Comments on: I Can Guess Your Password

By: ferrarislave

ferrarislave — Thu, 05 Apr 2007 05:58:56 +0000

Use SSH keys, problem solved!

By: Nick Mercer

Nick Mercer — Wed, 17 Jan 2007 05:29:44 +0000

Thats something that always amazed me was password simplicity and how easy people would over look such a major flaw in network security. I worked for Department of Defense from when I was 16 until I was 19 years old and worked as a IT Technician. Daily we had policies given to us to re-assign group policies and restrictions on passwords, but even when I left, a password such as “password12!@” was considered strong. How is this?

When I run clients networks, the users might complain about a password such as 0M$DA@@oo00&# but when they don’t have people stealing their data daily I don’t really here to many complaints.

Any password is breakable as said above, but it comes down to how hard users / businesses want to make it more secure.
-Nick

By: TerminalDigit

TerminalDigit — Wed, 17 Jan 2007 03:01:08 +0000

I never said weak. Just not particularly stronger. Want strength? Increase the length of the password or the size of the character set. Simply scrambling harder is not as effective.

By: david

david — Tue, 16 Jan 2007 21:36:33 +0000

Ilya,

Your method requires either leaving the home-row or using the weakest finger (pinky) to get down to the arrow keys. Either slows you down and makes it complicated to type. Its not that your passwords are weak, its that its too complicated, which leads to people reverting to a weak password.

By: Ilya Lichtenstein

Ilya Lichtenstein — Tue, 16 Jan 2007 21:31:51 +0000

It’s true that dictionary attacks try leet, as well as two sequential words with a special character in the middle. Care to explain how my method leads to weak passwords? The example I used was short for ease of explanation, but what about tpuorrbcohe (porche turbo)? Show me a password cracker that can break that easily.

By: TerminalDigit

TerminalDigit — Tue, 16 Jan 2007 20:51:01 +0000

Sorry it appeared, now. Strange.

By: TerminalDigit

TerminalDigit — Tue, 16 Jan 2007 20:50:23 +0000

Bingo. I wrote something to this effect, but I think this blog ate my comment.

By: TerminalDigit

TerminalDigit — Tue, 16 Jan 2007 20:49:07 +0000

99p0rsch3turbo is not an unbreakable password. Many dictionary attack algorithms know all about l33t-speak, compound words, and leading/trailing numbers. In fact, there is no such thing as an unbreakable password because brute force will always break your password–it’s just a matter of how long it will take. For some reason, there have been a lot of stories on digg and elsewhere from people who think that all of a sudden they’ve found the perfect way to create a memorable, unbreakable password. Easier to remember, sure, but neither this method nor the one in the article you linked creates a particularly stronger password (unless you weren’t planning on using numbers at all in your original password). Your best bet is to take a few minutes and just memorize something like :U*..Q/I%D~_sq(A1sJ53s]GqrJc;T. It’s not really that hard. Most people dismiss it as too difficult without even trying. I can do it in about 5 minutes, and it sticks.

By: Null

Null — Tue, 16 Jan 2007 20:40:11 +0000

As has been previously discussed at length, this is a very common technique, and consequently is added to dictionary attacks, providing not as much good as you’d expect.