What really is a strong password?

Discussion in 'privacy general' started by Eagle Creek, Oct 20, 2011.

Thread Status:
Not open for further replies.
  1. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Important example. The password looks very safe, but seems too weak (being cracked in only 2 hours).

    For the average user it's impossible to check their password against all attacking methods that are out there.

    If someone really would like to have your password (so I'm not talking about the random script kiddie who got access to some poorly protected database), they would probably be able to use the best techniques around.

    However, this isn't really "solving" the problem. A password like "519Don?utAlg!ebra72" might be very strong, but is very hard to remember. Of course you can use an application like KeeSafe, or write them down, but the most secure password is still only in one's head (at least, that's my opinion).

    X942,

    Have you tried cracking the password used in the comic? I'm very curious whether you would be able to crack that one too, since it doesn't have the variables "DonutAlgebra51972?" has, but does contain two more random words.

    If this indeed is as strong as said, it might be good advice to use these kinds of passwords.

    Also, I can imagine using sentences could get weaker over time since standard sentences would get recorded in advanced dictionaries, just like l33t-words for example.

    Really? Never saw this option before. I know about SSL, but not about 2 factor auth.

    Good! I also recently changed some of my most important passwords after viewing a live demonstration of cracking passwords which I thought would have been pretty safe. Every now and then a reminder keeps you focused.

    Just wondering: what kind of password are you using right now? A random gibberish one, or a combination of words like used in the comic?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Mine isn't in too dissimilar a format and it's fairly easy to remember.

    Dictionary attacks necessitate a need to break up at least one of our dictionary words.

    You could do DonutAlgebra51972!?

    easy to remember... and then simply

    D0nu7Algebra51972!?

    I personally use something more like that.

    If I were to do a truecrypt password and I considered the info on my computer critical it would be more like:

    591Donut!Algebra?Dinosaur72

    FYI doughnut is the proper spelling. I don't know if dictionaries often include misspelled words like donut =p

    I might consider changing it up a bit like:
    591Donut!Algebra?Dinosaur72

    59172Donut!Algebra?Dinosaur25917

    The idea is that I've taken three words I know and can easily remember. Two symbols, which are simple to remember. And a date that I remember but is not personal to me.

    All of these things are easy to remember. I then switch them around a bit and there's a password that is basically impossible to attack via web and will still be secure if a person is in front of the machine.

    I do not think that a dictionary attack would do so well against the last one. The words would HAVE to be in the dictionary first of all, and misspelling donut is gonna quite possibly kill that.

    IMO passwords are fairly weak verification but they're what we have to work with and they're one security mechanism where you pretty much just keep throwing things at it.
     
  3. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Password idea:

    ifyoujustmakeareallylongstringofwordsidoubtitcouldbecracked

    Translation of above: "If you just make a really long string of words I doubt it could be cracked."

    That's 16 words, 60 characters total. Even though it's all lower-case alpha, I imagine it would still take an astronomical amount of time to crack something like that. The only weakness, I suppose, is if it's an easily-guessable phrase.

    Even still, I always prefer to incorporate uppercase, numerals, and/or special characters into long passphrases. It doesn't necessarily have to be random per se... it just has to be unpredictable. The goal is basically to "stump" the cracker by going against the normal patterns of human behavior. It just requires some outside-of-the-box thinking. :)
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://www.cyber-junkie.com/tools/bruteforcecalc/index.php?uc=0&lc=50&nu=0&sc=0&ran=0&rans=0&dict=0
     
  5. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    It actually only comes out as 'strong'

    But on the Brute Force Calculator it says:
    So, I guess the MS checker ain't so bad, or they are both inaccurate?
     
  6. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    This is a really good thread. I too have changed my password method.

    Going to use a few of either my favourite or most loathed hardware component part numbers as the basis with a few symbols and/or emoticon keystrokes thrown in for good measure.
     
  7. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    That brute force calculator on cyber-junkie.com seems buggy. Apparently, there are only five (5) words in the English language dictionary. :p

    Huh o_O
     
  8. COMPYPY

    COMPYPY Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    80
    Sometimes a password like abcdefg is good enough, and even a mixed 50-character password can get stolen.
    By my definition, the password that does not get cracked or stolen is the best password.
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    In the cartoon in the first post, the password "correct horse battery staple" (including spaces) would take over 7 billion years to crack, according to my password manager.
    Without the spaces the password is cracked within 11 hours.

    I like those kinds of passwords, but Hotmail only uses the first 16 characters, unfortunately.

    Using only 16 characters (planes horses staple) the password is cracked in 1 hour.
     
    Last edited: Oct 21, 2011
  10. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    Just thinking about this, my ISP doesn't allow me to use characters or symbols in my password, which I think is kind of crazy.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Use a physics or math formula as a passphrase and make a few spelling errors and logic errors on purpose:

    EG

    {The square of the hypotheses} = {the som of the squares of the other three sides}
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I'd say 1337 and proper grammar (spaces, capitalization, punctuation, etc.) works well compared to their ease of use.
     
  13. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
  14. x942

    x942 Guest

    Long quote LOL but I will answer as best as I can.

    1) A password like "519Don?utAlg!ebra72" would not be crack-able by dictionary attack unless the attacker knew your method (where you put symbols). An easy way to break a dictionary attack would be to use a password like "Donut519Algerbra72?" Simply adding numbers in between words defeats a dictionary attack as it would take forever to guess the right words + numbers + order. Tacking numbers on the end isn't strong as all I have to do is have the attack go through every word and then every word with the numbers added on one at a time (i.e. Dog then Dog1 then dog2 and so on).

    2) You can use something like KeePass or keysafe as long as you use a VERY strong password for it. That way you only need to remember one password and not 20. I use LastPass with a strong password and Yubikey for extra security. Everything is encrypted with AES 256-bit so without the password (which only YOU have) no one can access the data. KeePass allows for keyfiles as well.

    3) The comic: The password is strong... against a brute force, NOT a dictionary attack. Something to take into account with the examples people always use. The truth is the method is sound but the example is not. I would do two words + number/symbol + two words + optionally another number or symbol.

    4) I know you were asking Hungry Man but I will add in that I use random passwords. I use LastPass to generate passwords for websites (and use the max length they allow; 30 or so is the norm). The ones for offline/encryption are all at LEAST 64 chars, completely random and only memorised.

    You have a great system at work. I would only like to add that the common misspelled words were in my dictionary (donut). My dictionary is a huge dictionary based off of scraping every word off Wikipedia and several similar sites. If you google for it you may find it (I can't link as I am having trouble finding it :( ).

    I like using two factor authentication with Google, PayPal and LastPass. My own server uses it too. Yubikey is an awesome system. There are also keyfiles, Google Authenticator (open source), RSA tokens (well maybe not :p ) and many more options that are far better, if used with a password. I trust long passwords and a second factor. Mainly because as long as I can remember the password and it's strong no one is getting in :D
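Pulling together the attacker models argued about in this thread (x942's brute force versus dictionary distinction, Hungry Man's point that a misspelt word falls outside the dictionary, and moontan's 16-character truncation), here is an added Python estimator that is not code from the thread or any of its posters. The word list, its assumed size of 100,000 entries and the assumed rate of 10 billion guesses per second are constructed assumptions for illustration.

```python
import math

# Constructed stand-in for a cracking dictionary. The real list is assumed
# to hold WORDLIST_SIZE entries; that size sets the cost of one word guess.
WORDLIST = {"correct", "horse", "battery", "staple", "algebra",
            "dinosaur", "doughnut", "planes", "horses"}
WORDLIST_SIZE = 100_000
CHAR_CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
                (lambda c: not c.isalnum(), 33))  # space + ASCII punctuation

def char_bits(ch: str) -> float:
    """Bits to brute-force one character drawn from its own class."""
    for test, size in CHAR_CLASSES:
        if test(ch):
            return math.log2(size)
    return math.log2(33)

def brute_force_bits(password: str) -> float:
    """Keyspace bits if every position may hold any symbol of any class
    present in the password: what a simple strength meter reports."""
    alphabet = sum(size for test, size in CHAR_CLASSES
                   if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if password else 0.0

def dictionary_bits(password: str) -> float:
    """Greedily segment the password into the longest known words. Each
    word costs log2(WORDLIST_SIZE) bits; every unmatched character is
    brute-forced, so a misspelt word stays expensive to guess."""
    low, i, bits = password.lower(), 0, 0.0
    while i < len(low):
        word = max((w for w in WORDLIST if low.startswith(w, i)),
                   key=len, default=None)
        if word:
            bits += math.log2(WORDLIST_SIZE)
            i += len(word)
        else:
            bits += char_bits(password[i])
            i += 1
    return bits

def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years at an assumed guess rate (half the space on average)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def as_stored(password: str, limit: int = 16) -> str:
    """Model a service that silently keeps only the first `limit` chars."""
    return password[:limit]
```

Rating `as_stored(password)` rather than the password itself shows why moontan's 28-character phrase collapses to "correct horse ba" at Hotmail, and comparing `dictionary_bits("donut")` with `dictionary_bits("doughnut")` shows the cost a misspelling adds under this model.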
     