Are passwords that are easy to type also easy to crack?

Discussion in 'privacy technology' started by pajenn, Jan 6, 2011.

Thread Status:
Not open for further replies.
  1. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    For example, if my password is

    q1111111111`

    will that be faster to crack than a randomly generated password of the same length? (those keys are next to each other on my keyboard)

    Can software available to the public discover how long a password is or whether it includes capital letters without actually finding it by brute-force?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,912
    Location:
    U.S.A.
  3. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Furthermore, a password easy to type doesn't necessarily have to be that simple. Yeah, of course, that implies some minimum of typing skill.;)
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I think pattern password symbol combination's were discussed in the privacy section some time ago.

    Brute forcing any password using a word list is slow. Some things to speed up bruting include most common occurring passwords and analyzing human behavior in password generation, then organize the results into an ordered list of which to check first.

    A password like W#r56yuo0pLKv4e@axCF is 20 characters, uppercase, lowercase, numbers, and special symbols fulfilling the requirements for a strong password, but it is a pattern of connecting keys, does that make it easier to crack?

    Edit:
    At the Microsoft password strength site, the above password is rated as "Strong".
    The password 'd8.K,~0PO^Jm;;}X4Zw generated at GRC is rated as "Best" by the Microsoft site.
     
    Last edited: Jan 7, 2011
  5. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    "App1e5&Ca66a9e" (constructed from Apples&Cabbage) is also rated "strong" at MS. I rate it "easy" to type after about the 10th time, but that's just me.
     
  6. ArtemisX

    ArtemisX Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    19
    I've always wondered about similar password construction (we use one at work just like that). If it were me looking to crack a password (not that i'd truely know where to start) i'd guess i'd start with a large dictionary attack, i could look at combining that into common phrases and groups of words and then also switch out words with possible symbols (all the "leet" speek ones 3=E, 4=A 5=E,9=g, and so on).

    Though that might produce quite a large extended dictionary type attack i figure it would possibly save alot of time and break alot of these types of passwords as alot of it could quite easily be automatically generated. So i'd question that password (or its style as "strong".

    I just tested that link myself with a password generated in LastPass 8*3UgvPHd!v*Qb lists as strong also and is just as long if it comes to rating passwords in that way.
     
  7. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    I'm in alignment with that. FWIW, I've used 14-18 digit randomly generated passwords too. It just takes 20 type-ins to make them "easy" rather than only 10.:argh: Of course, I'm only talking very important passwords like a Windows local admin or bank account.
     
  8. raspb3rry

    raspb3rry Registered Member

    Joined:
    Jun 8, 2010
    Posts:
    37
    John The Ripper includes options to make leet-speak permutations from a wordlist on the fly.
    I'm pretty sure the same is possible using crunch to generate the wordlist.

    I recommend using http://www.passwordmeter.com/ to check password-strength - It's an very comprehensive opensource javascript.
     
    Last edited: Jan 7, 2011
  9. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    For me "easy" would be something that feels natural to type very quickly with your non-dominant hand and therefore would include consecutive keys on the keyboard, for example, 1234 or qwer or fdsa, which you can type by strumming your 4 non-thumb fingers on them in quick succession or by dragging one finger across them. Makes it easier when you have to type the same password multiple times a day.
     
  10. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Try SHA1_Pass. It's free and open source. All you have to do is remember your sentences. http://16s.us/sha1_pass/

    Just type your sentence(s) and select the SHA1 encoding you wish to use, then paste the password. For example, you might type

    "Wilders Security is awesome! Pumpkins are too."

    Your hex encoded SHA1_Pass: 187c4043bcae4413da7340a2445385858cdb06aa

    Or if you prefer Base64: GHxAQ7yuRBPac0CiRFOFhYzbBqo=

    Cool, huh?

    You can reproduce the results with OpenSSL, Crypto++, sha1sum, etc. No secret sauce or vendor lock in. Try it.
     
Loading...
Thread Status:
Not open for further replies.