Passwords, why not 2 or 3 little ones instead of 1 big one

Page 4 - AnandTech Forums

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
Which proves my point. The easy to crack password is one that meets modern password guidelines and 95% of all password strength tests done by websites will say is secure. The others which follow the discussed upon solution are near impossible to crack.

Ultimately that means "fl9!!B*i&Gnu" and "Ippon means 1 point!" are technically as secure as each other (both take centuries) and one of them I can remember. Now the question is will my attacker know me well enough to weaken my password.

You're correct, the version with spaces is pretty strong, as the spaces significantly increase entropy. Without spaces, it's a pretty basic dictionary attack.

Keep in mind you can use delimiters other than spaces as well; periods, commas, etc. will all add entropy.
 

ultimatebob

Lifer
Jul 1, 2001
25,135
2,445
126
I love how people obsess over the perfect password with the ideal combination of letters/numbers/special characters and then use it at some poorly managed site that probably saves it in plain text somewhere in their database.

All the hacker needs is a few good database queries, and they have some great new passwords to add to their dictionary.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
uh... those passwords are vulnerable to a dictionary attack...

A dictionary attack isn't going to do very well when the password is 20 characters combined with words and spaces and perhaps special characters like punctuation.

Just because they are words, that's not how a "dictionary attack" works these days. The number of characters trumps complexity once you get passwords of sufficient length.

I've oversimplified it greatly, but hopefully you get the gist.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,606
166
111
www.slatebrookfarm.com
As of now, she said she’s sold "around 30" in total, including in-person sales.
Which means, Mom and Dad have purchased a password or two from her, as well as her grandparents, maybe an aunt or uncle - relatives trying to encourage her. However, now hipsters are going to purchase passwords to be cool and help her out as well.

Assuming letters and numbers only (to make it an easier calculation)

62^5+62^5 vs 62^10 or 1.8x10^9 vs 8.4x10^17.

So the single password is about 8 orders of magnitude stronger vs brute force.
Actually, it would be
62^5 times 62^5, not plus, unless the software says, "you got the first one right, but the second one wrong." Because if both have to be right to get in, if you get one right and the other wrong, you have no way of knowing that.

The difficulty would be the same (excluding such things as salting and hashing).
For example, suppose there are two single digit passwords that have to be a number. Each has 10 possibilities, from 0 to 9. Or, you could have a single 2 digit password, from 00 to 99. Pretty easy to see that there are the same number of possible combinations.
 

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
Which means, Mom and Dad have purchased a password or two from her, as well as her grandparents, maybe an aunt or uncle - relatives trying to encourage her. However, now hipsters are going to purchase passwords to be cool and help her out as well.


Actually, it would be
62^5 times 62^5, not plus, unless the software says, "you got the first one right, but the second one wrong." Because if both have to be right to get in, if you get one right and the other wrong, you have no way of knowing that.

The difficulty would be the same (excluding such things as salting and hashing).
For example, suppose there are two single digit passwords that have to be a number. Each has 10 possibilities, from 0 to 9. Or, you could have a single 2 digit password, from 00 to 99. Pretty easy to see that there are the same number of possible combinations.

That depends entirely on how the passwords are entered on the front end, validated on the back end and what type of attack it is.

Against a dictionary based hash database attack, pinkfrog is vastly harder to crack than pink and frog separately. Consider a dictionary of 10,000 passwords. 10,000 checks to get pink, 10,000 to get frog for 20,000 total checks. To find pinkfrog on the other hand requires 10,000 x 10,000 or 100,000,000 total checks.

Even better, put a space between them. You now have 10,000 x 10,000 x 96* = 9,600,000,000 possible combinations.

* Typical number of typable characters on a US keyboard
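A worked version of the counting in this post and in DrPizza's post above, as an added example (not code from anyone in the thread); the 62-symbol alphabet, the 96 typable characters and the 10,000-entry dictionary are the thread's own assumptions:

```python
import math

ALPHANUM = 62        # a-z, A-Z, 0-9: the thread's "letters and numbers only" case
TYPABLE = 96         # thread's footnote: typable characters on a US keyboard
DICT_SIZE = 10_000   # the thread's hypothetical attacker dictionary


def separate_check_cost(alphabet, lengths):
    """Worst case when each part is validated on its own (attacker is told
    which part was wrong): the costs of the parts add up."""
    return sum(alphabet ** n for n in lengths)


def joint_check_cost(alphabet, lengths):
    """Worst case when every part must be right at once (no per-part
    feedback): the costs multiply, same as one password of the total length."""
    return math.prod(alphabet ** n for n in lengths)


def single_password_cost(alphabet, length):
    """Worst case for one password of `length` symbols."""
    return alphabet ** length


def dictionary_cost(dict_size, words, delimiter_choices=1):
    """Worst case for an attacker concatenating `words` dictionary entries,
    with `delimiter_choices` possible separators between each pair."""
    return dict_size ** words * delimiter_choices ** (words - 1)


def magnitude_gap(big, small):
    """Whole orders of magnitude by which `big` exceeds `small`."""
    return int(math.log10(big / small))


def thread_scenarios():
    """The numbers argued over in the thread, computed rather than typed."""
    two_separate = separate_check_cost(ALPHANUM, [5, 5])   # 62^5 + 62^5
    two_joint = joint_check_cost(ALPHANUM, [5, 5])         # 62^5 * 62^5
    one_long = single_password_cost(ALPHANUM, 10)          # 62^10
    return {
        "two_5char_separate": two_separate,
        "two_5char_joint": two_joint,
        "one_10char": one_long,
        "gap_orders": magnitude_gap(one_long, two_separate),
        "pink_and_frog_separately": 2 * dictionary_cost(DICT_SIZE, 1),
        "pinkfrog": dictionary_cost(DICT_SIZE, 2),
        "pink_space_frog": dictionary_cost(DICT_SIZE, 2, TYPABLE),
    }


if __name__ == "__main__":
    for name, cost in thread_scenarios().items():
        print(f"{name:28s} {cost:,}")
```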

darkewaffle

Diamond Member
Oct 7, 2005
8,152
1
81
Actually, it would be
62^5 times 62^5, not plus, unless the software says, "you got the first one right, but the second one wrong." Because if both have to be right to get in, if you get one right and the other wrong, you have no way of knowing that.

The difficulty would be the same (excluding such things as salting and hashing).
For example, suppose there are two single digit passwords that have to be a number. Each has 10 possibilities, from 0 to 9. Or, you could have a single 2 digit password, from 00 to 99. Pretty easy to see that there are the same number of possible combinations.

Well, if you could somehow brute-force in a 'live' environment, that would be true because you would be forced to guess the full, correct combination all at once. But you'd get locked out instantly anyway.

However, I think the OP's scenario/intent is that there would actually be three individual passwords - which would probably each be stored individually and thus be much more susceptible to being cracked on their own. That said, if you used a multi-password interface to simply make it easier for the user to understand/approach and then combined them in some way behind the scenes, that could be viable. Though I bet there'd be some negative feedback because the user wouldn't know their 'true' password.

But allowing the user to input something like 'pineapple behemoth evergreen' and then programmatically manipulating it into something like

pbeievnheeeramgporptelheen
(pbe + iev + nhe etc.)

would actually probably work. It allows the user to make something easy to remember and type but still makes the password itself difficult to guess. Basically it's a second salt (it's pepper!), and you could/should even apply any number of different pre-hash 'ciphers' so that the plaintext phrases aren't all 'scrambled' in the same way.

Crackers could of course account for the ciphers but I would hope that those that a programmer could apply would be much more varied and complex than those that end users try to apply themselves (e = 3, s = $, etc) and it would really just be another layer on top of (hopefully) existing salting and encryption to make the process more arduous. At some point it's not so much about making passwords impossible to crack but rather making it take so much work that the cracker simply gives up or moves on.
 
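The letter-interleaving scheme sketched in the post above, as an added example that is not the poster's code; it reproduces the thread's scrambled string, shows the shuffle is reversible once the word lengths are known, and counts candidates to show the transform does not enlarge the guess space. The sample phrases are constructed.

```python
def interleave_words(phrase):
    """Take one letter from each word in turn (skipping words that have run
    out), producing the thread's 'pbeievnheeeramgporptelheen' style output."""
    words = phrase.split()
    longest = max(len(w) for w in words)
    return "".join(w[i] for i in range(longest) for w in words if i < len(w))


def uninterleave(scrambled, lengths):
    """Inverse transform given the word lengths: the scheme is a fixed,
    reversible shuffle, so by itself it adds no entropy to the phrase."""
    words = [[] for _ in lengths]
    letters = iter(scrambled)
    for i in range(max(lengths)):
        for k, n in enumerate(lengths):
            if i < n:
                words[k].append(next(letters))
    return " ".join("".join(w) for w in words)


def distinct_scrambled(phrases):
    """Number of distinct scrambled forms over a candidate list. It can only be
    equal to or smaller than the number of phrases (collisions merge guesses),
    so scrambling never increases the work of someone who knows the scheme."""
    return len({interleave_words(p) for p in phrases})


# Constructed sample phrases (not from the thread), same three-word shape.
SAMPLE_PHRASES = [
    "pineapple behemoth evergreen",
    "pineapple evergreen behemoth",
    "copper kettle drum",
    "drum kettle copper",
]

if __name__ == "__main__":
    scrambled = interleave_words(SAMPLE_PHRASES[0])
    print(scrambled)
    print(uninterleave(scrambled, [9, 8, 9]))
    print(distinct_scrambled(SAMPLE_PHRASES), "of", len(SAMPLE_PHRASES))
```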

John Connor

Lifer
Nov 30, 2012
22,840
617
121
Sure, that's fine.

Don't literally use your own password, only an idiot would do that. Instead, use one that is similar to the style of your password: is it a 20 character unintelligible sentence, or is it a 10 character keyboard mash? The results will give you an idea as to the safety of your actual password(s).


I actually don't need a website to tell me my passwords are pretty secure. I mean, just for this site the password uses upper and lower case letters, numbers and symbols.