-1

I post a question before about one password repeating to make it longer, now its a new way want to ask about, if take the word 'secure' and instead of repeating it put somenumbers between it, exp: s1e2c3u4r5e, or longer exp. PureSecurePassword would be

P1u2r3e4S5e6c7u8r9e0P1a2s3s4w5o6r7d8 is it better than repeating one word , can any one confirm this :) by the way i'll not put 123 numbers, it may my mobile numbers, or another word PcUoRoEl (PUREcool)

rezx
  • 1,069
  • 3
  • 12
  • 21
  • 2
    All of your examples are not secure, because in your examples, they are well known. Using 3 instead of E for example is something, a criminal who wanted access to your account, would try. So basically all your examples are vulernable to a dictionary account despite their length. – Ramhound Apr 12 '12 at 16:49

4 Answers4

7

When we talk about password strength we are talking about a password's resistance to "brute force" and "dictionary" attacks.

A brute force attack is simple. The attacker tries every possible password one after another until she finds the right one. There are two defenses against this attack.

  • First, you make it hard (or impossible) for the attacker to test if a password is correct or not. This is the best approach but is not always possible.

  • Second, you make it so that the brute force attack takes a very, very long time, usually by ensuring that there are a very, very large number of possible passwords to try. It's in this second defense that password strength plays a part; you can choose a password where there are so many possible passwords to check that a brute force attack would take a hundred years to work. This is called a "high entropy" password. You do this by choosing a password that is long, and is complex. Complex means it has lots of different characters - upper and lower case, numbers, and punctuation.

A dictionary attack is also simple. In the real world people have to remember passwords, so they almost never choose a truly random password. Instead they pick something that has meaning - a word, or their kid's birthday, or their dog's name, something like that. So before starting the brute force, the attacker takes a few seconds to try all the words, and all the dogs names, and all the birthdays, and all the phone numbers. (And with modern computers it really does only take a few seconds to try every word.)

People try to avoid dictionary attacks but keep the passwords memorable by making simple changes. This is sometimes called "munging". For example, someone might try "leet speak" and change "e" to "3". Of course, if this gets popular, the attacker will just take their dictionary, turns it into leet, and try all of those.

So now we can try to answer your question, which is basically "which of these munging approaches makes the stronger password?"

Against a pure brute force attack, only two things matter. Length, and complexity. Put upper and lower case and numbers and punctutation in your password, and then make it as long as you can manage.

Against a dictionary attack, you are vulnerable if the attacker thinks to use a dictionary with your password in it. So, if they guess your trick, they'll break your password. If they don't, they have to fall back to brute force.

So it all comes down to this: will an attacker guess your trick and try it? And that gets us to the standard answer to every security question: it depends on the attacker.

If the attacker specifically wants your account and has the resources then yes, they could very well think to try either of the tricks you mention. They're not as obvious as Leet, or adding two digits to the end of a word, but they're not hugely complicated either, and of course they've been suggested on the security stack exchange now!

On the other hand, if an attacker just wants to compromise any account on a server, then they're probably going to find someone with a worse password than yours first. (In the 2006 MySpace password loss, 4% of passwords were straight dictionary words, and would have been broken in half a second.) In that case, I'd choose interleaving a number over repeating another word, because it pushes the entropy up a little more, but there's not much in it.

For myself, I like passphrases, where you pick four or five completely random words and string them together, with a number thrown in to push the entropy up. Dictionary attacks on those take almost as long as brute force attacks do, but they're still easy to remember.

(All together now, and no peeking: CorrectHorseBatteryStaple!)

Graham Hill
  • 15,474
  • 37
  • 63
2

Yes, doing this is better than repeating the same word several times, because if somebody knew you are doing this, they would only need to know the length of the repeated word and then try to brute-force this single word.

At least in this new way you are suggesting there is no visible pattern and you avoid dictionary attacks.

One more thing: always remember that in a pratical scenario, passwords are usually hashed, and hashing tends to cancel patterns and return strings that are as random as possible.

user1301428
  • 1,947
  • 1
  • 23
  • 29
2

Any passwords based on patterns are susceptible to rules-based dictionary attacks, especially if someone is aware that you are using a pattern. As CPU power increases, it becomes more practical to try a huge number of rules, and I have seen some people come up with very clever and effective rules.

In analyzing millions of passwords over the years I have found that one important rule to remember is that you are never as clever as you think you are. If you think you have come up with a clever pattern, chances are it isn't that clever.

As Graham said, it's all about randomness and length. In general I tell people that if their password is at least 10-12 characters long and a google search for that password turns up nothing, chances are the password is fairly secure. By following those two rules, people become experts at picking great passwords in no time.

Mark Burnett
  • 2,810
  • 13
  • 16
0

I think instead of a password, you should think of it as passphrase.

String 3 or 4 words together and you'll have a passphrase.

IHatePasswords, IdontLikePasswords, ThisSiteSucksAtPassword, IHateRememberingAPassword.

How do you apply this to multiple sites? Apply a prefix or a suffix involving the site. Then, apply a prefix or suffix involving something only you'll know.

Hope this helps.

chuacw
  • 175
  • 10