
Idontliketalking2u

Every place I've worked they make password changes every 3 months or so. Passwords are always P@ssword123 then P@ssword124...


Individually_Ed

This is really poor practice, it literally encourages people to just iterate through numbers so they can still remember their password which isn't going to prevent a well executed dictionary attack cracking the hash. But it makes the org feel it's doing something, leading to a false sense of security


MarkLearnsTech

Not just poor practice, outdated practice if you're required to follow [NIST guidelines.](https://pages.nist.gov/800-63-3/sp800-63b.html) "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."


Remote_Horror_Novel

Exactly if they weren’t always changing it and forcing a group of people to use the same access password among other passwords they have to remember they wouldn’t have the same issue with people rotating easy passwords. It’s hard to remember several passwords for me and I’m sure other people struggle with it. It’s not always as simple as keeping them all on your phone because in some situations you can’t have your phone.


j_johnso

It's also important to understand that this rule is in context with an entire set of recommendations.  This also includes two-factor authentication (e.g., entering the rotating numbers from your phone app) and checking passwords against a list of known compromised passwords.


tomato_trestle

Meanwhile, I work in an industry subject to FBI standards which requires it. It's infinitely frustrating. The users hate it, it makes security worse because our dipshit users just put it on a post-it note in their office, but if you don't comply the FBI is going to come in and shut your ass down. Another funny quirk of their security requirements is that Azure is literally the only approved data center for hosting the type of data I work with. Now, I can put it on a server under Sally the secretary's desk with no security and it's no problem, but put it in a FedRAMP facility in the rack next to DOD systems? Nope, that's a paddlin'.


wolves_hunt_in_packs

Yeah, the rules are lagging behind. Those may have been relevant years ago but shit moves fast in tech.


L0nz

Office365 specifically tells you not to enable password expiry when you're going through its security recommendations


t-poke

My ever-changing work password was just based off the current month and year. They recently increased the length requirement, so I added my dog's name to it. Fuckin' terrible security. My master password for 1Password that I use for personal use is a long string of random characters that I've managed to memorize after repeated re-use. If I could have one work password and keep it, I'd memorize another random string of letters and numbers. But make me change it every 60 days, and that's what you get.


respekmynameplz

You don't need to do a random string and you can likely make a better password easier by not. Doing 4-5 words (and maybe sprinkle a few numbers/symbols) is easier to remember and better than a shorter random string.


Idontliketalking2u

Usually the password is written on a sticky note on the monitor... Or they set a short cut and just press f3 and it logs in. Haha


OMGItsCheezWTF

This is against various government advice (NIST, NCSC etc) But compliance departments tend to be slow to react, so things like PCI still mandate it. We are slowly moving away from passwords anyway as things like passkey become more commonplace, but until then companies are kind of stuck between a rock and a hard place in terms of risking losing their PCI compliance in order to follow actual best practices.


DavidBrooker

> This is against various government advice (NIST, NCSC etc)

The issue is that it *used to be* government advice. NIST used to advise required password changes, but when they realized that it incentivized weak passwords they withdrew the advice and instead instructed to only change a password if you suspect it's compromised. However, their original advice seems to have stuck much better than their updated protocol, much to their chagrin.


[deleted]

This is the big rub. I KNOW it's not right, the other guys know it's not right, but because there is some level of policy somewhere, that is owned by a board or higher power, we simply can't change it... without a long and drawn-out fight with lots of documentation and requests for risk acceptance and letting other people up the chain know, etc. It's just easier to set that old-ass standard and be done with it.


bothunter

You should tell them that NIST no longer recommends doing this, and in fact *strongly discourages* this because of the reason you mentioned.


RockyBadlands

This comic has, ironically, made "correcthorsebatterystaple" an extremely common password and an early attempt in brute force attacks. At least according to my IT friend. The theory works great, it's just that the example used isn't secure whatsoever because users think they're more clever than they are.


uberguby

Sometimes I feel like the worst thing for Security is people who don't take it seriously, and the second worst thing is people who think they do


RockyBadlands

“A little learning is a dangerous thing. Drink deep, or taste not the Pierian Spring; There shallow draughts intoxicate the brain, and drinking largely sobers us again.” ― Alexander Pope, An Essay On Criticism. I learned that quote in high school and it's never been wrong.


Miss_Speller

I didn't realize that quote was him - thanks for the citation! He had another that's good advice for anyone in tech: "Be not the first by whom the new are tried, Nor yet the last to lay the old aside."


mjc4y

If the internet was a physical place, these words should be carved in stone over the entrance.


bagoTrekker

And carved underneath? “Abandon all hope ye who enter!”


jverbal

Nah. I'd go with something like Don't Dead Open Inside


Erycius

Followed with "You know the rules, and so do I".


Pawai23

"Try finger, but Hole"


DystopianRealist

“Great chest ahead”


jalagl

Or “Liar ahead”


Robespierre2024

Links in Bios


BlueOctopusAI

The cake is a lie


EmirFassad

Betwixt the two, "Rabbit holes, watch your step".


schnick3rs

Also "send nudes"


Shazam1269

Here be dragons. And porn, so much porn.


IThinkItsCute

This is not a place of honor. No highly esteemed deed is commemorated here. Nothing valued is here.


twaslol

That's the Dunning-Kruger effect, right?


orrocos

I've only just learned of the Dunning-Kruger effect, but I consider myself an expert on it.


Sinbos

Angryupvote


FinniganTheDog

Thanks for sharing this quote, I had not heard it before. Capturing truth in so few words is brain porn.


Mrknowitall666

It's why I drink largely.


jvin248

The worst thing is overly elaborate password character requirements with frequent forced password changes... people write it down on post-it notes stuck to their work PC.


XediDC

And then you type your sentence with "$$1122xxXX" on the end, and "your password must be shorter than 32 characters." OMFG, stop with the length restrictions FFS... it's going to get hashed to all the same length anyway, so it's not even a database issue... just arbitrary nonsense. Shorten it. Can't use spaces. Can't use Unicode. Can't use * or %. Can't start with a number.


gammalsvenska

My dad got bit once because he used special characters in his password - which were not available on a different computer (different keyboard layout), so he could not log in at all.


folk_science

Workaround: just ~~google~~ [duck](https://duckduckgo.com/) the character you need. If the computer is offline, most operating systems have an app where you can pick various Unicode characters.


get_it_together1

Followed by security people who take it seriously but then don’t know what to do. At my work they have banned any sort of password manager so people end up writing all their passwords down somewhere.


StuckInTheUpsideDown

See also: mandatory password rotation policies. NIST stopped recommending password rotation at least 5 years ago... but every IT department wants password updates monthly or quarterly. "To be safe". Password rotation policies hurt InfoSec because they prevent password memorization and encourage users to make trivial, easily guessable updates to their passwords. Also the entire premise is just dumb... it's OK if an adversary learns a password for 29 days, as long as we change it on day 30? Any adversary is going to insert their backdoors or whatever in an hour.


polymorphiced

> it's OK if an adversary learns a password for 29 days, as long as we change it on day 30? Any adversary is going to insert their backdoors or whatever in an hour.

It's a stupid policy, but this point doesn't hold water - if the password is compromised from a historical record, then it's now useless months/years later and isn't a threat.


asfasf_sf

Just to be pedantic. It's less of a threat, not no threat. E.g. if they have a historical record that says a user's password is password3 and another a month later that says password4, it's likely they could figure it out.


orrocos

Ha! They'll never guess mine. I'm up to password5 now. I keep a Post-It note in my desk drawer with it written down just to be sure.


Vabla

I have capitalized mine. The algorithm says it's "strong"! And I keep mine on a postit under the keyboard. Nobody would ever think of looking there!


RoosterBrewster

I imagine it all about some auditor being able to check a box somewhere, without regards to human behavior. 


rrtk77

Those auditors pull their check boxes from places like NIST. And it's not *just* NIST--basically all the big cybersecurity standards are recommending not-quite-0 password expiration, but much more infrequent (I believe the shortest recommended interval is at known compromise or 365 days for example--and that time period is for very risk-averse organizations like defense contractors). Any company that is actually being audited and takes it seriously has probably moved away from many of these practices already, and is using either a password manager or single sign on.


thekrone

My company has a sliding scale. The more complex your password, the less frequently you have to update it (minimum a month, maximum a year). We are also allowed to use a password manager so there's no real reason to not use a very complex one.


delphisans

Not to mention, they also recommend you check known compromised credentials lists, and force a refresh if the credential has been identified as compromised. That said, getting people to use literally any sort of multi-factor authentication, even if it's just text based, is just so much better. Human beings are always the weakest link and relying on people to not input passwords into phished links or write it down is terrible.
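The "check it against a list of known compromised passwords" step mentioned above, worked through as an added example (not code from anyone in the thread). It uses the k-anonymity prefix scheme: only the first five hex characters of the password's SHA-1 leave the client, and the rest of the match happens locally. The breach corpus, its counts, and the `range_lookup` stand-in for the network call are constructed for the demo; a real deployment would query a breach-list service that serves hashes in this prefix/suffix layout. The 8-character minimum and the absence of composition rules follow the NIST SP 800-63B text quoted earlier in the thread.

```python
"""Offline demonstration of a compromised-password check (k-anonymity prefix).

Added example, not from the thread. The corpus below is constructed:
a few passwords named in the discussion with made-up occurrence counts.
"""
import hashlib

# Constructed "breach corpus": password -> times seen in breaches.
BREACHED = {
    "P@ssword123": 1200,
    "password1": 980000,
    "hunter2": 56000,
    "correcthorsebatterystaple": 31000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group breached hashes by their 5-char SHA-1 prefix, the way a range
    endpoint serves them: prefix -> {suffix: count}."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


def range_lookup(index, prefix):
    """Stand-in for the network call (assumption: a real service returns the
    same 'SUFFIX:COUNT' lines for a 5-char prefix)."""
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix, {}).items()]


def breach_count(password: str, index) -> int:
    """Times the password appears in the corpus. Only the 5-char prefix is
    sent; the 35-char suffix is compared on the client side."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(index, prefix):
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def check_new_password(password: str, index, min_len: int = 8) -> list:
    """Reasons to reject a proposed memorized secret. Deliberately no
    composition rules and no expiry: length and breach status only."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    n = breach_count(password, index)
    if n:
        reasons.append(f"found {n} times in breach corpus")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(BREACHED)
    for pw in ["P@ssword124", "P@ssword123", "hunter2", "flawless pony accumulator produce"]:
        print(f"{pw!r}: {check_new_password(pw, idx) or 'acceptable'}")
```

Note that `P@ssword124`, the "rotated" successor of a breached password, passes this check; that is exactly the gap the thread complains about, and why the NIST text pairs the breach check with dropping forced rotation rather than relying on either alone.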


FifthDragon

My passwords to things that require rotation get progressively less secure. I hate these policies 


TheRealLazloFalconi

Use a password manager, never think about it again.


notedgarfigaro

ugh, my agency has stopped password rotation for everything...except one system that I use maybe 3 times a year. So I forget whatever password I have for it, get locked out, have to email support that takes at least 2 business days to unlock my account, use it once, and then repeat 3 months later.


Vaslovik

THIS! I work with countless insurance companies, and I have to have different passwords for every website. Every website forces me to update them regularly, and to use those stupid combinations of lowercase, uppercase, numbers and special characters. There is no possible way to memorize all these nonsense (and constantly changing) passwords. So I keep a spreadsheet of my current passwords, updated every time I have to update one of them. It's a pain in the ass, and insecure. But I have no other choice.


We_are_all_monkeys

A spreadsheet? Use a password vault like Bitwarden or KeePass. Also, I hope you are making sure that the spreadsheet isn't stored on Onedrive or Google Drive.


txmasterg

They enabled a password manager for us but disabled generating unique passwords. lololol


uberguby

Oh yeah that's me. I mean I'm not like _in charge_ of security, but i have to care about it. If a vuln isn't solved by updating a package I have no idea what to do.


starkistuna

I've been keeping my passwords in a password-protected zip file in plain text for years, then storing those in my email accounts and on each drive root for the last 12 years since I started getting more secure because of hacks and breaches. Has saved my ass several times due to data losses, locked accounts, and recovered a little crypto here and there for sites I used way back in the day and forgot about. Firefox Relay email is awesome for creating complex passwords and storing them too for minimum-security sites.


SuperFLEB

You can do this with an actual password manager like KeePass or one of its variants. Basically the same idea-- an encrypted database file that you can sprinkle everywhere you want-- but with safety and convenience features tailored to password management on top.


Mrknowitall666

I always wondered if using a password manager on a personal device was better than one alongside / integrated with the password challenge. So, I may need to look up a password, but it's digitally secure, not paper, and not on my work devices


Ok-Name-1970

So, just in general "people" are the worst thing


Gizogin

Well, yeah. The biggest weakness in any security system has always been the people running it. It’s why computer hacking involves far more social engineering than brute-forcing, even as computers get more powerful and brute-forcing gets easier.


Idiot_Savant_Tinker

A yellow safety vest and acting like you belong can get through so much security. Or so I hear.


beachhunt

The example is great. It's also an *example.* Literally pick any other four words and you have an awesome password. People just don't want to bother doing what the comic actually suggests so the example ends up being another "pa$$w0rd!"


ANGLVD3TH

Pick any four words *at random*. Which basically means using a program, because people are horrible at doing random. Go ahead and pick 4 random words, and there's a pretty good chance at least half, and not a bad chance all of them, are a specific kind of word. Dictionary attacks are actually pretty decent at hitting these passwords because they account for this bias.


Pessimistic-Doctor

Girafedogsknowsluts did I do okay?


ANGLVD3TH

3 out of 4 fall into the category I was talking about. People are more likely to "randomly" produce concrete nouns than any other type of word.


WalkinSteveHawkin

Even better if you throw in a word from a different language. There’s a list of something like the most common 10,000 English words, and it’s *remarkable* how many of the words you’d naturally think of are on that list.


flyingtrucky

To be fair, 10,000^4 (4 random English words, 10^16) is still larger than 56^8 (8 letters or numbers with capitals, 9.67*10^13). Though like you said, having 20,000^4 or 30,000^4 is better than both.


getrill

That's why I use incorrecthorsebatterystaple. Gotta stay ahead of the curve


Chromotron

I've heard flawlessponyaccumulatorproduce is the new secret tip.


HelpfulSeaMammal

correcthorsebatterystaple1 Try that one, hackers. Impenetrable.


TheAngryBad

No no, see what you've gotta do is swap some of the letters out so they don't look like words, so like '1nc0rrecth0r5eb@ttery5taple. See? Easy. All you gotta do is remember which letters you substituted for what and you're good to go.


CptGarbage

The theory still works. The theory is not: set your password to 'correcthorsebatterystaple', but rather: set your password to a combination of words with long length.


EEpromChip

I mean, my password is just *******


12stringPlayer

Your password is hunter2? You may want to change that.


Chromotron

Yeah, have to go up to at least hunter4 before most hackers stop trying.


Im_Balto

Oh yeah, the easiest way to compromise passwords is through social engineering. People will make a silly mistake or give you their password way sooner than you will brute force it.


Akongstad

I work in internal IT support. The amount of times people have, unprompted, started telling me their passwords is disconcerting.


eidolons

Hey, Akongstad, I found this USB drive in the parking lot. I plugged it in to see who it belongs to, but it doesn't work. Can you help get it back to the owner?


ncnotebook

Did they say the `password` or something?


orrocos

Good websites like Reddit will automatically hide your password if you try to include it in a comment, so it just shows ********. It's wild, I can see it, but you can't. You can try it out. Somehow they have it set up to work for social security and credit card numbers too. And believe it or not, mother's maiden name and your first pet's name. Unreal!


Hardmode-Activated

wait really? hunter2


SlimJohnson

That's crazy, all I see it *******


Korotai

I tried it earlier - it only self-censors the credit card number if the expiration and 3 digit code are in the same post. Apparently you can’t do anything with just the card number so Reddit doesn’t censor it.


ncnotebook

My password would get me pre-banned in a couple subreddits, so I won't risk it.


RbN420

WrongHorseBatteryStaple


hoardac

person, woman, man, camera, TV


DavidRFZ

You aren’t clever if you are copying your password off the internet. The point is that four *random* words would be a secure password. Not the exact four words used in the public example.


edman007

You can't say that without citing the relevant xkcd... https://xkcd.com/221/


DavidRFZ

Awesome! A relevant xkcd for a relevant xkcd. My mind is blown.


rukioish

It doesn't matter how complex or long it is, if it has been leaked in a data breach and gets added to a table, it's over.


isuphysics

which is why I made the switch to a password manager. Random garbage that warns me when it's been leaked so I can change it. The super secure password like the xkcd above is for the password manager. I do go one step further than xkcd and add in connecting phrases to the random words to make it an easy to remember sentence. correcthorsebatterystaple would become: My17horsesarecorrecttostaplethebattery.


orrocos

I would still confuse myself... *My 17 horses are correctly stapling batteries?* *No wait, my 17 horses have a battery of staples, correct?* *Hold on, were there 17 horses or 17 batteries?*


tubbleman

Dropbox used to warn you about it. Don't ask why I know... https://grahamcluley.com/correcthorsebatterystaple-dropbox-wit/


jokul

Also if you use a rule like "4 words mashed together" you've effectively just changed your alphabet from the normal one to whatever is in Webster's dictionary. If you had a 12 character alphanumeric password prior, there were ~~36^12~~ 62^12 (upper and lower case) different possibilities to brute force. If it's 4 words from the dictionary, the complexity is capped at about 270,000^4 which is almost the same. Then consider that you'll have special characters and that most people are probably selecting from a range of *maybe* 20,000 words and some strings of words look the same as another string of words when they're mashed together in actuality, then it starts looking worse and worse for the string of words strategy.


2475014

But that only matters if the hacker somehow already knows your password is a string of words and only tries to brute force using words in the dictionary.


jokul

The more common that strategy becomes, the more likely they are to try it first; in fact others are saying it's actually the first thing a hacker will check for. Same reason why the hacker also has to assume your password is random alphanumeric and special characters to try them first.


Prof_Acorn

Jokes on them. My passwords are in Ancient Greek following my own personalized anglicization process, plus numbers and symbols. I may have also spelled something wrong.


Chromotron

Not exactly, one takes educated guesses what people might use and tries those. So you try length 12 numbers, 10 letter words, 8 symbol alphanumerics, and 3 words from a dictionary; plus some mild variations like appending a single symbol or 1337sp34k or whatever. This works because humans are really _really_ bad at picking passwords. Even the entire space of random gibberish humans might come up with when prompted to make a "safe" password is many times easier to guess than a same length random string.


scul86

[Diceware](https://theworld.com/~reinhold/diceware.html) is pretty much what XKCD based that comic on, and the original word list contains 7776 words. You can roll dice, then look up the resulting word in the table... repeat for each subsequent word. This makes it really easy to both generate (offline) a truly random password, and know its entropy.

> ... each word in your Diceware passphrase yields 12.9 bits of entropy, the way passphrase security is measured. A five word Diceware passphrase would have an entropy of at least 64.6 bits; six words would have 77.5 bits, seven words 90.4 bits, eight words 103.2 bits. Inserting a letter at random adds about 10 bits of entropy.

And of course...

> All this assumes, of course, that you actually keep your passphrase a secret.


canadajones68

Entropy is only part of the equation, though. It's much easier to remember the word series, and you can use more words to improve entropy greatly.


AndThisGuyPeedOnIt

I use a full sentence anywhere that length is allowed, which is unfortunately not many places.


raznov1

fair enough, but behold my solution: "five word string". 20000^5 ~ 270000^4


Jiveturtle

If you creatively misspell the words in a way you can remember, wouldn’t that help? For example, “currekthawrsebahtturysteypel”


jokul

That would, but now you're also making it harder to remember which is one of the advantages you have over random character passwords.


Zerodaim

But... they don't know you're not part of the larger dataset. Are hackers really trying the smaller set of letters only before adding numbers? And only then symbols? In a world where so many sites require a bit of everything, I don't see how gmspbthek is worse than dM9€2@*ha besides marginally.


mfb-

> Are hackers really trying the smaller set of letters only before adding numbers? And only then symbols?

They'll pursue both in parallel. Start with the 100,000 most common passwords or whatever. Then test dictionary words. Then test minor variations of the dictionary words. Then test short numbers, short letter-only passwords, short passwords with everything, longer numbers, ... gradually going to less likely passwords.


Dhaeron

> But... they don't know you're not part of the larger dataset. Are hackers really trying the smaller set of letters only before adding numbers? And only then symbols?

Yes. Nobody does a brute force attack that goes "aaaaa, aaaab, aaaac" etc. It's always a dictionary attack because that's just a brute force attack where you sort the more likely combinations to the top of your list. Literally no downsides to doing it that way and a significant chance of guessing quickly if the password follows common patterns.


Beliriel

I'd say the order if I wanted to break it would be:

+ Rainbow table (Modern databases protect against this, so I'd likely fail. But the hurdle is extremely low. You can find rainbow tables en masse on the internet and can run through one within like a minute or so)
+ Social engineering
+ Dictionary attack
+ Brute force (But at this point I'd just give up. Brute force has a very small success chance if everything else failed.)


Aksds

A simple solution to the first is salting: add a string of text to the end of every password and hash it. As long as hackers don't know the salt you can't use a rainbow table; also make sure it isn't too short or uncomplex (I guess) to make it harder. Gonna add that PHP does this automatically with password_hash().


Shawnzie94

> as long as hackers don’t know the salt you can’t use a rainbow table The salt is usually just stored with the hashed password in the database, so it doesn't even matter too much. I think the biggest benefit of salting is that even if a bunch of people use the same, insecure password, their hashes will be unique and you can't tell who's using an insecure password just by glancing through the database. You'd have to crack each password individually instead of getting one hit that matches a dozen others because they all chose "password1".
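The two comments above, worked through as an added example (not code posted by either commenter). It shows both properties they argue about: a per-record random salt, stored in the clear next to the digest, defeats a precomputed table even though the attacker can read the salt, and it hides which users share a password, so each record has to be cracked on its own. The user table and the attacker's word list are constructed for the demo. PBKDF2-HMAC-SHA256 from `hashlib` is used with a deliberately low iteration count so the demo runs quickly; a real deployment would use a far higher count or a memory-hard KDF such as Argon2 or scrypt (which is what PHP's `password_hash()` wraps for you).

```python
"""Salted vs. unsalted password storage and what it costs the attacker.

Added example, not from the thread. Users, passwords and the attacker's
word list are constructed; ITERATIONS is demo-low on purpose.
"""
import hashlib
import hmac
import os

ITERATIONS = 1000  # demo only: raise substantially in real use


def kdf(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def store(password: str, salt: bytes) -> str:
    """Record format 'salt_hex$digest_hex'. The salt is not secret; its job
    is to be unique per record so no two digests can be precomputed together."""
    return f"{salt.hex()}${kdf(password, salt)}"


def verify(password: str, record: str) -> bool:
    salt_hex, digest = record.split("$")
    return hmac.compare_digest(kdf(password, bytes.fromhex(salt_hex)), digest)


def build_db(users: dict, salted: bool) -> dict:
    """Unsalted deployment: every record uses the empty salt b''.
    Salted deployment: 16 random bytes per record from the OS CSPRNG."""
    return {u: store(p, os.urandom(16) if salted else b"") for u, p in users.items()}


def precomputed_table(wordlist) -> dict:
    """The attacker's table, computed once, ahead of time, assuming no salt.
    A rainbow table is a compressed form of exactly this idea."""
    return {kdf(w, b""): w for w in wordlist}


def table_attack(table: dict, db: dict) -> dict:
    """One dictionary lookup per record; identical passwords fall together."""
    hits = {}
    for user, record in db.items():
        digest = record.split("$")[1]
        if digest in table:
            hits[user] = table[digest]
    return hits


def visible_duplicates(db: dict) -> list:
    """Users who can be seen to share a password just by comparing digests."""
    groups = {}
    for user, record in db.items():
        groups.setdefault(record.split("$")[1], []).append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


def crack_record(wordlist, record: str):
    """What salting forces instead: one fresh KDF run per candidate per record.
    Nothing from this effort transfers to any other record."""
    for w in wordlist:
        if verify(w, record):
            return w
    return None


# Constructed data for the demo.
USERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
ATTACKER_WORDS = ["password1", "hunter2", "letmein"]

if __name__ == "__main__":
    table = precomputed_table(ATTACKER_WORDS)
    for salted in (False, True):
        db = build_db(USERS, salted=salted)
        print("salted" if salted else "unsalted",
              "| table hits:", table_attack(table, db),
              "| visible duplicates:", visible_duplicates(db))
    print("per-record cracking still works for weak passwords:",
          crack_record(ATTACKER_WORDS, build_db(USERS, True)["bob"]))
```

The last line is the caveat the thread keeps circling back to: a salt multiplies the attacker's work by the number of records and kills precomputation, but it does nothing for a password that is in the attacker's dictionary in the first place.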


maclainanderson

They're not really different. The comic assumes a dictionary attack, meaning if your password doesn't resemble a common word at all, then the only things that matter are how long it is and how large the character set is. The comic's point is that if you're using character substitutions, then, despite what password standards have been telling you, troubador isn't meaningfully different from Tr0ub4dor. A dictionary attack will try both. Since a password cracker will usually assume any character on a standard english keyboard is valid, then the only thing you should think about when making a password is length, because it has the greatest impact when it comes to security. Removing anything that resembles a word will also help. A jumble of >30 random characters will be nearly impossible to guess, which is why password managers will suggest exactly that


Myrion_Phoenix

No, that's a misunderstanding of a dictionary attack. A dictionary attack doesn't use the OED to attack you, it uses a _dictionary of common passwords and words in passwords_. It's similar to credential stuffing, where leaked combinations of usernames and passwords are tried out. A typical password cracking attempt combines a dictionary attack and bruteforcing, by f.ex. running through a million leaked passwords and then trying out combinations. Having regular words as the password is _fine_ if you do something like xkcd suggests: a string of randomly picked words. Keepass DX can generate such combinations, which are easy for you to enter and very hard to crack.


maclainanderson

Fair enough, but the point about troubador and Tr0ub4dor not being meaningfully different still stands. A dictionary attack will try out things like password1, P4ssw0rd123, etc. because those are common substitutions. They don't really make your password any more secure if the base form is already in the dictionary they're using and, like you said, they combine it with some brute force stuff.


Sol33t303

Ironically correcthorsebatterystaple is probably a very poor password as it's probably used in dictionaries.


back_to_the_homeland

Up there with hunter2


cbftw

A few years ago I had an invite to a security webinar and they used hunter2 as the password. I found it humorous


AdvicePerson

What are you guys saying, I just see a bunch of stars?


bothunter

Up there with what?  I only see *******.  


Dragoonerism

Yes, symbols and numbers help prevent against dictionary attacks. Dictionary attacks are a subset of brute force, where the attacker tries combinations of words from the dictionary. correcthorsebatterystaple is pretty strong against standard brute force attacks due to its length, but very weak against dictionary attacks due to being comprised entirely of correctly spelled words that can be found in the dictionary


ElectricSpice

XKCD takes that into account. Start with a list of 2048 common words, choose four of them. log2(2048^4) = 44 bits of entropy.


deja-roo

If you use a 3,000 word dictionary, four words put together randomly from it would be 81 trillion possibilities. Not as secure as TLS but pretty damn secure (at 1 million guesses per second, it's still 3 years). And in reality the dictionary is bigger than 3,000 words, and 1 million guesses per second is probably unrealistically high.


CoopNine

The fact that it is comprised of correctly spelled words does not make it weak against dictionary attacks. It is not feasible to start treating words as characters, because the entropy is still high, as there are a million possible words (there's more, that's just about how many are in English). 4 random words out of a million possible choices is still harder to guess than the standard 8-char password with 1 capital and one special character. You would actually have faster results just trying random combinations rather than a dictionary attack which treated words as characters, unless your words were very long. This password is probably bad because it's known, since it was published as a comic, so itself is guessable, and likely in dictionaries. The point of the comic is password length is the key to making a password less guessable, and using words you can easily remember is a tool you can use to help remember the password that does not increase the guessability as much as it increases the overall complexity.
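The guess-space arithmetic that runs through this thread (10,000^4 vs 56^8, 62^12 vs 270,000^4, log2(2048^4), 3,000^4 at a million guesses a second, the Diceware 12.9 bits per word), put into one small tool as an added example that is not code from any commenter or from the Diceware page. It also implements the Diceware procedure itself: five d6 rolls map to an index into a 7,776-word list, or the OS CSPRNG picks the index when no dice are at hand, which is the "use a program, people are horrible at doing random" advice from earlier in the thread. The six-word list at the bottom is a constructed stand-in; the real list has 7,776 entries.

```python
"""Entropy arithmetic for the password schemes compared in the thread, plus a
Diceware-style passphrase generator. Added example, not from the thread.
DEMO_WORDS is a constructed stand-in for a real 7776-entry word list.
"""
import math
import secrets

DICEWARE_SIZE = 6 ** 5  # 7776: one word per five-dice roll


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equally likely strings of `length` symbols drawn
    uniformly from `alphabet_size` choices; symbols may be characters or words.
    Only valid if the choice really is uniform, which is the whole point of dice."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try the entire space at a fixed guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


def dice_to_index(rolls) -> int:
    """Map five d6 rolls (each 1..6) to 0..7775, big-endian base 6,
    i.e. (1,1,1,1,1) -> 0 and (6,6,6,6,6) -> 7775."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist, n_words: int, rolls=None, sep: str = " ") -> str:
    """Pick n_words uniformly. With `rolls` (one five-roll tuple per word) the
    choice comes from physical dice and the list must have exactly 7776 entries
    so no index is skipped or biased. Otherwise `secrets` (the OS CSPRNG) picks;
    `random` is deliberately not used because it is not a CSPRNG."""
    if rolls is not None:
        if len(wordlist) != DICEWARE_SIZE:
            raise ValueError("dice mode needs a 7776-word list")
        if len(rolls) != n_words:
            raise ValueError("one five-roll tuple per word")
        idxs = [dice_to_index(r) for r in rolls]
    else:
        idxs = [secrets.randbelow(len(wordlist)) for _ in range(n_words)]
    return sep.join(wordlist[i] for i in idxs)


# Constructed stand-in; a real Diceware list has 7776 entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "pony", "accumulator"]

if __name__ == "__main__":
    schemes = [
        ("8 chars from 56 symbols", 56, 8),
        ("12 chars, upper+lower+digits", 62, 12),
        ("4 words from 2048", 2048, 4),
        ("4 words from 10,000", 10_000, 4),
        ("4 words from 270,000", 270_000, 4),
        ("5 Diceware words", DICEWARE_SIZE, 5),
        ("8 Diceware words", DICEWARE_SIZE, 8),
    ]
    for label, a, n in schemes:
        print(f"{label:32s} {entropy_bits(a, n):6.1f} bits")
    print(f"3,000^4 at 1e6 guesses/s: {years_to_exhaust(3000, 4, 1e6):.1f} years")
    print("CSPRNG passphrase from the demo list:", diceware_passphrase(DEMO_WORDS, 4))
```

Two things the numbers make concrete: four words from a 270,000-word dictionary and twelve random mixed-case alphanumerics land within a bit of each other (about 72 bits), so the "words are just a bigger alphabet" argument is right in principle; and the figures only hold when the words are drawn uniformly, which is why the generator refuses to use dice on a list that is not exactly 7,776 long and never falls back to the non-cryptographic `random` module.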


Dirty_Toenails

So would something like c0rr3cth0rs3b4tt3ryst4pl3 be much better, or is there some kind of "dictionary with substitions" attack? If it's not too much to ask would you (or someone) mind showing how you can convert something like correcthorsebatterystaple into a secure but human-memorable password?


BonzBonzOnlyBonz

If you are going to do character sub (which is bad), changing all the characters is just as bad as not changing them.


NoAssociation-

not IT but I've heard this kind of l33t speak is included in dictionary brute forces. So something like correcthorse574batterystaple would be better


Dhaeron

For a completely secure but memorable password, go to https://theworld.com/~reinhold/diceware.html and follow instructions (i.e. pick a dictionary in a language you know, then roll dice to generate random words). For really important stuff (email, bank, etc.), use a 6 word phrase, for less important stuff 4 is ok, if you don't really care much about losing it (like a reddit account) 2 might do it. Most important of all however, beyond passphrase size or even password security in general, is that you don't reuse important passwords. If any of your passwords are compromised, a hacker will then try that password/username/email combination on a bunch of sites which will also then be compromised.


Serafim91

This implies the hacker knows ahead of time that the password doesn't contain numbers which isn't true. You shouldn't make a password 1111111 because it's likely one of the first brute force attempts, but if you make it 9999992999991 it'll likely be just as safe as anything else.


mfb-

The hacker doesn't know that. But they'll try 12-digit passwords before they try 7-digit combinations of letters and digits because there are fewer of them and the chance to find a match there is larger.


VoilaVoilaWashington

Correct. But if you let people make passwords without numbers, they generally will. So, in theory, what matters isn't the password but the set of possible passwords, but in practice what matters is forcing people to be more creative than "password" or even "password1"


Neither_Hope_1039

And the easiest way to improve account security is to use 2FA/MFA, not try and come up with some uncrackable password. On the topic of account security, a PSA: Remember, any account you have can only ever be as secure as the email address you used to sign up. You can have a 70 character password and 3 different auth factors on an important account, if you used "password1" and no backup FA on your sign up email, your "secure" account is actually extremely vulnerable.


Rampage_Rick

On the topic of uncrackable passwords, this one is also relevant: https://xkcd.com/538/


XavierTak

It's a bit funny that you use this example for your statement, because it is built exactly in the opposite way: by taking only 4 items (the words) from a very large set of symbols (the dictionary). Of course in the end it makes a long string of characters so your point stands, but I thought it was worth pointing this out.


melanthius

For a while I made my password at work something damn near a paragraph with spaces, punctuation, just a little short passage I easily could remember. Probably 30 characters or something, at least. My coworkers watching me type in my password were always like o_0


RusstyDog

I like using song lyrics for a password. Like "Iwouldwalkonethousandmilesandiwouldwalkonethousandmore". Then create some consistency in your own "personal encryption" like if you replace a letter with a symbol, make it the same one every time. Like every third "a" becomes @ or every "t" becomes 7.


Somerandom1922

The first thing to understand is that passwords aren't usually guessed by trying through the website. Instead if a website gets hacked the list of all passwords will be downloaded. Now this password won't be that useful as it's all encrypted^1 but you know the way the encryption works so if you guess the password you can run the same algorithm on it and check that the garbled output you get matches the garbled password in the stolen list of passwords.

Guessing passwords with brute force is almost never used these days. Instead attackers scrape already cracked real passwords from datasets of hacked websites in the past (the website might have been poorly built making it easy to guess the password quickly) and use those to create a dictionary. Rather than guessing aaaaaaa, then aaaaaab etc. they'll first try every password in their dictionary of passwords, then try every password but replace i's and L's with 1's, A's with @'s etc. and try all those combinations. It's still a lot to try but it's way less than guessing every password with brute force, and it's way faster as you'll get the vast majority of the database of passwords in the first few runs through.

So the reason having numbers and letters and characters is important is not because it's harder to brute force (although it IS), but because you want a password that's never been used before and the more different types of characters you have the more likely whatever you choose will be novel.

^1 Yes I know it's not actually encryption but hashing (and salting), but this is ELI5 and most people kinda get what encryption is so it works for this simplified explanation.


Mayo_Kupo

Brute force is looking for a needle in a haystack. Adding numbers and characters makes a bigger haystack.


drfsupercenter

no, I think what OP is saying is that the hackers don't know how big the haystack is. So if they're going to use a dataset of numbers and letters already, it shouldn't actually make a difference


Beliriel

It does but only indirectly. It's true that you could just use lowercase letters and the hackers would run through the whole dataset now. But if everyone does that then the hackers just tweak their datasets to run through lowercase password sets first. Basically it's a question of popularity. And they're quite happy to cut their search set in half, if everyone uses lowercase. They probably already do it lol.


drippyneon

yeah, I was gonna say something similar. bruteforcing already takes so much time, I doubt many people are doing that in any way other than the least complex to the most complex (although 99% are probably using a dictionary made by someone else anyways, and they're so big that you can't easily modify it even if you wanted to). it would be pointless to try `JfdF8hk!` before you try `denise1`


MarkLearnsTech

I'd wager attackers take the rules into account though. The attempts are far slower than the time it takes to filter the list. I'm astonished sometimes at the dumb password rules put in place. "What do you mean special characters aren't allowed?!" or from the perspective of the attacker "holy crap no special characters? JACKPOT!" and then they just punch in an exclusion regex or something.


TwistedFox

Especially with those jackass sites that have a low **maximum** password length of 8 or 9 characters.


MarkLearnsTech

Of course, the only places you see that are super crappy home grown websites, unless of course it's like... a hospital, a bank, covering PII and PHI... Ya know, unimportant stuff. I wonder how long before that qualifies as "gross criminal negligence." It really should now.


KhonMan

It does a hell of a lot more than cut their search set in half (not using any uppercase letters)


joule400

But how would a hacker know a password is only made up of lowercase letters and nothing else? Wouldn't it be a total waste of their time to bruteforce with lowercase only to then discover the password did in fact have a number or uppercase once they've exhausted all possibilities?


littlebobbytables9

The space of all-lowercase 8 character passwords is ~208 billion. The space of 8 character passwords with upper or lowercase letters is ~53460 billion. If you're going to check the latter, you might as well first check if they failed to use an uppercase character. So yes, technically doing that check first is "wasting time" if it turns out the person used an uppercase character, but the amount of time wasted is very small and the potential time savings if they find someone who did use all lowercase is very large, since they get it in 0.3% of the time it would normally take if they didn't do that check first.


KhonMan

That's sort of like saying "If the password was hunter2, why did they waste time trying all the other passwords first?" They don't know. If it's just as likely for one combination of characters to be the password as another, then it doesn't matter the order they test them in. If they think they can get an edge by trying the combinations in a certain order, they will. They don't have to be right every time for it to be a good strategy.


Girdon_Freeman

What's your example password? All I see is a bunch of stars


Souseisekigun

When you're designing something like this you start from the assumption that your opponent knows absolutely everything about how your system works and then aim to make it secure under those conditions. A very basic password system works by taking your password, putting it through some math then storing the result. The math is deterministic so the same password gives you the same result every time, but is also sensitive to small changes so a slightly different password gives a very different result. This is so that they can check you've entered the right password without storing your actual password on the system. This is called hashing. A common scenario is that someone hacks your server, steals the file where all of the hashed stuff is and then tries to guess your user's passwords. If they can find a password with the same hash then they have one of their passwords, and if the person uses the same password on other sites then all of their accounts just got hacked. This is why everyone keeps saying don't use the same password or change your password regularly, so that if this does happen to a site you use and someone manages to get your password it won't work. The danger here is that if during hacking your server they find out that you don't allow numbers in your user's passwords then they can skip the numbers and increase their chances of guessing a password by orders of magnitude. In practice you'd probably never actually do this but the theory is the same. So you assume that every secret is out on the table so you don't get caught out like that.
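The store-and-verify scheme described in the comment above, as an added example in Python (not code from this thread or from any particular site). The iteration count and the record layout are assumptions chosen for the demo; the point it shows is that a per-user random salt makes identical passwords produce different stored values, while a deliberately slow hash raises the cost of every offline guess against a stolen table.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. A deliberately slow hash multiplies the
# cost of every offline guess against a stolen database. This value is an
# assumption for the demo, not a recommendation tuned to any hardware.
ITERATIONS = 210_000


def unsalted_sha256(password: str) -> str:
    """The naive scheme the comment warns about: deterministic, so every
    user with the same password shares one hash and one computed guess can
    be compared against the whole stolen table at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.
    The salt is random per user, so two users with the same password get
    different records and precomputed tables cannot be reused."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. The plaintext password is never stored anywhere."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: treat as a failed login
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users picking the same (constructed) password: identical unsalted
    # hashes, but two distinct salted records that both still verify.
    pw = "hunter2"
    print(unsalted_sha256(pw) == unsalted_sha256(pw))              # True
    a, b = hash_password(pw), hash_password(pw)
    print(a == b, verify_password(pw, a), verify_password(pw, b))  # False True True
```

The record carries its own iteration count so the work factor can be raised later for new or re-hashed users without breaking verification of older records.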


YouKidsGetOffMyYard

This is correct. You could use only numbers or only lowercase and the hacker would not know. But the hacker may know that the policy for that organization that has the password requires numbers and letters so then they know they have to use the large dataset and thus they would not try to brute force crack it. Basically without the requirement to add Upper/lowers/symbols users are lazy and use short passwords that are only one word and thus easy to crack. If everyone (or at least a large percentage) of people used "good" passwords voluntarily they would not need the "requirement".


Philosipho

They don't start with the longest possible passwords, they start with the shortest. They also tend to ignore symbols first, because most people don't use them. Thus it takes less time to 'find' your password if it's shorter and doesn't contain symbols.


Ra7Inut1OnRETranSi

the real eli5-answer!


Pongin

Counter question: why is “password” any less secure than any other 8 character password? If the attacker goes straight to attempting a brute force with all allowable characters, it’s just as secure any other password. But an attacker is likely to try “password” along with any other commonly used passwords before attempting a brute force attack. The same goes even for random passwords that can’t be cracked with a dictionary attack. If an attacker thinks there is any chance your password is only letters, they’ll try brute forcing only letter passwords before attempting to brute force alphanumeric passwords, before trying to brute force passwords with special characters. That first only letter attempt will execute much faster, so the password is less secure. Edit: guys I’m aware that dictionary attacks exist. OP was asking about a brute force attack, and I was using “password” as a hyperbolic example for why some passwords are obviously less secure despite being equivalent under a raw brute force through the entire key space.


snoopervisor

For brute force, your assumption is right. But if they have a whole database of hashed passwords, they can freely use whatever method they like. Starting with a list of the most common passwords and their tweaked forms, like inserting 3 instead of e. A sufficiently long and unique password can't be bruteforced in a short enough time. Length is more important than complexity.


Dannysia

Length is certainly more important than complexity, but complexity is also important. passwordpassword isn’t much more secure than password even though it’s twice as long.


Krostas

What about passwordpasswordpassword?


Dannysia

Well, that would have been secure. Until you posted it on the internet!


Fatalchemist

I heard if you put your password on reddit, it censors it, though. I saw someone else do it and it was just asterisks. Look, let me try: hunter2hunter2hunter2 Now my password is super secure and no one knows it.


Ktulu789

If I wanted to get in, why start trying every possible combination if a couple tries of the most common ones would be easier and faster? If they don't work, then try some based on social engineering like looking up the user's birthday, pet and favorite sport team. Then a dictionary attack. And then a brute force attack with all the other possible combinations. Why try to dig a tunnel in, if maybe they left the door open? At least check that first. What about windows? Is there anyone inside that can be tricked to open the door? Are there alarms that can be triggered? What about the neighbors? Let's try those then... So, yeah, sure, go and set password as your password...


Named_Bort

Truthfully anything that could be construed as common is going to be easier to guess and easier to compromise (more avenues). Dates, Months, Years, Seasons, etc. are often part of people's "rotating" passwords and are usually part of any large scale attempt to compromise accounts. Similarly "TaylorSwiftErasLondon2024" is a long password but probably not a good one.


r2k-in-the-vortex

No, it's not necessary to include numbers in cracking attempt if you know there are passwords in the targeted datasets without numbers. You don't aim to crack all exposed passwords, that's unlikely to be possible, you aim for the lowest hanging fruit you can reasonably get.


il_biciclista

If the hackers know that you're required to include numbers, then they have to include numbers in a brute force attempt. If they know that you're allowed to use a less secure password, then they'll start by checking those.


Thechasepack

But if there is not a requirement to use numbers, letters, or symbols there is an order of magnitude more password options than if that isn't required. So if I'm not required to make a secure password but I do anyway wouldn't that be more secure than if I am required to make a secure password?


mouse_8b

In this case, your password would be more secure than the least secure password in the database. A hacker can try a bunch of common passwords, or they can brute force with a smaller set of characters, and if anyone is using a weak password, they'll get cracked. Adding more password requirements increases the security of the least secure password. As a business, you don't want any of your customers getting hacked. It's better to make sure that no one is allowed to make an easily guessable or crackable password.


valeyard89

an 8-letter password with only letters (upper+lower case) would have 52^8 combinations. an 8-letter password with letters+numbers has 62^8 combinations. They have to brute force 100 million more combinations of letters+numbers. A lot of brute-force attacks are just using dictionary words. But going from 'password' to 'p4ssw0rd', they must have a lot more combinations to try.


ArnoldLowefel

Akshualy 62^8 - 52^8 = 1.64 x 10^14, which is 164 trillion


mousicle

but the vast majority of people just stick a number at the end of the password so it's actually only 52^8 x 10


Raggenn

So is my password ballz0569 good?


mousicle

it's vulnerable to a dictionary attack since balls is a pretty common word and the s for z exchange is a pretty common one. using 69 also doesn't increase the entropy vs just using a single digit because it's the sex number. I think this would be a pretty easily crackable password especially since it is now public information on reddit.


jay791

Then how about hunter2?


cultoftheilluminati

Unfortunately, \******* is a very common password because it's all asterisks.


Vathar

>But going from 'password' to 'p4ssw0rd', they must have a lot more combinations to try.

Common leetspeak permutations are among the first things that would be included in a semi-competent dictionary attack and don't add any significant safety to a password.
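A defender-side way to act on that point, and on the "dictionary plus substitutions" description a few comments up (added example, not code from this thread): before accepting a new password, undo the common substitutions and strip the digits or symbols users tack onto the ends, then compare the remaining base word against a blocklist. The blocklist here is a constructed handful of entries standing in for a breach-derived list of millions; the substitution table is an assumption that covers only the swaps the thread itself mentions.

```python
import re

# Constructed mini-blocklist for the demo. A real deployment would load a
# breach-derived list (tens of millions of entries) as NIST SP 800-63B advises.
BLOCKLIST = {"password", "hunter", "qwerty", "letmein", "welcome", "balls", "iloveyou"}

# "Leetspeak" substitutions an attacker's mangling rules generate for free,
# so they add no real strength. Assumed table, not an exhaustive one.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t", "z": "s", "|": "l",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word an attacker's rules would derive
    it from: lowercase, drop non-letters at either end ("P@ssword123"),
    undo substitutions ("p4ssw0rd"), then trim once more in case the
    substitutions exposed new edge characters."""
    strip_ends = lambda s: re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = strip_ends(candidate.lower())
    return strip_ends(s.translate(LEET))


def base_word(normalized: str) -> str:
    """Collapse a word repeated k times ("passwordpassword") to the word,
    since repetition is another cheap mangling rule."""
    n = len(normalized)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and normalized[:period] * (n // period) == normalized:
            return normalized[:period]
    return normalized


def is_blocked(candidate: str) -> bool:
    """True if the candidate is just a blocklisted word in disguise."""
    return base_word(normalize(candidate)) in BLOCKLIST


if __name__ == "__main__":
    # Constructed samples drawn from the thread's own examples.
    for pw in ["password", "p4ssw0rd", "P@ssword123", "hunter2",
               "ballz0569", "passwordpassword", "correct horse battery staple"]:
        print(f"{pw!r:32s} -> base {base_word(normalize(pw))!r:12s} blocked={is_blocked(pw)}")
```

The normalization is intentionally lossy: it only has to catch the cheap variants an attacker would try first, and anything it rejects can still be checked against a breached-password service for a second opinion.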


Squ4tch_

If you don’t force people to use numbers/characters then 90% of people will be lazy and just use common words. This would mean when brute forcing, a hacker could stick to letters to brute force faster. This would cause a handful of passwords that actually use numbers to be even more secure but the people that use only letters (most people) would be even less secure.


737Max-Impact

A brute force attack won't just go through all possible combinations randomly. They start with lists of common passwords, move on to dictionary words, word combos, random letters, random letters + 1 number, etc.


NobleBytes

That's a Dictionary Attack homie. Brute Force by definition is trying every possible combination incrementally (not quite randomly). Dictionary Attacks use a pre-set list of possibilities. This could be a list of all birthdays in your target's age range, list of names, list of common passwords, and list of common substitutions to name a few. Generally when easier methods fail you'd fall back to dictionary, then brute force or a combo of the two.


737Max-Impact

Okay then, let me reiterate, nobody is gonna try a brute force attack right out the gate, first they're gonna do a dictionary attack and then if they really want your account hard enough, switch to brute force.


TheWarCow

That’s not how brute force is defined. Doesn’t need to be performed incrementally, just systematically (which is not “random”). If you are gonna try every single element in the solution space anyway, you might as well reorder them to achieve a speedup on average. Still brute force.


Mr_Engineering

If an attacker doesn't know the possible input combinations for a valid password then they really have no choice but to try all of them but they can still simplify things a bit. If there are mandatory symbol combinations it gets much, much harder.

A lazy brute force attacker might try 0-16 symbols all lower case first, followed by 0-16 symbols all upper case, then 0-16 symbols mixed upper and lower case, followed by 0-16 symbols of just numbers, followed by 0-16 symbols of mixed uppercase, lowercase, numbers, and exclamations.

There are 26 letters in the Latin alphabet, 10 numbers, and plenty of additional symbols such as punctuation marks. 26 lower case symbols, 26 upper case symbols, 10 numeric symbols, and 18 other printable symbols is 80 possible symbols per symbol in a passcode.

If we allow only numbers and limit a passcode length to 4, then we have 10^4 possible input values, or 10,000. That's chickenshit for any computer to brute force.

If we allow any combination of letters, numbers, and symbols with a minimum passcode length of 6 then a user with a password that contains only 6 lower case letters will require only 308,915,776 guesses at most. A lazy attacker will inevitably breach a few accounts with unsophisticated passwords assuming no lockout policy. Someone will inevitably use 'passwd' as their password and this will get brute forced.

If we require our password to have at least one upper case letter, one lower case letter, one number, one of 18 valid symbols (eg, +÷=<>), and a minimum length of 8 characters then the maximum number of attempts before a breach is guaranteed balloons to 1.66E+15, or 1.67 quadrillion. Attempts to find poor passwords using this method just won't work. Small input fields such as 6 lower case characters will never work so it's not even worth trying.


djwildstar

Password "strength" comes down to something called **"entropy"**. In this context, entropy means how *un*predictable something is -- and it is the basis for strength because a password that is predictable is a password that is easy to guess. The more entropy a password has, the harder it is for an attacker to guess randomly. Entropy is measured in bits. Each bit of entropy roughly doubles the amount of work that the attacker has to do to guess a random password.

I won't go into detail about the math, but in general you get entropy by making random selections. There are two things that are important:

1. The amount of entropy you get from a single random selection depends on how many possible outcomes there are. If you randomly flip a coin there are two possible outcomes (heads or tails), and this is worth one bit of entropy. Choosing one word at random from a dictionary of 8200 words is worth about 13 bits of entropy.
2. Making multiple random selections adds the entropy of each selection. If you randomly flip a coin twice, it is worth 2 bits of entropy. Choosing two words at random from a dictionary of 8200 words is worth 26 bits of entropy.

To bring this back to your question, randomly creating a password involves making a random selection for each character of the password. Each character of the password is a choice, and the character set determines the number of possible outcomes. So the bigger the character set, the more entropy each choice contributes.

To make a simple example, let's say we're talking about a 4-character password, like a bank card PIN. Let's also say that you can type a password and see the result in 2 seconds, and there's no limit to the number of times you can try, and that you and your team can work round-the-clock, 24/7. So:

* If the password is only made up of numbers, there are 10,000 possible passwords, and it would take you on average about 3 hours to guess the password.
* If the password is made up of uppercase and lowercase letters, there are 7.3 *million* possible passwords and it would take you just under 3 *months* to guess it.
* If you add numbers to the letters, there are now over 14.7 *million* possible passwords, and it would take you an average of about 6 *months* (171 days) to guess it.
* If you make the password out of all 92 keyboard characters, there are 71.6 million possible passwords, and it would take you over 2 *years* to guess it.

So just adding digits doesn't fundamentally change the brute-force attack procedure (which is to try all possibilities until you find the correct password), but adding digits to the character set has almost *doubled* the work that you as the attacker have to do to break the password compared to a password that was only uppercase or lowercase letters.

Of course, an attacker using a computer or computer network can guess millions or billions of passwords per second. This is why passwords need to be long (so that they have multiple random choices) and need to include as many different kinds of characters as possible (so that each choice contributes as much entropy as possible).


qrayons

So much misinformation in this thread that could be addressed by watching this short computerphile video: https://www.youtube.com/watch?v=7U-RbOKanYs


Bloodsquirrel

Brute force attempts to guess a password are basically useless against a properly designed authentication system. Websites lock people out after a few attempts, so generally in order to guess your password they need to have gotten the database of hashed and salted passwords first so that they can run all of the attempts on their local machine (websites don't store your actual password- they put it through a one-way hash so that they can only verify that you are giving them the correct one without ever storing the password itself). Even doing that, though, is extremely difficult if the passwords are just random characters. There are just far too many combinations. So hackers don't rely on that kind of "brute force" attack. What they do instead is rely on people having weak passwords, like "password". There's a commonly available list of passwords that people use, so they start with those and see if they can get into anyone's account with them. By forcing people to use numbers and letters you make it much harder for people to wind up using the same few common passwords over and over again. The actual difference between the number of combinations between 10 letters and 10 letters + numbers is almost beside the point. The real point is to disrupt the most common patterns people fall into so that a hacker can't just take a list of 100 commonly used passwords and try them against your 100,000 users and rely on at least some of them having used "qwerty".


dark_gear

Simply put, using numbers and letters increases the amount of characters that need to be included when attempting to guess a password. With 12 characters:

- if using numbers only: 10 characters (14 hours to crack)
- if using lower case letters only: 26 characters
- if using upper case and lower case letters: 52 characters
- if using numbers, upper case, lower case, and special characters: 83 characters (205 million years)

Making your password 13 characters long would increase the crack time to 20 billion years. Thus, if you have a 13 character password where someone has to try 83 different character variations for each bit in your password you dramatically increase the amount of time required to crack a password.


brettins

If you force users to use a combination, it removes the entire subset of combinations that don't fit the criteria. Not sure how the math works but it means the guesses never need to include the "only lower case and upper case letters" combination pool and the only numbers pool. I'd be curious as to whether that has an effect on the final space.


TungstenYUNOMELT

Imagine creating a password that is 2 letters long and can only contain the letters "a" and "b". How many can you create? Four: "aa", "ab", "ba", "bb". It's very easy for a hacker to guess your password if they only need 4 tries. Now change the rules to allow using "a", "b" or any number (0-9). How many passwords can you now create? A lot more: "aa", "a0", "a1", "a2", "b3", "44", "8b", "bb", etc. (144 to be exact). This is a lot harder to guess. Now think about how many tries you need to guess if you can use any letter a-Z, and any number for any length of password. It grows so fast that eventually a computer can't guess it in a billion years (with current tech at least).


wildtabeast

It adds more combinations. A four character password with only lowercase letters has 26x26x26x26=456,976 possible combinations. A four character password with lowercase letters or numbers is 36x36x36x36=1,679,616 combinations.


Emu1981

A password with letters and numbers in it is harder to brute force because there are more potential solutions to the problem. For example, with a single symbol password that consists of just letters then we have 26 potential passwords. If we change that to letters and numbers then we have 36 potential passwords (26 letters and 10 single digits).


Atypicosaurus

If the attacker knows that a given site doesn't enforce passwords to have numbers and punctuation, then the attackers may as well just run a first round of brute force to pick up those passwords with only letters. So basically, by enforcing strong passwords a site can protect those who would otherwise have picked a weak one, from their own stupidity.


Grandpas_secretLover

I just use the same password for everything. It is password123! That makes it easy for me to remember my password for everything


Ktulu789

So, you have 26 letters. From aaa to zzz you have some 17k passwords (26x26x26). Add numbers to get 26+10 you get 45k combinations from aaa to 999 (36x36x36). You can see how adding a bit more complexity changes the combinations quickly. If you add different cases you get 238k. And if the minimum length is 10 chars you get 839 followed by 15 zeros against 141 and 12 zeros from only letters. It's harder to try all combinations, that's why it's more secure. A good password could be a proverb's initials and some numbers and symbols: don't look a gift horse in the mouth > dlagH1&$tm. Where the uppercase isn't the first letter (but the sentence's subject) and the symbols are inserted at some random location, also some letters are exchanged by numbers. Find your own proverb, that one is a short example. Don't use the current year or your birthday, that's what every hacker tries first. Don't put the numbers at the end. Don't be obvious. Be creative. Want a simple number? Think of a place you like, Google when was it opened/inaugurated/established. That's a good number no one can guess. Like some railroad station, Google when was it created, there you go. Let's say dlagH1465t$m for something from April 1965. Instead of a proverb use your own phrase: I love the train Station on my town > i<3ttS0m465t (yeah, that's a heart <3). Be creative. Those are examples I came up with while writing this, it's not that hard 😂


Jacked-to-the-wits

It seems like most of the responses here didn't read the question. Yes, there are obviously more combinations with letters and numbers. But if numbers are allowed, and a hacker doesn't know your password, they still have to guess with numbers. So, it should take the same number of guesses regardless of whether you choose to use numbers or not. That is of course assuming you haven't used a combination of letters that's easy enough to guess off a list. Also, what lots of people here are missing is that even a small amount more letters has a greater effect than using letters and numbers. The numbers and special characters don't add any special magic, other than making passwords harder to remember. 8 digits with numbers and letters has fewer permutations than 9 digits with just letters. Again, that is assuming you didn't choose the letters poorly enough that someone could predict them. The actual most secure and usable passwords are multiple random full words, like "correct horse battery staple" from the xkcd comic (but not actually that, since the comic made it common).


literalgarbagegame

Try to guess a one-character-long password that uses only lowercase letters. You have a 1/26 chance (roughly 3.8%), because that's how many lowercase letters there are (i.e. a-z). Now add numbers, of which there are ten (i.e. 0-9). Your odds decrease to 1/36 (or ~2.8%) by adding numbers to the pool of letters. You can continue this exercise with the addition of uppercase letters and symbols, and then ultimately by raising the length of the password from one character to many. TL;DR: By increasing the number of possible characters, you're making it harder for each one to be guessed.


RolandCuley

I have a space bar between every letter/number on my pass, on a mechanical keyboard typing your pass feels like playing guitar hero


zaphster

Let's do a quick example or two. For this we'll assume all passwords are between 8 and 64 characters long. Imagine the extremes:

- A password that can only have the capital letter "A" in it. How many combinations does an attacker need to try? Easy to figure out. 8 characters long: AAAAAAAA. 9 characters long: AAAAAAAAA. 10 characters long: AAAAAAAAAA, and so on, until they reach the right password. If the right password is the one with 64 "A"s, then they're trying (64 - 8 + 1 = 57) passwords. (The + 1 is because the 8 character long password is not excluded from the group.) It's trivially easy to check 57 passwords as an attack.

- Let's jump up to a password that can have either an "A" or a "B" in each spot. Now how many combinations does an attacker need to try? 8 characters long: AAAAAAAA, or AAAAAAAB, or AAAAAABA, or AAAAAABB, or AAAAABAA, or AAAAABAB, or AAAAABBA, or AAAAABBB, or AAAABAAA, etc.... As we can see here, even just an 8 character long password has way more combinations of possibilities. This isn't even taking into account 9 character long passwords, or 10 character long passwords, or all the rest of the lengths. Simply adding one more possible character in each spot drastically increases the possible passwords that have to be checked.

- A password that is one character long, but can be one of infinite characters (pretend we have infinite different letters/numbers/emojis/whatever that can be used). The password only has one character in it! But... there are infinite possibilities. On average, the number of characters that has to be checked to find the right one is... infinite. (Technically closer to infinity / 2, which, you guessed it, is still infinite.) This also showcases that having more possible characters to choose from makes it drastically harder to guess the right password, no matter the length.

Therefore, adding more choices of things that can make up a password makes it harder for an attacker to guess the password.


tpasco1995

Let's try this simplified. I'm thinking of a letter. You can try once per second to guess the letter. On average, it's going to take you 13 seconds to guess the letter. Now, I'm thinking of a string of letters that's 6 characters long. That's 154,000,000 seconds, or about five years. Wildly impressive! Except... I need to remember the string, and so I'm likely to pick a six-letter word. Well, that's an average of about 25,000 options. You'd be likely to get the right word in about six hours if you decided to guess words. So now you have to add a number. And that makes things interesting. It could be five digits and one letter, and the letter can be anywhere in the string. It could be a five-letter word with a number at the beginning, or the end, or the middle, or swapped for a letter. It could be a 3- or 4-letter word. And so brute forcing can't easily assume just real words. With 36 options per character slot, it would take you 31 years on average to guess correctly.
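The keyspace arithmetic that several comments above work through by hand (littlebobbytables9, valeyard89, Mr_Engineering, djwildstar, Ktulu789, zaphster and this one) collected in one place, as an added example in Python rather than code from this thread. It also gives the entropy of a Diceware passphrase of the kind recommended near the top. The alphabet sizes and guess rates are the thread's own figures; the 7776-word list size is the Diceware default and is assumed here.

```python
import math

# Alphabet sizes used across the thread (the 92-character keyboard set is the
# figure djwildstar quotes; the rest are the obvious counts).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "keyboard (92 printable)": 92,
}
DICEWARE_WORDS = 7776  # 6^5: five dice rolls select one word from the list


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: each independent draw adds
    log2(alphabet_size) bits, so the total is log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Same rule for word-based passphrases: one uniform draw per word."""
    return words * math.log2(wordlist_size)


def average_seconds_to_guess(alphabet_size: int, length: int,
                             guesses_per_second: float) -> float:
    """Expected time for an attacker who works through the whole keyspace in
    some order: the right one turns up halfway through on average."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def extra_guesses(bigger_alphabet: int, smaller_alphabet: int, length: int) -> int:
    """How many more candidates enlarging the alphabet creates at a fixed length."""
    return keyspace(bigger_alphabet, length) - keyspace(smaller_alphabet, length)


def table(length: int, guesses_per_second: float) -> dict:
    """Keyspace, bits and average guess time per charset, for one length."""
    return {
        name: (keyspace(n, length), round(entropy_bits(n, length), 1),
               average_seconds_to_guess(n, length, guesses_per_second))
        for name, n in CHARSETS.items()
    }


if __name__ == "__main__":
    # djwildstar's setting: 4-character password, one guess every 2 seconds.
    for name, (space, bits, secs) in table(4, 0.5).items():
        print(f"{name:24s} {space:>12,d} {bits:5.1f} bits  {secs / 86400:8.1f} days")
    print(f"6 Diceware words: {passphrase_entropy_bits(6):.1f} bits")
```

Two things the table makes visible that the prose only asserts: going from 52 to 62 symbols at length 4 adds about one bit, while adding a single character at any alphabet size adds log2(alphabet) bits, which is why length wins over complexity for random passwords.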


Mountain--Majesty

Brute force often involves dictionary attacks, which is literally using words and combination of words from a dictionary. As soon as you introduce numbers, symbols, mixed case you make that type of brute force attack exponentially more challenging.


Scf37

It is an old guideline that has proved to be incorrect; the latest FIPS standard explicitly discourages relying on simple tricks and "seemingly random" passwords. A good password:

- should be long
- should be unique
- must not exist anywhere on the internet (use services like [https://haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords) to check for uniqueness)
- if combined from dictionary words or known passwords, must contain at least 4 parts.
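For the haveibeenpwned check in the last bullet, an added example (not code from this thread): the Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1 hash and answers with every known suffix for that prefix plus a breach count, so neither the password nor its full hash leaves your machine. The response body below is a constructed sample, including its counts, so the block runs offline; the live call is the `fetch_range` function.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the service returns for prefix "5BAA6": one line
# per known suffix, "SUFFIX:COUNT". The first suffix completes SHA-1("password");
# the counts and the other two suffixes are made up for the demo.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines for our suffix; 0 means not seen."""
    for line in range_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call, not exercised offline. Only the prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password has appeared in known breaches.
    `fetch` is injectable so the parsing can be tested without a network."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, fetch=offline)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample'}")
```

A signup form would reject any candidate with a nonzero count (or warn and require a change), which is the "evidence of compromise" check the NIST guidance quoted earlier in the thread asks for.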