
Many people, including my friends, use passwords that sound exactly like a spoken reply to a question about what the password is. For example, if person X asks person Y what the password to the computer is, person Y responds "i don't have one". That is meant to be taken literally: the quote is the password.

So should these types of passwords be used and what are their limitations? I suspect not for the same reasons why we don't use 1234 or abcd as passwords.

Anthony Pham

2 Answers


The problem with this approach is that people are very predictable. These sorts of password schemes turn out to not be very original. For example, "don'tremember" and "don'tknow" are both among the 1,000,000 most common passwords. While "I don't know" didn't pop up in my quick search, it seems way too predictable.

A further problem with this sort of password scheme is that it encourages reuse of passwords across websites. There are many good answers on this site (eg: this one) that explain the problem of reusing passwords.

Neil Smithline
  • The spaces are what throw it off; most dictionary attacks don't even try words. The problem is that we continue to use the term "password", which doesn't have spaces, and a great many sites don't allow special characters or spaces. That said, I didn't mention the problem of reuse, which is also true. – xenoterracide Oct 04 '15 at 17:49
  • Then for sites that don't allow spaces, they must be using those passwords without spaces thereby making them easy to crack. – Neil Smithline Oct 04 '15 at 22:45

This seems too "clever" to be a good idea. It's like you think you're clever in giving your password to people in a way that they won't recognize. However, this won't stand up to social engineering; if someone is smart enough, they'll figure it out. If they're malign, meaning not out for the best interest of the password holder (police and the NSA count), then you've got a problem.

That said, if these responses are as complex as (meaning passphrases) "i don't have one", they are probably not very vulnerable to automated attacks such as dictionary attacks.

Per the comments, "i don't have one" will take about 6 days to crack. "I don't have one" will take a month. Yoda speak, "have one, I do not", is measured in centuries currently. You can see that by capitalizing letters you significantly increase entropy. My point on passphrases stands, but you should mix case and add punctuation.

xenoterracide
  • Dictionary attacks frequently use lists of popular passwords. This type of password seems to be vulnerable to such an attack. – Neil Smithline Oct 04 '15 at 17:18
  • @NeilSmithline can you confirm "I don't have one" is in a dictionary? I suppose I could go check cracklib. And that "specific one" might be, but that doesn't mean all such responses are. Passphrases are usually sufficiently complex not to be. – xenoterracide Oct 04 '15 at 17:24
  • @xenoterracide: according to the [zxcvbn](https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html) password strength meter, it'll take around a month to crack "I don't have one" via dictionary attack. In practice, it is probably crackable a lot faster than that, since this sentence is fairly predictable. – Lie Ryan Oct 04 '15 at 17:50
  • @LieRyan 16 characters in a month? This is of course why we need authentication throttling... urgh... why the heck do we bother... I'm kind of assuming that the OP is giving us an example, not his actual response. Though perhaps all such responses are easy, but I doubt it. – xenoterracide Oct 04 '15 at 17:56
  • It's not sixteen random characters, but four very common English words. A **ten random letters** password would actually be a lot stronger (centuries) than four-words passwords like "I don't have one". – Lie Ryan Oct 04 '15 at 18:07
  • Hmm... I think I read recently that you could brute force 10 characters in a lot less than that, at random. 12 was the new recommended. Something about "Thanks Amazon" and other cheap computing clusters. – xenoterracide Oct 04 '15 at 18:11
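The two answers above make two separate points: a site that forbids spaces turns "don't know" into the wordlist entry "dontknow" (Neil Smithline), and a four-word passphrase built from very common words carries less entropy than ten random letters even though it is longer (Lie Ryan's comment). The script below is an added example illustrating both, not code from either answer or from zxcvbn. The "common passwords" set is a constructed stand-in for a real leaked-password list, and the guess rates (10/s against a throttled login, 10^10/s against a leaked fast hash) are assumptions chosen for illustration; zxcvbn's own model uses different parameters, so its "a month" figure will not be reproduced here.

```python
import math

# Constructed stand-in for a "most common passwords" list. Real lists
# (such as the 1,000,000-entry list mentioned in the first answer) are far larger.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "dontknow", "dontremember", "idontknow",
}

# Assumed guess rates, for illustration only.
ONLINE_THROTTLED = 10.0      # guesses/s against a rate-limited login form
OFFLINE_FAST_HASH = 1e10     # guesses/s against a leaked unsalted fast hash on a GPU rig


def normalize(password: str) -> str:
    """Lower-case and strip spaces and punctuation, which is what a user must
    do when a site forbids those characters: "don't know" -> "dontknow"."""
    return "".join(ch for ch in password.lower() if ch.isalnum())


def in_common_list(password: str) -> bool:
    """Would a plain wordlist attack find this password after normalization?"""
    return normalize(password) in COMMON_PASSWORDS


def bits_as_words(n_words: int, vocabulary: int) -> float:
    """Entropy when the attacker models the passphrase as n_words independent
    picks from a vocabulary of the given size (a word-level dictionary attack)."""
    return n_words * math.log2(vocabulary)


def bits_as_chars(n_chars: int, alphabet: int) -> float:
    """Entropy of n_chars uniformly random characters from an alphabet."""
    return n_chars * math.log2(alphabet)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_models() -> dict:
    """Entropy of the thread's two password shapes under an attacker who
    knows the structure: four top-1000 English words versus ten random letters."""
    return {
        "four common words": bits_as_words(4, 1000),
        "ten random lowercase letters": bits_as_chars(10, 26),
        "ten random mixed-case letters": bits_as_chars(10, 52),
    }


if __name__ == "__main__":
    for pw in ("I don't know", "don't remember", "i don't have one"):
        print(f"{pw!r:20} normalized={normalize(pw)!r:16} in common list: {in_common_list(pw)}")
    print()
    for label, bits in compare_models().items():
        print(f"{label:30} {bits:5.1f} bits  "
              f"online: {describe(expected_crack_seconds(bits, ONLINE_THROTTLED)):>14}  "
              f"offline: {describe(expected_crack_seconds(bits, OFFLINE_FAST_HASH)):>14}")
```

Under the word-level model the passphrase "i don't have one" is worth about 40 bits and the ten random lowercase letters about 47 bits, which is the direction Lie Ryan's comment points in; the exact gap depends entirely on how large a vocabulary the attacker has to try. The same 40 bits take centuries against a throttled login and under a minute against a leaked fast hash, which is the point behind xenoterracide's remark about authentication throttling.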