
Archive for the ‘Security’ Category

A Word About Passwords

Password Haystacks

If you’ve never heard of or listened to Security Now on the TWiT network, it’s a weekly netcast about security related topics. Recently, in Episode #303, Steve Gibson, of Gibson Research Corporation, the co-host of Security Now, spoke about password strength. An observation he makes is that it is very easy to make an incredibly strong password that is also easy to remember through the use of “padding.”

Gibson points out on his web site that D0g..................... is 95 times stronger than PrXyc.N(n4k77#L!eVdAfp9 as far as brute forcing goes, even though the stronger password is also the more easily memorable one. While the second password has much higher entropy (or randomness), an attacker (hopefully) wouldn’t have any knowledge of how you padded your password, so it makes little difference whether you add ++++++++ to your password, or ,7Hq3_9F, simply because an attacker would have to guess all possible combinations of characters in a brute force attack.

If you’re anything like me, you’re hanging your head in embarrassment for not thinking of this yourself.

On GRC there is a page called Password Haystacks where you can see a simple analysis of your password, and some estimated times for a brute forcer to crack different passwords:

Password Haystacks
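As an added example (my own code, not from the post or from GRC), here is the haystack arithmetic the page describes, in Python: the alphabet size follows from which character classes appear in the password, the search space sums every length up to the password's own, and the "95 times" gap between the two passwords above falls out of one extra character over a 95-symbol alphabet. The guess rate used for the time estimate is an assumed illustrative value, not a figure from the page.

```python
import string

# Character classes counted the way GRC's Password Haystacks page does
# (33 symbols = the 32 ASCII punctuation marks plus the space).
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Alphabet a brute forcer must assume, given the classes present.

    Raises ValueError for characters outside the four printable-ASCII
    classes, because the haystack model defines no alphabet for them.
    """
    unknown = [c for c in password
               if not any(c in chars for chars in CHARACTER_CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the haystack alphabet: {unknown!r}")
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every password up to this length over this alphabet."""
    base = alphabet_size(password)
    return sum(base ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker making guesses_per_second attempts."""
    return search_space(password) / guesses_per_second


# Constructed inputs: the two passwords compared in the text and the take-away pair.
PADDED = "D0g" + "." * 21            # 24 characters, all four classes -> alphabet 95
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"   # 23 characters, all four classes -> alphabet 95

if __name__ == "__main__":
    # Assumed illustrative offline rate: 100 billion guesses per second.
    for label, pw in (("padded", PADDED), ("random", RANDOM),
                      ("F0x", "F0x"), ("F0x padded", "F0x" + "*" * 15)):
        years = seconds_to_exhaust(pw, 1e11) / 31_557_600
        print(f"{label:10} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.3e} offline_years={years:.3g}")
    print("padded/random ratio:", round(search_space(PADDED) / search_space(RANDOM)))
```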

Take-away:
Change your password from F0x to F0x*************** so you can sleep better tonight.

References:
GRC’s Password Haystacks