Jux said:
OneCatch said:
Aye, alphanumerics with no actual words, and random capitalization. I'm pretty paranoid about identity theft.
I should mention that in reality, this kind of password is no better than "Banana ice cream eating proves sufficient." In fact, it's more insecure in many ways. If you're trying to protect yourself from a person guessing a random word you like, that's not a real issue. Unless you use your pet's name, or something, of course - "marmalade" is not really different from "m4Rm/-\lD3"; they are both pretty difficult to guess. The difference is that the latter is a lot harder to remember and type, too. At the same time, a sentence is easy to remember, and really hard to guess. Pretty much impossible if you just throw in very little logic (externally; to you it may make more sense). If you're protecting yourself from a dictionary attack, then a sentence is pretty impossible to crack. Well, the same with a random collection of symbols...unless it happens to be a word in a different language[footnote]my university password policy is EXTREME in that regard, I managed to hit several words that were in other languages without even knowing...and the passwords were rejected... took me 20 minutes to find a suitable password that's not in (apparently) French, Czech, Welsh or who knows what else.[/footnote] but the sentence still wins in being easy to remember; you don't even need to further expose your password to risk by writing it down. Or you could, but you can also just include some memorable information: "What do I do in the summer?" or "Biceps" for an acronym. And if you're protecting yourself from brute force attacks, then a sentence is millennia away from being cracked as opposed to any shorter password. Literally millennia away, as it could seriously take 1000 years or more (in theory) of computation to crack it[footnote]Although if talking theory, it might be faster for a potential cracker to exploit Moore's Law, so, assuming the task would take 1000 years to finish, they can just wait 500, then get the new and better hardware available, and run it for only 250. 
Although, I think we can both agree, hackers rarely have so much free time. Also worth noting that they are more likely to get to a hash collision than just bruteforce a sentence. Though a hash collision is still pretty fucking hard to achieve.[/footnote]. If you're protecting yourself from a random person peeking over your shoulder, then just cover the keyboard with...anything. Anything really - your coat, your body, a box - whatever, anything would be better than increasing password complexity.
Thing is - if somebody is going to steal your password it wouldn't really matter for them if you had it as "2hL9qCPqryXFprg" or not. Well, unless they watch you type it, guess it, or use a dictionary attack/bruteforce, then they'll actually need the password. Option one is to snatch it in transmission by tapping your connection in some way, though passwords tend to be sent over securely, so "2hL9qCPqryXFprg" and "acknowledgement" (both are 15 characters, for the record) would look the same - jumbled and encrypted. Option two is to impersonate something, so you give them the password (mostly easy to avoid, though). And the final way to get the password is to steal it from wherever it's stored. The last one is the one you should beware of, and even then, password strength shouldn't matter one bit if the password storage is compromised. Worst case scenario is whoever kept your password was stupid and kept it in plain text. Do yourself a favour: if you know a website or service would send you back your original password if you use "forgotten password" (as opposed to offering to reset it to something else), absolutely do not trust the password you give them; make sure it's unique and never reuse it ever. If they can return the original password, it's either in plain text or otherwise not really secured. Competent services encrypt your password using a hashing function[footnote]for the record, that's a one-way encryption algorithm, so if text is hashed it can never be recovered. Hence one-way. In short, "password" the word, hashes to "5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8" (using SHA-256) and if you input "password" again next time you log in, it would hash to the same value. The service can then just keep the hash and not your actual password[/footnote] and include salt[footnote]it's just some random other info added to your password to make it unique. 
So if your user ID is 20 and you add that to the password "password", you get "password20" which hashes to "7535D8F2D8C35D958995610F971287288AB5E8C82A3C4FDC2B6FB5D757A5B9F8", while if a user with user ID 57 uses the same word for a password, their hash would be "5436508FB28E193DA4A51C675D96E1D412D5E2AB3E128E509A27EFCCFF2A9240", so you get two different entries; thus even at a glance a potential cracker wouldn't know which passwords are the same or not.[/footnote].
Thus your actual password strength plays no actual role in your security. Long password sentences are just as secure as "2hL9qCPqryXFprg" but easier to remember, easier to type and are just plain cooler overall.
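The hashing and salting described in the post's footnotes, as an added example that is not part of the thread: it reproduces the SHA-256 of "password" quoted above, applies the user-ID-as-salt scheme the post describes to two users, and contrasts it with a constructed variant that stores a random per-user salt beside the hash (the random-salt functions and the user IDs 20 and 57 are assumptions for illustration).

```python
import hashlib
import secrets
from typing import Optional, Tuple

# SHA-256("password") as quoted in the post, used as a reference value.
POST_HASH_PASSWORD = "5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8"


def sha256_hex(text: str) -> str:
    """SHA-256 of a UTF-8 string, upper-case hex as the post prints it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()


def salted_hash_userid(password: str, user_id: int) -> str:
    """The scheme the post describes: append the numeric user ID as the salt.

    Two users with the same password get different digests, but the salt is
    predictable, so anyone who knows the user ID can precompute guesses.
    """
    return sha256_hex(f"{password}{user_id}")


def salted_hash_random(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Constructed variant (not from the post): a random 16-byte salt.

    The salt is not secret; it is stored next to the digest so that the
    same password can be re-hashed at login time.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest().upper()
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    return salted_hash_random(password, salt)[1] == stored_digest


if __name__ == "__main__":
    print(sha256_hex("password") == POST_HASH_PASSWORD)      # True
    print(salted_hash_userid("password", 20))                # user 20's entry
    print(salted_hash_userid("password", 57))                # user 57's entry, differs
    salt, digest = salted_hash_random("password")
    print(verify("password", salt, digest), verify("Password", salt, digest))
```

In a real service a deliberately slow password hash (bcrypt, scrypt or Argon2) replaces plain SHA-256; the block uses SHA-256 only to match the numbers quoted in the post.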