The only way to do this is by making an educated guess on how the brute force algorithm works or probably works.
Let's say you were trying to crack a combination lock with 3 discs each with 10 notches for 0-9.
I would start with 000, 001, 002 and so on. Using my very complicated cracking algorithm, the code which would get cracked on the last attempt would be 999, therefore in this instance it's the strongest/safest.
We can assume a real algorithm wouldn't just increment through the numbers or work its way through the ascii table.
For example, with a 3 digit numeric code you're probably far better off trying 123, 000 and 111 before 001 when trying to crack it (common pin numbers).
This goes for other ASCII characters:
- lowercase is far more commonly used than uppercase in passwords (definitely)
- special characters are used far less than alphanumeric chars (definitely)
- special character "common substitutions" are more common than other special characters: s$, 4A@, i! (probably)
- 0, 1 and 9 are more commonly used than other numbers (seems likely)
Using the common password method "at least 8 characters including one uppercase letter, one special character and alphanumeric characters" I've created a random* very strong 8 character password of Fs9@lw$a.
My theory is that the following random* strong passwords would be progressively harder to crack.
- Fs9@k0$a (password)
- Fs9@k0$q (changed "a" to the least common letter in English "q")
- FS9@K0$q (convert lower to uppercase leaving 1 lowercase)
- FS5@K7$q (change common numbers to other numbers)
- FS5&K7?q (changed common special chars with other special chars)
- *%.&K7?q (replace uppercase with special char leaving 1 uppercase char)
- *%5&K7?q (replace numbers with special char leaving 1 number)
I am looking for a complete(ish) list of characteristics that a "brute force resistant" password should/n't have.
I would assume that at the top of the list would be the password length. For the example I only used 8 characters; ideally you would use the maximum allowed.
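
The "odometer" model from the post, as an added example that is not part of the original post: it computes where a password would fall if every string were tried shortest first and then in a fixed character order, so the effect of character choice can be compared with the effect of length. The character order (lowercase, digits, uppercase, substitution characters, other specials), the letter-frequency string and all function names are assumptions made for illustration.

```python
import string

# Assumed guess order, most to least commonly used, following the post's ranking.
# Placing digits before uppercase is this example's assumption.
LOWER = "etaoinshrdlcumwfgypbvkjxzq"   # approximate English frequency, 'q' last as in the post
DIGITS = "0192345678"                  # 0, 1 and 9 first, as in the post
SUBST = "$@!"                          # the post's "common substitution" characters
OTHER = "".join(c for c in string.punctuation if c not in SUBST)
ALPHABET = LOWER + DIGITS + LOWER.upper() + SUBST + OTHER   # 94 printable characters
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# The seven passwords listed in the post, in the post's order.
POST_PASSWORDS = ["Fs9@k0$a", "Fs9@k0$q", "FS9@K0$q", "FS5@K7$q",
                  "FS5&K7?q", "*%.&K7?q", "*%5&K7?q"]


def keyspace(length: int) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return len(ALPHABET) ** length


def guess_rank(password: str) -> int:
    """1-based attempt number at which `password` is reached when all shorter
    strings are tried first, then same-length strings odometer-style
    (leftmost character changes slowest), in ALPHABET order."""
    shorter = sum(keyspace(k) for k in range(1, len(password)))
    position = 0
    for ch in password:
        position = position * len(ALPHABET) + INDEX[ch]  # KeyError if not in ALPHABET
    return shorter + position + 1


def post_ranks() -> list:
    """Attempt numbers for the post's passwords under the assumed order."""
    return [guess_rank(p) for p in POST_PASSWORDS]


if __name__ == "__main__":
    for pw, rank in zip(POST_PASSWORDS, post_ranks()):
        print(f"{pw}  attempt {rank:>20,}  ({rank / keyspace(8):.1%} of the 8-char space)")
    longer = "e" * 9   # nine of the most common character
    print(f"{longer} attempt {guess_rank(longer):>20,}")
```

Under this assumed order the first six variants are reached progressively later, the seventh is reached earlier than the sixth because a digit replaces a special character in the third position, and any 9-character string is reached after every 8-character one.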