
Why do some companies think ridiculously hard password requirements make my account more secure??

aqarwaen29
28 minutes ago, coneve1414 said:

It is more secure though. Sometimes adding a single extra character and randomizing it can make it take longer to crack. Let's say you had the password "Sheeprgreat69", and let's assume that since there are dictionary words in there the password would take (in this fictional example) 2 weeks to crack. If you were to change it to "$he3prGre@t69!" then it could possibly take longer to crack, say 4 years.


(btw this is not my password lol I just made up a random sentence)

I was told brute-force crackers are programmed to check character/letter replacements, so every time it tries sheep it will also try $heep and sh33p and $h33p. So using symbols in place of letters for real words supposedly does not greatly increase the security.

On 11/3/2021 at 7:53 AM, mr moose said:

I was told brute-force crackers are programmed to check character/letter replacements, so every time it tries sheep it will also try $heep and sh33p and $h33p. So using symbols in place of letters for real words supposedly does not greatly increase the security.

This is true, but I was just using that as a quick and dirty example.

Edit: still, having special characters does help though.

On 11/3/2021 at 7:48 AM, Spindel said:

The thing that would be even harder to crack would be to just use "SheepgreatSheepgreat" or "thisismylongpasswordasaphrase": no need for special characters and easier to remember.

length > complexity when cracking

This is partially true; I was just using that as a quick and dirty example to show how even slight complexity can help sometimes.

Edit: but even a mix of both complexity and length can make a password even harder to crack. Like LastPass's password generator, it can go as low as (I think?) 8 characters. I think good practice would be a mix of both.

Once a Linux admin coworker asked me to create a really secure password for my logins to the Linux systems...

well

thisismyfullsecureandawesomepassword (well, it wasn't in English and I'm not working there anymore)

He looked at me goggle-eyed and asked what a brainiac I must be for remembering such a long password.

He never imagined it being a full sentence ^^

On 10/27/2021 at 5:45 PM, aqarwaen29 said:

Why do some companies think ridiculously hard password requirements make accounts more secure?

Because they are.

On 10/27/2021 at 5:45 PM, aqarwaen29 said:

What if I need to keep my password in Notepad just to be able to access my account, and every hacker who hacks into my computer can see my password?

This is what password managers are for. Don't use notepad.

On 10/28/2021 at 12:05 AM, comander said:

Of course the REAL solution is to just require longer passwords aka pass phrases.

Using uncommon characters in your long passphrase prevents combinatory wordlist attacks.


5 hours ago, coneve1414 said:

If you were to change it to "$he3prGre@t69!" then it could possibly take longer to crack, say 4 years

I don't think this is true anymore... there's only a very limited amount of "special signs" that people would use; it's got to be trivial to program into a "brute force algorithm".

46 minutes ago, Mark Kaine said:

I don't think this is true anymore... there's only a very limited amount of "special signs" that people would use; it's got to be trivial to program into a "brute force algorithm".

Yeah, I was using that as an example. Though I think doing both that and making passwords longer still helps at least.

4 hours ago, coneve1414 said:

This is true, I was just using that as a quick and dirty example to show how even slight complexity can help sometimes.

Edit: but even a mix of both complexity and length can make a password even harder to crack. Like LastPass's password generator, it can go as low as (I think?) 8 characters. I think good practice would be a mix of both.

What I usually do: open a dictionary. Flip to a random page. Pick the first two words on the page. First word all lower case. Second word, first letter capitalized. If the length is insufficient, go to the next two and so on. Combine the two, append the page number to the end. Some password requirements are even more insane, like requiring a special symbol. What I usually do would be to look at the day of the week. Find the corresponding number key on the keyboard. Hit shift and hit that number. Add that special symbol to the end.

 

Also, ever consider adding spaces to your password? I have yet to see any password cracking dictionary include spaces in any password.  


2 hours ago, wasab said:

What I usually do: open a dictionary. Flip to a random page. Pick the first two words on the page. First word all lower case. Second word, first letter capitalized. If the length is insufficient, go to the next two and so on. Combine the two, append the page number to the end. Some password requirements are even more insane, like requiring a special symbol. What I usually do would be to look at the day of the week. Find the corresponding number key on the keyboard. Hit shift and hit that number. Add that special symbol to the end.

Also, ever consider adding spaces to your password? I have yet to see any password cracking dictionary include spaces in any password.

Ohhhhh, that's a good idea. I never thought of that. Pretty creative.

B@ecauseThis1295673ish4rd3r2br00tf0rce

 

Anything memorable: DOB of people you know, names, random logins from the past, weird sounds you make or someone else makes which sound like a new word. Add them in.

So for example Heeve@67SkylineniSmo091199 is far more complex, as they don't know your logic or understanding of your password. To a brute force attack it looks like the rest of the crap jumbled up in the text file.

4 Titan X Pascal could brute force 10 character passwords; it gets astronomically harder the more weird characters and upper case are used, as they will use a dictionary. Put it this way: even 4 of your best now can't crack 15 characters; it is nigh on improbable due to the sheer amount of time needed.

Some words are not in a dictionary too, so use slang terms too.

With the base knowledge, know that it won't stay this way: your passwords have to get longer and more complex, so just build upon your old one every now and then.

Make sure the password looks odd, like it makes no sense to the general person looking at it.

Computerphile video: 'Beast' cracks billions of passwords a second, Dr Mike Pound demonstrates why you should probably change your passwords. Please note, at one point during the video Mike suggests using SHA512; please check whatever the recommended process is at the time you view the video. Here's a look at 'Beast': https://www.youtube.com/watch?v=RG2Z7... Related videos: How NOT to Store Passwords: https://youtu.be/8ZtInClXe1Q - Password Choice: https://youtu.be/3NjQ9b3pgIg - Deep Learning: https://youtu.be/l42lr8AlrHk - Cookie Stealing: https://youtu.be/T1QEs3mdJoc

17 hours ago, Spindel said:

The thing that would be even harder to crack would be to just use "SheepgreatSheepgreat" or "thisismylongpasswordasaphrase": no need for special characters and easier to remember.

length > complexity when cracking

Not really. Let's look at the examples you just chose. The best is to mix a slight complexity with a passphrase.

Realistically you would target using the 10,000 common words (which both examples fall into). Your first example would be 20k^4 (with capitals), which is roughly 2^57.

Compared to abc!@#ABC#@!... [with special characters that's about 72 options per character]. That's 72^12... roughly 2^74. So greater complexity with 8 characters less than yours.

Your second example is a lot better though, at roughly 2^106, but would still fall victim to linguistic types of attacks... also your second example can be bested by a 17 character long complex password (vs your 29 character long passphrase).

So yeah, a randomly generated complex password would be best... if a password manager isn't available, I would stick some special characters into a passphrase.

e.g. Passwords would always start with !@#$ and end in !@#$, with a period after the first character: !@#$h.ellot.hisi.sm.yp.assphrase!@#$

Easy to remember, but hard to crack. It also means I can write things like LTT = hellothisismypassphrase more openly and be confident a passer-by wouldn't figure out my system. [This is not how I actually do it, but I do similar things]
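The 2^57 / 2^74 / 2^106 figures in the post above come from straightforward entropy arithmetic, and the same arithmetic answers the earlier questions in this thread about spaces in passwords and about what a GPU rig's guess rate buys. The block below is an added example, not the poster's own calculation: it assumes a 10,000-word attacker dictionary, the 72-symbol alphabet from the post and 95 printable ASCII symbols for comparison, and it treats capitalisation as at most a doubling of the choices per word. A fixed separator between words (a space, a dash) adds nothing in this model, because a combinator attack inserts it between every pair of words anyway.

```python
"""Entropy arithmetic behind the figures above: word-based passphrases drawn
from a common-word list versus random character strings, and what a guess
rate implies.  Added example with assumed sizes, not the poster's own code."""
import math
import secrets

COMMON_WORDS = 10_000     # assumed size of the attacker's word list
CHARSET_POST = 72         # per-character options used in the post above
CHARSET_ASCII = 95        # full printable ASCII, for comparison


def passphrase_bits(words: int, dictionary: int = COMMON_WORDS,
                    capitalised: bool = True) -> float:
    """Bits of work when the attacker guesses each word from `dictionary`.
    Capitalising a word's first letter at most doubles the choices per word.
    A fixed separator (space, dash) adds nothing: a combinator attack simply
    inserts it between every pair of words."""
    choices = dictionary * (2 if capitalised else 1)
    return words * math.log2(choices)


def random_bits(length: int, alphabet: int = CHARSET_ASCII) -> float:
    """Bits for a uniformly random string of `length` over `alphabet` symbols."""
    return length * math.log2(alphabet)


def equivalent_random_length(bits: float, alphabet: int = CHARSET_ASCII) -> int:
    """Shortest random string over `alphabet` with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits / 2) / guesses_per_second


def generate_passphrase(words: int, wordlist: list[str], sep: str = " ") -> str:
    """Passphrase from a CSPRNG; its entropy is words * log2(len(wordlist))
    regardless of how the words are joined."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for label, bits in [
        ("SheepgreatSheepgreat (4 common words)", passphrase_bits(4)),
        ("12 random chars from 72 symbols", random_bits(12, CHARSET_POST)),
        ("8-word phrase from common words", passphrase_bits(8)),
        ("17 random chars from 72 symbols", random_bits(17, CHARSET_POST)),
    ]:
        years = expected_crack_seconds(bits, 1e10) / 31_557_600
        print(f"{label:40s} {bits:6.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
    print("random length (72 symbols) matching 4 common words:",
          equivalent_random_length(passphrase_bits(4), CHARSET_POST))
```

The guess rate to plug into `expected_crack_seconds` depends entirely on the hash the site uses: an unsalted fast hash on a GPU rig is orders of magnitude faster than a properly tuned slow password hash, so the same bit count can mean minutes or centuries.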

1 hour ago, wanderingfool2 said:

Not really. Let's look at the examples you just chose. The best is to mix a slight complexity with a passphrase.

Realistically you would target using the 10,000 common words (which both examples fall into). Your first example would be 20k^4 (with capitals), which is roughly 2^57.

Compared to abc!@#ABC#@!... [with special characters that's about 72 options per character]. That's 72^12... roughly 2^74. So greater complexity with 8 characters less than yours.

Your second example is a lot better though, at roughly 2^106, but would still fall victim to linguistic types of attacks... also your second example can be bested by a 17 character long complex password (vs your 29 character long passphrase).

So yeah, a randomly generated complex password would be best... if a password manager isn't available, I would stick some special characters into a passphrase.

e.g. Passwords would always start with !@#$ and end in !@#$, with a period after the first character: !@#$h.ellot.hisi.sm.yp.assphrase!@#$

Easy to remember, but hard to crack. It also means I can write things like LTT = hellothisismypassphrase more openly and be confident a passer-by wouldn't figure out my system. [This is not how I actually do it, but I do similar things]

I totally agree with you, I was just giving examples of passwords that you might actually remember without writing them down anywhere.

For the second example, if I used that, I would probably actually use, for example, "-=thisismylongpasswordasaphrase=-": still easy to remember but with some added complexity.

So I should probably rewrite my original statement to:

long password that you can remember > complex password you have to write down somewhere (or can't remember)

EDIT: And of course I have to add another factor that is true in my case. English is not my first language, and when I do phrases they are actually not English words, which makes linguistic approaches harder in a "blind" attack since most attacks assume English words. If it is a targeted attack against me the attacker might know more about me and my language preferences, and in that case your analysis holds true.

I write my passwords on a piece of paper in a folder labelled "PASSWORDS" in a drawer near my computer, and that has been very handy many times over many years (almost 20 years). If I really needed security I'd follow better practices, but for my uses passwords are just annoying security theatre, probably mostly to give the appearance that I'm involved in some online security fiction.

I find those requirements very patronizing. For most sites, I don't care if the account gets hacked. 

What does it matter whether the password is more secure if I don't care about the security of the account in the first place?

 

And password managers are mostly stuck on just one PC, which is why I don't use dedicated password managers.

I let my browser remember it for all the sites I don't care whether I'm hacked or not, and remember it myself for the few important ones.

But I use a different throwaway mail for each account I make, which is why my real mail address never gets spam.

1 hour ago, Bramimond said:

I find those requirements very patronizing. For most sites, I don't care if the account gets hacked. 

What does it matter whether the password is more secure if I don't care about the security of the account in the first place?

 

And password managers are mostly stuck on just one PC, which is why I don't use dedicated password managers.

I let my browser remember it for all the sites I don't care whether I'm hacked or not, and remember it myself for the few important ones.

But I use a different throwaway mail for each account I make, which is why my real mail address never gets spam.

I am always curious how people do this. Do you have your own domain and make them, or do you just make a new Gmail (doesn't have to be Gmail, just an example) account each time? I kind of want to do this lol

23 minutes ago, coneve1414 said:

I am always curious how people do this. Do you have your own domain and make them, or do you just make a new Gmail (doesn't have to be Gmail, just an example) account each time? I kind of want to do this lol

I also have a domain and can do it that way, but that is usually too much work. I only do that for services that require personal information.

 

For everything else on the Internet, there are:

https://generator.email/

https://trashmail.ws/
