Article - How effective is a straight dictionary attack?

Discussion in 'other security issues & news' started by Hungry Man, Feb 1, 2012.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

At what password length do you figure cracking arrays start at? Wouldn’t you agree that the majority of people, the way it stands nowadays, use password lengths of 6-8 characters? It’s pretty much common knowledge 6-8 is by far the most common pw length, so does it not stand to reason cracking attempts are going to start at 6 characters or less then work their way up from there? By the time a cracking array exhausts all its attempts in the lower ranges from, say, 4-11 characters, in working its way up to 12 and higher, it doesn’t matter any more because 100s or 1000s of years, at least, have already passed!

A long, simple pw of 12 or more characters made up of maybe a couple special characters to enhance its complexity is by far better than one of 6-10 made up of every possible character type in an effort to achieve utmost complexity. That’s all Gibson is getting at and I agree with him. Look what happens when you use TrueCrypt to create, for example, an encrypted container and you use a pw of less than 20 characters; it advises in no uncertain terms that it’s too weak and recommends a longer pw. There’s a reason for that and it’s because pw length is more important – not the only factor, just more important – than pw complexity.

I fully agree that increasing its entropy with the use of all possible character types is best for absolute strength, but all I’m saying, as Gibson points out, is that it isn’t important as long as the length is substantial with a bit of special character padding to enhance it, because the cracking array starts with lower length attempts and takes countless years to work its way up to the longer lengths. Your “fear” example even proves this, and it had no special characters, nor numbers or upper case characters in it!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not advocating one or the other. Best to use both.

But no, a 12 character "simple" password isn't better than a 6 character "strong" password, let alone a 10 character "strong" password. In terms of bruteforcing and flat out number of combinations it takes way fewer characters.

    My "fear" example is somewhere around 30 characters iirc and I can create a 16 character password, which is very easy to remember, that'll take longer to crack.

    I'm not saying one is better than the other. But if I have 8 characters lower case and I add a space at the end I've just added 1 character per character that needs to be bruteforced.

    Like I said, it's best to employ both. I wouldn't say one is more "important" than another since as soon as you hit 10 (of any) characters you're very secure. They both work off of each other.
     
  3. wat0114

    wat0114 Guest

    Agreed, which is why I said
    Employing both is best, for sure. It's just that one doesn't have to get carried away with outright complexity in an effort to bolster its immunity to cracking attempts.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh I didn't read the bit about special characters. Yes, that would be very secure and in my opinion the ideal solution. Short, but not too short. Complex, but memorable.

    I think we agree.
     
  5. wat0114

    wat0114 Guest

    Yeah, and by special characters I'm not even including Alt key codes. Only ones like [ { > . * etc...
     
  6. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    You mean like
?? That's 12 characters, excluding the spaces.
    Password-entropy ?? Who gives a flying !"#¤ o_O
     
  7. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    There is however ONE password that isn't crackable :
    BRUCE SCHNEIER !
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    The only problem with expanding your character set beyond upper/lower case and numerals is that I've run into a number of important sites (e.g., several government ones, such as Revenue Canada's or Service Canada's "My Account") which flatly will not accept special characters in your password, and clearly say so on their registration/login pages. So my password is typically 8 characters, including mixed-case and numerals, and so far that seems to have been adequately secure.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
You have to bruteforce spaces as well. Every character in your character set has to be guessed once per character in your password. So for each character you either have to guess 26 or 52 or 94 depending on the character set.

    @Mike,

    Yep, that's sometimes an issue. Just about every service allows symbols but some won't. I don't know of a single service that prevents you from using numbers though but I do know some that aren't case sensitive.

    At that point the best you can do is make it long.
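The arithmetic behind posts 2 and 9 (character-set size per position, a space adding one symbol to the set, and shorter lengths being exhausted before longer ones), worked through as an added example that is not part of the thread. It models a pure exhaustive brute force with no dictionary or pattern knowledge, so the figures are an upper bound on attacker effort, and the guess rate it uses is a constructed placeholder rather than a measured number for any real cracking rig.

```python
# Added example: brute-force search-space arithmetic for the
# length-versus-character-set discussion above. Not from the thread.
import string

# The character classes the thread refers to: 26 lower, 26 upper,
# 10 digits, 32 punctuation marks (26 + 26 + 10 + 32 = 94).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
NAMED = "".join(CLASSES)

# Constructed placeholder rate; replace with a measured figure for real estimates.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Size of the set an attacker must assume, given which classes appear.

    Any character outside the four named classes (a space, an accented
    letter) adds one symbol each, which is the "add a space" effect
    Hungry Man describes.
    """
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    extras = {c for c in password if c not in NAMED}
    return size + len(extras)


def keyspace(alphabet: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over `alphabet` symbols."""
    return alphabet ** length


def cumulative_keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Guesses needed to exhaust every length from min_len up to max_len.

    This is the "start short and work upward" order wat0114 describes; the
    top length dominates the total because each extra position multiplies
    the count by the alphabet size.
    """
    return sum(keyspace(alphabet, n) for n in range(min_len, max_len + 1))


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string in `space` at `rate` guesses/s."""
    return space / rate / SECONDS_PER_YEAR


def compare(pw_a: str, pw_b: str) -> dict:
    """Exact-length keyspace for two candidate passwords, plus their ratio."""
    space_a = keyspace(alphabet_size(pw_a), len(pw_a))
    space_b = keyspace(alphabet_size(pw_b), len(pw_b))
    return {
        "a": space_a,
        "b": space_b,
        "a_over_b": space_a / space_b,
        "years_a": years_to_exhaust(space_a),
        "years_b": years_to_exhaust(space_b),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the 12-lowercase vs 8-full-set case is
    # the comparison the thread argues about.
    for a, b in [("horsebattery", "Tr0ub4d&"), ("horsebattery", "Tr0ub4d&r3")]:
        r = compare(a, b)
        print(f"{a!r} vs {b!r}: ratio {r['a_over_b']:.2f}, "
              f"{r['years_a']:.2f} vs {r['years_b']:.4f} years")
    # Adding one space to an 8-character lower-case password.
    print("27^8 / 26^8 =", keyspace(27, 8) / keyspace(26, 8))
```

Running it shows the point both posters make in different words: twelve lower-case letters (26^12) outnumber eight characters drawn from all 94 printable symbols (94^8) by a factor of about 15, while ten characters from the full set (94^10) outnumber the twelve lower-case letters again, so neither length nor character-set size wins on its own. The cumulative function also shows why an attacker that finishes every shorter length first is barely slowed by those lengths: the longest length accounts for nearly all of the total.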
     