https://www.grc.com/passwords.htm - this site makes it pretty handy
Actually, if you take a peek around at Steve's site, you'll see that he's into "password haystacks" now. While 64-character randomly-generated passwords are highly secure, they're also nearly impossible to use in a practical fashion.
"Padded" passwords are, in most cases, more secure and infinitely easier to remember (and thus use).
https://www.grc.com/haystack.htm
I used to use 32-character (lower + upper + number + special) random PSKs for wireless, and if I wanted to add a new device or similar, I had to open my password manager on my PC or phone and slowly do a stare-and-compare.
I now use 32-character "word combos" (lower + upper case), padded with numbers and specials. I can remember them verbatim and input them into any device at any time. And according to the haystack calculator, they're every bit as secure.
For example, here are a couple of 28-character examples that are completely equal in terms of brute force protection:
t9]$xoJNV^:tBnFp8''R'\2%p:tF
B.B.King.*.RIP2015.*.DaBlues
I do not buy that last comment. "King", "2015", and "Blues" would be on any word-list, dropping entropy way below the truly random character string.
Let's say a 10,000 word wordlist has those 3 words.
10,000 ^ 3 = 1e12 possibilities using 13 characters
vs
13 random alphanum chars
~64 ^ 13 = 3e23 possibilities using 13 characters
Random wins by a land-slide.
Disclaimer: I doesn't math.
Yeah, but as soon as one changes King to K1ng, 2015 to 2oI5, and Blues to 8lu3s, then rainbow tables go out the window... and we get the entropy back
The haystack thing does not consider the human element at all. Brute-forcing every character is the last resort and best-case scenario for the password's chances.
Dictionary attacks use predetermined word lengths. A dictionary attack can find "dog" and "d0g" but it won't find dog* because it's not a 3-letter word.
A dictionary attack would never break the B.B. King password above because even though those individual words exist in every dictionary, the likelihood of them appearing together, in that exact order, with all the padded characters, in a pre-compiled attack dictionary is virtually nil. Furthermore, keep in mind that what I have there is only an example. You can do character replacement and other things to make them more complex (even though that's really unnecessary).
At that point, the attacker is forced to the last resort, brute force. And at that point then, the random password is no more secure than the B.B. King password because it's all about possible mathematical combinations.
If you didn't already, you should check out the article. Entropy isn't the be-all-end-all they once thought it to be.
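To put numbers on the two models being argued about in the posts above (the "10,000 ^ 3 vs 64 ^ 13" arithmetic and the haystack "brute force is the last resort" point), here is an added worked example. It is not code from the thread or from GRC's haystack page. It computes the haystack-style exhaustive search space for both 28-character strings quoted earlier, then the search space an attacker gets if they guess the padded password's structure instead (words from a list, a year, a separator motif, a capitalisation rule), plus how many spellings a leet-substitution rule produces for a word. The 10,000-entry wordlist comes from the post; the separator count, year window, capitalisation count and the leet table are assumptions chosen for illustration.

```python
"""Haystack (exhaustive) search space versus a structure-guessing attacker.

Added example for the SNBForums password thread; the per-piece choice counts
for the padded password are illustrative assumptions, not measured figures.
"""
import math
import string

# The two 28-character examples quoted in the thread.
RANDOM_PW = "t9]$xoJNV^:tBnFp8''R'\\2%p:tF"
PADDED_PW = "B.B.King.*.RIP2015.*.DaBlues"

# Character classes the haystack model counts (26 + 26 + 10 + 33 = 95).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}


def haystack_alphabet(pw):
    """Alphabet size the haystack calculator assumes: the sum of every
    character class that occurs at least once in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))


def haystack_bits(pw):
    """log2 of the exhaustive search space, alphabet ** len(pw)."""
    return len(pw) * math.log2(haystack_alphabet(pw))


def charset_bits(length, alphabet_size):
    """Bits for `length` independent random symbols (e.g. 13 chars of ~64)."""
    return length * math.log2(alphabet_size)


def wordlist_bits(num_words, wordlist_size):
    """Bits when each token is one of `wordlist_size` equally likely entries."""
    return num_words * math.log2(wordlist_size)


# Assumed attacker model for PADDED_PW: how many choices each piece of the
# structure has.  Wordlist size is from the thread; the rest are guesses.
PADDED_STRUCTURE = [
    ("initials B.B.",  26 * 26),  # two dotted letters
    ("word King",      10_000),   # 10,000-entry wordlist
    ("separator .*.",  100),      # assume ~100 common separator motifs
    ("word RIP",       10_000),
    ("year 2015",      200),      # assume a 200-year window
    ("word Da",        10_000),
    ("word Blues",     10_000),
    ("capitalisation", 10),       # assume ~10 casing rules (Title, UPPER, ...)
]


def structure_bits(structure):
    """Bits needed when each piece is guessed independently:
    log2 of the product of the per-piece choice counts."""
    return sum(math.log2(choices) for _, choices in structure)


# Small leet table (assumed).  Real cracker rule sets are larger, but each
# letter still has only a handful of alternatives, so the multiplier is small.
LEET = {"a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!",
        "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+"}


def leet_variant_count(word):
    """Spellings a rule-based attack must try to cover every LEET
    substitution of `word`; alternatives multiply per letter."""
    n = 1
    for ch in word.lower():
        n *= len(LEET.get(ch, ch))
    return n


def compare():
    """The figures from the thread, in bits, under each model."""
    return {
        "haystack_random": haystack_bits(RANDOM_PW),
        "haystack_padded": haystack_bits(PADDED_PW),
        "three_words_of_10k": wordlist_bits(3, 10_000),  # 10,000 ** 3
        "13_random_of_64": charset_bits(13, 64),         # 64 ** 13
        "padded_structure": structure_bits(PADDED_STRUCTURE),
        "leet_bits_King": math.log2(leet_variant_count("King")),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:>20}: {bits:6.1f} bits")
```

Both strings score identically (about 184 bits) under the haystack model because they use the same four character classes at the same length; the structure-guessing model puts the padded one near 80 bits with the assumed counts, and swapping K1ng for King buys only about 2.6 bits because there are just six leet spellings of that word in the table above. Changing the assumed counts moves the structured figure but not the conclusion that the two models disagree.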
As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers — a common approach) may cost a password cracking device a few more seconds; this adds little strength.
Well... I don't think any of us are NSA grade cryptologists...
I still like pwgen - it makes passwords of any length that are reasonably secure...
I think we've beaten this horse down - we've answered the OP's questions with a number of alternatives...
sfx
I think you are mistaken about how dictionary attacks gain efficiency over per-character brute-forcing. If your pass includes words, or any grouping, you lose entropy. Multi-word passwords are cracked just like single-word or multi-character passwords.
Humans suck at recognizing random. We need patterns. Humans are insecure, lol.
Multi-word passwords padded with special characters are not multi-word passwords. I can assure you that Steve Gibson's research on haystacks has been verified. There's a HUGE difference, when it comes to dictionary attacks, between "weakpassword" and "weak#password".