I think he came up with the idea originally, of using common words like this.
Because they really do have higher entropy, even if the attacker knows you are using common words and what dictionary you are using. Most modern systems (like bitcoin keys etc) use this idea now.
I think it has to do with the fact that brute force attacks are far less likely to arrange letters in a way that matches a series of legitimate words and far more likely to use jumbled nonsense
That’s plainly false if we are talking about machine-generated brute forcing. Any sequence of equal length is equally likely, generally. Furthermore, if someone artificially restricts it to narrower patterns and someone can guess that is the case, the machine generated brute-forcing has an easier time. Dictionaries exist and can be used.
The only reason to make this claim is if you’re irrationally married to the idea of typing in your password. At that point, it can no longer be a properly strong password (a hundred characters of random garbage), and so it must be a weaker password you can remember (some long string of words). And then you need to justify it with nonsense.
Get a goddamned password manager already for fuck’s sake.
actually, script automated brute forcing would be better at guessing randomized characters for a passwords.
No. It wouldn’t. It’s neither better nor worse at anything. If you’re unfamiliar with programming, it’s difficult to understand, but I’ll try to explain it to you…
No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That’s why it’s called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don’t look random to you at all.
By choosing words as your password, if someone can guess that this is what you’ve done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages’ dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.
This reduces the number of passwords that you can have chosen by some ridiculously large number.
It’s literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords… assuming someone can guess that that’s what you did. And it’s not much of a guess even, considering that you blather all over the internet about how you think it’s a smarter approach.
the dilemma with your thinking is the time vs success factor. Given enough time and an indefinite number of attempts before security measures kick in and block the active IP, a brute force attack will eventually be successful,
That’s not even how this works. It’s not 1986, you’re not Matthew Broderick hacking into WOPR.
Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren’t complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).
The website it was stolen from has at least taken measures that they can’t get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you’re a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they’re remembering their passwords, I know they don’t have eidectic memory and know 50 unique passwords by heart. They’re remembering one.
So once they brute-force the hash, they’ve got most or all of your passwords (maybe literally not all, you probably think you’re clever by having two or three slight variations on it like “every word in it starts with uppercase!” or some shit like that). And it’s alot easier to brute-force this when you assume that they used dictionary words.
Here’s where you bust out with “but now you’re full of shit DPUGT, because I didn’t mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!”.
Except you’re still wrong. That fucking website truncated the password (and always truncates, since you didn’t notice), or it has a maximum password length (don’t ask, I have no explanation, this is so far off in WTF territory that I give up).
And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.
You tried to be clever with passwords, which is what all stupid people do.
All your passwords have to be different. They shouldn’t even reuse sequences longer than 2 or 3 characters, and those only by accident.
You have 50+ passwords (my count’s something like 300+ and always going up).
They should all be long as hell. Ideally 50-100 characters or more. This means they’re also untypeable from a practical point of view.
They should never be written down anywhere, digitally or physically.
And, if we were making rules for websites/accounts, they shouldn’t limit possible passwords. No maximum lengths, no “can’t use that character”. Like why not? They shouldn’t be storing the damned password in plaintext, the hash should be hex and fixed legnth anyway. But can’t do anythign about that.
Once you understand these rules, there is only one correct way to do passwords. And it’s not setting a new one every 6/10/12 weeks. It’s not 2FA. It’s not any of the garbage everyone always repeats as if it were wisdom.
No. Words are just easier to remember. It’s about probability. If you only use lower characters, it’s 1 in 26, with upper case 1 in 52, with nunbers 1 in 62. With weird chars, I don’t know. If you now take one english 6 char word, and compare it to a random string with 6 chars. Which one is more secure? But, if you compare 6 characters with 6 words, then it’s not that easy. But random chars will always be more secure if both passwords have the same size. But it might be easier for you to remember 12 words than 12 signs. The orobabikity is so low, who cares if it’s 1 or 2 quadrillion years?
deleted by creator
This is the reason (relevant xkcd) https://xkcd.com/936/
deleted by creator
I think he came up with the idea originally, of using common words like this.
Because they really do have higher entropy, even if the attacker knows you are using common words and what dictionary you are using. Most modern systems (like bitcoin keys etc) use this idea now.
That’s plainly false if we are talking about machine-generated brute forcing. Any sequence of equal length is equally likely, generally. Furthermore, if someone artificially restricts it to narrower patterns and someone can guess that is the case, the machine generated brute-forcing has an easier time. Dictionaries exist and can be used.
The only reason to make this claim is if you’re irrationally married to the idea of typing in your password. At that point, it can no longer be a properly strong password (a hundred characters of random garbage), and so it must be a weaker password you can remember (some long string of words). And then you need to justify it with nonsense.
Get a goddamned password manager already for fuck’s sake.
deleted by creator
No. It wouldn’t. It’s neither better nor worse at anything. If you’re unfamiliar with programming, it’s difficult to understand, but I’ll try to explain it to you…
No matter what characters are used, brute-forcing is like counting up from one. 1, 2, 3, 4. Just using more than the 10 numeral symbols. That’s why it’s called brute-forcing, it is literally trying every password possibility after the other. This will include actual words. This will eventually include even passwords that don’t look random to you at all.
By choosing words as your password, if someone can guess that this is what you’ve done (which is an easy guess, because most people are cretins when it comes to passwords) then they can go look for a dictionary. There are maybe 100,000 words in English. 250k if you use the OED. Other languages’ dictionaries are available too. Then they configure the brute-forcing program to ignore the sequential-every-password-possible stuff, and use words instead.
This reduces the number of passwords that you can have chosen by some ridiculously large number.
It’s literally, mathematically-provably, easier for the automated brute-forcing to do the non-randomized passwords… assuming someone can guess that that’s what you did. And it’s not much of a guess even, considering that you blather all over the internet about how you think it’s a smarter approach.
That’s not even how this works. It’s not 1986, you’re not Matthew Broderick hacking into WOPR.
Some Romanian shitbag used stolen credit cards to buy a database dump from another Russian shitbag who got it in an as-of-yet-undisclosed data breach. Somehow, the people who got their database stolen weren’t complete morons, and your password is hashed in it. But it was hashed poorly with some reused salt (also included, the Russian wants repeat business?).
The website it was stolen from has at least taken measures that they can’t get into amphibeanfursuits.com with any of the stolen data. But you reuse the same password everywhere, including your online bank accounts. How do I know this? Because you’re a dumbass who talks about choosing memorable passwords. The typical person out there has 50+ online accounts. If they’re remembering their passwords, I know they don’t have eidectic memory and know 50 unique passwords by heart. They’re remembering one.
So once they brute-force the hash, they’ve got most or all of your passwords (maybe literally not all, you probably think you’re clever by having two or three slight variations on it like “every word in it starts with uppercase!” or some shit like that). And it’s alot easier to brute-force this when you assume that they used dictionary words.
Here’s where you bust out with “but now you’re full of shit DPUGT, because I didn’t mean 1 or 3 or even 5 dictionary words, I meant like a phrase from Moby Dick or a passage out of Harry Potter!”.
Except you’re still wrong. That fucking website truncated the password (and always truncates, since you didn’t notice), or it has a maximum password length (don’t ask, I have no explanation, this is so far off in WTF territory that I give up).
And so your password will be broken. Likely with the help of Amazon compute time bought with more stolen credit cards or something. There is no lockout that will save you. Their IP will not be blocked.
You tried to be clever with passwords, which is what all stupid people do.
And, if we were making rules for websites/accounts, they shouldn’t limit possible passwords. No maximum lengths, no “can’t use that character”. Like why not? They shouldn’t be storing the damned password in plaintext, the hash should be hex and fixed legnth anyway. But can’t do anythign about that.
Once you understand these rules, there is only one correct way to do passwords. And it’s not setting a new one every 6/10/12 weeks. It’s not 2FA. It’s not any of the garbage everyone always repeats as if it were wisdom.
It’s Get a goddamned password manager already.
deleted by creator
No. Words are just easier to remember. It’s about probability. If you only use lower characters, it’s 1 in 26, with upper case 1 in 52, with nunbers 1 in 62. With weird chars, I don’t know. If you now take one english 6 char word, and compare it to a random string with 6 chars. Which one is more secure? But, if you compare 6 characters with 6 words, then it’s not that easy. But random chars will always be more secure if both passwords have the same size. But it might be easier for you to remember 12 words than 12 signs. The orobabikity is so low, who cares if it’s 1 or 2 quadrillion years?