-2

Possible Duplicate:
XKCD #936: Short complex password, or long dictionary passphrase?

I've read that there are many solutions available to crack passwords.
Reading these tips, I can understand that:

  • a password like "I want to swin in the sea", even if long enough, is not a safe password because it can be cracked with a dictionary

  • a password like "az2+" is not safe because it's too short.

But what about the following passwords:

  • I want to swin in the sea az2+
  • I want to swin in the sea +
  • I w+ant to swin in the sea

Are these safe passwords?

Oliver

3 Answers

1

This is called "munging" and it is a good way to improve the quality of a password without making it much harder to remember.

It's generally not a great idea to add the extra characters in an obvious place, such as the beginning or end, or to consistently replace a particular character with a symbol. Since a dictionary attack is relatively fast, a smart attacker will also run it with the dictionary munged in a few simple ways.

Note that your initial passphrase choice of "i want to swim in the sea" is poor and can be easily improved - do that before munging. That's one of the advantages of passphrases, they are easier to remember even when more random - "I drill to sea in a chicken" is just as memorable, but much more resistant to dictionary attacks since it is almost certainly not to be found in any of the usual corpuses.

Graham Hill
-1

Simple solution: add a special character between every word. If you are bilingual, use every other word in a different language; I haven't heard of any rainbow table prepared this way.

Example: my#password@is#very@secure#duh

Bilingual example (English + Polish): moje@password#jest#very@bezpieczne#duh

Benefit: easier to remember than eRRe$#@as1!234errQa.!X

-1

If you are going to build a password out of dictionary words without any sort of modification then you have to think of each word as a character rather than the password's character length. "I want to swim in the sea" is 7 words, therefore is no stronger than a 7 character word. That's only true if the one cracking it knows that you are using straight dictionary words though. Of course "i want to swim in the sea" is 19 lower case characters so not strong even as a set of characters as the range of possible characters is very small. If you add special characters, numbers, and capitals to the mix it gets an order of magnitude harder to crack.

One method to make safe phrases is to substitute characters for words, or shorten words. "i want to swim in the sea" is much stronger as "iwtoswinthsea" even though it is shorter as it uses dictionary words as a basis rather than directly. Substitute some numbers for letters, add a special character or two, and use some capitals and you could get "1wnt2sw!minTS33" which is pretty strong.

GdD
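The answers above argue that a dictionary word counts as one symbol and that simple munging is also tried by attackers. The following estimator is an added example, not code from any of the posters, that scores a passphrase under that model; the sample word list, `DICT_SIZE`, `CHARSET` and the function name `guess_bits` are assumptions.

```python
import math

# Constructed sample: the words of the passphrase discussed above. A real
# check would load a full word list; DICT_SIZE is the size assumed for it.
WORDS = {"i", "want", "to", "swim", "in", "the", "sea"}
DICT_SIZE = 7776   # assumption: size of the attacker's word list
CHARSET = 95       # assumption: printable ASCII for non-word characters


def guess_bits(password, words=WORDS, dict_size=DICT_SIZE, charset=CHARSET):
    """Estimate guessing cost in bits when words count as single symbols.

    Spaces are treated as a predictable separator and case is ignored
    (both assumptions), so neither adds any cost in this model.
    """
    word_cost = math.log2(dict_size)
    char_cost = math.log2(charset)
    text = password.lower().replace(" ", "")
    max_len = max(map(len, words)) + 1  # longest word plus one inserted char
    best = [0.0] + [math.inf] * len(text)
    for end in range(1, len(text) + 1):
        # Option 1: the last character is guessed on its own.
        best[end] = best[end - 1] + char_cost
        for start in range(max(0, end - max_len), end):
            chunk = text[start:end]
            # Option 2: the chunk is a plain dictionary word.
            if chunk in words:
                best[end] = min(best[end], best[start] + word_cost)
            # Option 3: the chunk is a word with one character inserted;
            # the attacker pays for the word, the position and the character.
            if any(chunk[:k] + chunk[k + 1:] in words for k in range(len(chunk))):
                munged = word_cost + math.log2(len(chunk)) + char_cost
                best[end] = min(best[end], best[start] + munged)
    return best[-1]


if __name__ == "__main__":
    for candidate in ("i want to swim in the sea",
                      "i want to swim in the sea +",
                      "i w+ant to swim in the sea",
                      "az2+"):
        print(f"{guess_bits(candidate):6.1f} bits  {candidate}")
```

Under this model a symbol appended at the end adds about 6.6 bits and one inserted inside a word about 8.9; how predictable the phrase is as a whole (the point about corpuses) is not modelled.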