
I recently saw a post asking why something that appeared to be a random string of characters was a bad password. One of the answers was that it already exists on a website so you can Google it by just searching the password.

More recently, I found out about Have I Been Pwned which has a database of user information that has been breached in the past. On its page about passwords, I noticed the same thing that the person said on StackExchange:

This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.

Why does the password existing online make it unsafe? If I uploaded an infinitely large text file containing every password possible, would that make all passwords unsafe?

JolonB

2 Answers


A major difference between your hypothetical situation and the current situation is that instead of attackers having to brute force every possible configuration (your list), they can brute force with a list of every known configuration. Mathematically, if we assume all passwords are a variety of 8 characters with (Uppercase[26] + lowercase[26] + numbers[10] + special characters[26]) possibilities, that gives us a mathematical sum equal to... 2.9642774844752946028434172162224e+79, or a lot. A lot more than 750,000,000.

And that's just 8 character passwords. It gets much worse with 9 and so on.

For an attacker, a library of all the known passwords makes it much easier to crack the general population's passwords without the computational expense of generating and testing all those possible combinations. Even better, it cracks longer passwords too, which is a nice bonus.

So for you to defend yourself best, you are best off hiding in everything that the 750,000,000 doesn't cover because you're that much harder to find. This is why NIST, Troy Hunt, and others recommend keeping your password unique to you as long as you possibly can.

schroeder
Connor Peoples
  • Does that mean those passwords are only at risk because attackers like to target the list of breached passwords? Maybe I misunderstood your answer, but do attackers use those passwords because if one person used it, it's possible that another person would've as well (and even more likely the same person would've used it on another site)? – JolonB Jan 21 '19 at 00:33
  • You have the right idea. You are starting to get into different attacks such as credential stuffing, where you take a user's email and password and try to authenticate on as many platforms as you can. One malicious site I came across would take your email, strip the user name, and try both the username and the full email to authenticate along with the email. Yikes. Your other point is also valid. Most attacks are pretty automated, so they can take a dictionary of known passwords and let the attack run through all known passwords without having to think twice. – Connor Peoples Jan 21 '19 at 00:42

The problem is not that the string of characters exists on the Internet, but rather that the passwords are known to be used.

As the many answers explain, even something as random as Gbt3fC79ZmMEFUFJ is a problem because it turns out that it is a default password in some cases.

Random strings are not the problem. But the random strings that have context and relevance are a problem.

schroeder
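The two answers above make two points: a breached-password list is vastly smaller than the keyspace an attacker would otherwise have to search, and a string like Gbt3fC79ZmMEFUFJ is dangerous only because it has context (it is known to be in use). The following is an added example, not code from either answer or from Have I Been Pwned. It computes the keyspace from the first answer's assumption (88 characters, length 8) against the 750,000,000 figure, and implements the kind of local check a defender can run against a breached-password corpus: the password is hashed with SHA-1, indexed by its first five hex characters the way the Pwned Passwords range API partitions its data, and compared by suffix. The corpus here is a constructed stand-in of a few entries (including Gbt3fC79ZmMEFUFJ, from the second answer); function names and the rest of the list are assumptions for this example.

```python
import hashlib

# Character classes from the first answer: 26 upper + 26 lower + 10 digits + 26 special
CHARSET_SIZE = 26 + 26 + 10 + 26  # 88 possibilities per position
KNOWN_PASSWORDS = 750_000_000     # size of the breached-password list quoted in the answer


def keyspace(length, charset=CHARSET_SIZE):
    """Number of distinct passwords of exactly `length` characters drawn from `charset` symbols."""
    return charset ** length


def speedup_vs_bruteforce(length, known=KNOWN_PASSWORDS):
    """How many times fewer guesses a breached list needs than exhaustive search of `length`-char passwords."""
    return keyspace(length) / known


# Constructed stand-in for a breached-password corpus. Gbt3fC79ZmMEFUFJ is the default
# password the second answer mentions; the other entries are made up for this example.
_CONSTRUCTED_BREACHED = ["password", "123456", "Gbt3fC79ZmMEFUFJ", "letmein", "qwerty"]


def build_hash_index(passwords):
    """Index passwords by the first 5 hex chars of their SHA-1, as the Pwned Passwords range API partitions its data."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACHED_INDEX = build_hash_index(_CONSTRUCTED_BREACHED)


def is_known_password(password, index=BREACHED_INDEX):
    """k-anonymity style lookup: only the 5-char prefix selects a bucket; the suffix is compared locally.

    With a remote service, the client would send just the prefix and receive the
    whole bucket of suffixes, so the service never learns the full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


if __name__ == "__main__":
    for n in (8, 9, 12):
        print(f"{n}-char keyspace = {keyspace(n):.3e}, "
              f"{speedup_vs_bruteforce(n):.1e}x larger than the breached list")
    for pw in ("Gbt3fC79ZmMEFUFJ", "correct horse battery staple"):
        print(pw, "-> known, do not use" if is_known_password(pw) else "-> not in list")
```

The check answers the question as asked: a password is flagged only when it appears in the corpus of passwords known to have been used, not because the string happens to exist somewhere. Because the index is keyed on a short hash prefix, the same structure works whether the corpus lives on disk or behind a range-query API.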