![[Image: job-fails-monday-thru-friday-the-schwart...sident.png]](https://images.weserv.nl/?url=failblog.files.wordpress.com%2F2012%2F02%2Fjob-fails-monday-thru-friday-the-schwartz-was-not-with-the-syrian-president.png)
Best regards,
Leo van Miert
Horsepower is how hard you hit the wall --Torque is how far you take the wall with you
Amazing, I have the same combination on my luggage.
That is some damn funny shit.
Even if the open windows of science at first make us shiver after the cozy indoor warmth of traditional humanizing myths, in the end the fresh air brings vigor, and the great spaces have a splendor of their own - Bertrand Russell
Your turn to make me spit out my coffee and LOL, Leo.
RE: Amazing, I have the same combination on my luggage.
February 15, 2012 at 5:43 pm
(This post was last modified: February 15, 2012 at 5:47 pm by Doubting Thomas.)
LOL. If 12345 is the second worst password, what's the worst? "Password?" That's why my password is "password1." The combination of the "1" with "password" will totally confuse them.
Oh crap... I just told everyone what my password is. Oh well, no problem. I'll just use "password2." Here's an interesting site listing the 500 worst passwords of all time. It has 123456 as #1. http://www.whatsmypass.com/the-top-500-w...f-all-time
Christian apologetics is the art of rolling a dog turd in sugar and selling it as a donut.
The best password you can have is one that has never been used by anyone before. The longer the better, and don't listen to anyone who tells you you need a mixture of upper / lowercase characters, numbers, and symbols. The passphrase "My purple donkey went to Rome" is far more secure than stuff like "Hw12ebA!", and as a bonus, it's far more memorable too!
I'm going to be sharing this article with my boss, who happens to be Syrian. Hopefully he sees the humor in it.
(February 15, 2012 at 5:58 pm) Tiberius Wrote:
> The best password you can have is one that has never been used by anyone before. The longer the better, and don't listen to anyone who tells you you need a mixture of upper / lowercase characters, numbers, and symbols. The passphrase "My purple donkey went to Rome" is far more secure than stuff like "Hw12ebA!", and as a bonus, it's far more memorable too!

Tell that to my IT department. They insist that the 41 character passphrase that I was trying to use as a password was insecure.
IT departments know nothing about actual computer security.
Unfortunately, if everyone followed your recommendation Tiberius, then most brute forcers would try dictionary combinations of words with spacers, like they do now.

You want to do the bare minimum and toss a number in somewhere. I like to denote spaces or other common characters with a number representing the index of that. So "My purple donkey went to Rome" becomes "My2purple9donkey16went21to24Rome", which is arguably more secure and unpredictable unless you know:
- A space is index in string from first character == 0
- the spaces in the hypothetical password

An improvement would be for the USER to determine what 'salt' or weird 'twist' on the password FROM a pass phrase. Sometimes I instead use this:

salts = {all the special characters on a standard US 105 keyboard above the numbers} = !@#$%^&*()
samplePassword = {I am a meat popsicle}
item to replace = ' ' (space)
result = I!am@a#meat$popsicle

The magic is:
- not be predictable with everyone else (i.e. be unique)
- use passphrases in conjunction with a salt

And you get most of your power right there in environments that use passwords.

Slave to the Patriarchy no more
The point is that an attacker doesn't know what your password looks like, or what kind of passphrase you are using.
Your suggestions are all perfectly valid, but they ignore the most common reason people choose short passwords: memorability. People do not want to have to spend 60 seconds typing their password in because they need to remember (or work out) which numbers go where. A far more memorable way of doing it (and the way I currently do it) is to include punctuation in your pass-phrases, and replace letters with numbers/symbols if they make sense (i.e. e => 3, a => @, etc).

In any case, I'd hold that the sheer number of combinations of all possible words is far greater than the number of combinations of letters and numbers. Think about it; there are 52 letters (upper / lowercase), 10 digits, and probably around 20 or so common punctuation symbols. That gives us 82 characters in total to play with, but let's be generous and hike the number up to 100. Brute-forcing an 8 character password would take at most 100^8 = 10,000,000,000,000,000 attempts.

How many possible words are there? The OED estimates almost a quarter of a million, but let's assume our attacker takes out a large number of them, and we are left with a dictionary of 100,000. How many words do we need in a passphrase to generate the same level of attempts? Roughly, 3:

100^8 = 100,000^x
x = 16/5
x = 3.2

Source: http://www.wolframalpha.com/input/?i=100...100000%5Ex

Reduce the dictionary further to only 10,000 words and you only need one extra word in your passphrase in order to meet the same exhaustive search requirements. This is all done without the use of punctuation or altering the words in any way.
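The search-space comparison in the post above (100^8 character passwords against 100,000^x dictionary passphrases), carried through in bits so the two schemes can be compared for any alphabet or dictionary size; this is an added example, not code from the thread, and the 100-symbol alphabet and 100,000 / 10,000-word dictionaries are the post's own figures.

```python
import math

# Added example (not from the thread): compare brute-force work for a
# character password against a dictionary passphrase, using bits of entropy.
# Both models assume every symbol or word is chosen uniformly at random.


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to exhaust `length` symbols from an alphabet of
    `alphabet_size` (the post's 100^8 becomes 8 * log2(100))."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Bits of work to exhaust `word_count` words from a `dictionary_size` list."""
    return word_count * math.log2(dictionary_size)


def words_to_match(dictionary_size: int, target_bits: float) -> float:
    """Solve dictionary_size^x = 2^target_bits for x.
    With 100,000 words and an 8-character, 100-symbol password this is 16/5 = 3.2."""
    return target_bits / math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest whole number of words that reaches at least `target_bits`
    (rounded first so 3.9999999 from floating point still counts as 4)."""
    return math.ceil(round(words_to_match(dictionary_size, target_bits), 9))


if __name__ == "__main__":
    target = search_space_bits(100, 8)
    print(f"8 chars from 100 symbols : {target:.1f} bits")
    for dictionary in (100_000, 10_000):
        x = words_to_match(dictionary, target)
        n = words_needed(dictionary, target)
        print(f"{dictionary:>7}-word dictionary   : x = {x:.1f}, so {n} whole words")
    # The post's six-word phrase, if each word were a random pick from 100,000:
    print(f"6 random words of 100,000 : {passphrase_bits(100_000, 6):.1f} bits")
```

The numbers hold only for uniformly random choices; a phrase a person would actually pick (a lyric, "I like football") has far fewer effective bits, which is the objection raised later in the thread.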
The problem isn't making it impossible to randomly guess.
The problem is people -- they chose commonly guessed phrases and passwords. If they bothered to salt it with '@'s and the like, we'd see less hacking because of that 'takes forever to brute force a character' routine. But they don't. So once again, you run afoul of the user issue. We need to convince more people to salt their passwords.

Also, your suggestions don't factor in a targeted attack -- in this case, even if they divine the common phrase, they'll be unable to recover it completely if you salt it. All I'm advocating is one step more -- salting the damn thing.

And if people insist on short passwords, "I like football" is probably going to crop up more often than "The emperor of the old republic smells like crayon farts". However, if they at least salt the short password (that currently has TOO few words), they've strengthened it significantly at little cost.

I do agree with replacing characters with similar looking ones as a salt, but think that even that is too damn obvious unless you like to add in funky punctuation sporadically.

Slave to the Patriarchy no more