Which of the following two passwords is stronger, more secure, and more difficult to crack?

  • D0g.....................
  • PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

But wouldn’t something like “D0g” be in a dictionary, even with the ‘o’ being a zero?

Sure, it might be. But that doesn’t matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.

And here’s the key insight of this page, and “Password Padding”:

Once an exhaustive password search begins, the most important factor is password length!

  • The password doesn’t need to have “complex length”, because “simple length” is just as unknown to the attacker and must be searched for, just the same.
  • “Simple length”, which is easily created by padding an easily memorized password with equally easy to remember (and enter) padding, creates unbreakable passwords that are also easy to use.
  • And note that simple padding also defeats all dictionary lookups, since even the otherwise weak phrase “Password”, once it is padded with additional characters of any sort, will not match a standard password guess of just “Password.”
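The search-space arithmetic behind the page's “95 times longer” claim and the exact-match point above, as an added example (not code from GRC or from this blog). It assumes the 95-symbol printable-ASCII alphabet (letters, digits, punctuation and space), an attacker who must try every length up to the real one, and a constructed toy wordlist.

```python
import string

# Character classes; together they are the 95 printable ASCII symbols.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = {"password", "Password", "dog", "D0g", "letmein"}

# The page's two passwords: "D0g" padded with 21 dots (24 chars) vs a 23-char random string.
PADDED = "D0g" + "." * 21
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"


def alphabet_size(password: str) -> int:
    """Symbols a brute-force attacker must assume once a class is known to be present.
    Each class present contributes all of its members (the conservative assumption)."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in cls for ch in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search covers before reaching this length:
    every string of length 1..n over the assumed alphabet."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def speedup_ratio(longer: str, shorter: str) -> float:
    """How many times more work the longer password costs a brute-force attacker."""
    return search_space(longer) / search_space(shorter)


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case exhaustive-search time at a given guess rate."""
    return search_space(password) / guesses_per_second


def exact_match_lookup(candidate: str, wordlist: set) -> bool:
    """All the attacker learns from a guess: exact match or not. Padding defeats this."""
    return candidate in wordlist


if __name__ == "__main__":
    print(f"ratio padded/random: {speedup_ratio(PADDED, RANDOM):.2f}")   # about 95
    print(f"'D0g' in list: {exact_match_lookup('D0g', WORDLIST)}, padded: {exact_match_lookup(PADDED, WORDLIST)}")
```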

One Important Final Note

The example with “D0g.....................” should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for a full search through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . . but do invent your own!

If you make the result long and memorable, you’ll have super-strong passwords that are also easy to use!

Read More at GRC
