictionary called a "pattern builder list" (This gives the cracker an upper edge on that specific platform because most websites forces a specific password pattern anyway)

In comparison:
>> Mygirlfriend98##
would be cracked faster compared to
>> iloveburberryihatepeanuts

Why?
Because the former is short and follows a popular pattern.

In reality, password crackers don't specifically care about Upper-Lowercase-Number-Symbol bullshit! They care more about the length of the password, the pattern of the password and formerly used entries (either from keyloggers or from previously hacked passwords).

So the need for requesting a humanly complex password is totally unnecessary because it's a bot that is being dealt with not another human.

My devrant password is a short story of *how I met first girlfriend* Goodluck to a password cracker!

Comments
  • 4
    I get pissed if I can't have at least a 40 character password. I don't know any of them. They all reside on encrypted, triple redundant stores. The only key I know is the 30 character master encryption key.
  • 5
    I use 20 character random passwords, and a different one for each website. How I remember them? I don't, I let the browser do this work.
  • 3
    It's not even about the password cracker. That's where we are making things complex for no reason.

    It's about math:
    If the character set is for example [a-c] (a,b,c)
    You can make this 4 letter password:
    aaaa
    or
    cbaa

    To calculate all possibilities you do:
    size_of_character_set raised to length_of_password
    That is: 3^4 = 81
    If you add two new characters like "d" and "e" it will be: 5^4 = 625
    But if you increase the length by two instead it will be: 3^6 = 729

    See the difference? By increasing the length you get more password possibilities than by increasing the characters you have to choose from.

    TL;DR; ask users to make long passwords instead of complex ones. (minimum 8? Maybe 10? 🤔)

    (I wrote this on my phone sorry if there's errors)
  • 1
    A password resembling actual passwords I usually use:

    ÷¥Ö0ì´¨&Ü7±ÕïK/QùcnrN8¢P%_¦ê¸àüËoc×ëvÍZ+#GjXÌvÆѹÇNÏíU=ÒF]ÊÞgç'¡_"à?ýuSÄdìÛ>±(Qgh@äæY÷ýÓu9Ë}È;;âö>POÒÌ8¡fü¾Å#¬W²{æ($][l*'(O/yª+´

    So long AND complex.
  • 0
    Imho just use very long passwords to inflate bit entropy. Even a standard/silly phrase with some mixed numbers/capitalized letters. Just avoid trivial substitution.

    E.g. ihadagreatdaybecausemycodecompiledreallYfasT
  • 0
    @molaram I'm using kee pass for storing and less pass for generaring passwords on two computers and smartphone. They work well.
Add Comment