#1
For example, if my password is q1111111111` will that be faster to crack than a randomly generated password of the same length? (Those keys are next to each other on my keyboard.) Can software available to the public discover how long a password is or whether it includes capital letters without actually finding it by brute-force?
__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie) Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.

#2
pajenn, perhaps you can use this Check your password — is it strong? to check different password combos. Also, review Password Recovery Speeds.
__________________
JR "You don't have to win every argument. Agree to disagree." Regina Brett

#3
Furthermore, a password easy to type doesn't necessarily have to be that simple. Yeah, of course, that implies some minimum of typing skill.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -

#4
I think pattern password symbol combinations were discussed in the privacy section some time ago.
Brute forcing any password using a word list is slow. Some things to speed up bruting include the most commonly occurring passwords and analyzing human behavior in password generation, then organizing the results into an ordered list of which to check first. A password like W#r56yuo0pLKv4e@axCF is 20 characters, uppercase, lowercase, numbers, and special symbols fulfilling the requirements for a strong password, but it is a pattern of connecting keys; does that make it easier to crack?
Edit: At the Microsoft password strength site, the above password is rated as "Strong". The password 'd8.K,~0PO^Jm;;}X4Zw generated at GRC is rated as "Best" by the Microsoft site.
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?
Last edited by Searching_ _ _ : January 7th, 2011 at 03:52 AM.

#5
"App1e5&Ca66a9e" (constructed from Apples&Cabbage) is also rated "strong" at MS. I rate it "easy" to type after about the 10th time, but that's just me.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -

#6
Quote:
I've always wondered about similar password construction (we use one at work just like that). If it were me looking to crack a password (not that I'd truly know where to start) I'd guess I'd start with a large dictionary attack, I could look at combining that into common phrases and groups of words and then also switch out words with possible symbols (all the "leet" speak ones 3=E, 4=A, 5=E, 9=g, and so on). Though that might produce quite a large extended dictionary type attack, I figure it would possibly save a lot of time and break a lot of these types of passwords, as a lot of it could quite easily be automatically generated. So I'd question that password (or its style) as "strong". I just tested that link myself with a password generated in LastPass: 8*3UgvPHd!v*Qb lists as strong also and is just as long, if it comes to rating passwords in that way.

#7
Quote:
Of course, I'm only talking very important passwords like a Windows local admin or bank account.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -

#8
John The Ripper includes options to make leet-speak permutations from a wordlist on the fly.
I'm pretty sure the same is possible using crunch to generate the wordlist. I recommend using http://www.passwordmeter.com/ to check password-strength - It's a very comprehensive open source JavaScript.
Last edited by raspb3rry : January 7th, 2011 at 02:28 PM.
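The keyboard-pattern and leet-speak points raised in posts #4, #6 and #8, as an added example that is not part of any post in this thread: a check, run when a password is chosen, that looks at two things a composition-only meter ignores. The wordlist, leet table and keyboard geometry are constructed assumptions, not taken from John the Ripper, crunch or passwordmeter.com.

```python
import itertools
import re

# Constructed sample wordlist; a real check would load a full dictionary.
WORDS = {"apple", "apples", "cabbage", "password", "security"}
# Assumed leet table: each symbol maps to the letters it commonly replaces.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "6": "bg",
        "7": "t", "9": "g", "@": "a", "$": "s", "!": "i"}
# US QWERTY rows with their horizontal stagger, in key widths.
ROWS = [("`1234567890-=", 0.0), ("qwertyuiop[]\\", 1.5),
        ("asdfghjkl;'", 1.75), ("zxcvbnm,./", 2.25)]
# Shifted symbols are typed on the same physical key as their base character.
SHIFT = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))
POS = {ch: (row, i + off) for row, (keys, off) in enumerate(ROWS)
       for i, ch in enumerate(keys)}


def walk_ratio(pw):
    """Fraction of consecutive characters typed on the same or a touching key."""
    keys = [POS.get(SHIFT.get(c, c.lower())) for c in pw]
    pairs = list(zip(keys, keys[1:]))
    hits = sum(1 for a, b in pairs if a and b
               and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1)
    return hits / len(pairs) if pairs else 0.0


def leet_words(pw, words=WORDS, limit=4096):
    """Dictionary words that appear once leet substitutions are undone."""
    found = set()
    # Tokens are runs of letters and leet symbols; anything else separates them.
    for tok in re.findall("[a-z" + re.escape("".join(LEET)) + "]+", pw.lower()):
        options = [LEET.get(c, c) for c in tok]
        combos = itertools.islice(itertools.product(*options), limit)
        found.update(w for w in map("".join, combos) if w in words)
    return found


def assess(pw):
    """Summarise what a composition-only meter does not look at."""
    return {"length": len(pw), "walk_ratio": round(walk_ratio(pw), 2),
            "leet_words": sorted(leet_words(pw))}


if __name__ == "__main__":
    # Passwords quoted in the thread above.
    for pw in ["q1111111111`", "W#r56yuo0pLKv4e@axCF", "'d8.K,~0PO^Jm;;}X4Zw",
               "App1e5&Ca66a9e", "8*3UgvPHd!v*Qb"]:
        print(pw, assess(pw))
```

A high `walk_ratio` or a non-empty `leet_words` list is a reason to reject a candidate password even when its length and character classes look fine.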
#9
Quote:
For me "easy" would be something that feels natural to type very quickly with your non-dominant hand and therefore would include consecutive keys on the keyboard, for example, 1234 or qwer or fdsa, which you can type by strumming your 4 non-thumb fingers on them in quick succession or by dragging one finger across them. Makes it easier when you have to type the same password multiple times a day.
__________________
Main machine: Samsung laptop, i7 QuadCore, 16GB RAM, SSD, USB3.0, Win7 Home Premium 64-bit (main), Mint 12.4 (linux newbie) Software: Comodo Internet Security, KeyScrambler, Keepass w/ Dropbox to sync, Sandboxie, Peerblock, Drive Snapshot, a2cmd, EasyBCD for custom boot, AutoHotkey.

#10
Try SHA1_Pass. It's free and open source. All you have to do is remember your sentences. http://16s.us/sha1_pass/
Just type your sentence(s) and select the SHA1 encoding you wish to use, then paste the password. For example, you might type "Wilders Security is awesome! Pumpkins are too."
Your hex encoded SHA1_Pass: 187c4043bcae4413da7340a2445385858cdb06aa
Or if you prefer Base64: GHxAQ7yuRBPac0CiRFOFhYzbBqo=
Cool, huh? You can reproduce the results with OpenSSL, Crypto++, sha1sum, etc. No secret sauce or vendor lock in. Try it.