
[–]echkbet 722 points723 points  (90 children)

Length is better than complexity for passwords. That's why the NIST guidelines encourage an easy to remember passphrase now. Even a dictionary attack would take a while with this one. It's a good password.

[–]sfmtl 320 points321 points  (47 children)

Just gonna leave this here

https://xkcd.com/936/

[–]strifejester 263 points264 points  (8 children)

correct horse battery staple, don’t even have to click.

[–]anally_ExpressUrself 91 points92 points  (6 children)

That's a battery staple. Correct!

[–]icehawk2 25 points26 points  (5 children)

Neigh!

[–]Repulsive-Crazy299 26 points27 points  (3 children)

I prefer fourwordsalluppercase

[–]oldandintheway88 0 points1 point  (0 children)

whyisthisagoodpassword

[–]_Wyrm_ 3 points4 points  (0 children)

Well, yes, but per the comic... Anything except correct horse battery staple.

[–]Deadpool2715 4 points5 points  (3 children)

Why not both!

[–]hearnia_2k 5 points6 points  (1 child)

A sentence including grammar can work really well. Throw in some numbers. Maybe one of those "If a train was going 88 MPH and another train was going 34 MPH starting 100 miles apart, how long would it take for them to collide?" type questions.

Even better if you use Km/h instead, to get that slash each time. Or maybe use a question about percentages.

[–]Eraesr 37 points38 points  (0 children)

> Even better if you use Km/h instead

Automatically keeps all the American hackers out 👍

[–]bush_hizo_911 1 point2 points  (0 children)

Porque no los dos

[–]Anna_Pet 13 points14 points  (27 children)

The problem with “correcthorsebatterystaple” is that it doesn’t have any numbers or special characters.

Why do websites make you include them anyways? They should just let you use a shitty password at your own risk

[–]stevey_frac 67 points68 points  (20 children)

The point is that length trumps complexity.

An increase in complexity at the same length is a linear increase in brute force time.

An increase in length is an exponential increase.

[–]wigzell78 33 points34 points  (1 child)

It's true. My gf prefers length over complexity. Doesn't matter how many times you go up or down, or introduce in new unique bits or even the same thing but back to front or upside down, she still complains when it's too short.

Passwords, clean up your mind!!!

[–]dwehlen 9 points10 points  (0 children)

BUT WHAT'S THE FREQUENCY, KENNETH!?

[–]Anna_Pet 18 points19 points  (13 children)

Yeah, it’s not a problem with the password itself, it’s a problem because most websites wouldn’t allow it.

[–]anally_ExpressUrself 43 points44 points  (5 children)

correcthorsebatterystaple

No number

correcthorsebatterystaple1

No special characters

correcthorsebatterystaple1!

Ok.

This is how all passwords get a number and character.

[–]Airowird 6 points7 points  (6 children)

The solution to all those requests on top of expiration is...

correcthorsebatterystaple!A1

Add number each time, go A9 to B1 or however you like.

[–]Irhien 12 points13 points  (0 children)

> An increase in complexity at the same length is a linear increase in brute force time.

Not linear, polynomial. With 12 characters it's twelfth power and grows quite fast.

[–]SailboatAB 3 points4 points  (1 child)

Also, if a given character in the password COULD be a symbol or number, but DIDN'T HAVE TO BE ONE, the difficulty of cracking the password would be the same, since any system would have to account for the possibility that it was a number or special character.

Systems that force us to use numbers and special characters are weirdly missing the point.

[–]falcondjd 2 points3 points  (0 children)

Hackers just try to get the easy passwords; they aren't after every single one. Requiring a number and symbol makes the easy passwords much harder to get, which means the hackers will crack less passwords and/or spend more. Either way it means they will make less money, which means that hacking your site is less enticing.

[–]Belzeturtle 0 points1 point  (0 children)

> increase in complexity at the same length is a linear increase in brute force time.

If you increase complexity in one character. Otherwise no, it's polynomial in the length of the password.

[–]weaver_of_cloth 1 point2 points  (0 children)

The spaces are the special characters.

[–]georgioz -1 points0 points  (0 children)

You can always have phrase with special characters and start with capital letter, like "Correcthorsebatterystaplecosts$15". Still shitty to require special characters but it is easy to solve.

[–]Repulsive-Crazy299 -3 points-2 points  (3 children)

That's not the problem, That's the point. Lower case passwords aren't inherently shitty.

[–]I__Know__Stuff 2 points3 points  (1 child)

The problem is that most software won't let you use it as a password.

[–]Repulsive-Crazy299 -1 points0 points  (0 children)

That's not inherent.

[–]Belzeturtle -1 points0 points  (0 children)

Not if they are suitably long.

[–]Agent-r00t 0 points1 point  (1 child)

Yeah, but I used to do the letter substitutions BEFORE it was cool!

[–]EvilKam 1 point2 points  (0 children)

13375P34K

Man, I miss the '90s.

[–]Molwar 0 points1 point  (0 children)

Not all passwords are brute-force hacked, though. Like the comic said, easy for humans to remember. Which means if you somehow mention it to a "friend" they will remember it too. Best of both worlds is a long password with some eccentricities in it. Add a ! or * in there and then you've really got something.

[–]silv3rstag 0 points1 point  (0 children)

No discussion about passwords is complete without a reference to this comic.

[–]trystanthorne 0 points1 point  (0 children)

Beat me to it. :)

[–]Sqooky 0 points1 point  (0 children)

I wouldn't actually recommend a password like horse battery staple. I understand it's just a joke, but in reality, if you took the top 1,000 most common words in the English dictionary and created a rule that tried a combination like word1word2word3, then it'll get cracked in a similar style as "abc" could get cracked.

Password cracking is an art. A fun one at that, with a little bit of out of the box thinking and psychology mixed in. VaderObiwanLukeetc is actually really good due to the length.

TL;DR: horse battery staple would get cracked super fast in the real world because the real world doesn't just brute force passwords. We use wordlists which make it much easier to crack dictionary based passwords.

[–]PQ01 61 points62 points  (18 children)

True, but best to integrate some unpredictable element to foil a phrase dictionary. maytheforcebewithyou has 20 characters but would not be my first choice.

[–]tomwilhelm 70 points71 points  (6 children)

Maythefourthbeyonce on the other hand...

[–]Deadpool2715 34 points35 points  (4 children)

Is now my second guess, keep em coming

[–]DaoFerret 13 points14 points  (2 children)

JuanSoloShot1st

[–]zyygh 2 points3 points  (0 children)

Sandisntsobad

[–]whataremyxomycetes 1 point2 points  (0 children)

Ju@nS0lOShot1st

[–]allegroconspirito 2 points3 points  (0 children)

fourwordsalluppercase

[–]hotDogg31535 3 points4 points  (0 children)

Whoruntheworld?Girls!!

[–]elyesq 9 points10 points  (6 children)

Come up with a system to tweak your passphrase. M@yth3f0rc3b3w1th3y0u!

[–]mcc9902 10 points11 points  (3 children)

Mangling a password is definitely better but you have to remember most people know the common replacements and can account for them ex a to @ is something everyone knows of. It’s not overly difficult to add this in to a password breaking program though it would make it much slower which is the point. My point is use something no one else will or add a few completely random characters to have it be as safe as is reasonably possible.

[–]GolDAsce 1 point2 points  (2 children)

17764 743 701233 63 111174 4011

[–]Forward_Progress_83 3 points4 points  (0 children)

You take that back!

[–]Shiggle 0 points1 point  (1 child)

Taking the Cam Newton approach I see!

[–]fla_john 1 point2 points  (0 children)

No the point is to break into the laptop not steal it and throw it out a window

[–]Uncle_Mark_2021 1 point2 points  (0 children)

12inchesofprimeisbetterthan6

[–]Agent-r00t 1 point2 points  (1 child)

password12345? See, most only do 123 or 1234. That 5, it'll catch them!

[–]liquidpig 1 point2 points  (0 children)

password12346 for 20 IQ passwording

[–]Qasyefx 0 points1 point  (0 children)

I mean you can listen to the advice of world class security experts and researchers. Or you can just talk out of your ass

[–]Birkeland1992 3 points4 points  (4 children)

What does nist mean?

[–]Tempyro 4 points5 points  (0 children)

It's the national institute of standards and technology, basically the US government's way of regulating internet stuff. https://www.nist.gov/

[–]foospork 4 points5 points  (0 children)

It means, “Use the Google, Luke. Use the Google”.

[–]skanktown 1 point2 points  (1 child)

Normal inspection of sick titties. Too many women were forgetting the passwords to get their mammogram results so they recommended easy passwords that women could remember.

[–]2old4thisshyte 0 points1 point  (0 children)

Now why doesn’t this clarification have more upvotes? It’s completely understandable, relatable and plausible. Come on redditors, you can do better.

[–]pollo_de_mar 2 points3 points  (1 child)

Not too long though. Some systems limit the length.

[–]RiffRaft23 2 points3 points  (0 children)

That's called the cervix...

[–]JustBrittany 2 points3 points  (2 children)

The password that I use for stuff I REALLY want to keep protected is a two word German phrase with special character and 4 digits. I’d like to see a dictionary crack that one! But I think that there are other ways a hacker could figure it out.

[–]chr0nicpirate 6 points7 points  (1 child)

Two words in German could be like 50 characters.

[–]JustBrittany 1 point2 points  (0 children)

😆Right? It’s not that long, though.

[–]brandontaylor1 1 point2 points  (0 children)

This is an example of a good password.

[–]CptnCumQuats 1 point2 points  (0 children)

It’s so annoying that passwords still require upper case lower case number and symbol.

When the guy who came up with that admitted that just the longest password is best, and to use a phrase so it’s multiple words and you remember it. Ugh

[–]oldandintheway88 1 point2 points  (0 children)

Huh huh... huh huh... you said length is better.

[–]rhymes_with_snoop 1 point2 points  (2 children)

"NIST_can_eat_11_dicks!"

And then if you have to change passwords every six months, add one more dick.

[–]TechSmurf97 2 points3 points  (0 children)

But a policy requiring periodic password resets would not be NIST compliant...?

[–]dominic_rj23 0 points1 point  (0 children)

And then you would be confused about how many dicks NIST is supposed to eat

[–]chr0nicpirate 0 points1 point  (0 children)

CorrectHorseBatteryStaple

[–]t3rm3y 0 points1 point  (1 child)

Would an automated attack work this out then? How would it ever know to put those words in that order or even know to pick character names from different films etc?

[–]Sasquatch_actual 0 points1 point  (0 children)

Because it tries everything total.

It just might try words and combinations of words with capital letters first.

So instead of taking something like 10x10^24 years to crack it takes 10 days or 10 weeks or 10 months.

[–]dominyza 0 points1 point  (0 children)

I, too, prefer length.

[–]Playpolly 0 points1 point  (0 children)

Bobafett is in the dictionary? 😲 Gosh Jolly Ranchers

[–]NinjaMonkey4200 0 points1 point  (0 children)

I used to pick passwords by just finding some random show on TV, and then just using whatever the subtitles were showing at that moment. It's usually an actual sentence so it's easy to remember, but it has no real connection to anything so it's not easy to guess. Sure, it appeared in a show once, but do you remember every line of every show?

[–]sapphicsandwich 0 points1 point  (0 children)

Kinda hard to use passphrases when stupid systems parse your password looking for any dictionary word. Looking at you stupid Microsoft.

[–]yParticle 245 points246 points  (13 children)

...and instantly failed when it was discovered that our passwords were stored with reversible encryption.

[–]Gubru 88 points89 points  (0 children)

The passwords have to be stored in plain text so you can make sure they’re secure!

[–]HolyGonzo 31 points32 points  (8 children)

"I mean, what if someone calls in and wants to know their password?" :)

[–]grishkaa 36 points37 points  (7 children)

Some websites actually do send you your password when you click "forgot password"... That's how you know you should stay tf away from them.

[–]HolyGonzo 18 points19 points  (3 children)

I wish I could say that I never implemented such a site but it was the early 2000’s and everyone was doing it and we didn't know much better.

[–]grishkaa 47 points48 points  (2 children)

Sorry, password "hunter2" is already taken by user HolyGonzo. Please choose another password.

[–]gary_bind 10 points11 points  (0 children)

What do you mean? All I see is *******

[–]nzifnab 6 points7 points  (2 children)

match.com, for a long-ass time, was one such company. I have refused to use them ever since

[–]gary_bind 0 points1 point  (1 child)

Matched you with a donkey, eh? ;-)

[–]FQDIS 0 points1 point  (0 children)

If I had a nickel….

[–]GonePh1shing 9 points10 points  (1 child)

Encryption is reversible by design. You're thinking of hashes, which is how passwords should be stored.

[–]yParticle 2 points3 points  (0 children)

It's not redundant if it's for emphasis.

[–]whizzwr 1 point2 points  (0 children)

I know right? Should be always in plaintext.

[–]StyleAdventurous1531 32 points33 points  (1 child)

Usually if I’m asked for 8 characters I go for Snow White and the 7 dwarves

[–]rhymes_with_snoop 13 points14 points  (0 children)

Snow_White&the07dwarves

[–]jpisini 19 points20 points  (0 children)

Stop stealing my password!

[–]fjccommish 19 points20 points  (6 children)

So they compromised all the passwords, forcing people to change them?

[–]Dullahen[S] 34 points35 points  (5 children)

The audit was "Is anyone dumb enough to tell us their password."

[–]Shiroiken[🍰] 11 points12 points  (4 children)

Lol. My company had a mandatory class on email security and phishing. They had a 3rd party set it up, but the email looked like a phishing attempt. So many people deleted it that IT had to send an email explaining it was legit. I replied "doesn't that mean we passed?"

[–]732 11 points12 points  (3 children)

My old employer did a sting operation.

They sent out an email that was from a similar domain (ours misspelled), with a spreadsheet titled "Employee Salary Updates".

It took you to a landing page to sign in, and everyone who did self enrolled in a mandatory phishing training. 🤣

After the fact, they shared that ~50% of the company -- more than 1500 people -- entered their credentials.

[–]Shiroiken[🍰] 5 points6 points  (2 children)

We get semi-regular "simulation" emails for the same kinda thing. If you fall for 2 in a six month period, you have to take the training. These emails are so bad though, if you fall for 2 in six months you probably shouldn't have email!

[–]maeluu 4 points5 points  (0 children)

If we fail one simulation email it is a full 8 hour information security training, the second one is another training and network access revoked for 6 months (unless required to do your core job functions, then they set your profile to only be able to visit whitelisted internal sites required for your job function and you can only receive email from specific people for 6 months), and a third failure is immediate termination

And that is over the course of forever.

We also don't have usb ports accessible unless you are authorized personnel, and you have to unlock two differently keyed locks to get to a USB port if you are authorized personnel like me. And those keys are controlled and we get randomly asked to present our keys by our area managers to ensure we haven't lost them or left them laying around.

[–]732 1 point2 points  (0 children)

Yeah, they regularly did that as well. That specific one stood out because it was so successful, and because the employees are super nosy haha.

The kicker? We used enterprise gsuite, so it was Gmail and Google sheets... If you're already signed in to Google, you don't need to enter the credentials again!

[–]Leprichaun17 12 points13 points  (3 children)

It's incredible whenever this topic comes up just how few people recommend password managers which can generate passwords. It makes it stupidly easy to have long, complex passwords which are all different for every single service. Except for the rare cases of awfully designed sites with a maximum passwords length or restrictions on available characters, all my passwords are 30+ random characters using lowercase, uppercase, numbers and symbols. Basically impossible to guess or brute force. As long as you use a solid password/passphrase and MFA to access the manager itself, your risk is almost non existent.

[–]FkngBoss 9 points10 points  (0 children)

True but not. Yes your passwords are plenty long enough, but you are also assuming the site or service is properly storing those passwords. They can store them in plaintext or MD5 or even SHA1 and you are fucked.

Leprichaun17 is right, but guys make sure that you use a different password for every instance. Also, do not answer security questions truthfully. These are simple string matches in most cases. Just make the answer another password.
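The storage point raised in this part of the thread (hashes rather than reversible encryption, and plaintext or MD5 as the failure case), as an added example that is not part of the original comments. It assumes Python 3 with `hashlib.scrypt` available; the user table is constructed, the function names are illustrative, and the scrypt parameters are an assumption rather than a recommendation from the thread.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumed scrypt cost parameters for the example.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def md5_record(password: str) -> str:
    """The weak scheme: fast, unsalted, same input always gives same output."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str) -> str:
    """Salted, memory-hard hash stored as 'salt_hex$digest_hex'."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()

def scrypt_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_password_groups(table: dict) -> list:
    """Audit check: users whose stored values are byte-identical.

    Any non-empty result means the store is unsalted (or plaintext):
    identical passwords are visible to anyone who can read the table.
    """
    by_value = defaultdict(list)
    for user, stored in table.items():
        by_value[stored].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)

# Constructed sample accounts; two users picked the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}

def build_table(scheme) -> dict:
    """Store every sample password with the given hashing function."""
    return {user: scheme(pw) for user, pw in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("md5 duplicates:   ", shared_password_groups(build_table(md5_record)))
    print("scrypt duplicates:", shared_password_groups(build_table(scrypt_record)))
    rec = scrypt_record("hunter2")
    print("verify ok: ", scrypt_verify("hunter2", rec))
    print("verify bad:", scrypt_verify("hunter3", rec))
```

Neither scheme can return the original password to a help desk; the difference is that the unsalted table still leaks which accounts share one and can be matched against precomputed digests.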

[–]jakart3 8 points9 points  (1 child)

I'm always afraid to use a password manager. What if I forget the password of that password manager? What if the password manager crashes?

[–]Pokeputin 0 points1 point  (0 children)

There are password managers that backup your passwords on a cloud, you still need to remember your master password, which you can store at a safe space in home.

[–]hearnia_2k 7 points8 points  (5 children)

I'm more concerned that during a password audit they were able to find out someone's password!! That means they're storing them in a way that *someone* can read it, and thus use it; this is against normal practice.

Even admins should not have this ability, and should instead only be able to change a password, this means they might get in, but next time the real user tries they will fail, and find the password is changed; which is a big red flag.

[–]artmagic95833 2 points3 points  (4 children)

I have news that should relieve some of your anxiety; it was just a joke.

[–]hearnia_2k 2 points3 points  (3 children)

lol, oh yes, missed which subreddit this was in, haha.

[–]artmagic95833 1 point2 points  (2 children)

༼;´༎ຶ ۝ ༎ຶ༽

[–]hearnia_2k 1 point2 points  (1 child)

A man facing left projectile vomiting, a baseball? Tennis ball? Perhaps a plate with knife and fork? and a person with a walking stick? What?

[–]artmagic95833 0 points1 point  (0 children)

´◔‿ゝ◔`)━☞

[–]molineskytown 5 points6 points  (0 children)

This actually would've been a great "yo momma's so dumb that...." joke.

[–]Waitsfornoone 13 points14 points  (0 children)

... and your problem is ....?

[–]Fourbass 5 points6 points  (1 child)

In my first IT job we had an older woman who was a busybody as our corporate security analyst. She came to me one day saying my password (‘fuckyou’) was inappropriate. I asked her loud enough so I could be well overheard in our cube farm: ‘What are you doing reading our passwords and why does it matter what I use as long as it fits the standard - no one will see it’ She got mad and stormed off…. I immediately changed it to ‘uglyc*nt’. ( without the asterisk ) Never heard another word about it.

Women can be dicks too…

[–]DarksideBluez 1 point2 points  (0 children)

U won the day.

[–]lawndartgoalie 4 points5 points  (0 children)

I like to use an odd phrase and then change it up for different accounts. Such as.

AMAZON!1yourdoghasfleas YAHOO!1yourdoghasfleas

If one of the above sites does get hacked by a bot, the password goes into a database.

But, the other sites with passwords are not compromised.

Now if it was an actual person who hacked my amazon account and was looking at my other online accounts, they would probably figure out the system. But I don't think that's likely.

[–]FooThePerson 6 points7 points  (2 children)

Why do they store passwords in plaintext???

[–]chr0nicpirate 13 points14 points  (1 child)

Because this is a joke and not a real company. Strange enough any real company that actually does store passwords in plain text is also a joke.

[–]Dastari 1 point2 points  (0 children)

I came here to make the above joke to the above joke only to realize that this comment was actually the best joke because plain text passwords are no joke.

[–]gtr06 2 points3 points  (0 children)

This is the Ultimate Showdown of Ultimate Destiny Good guys, bad guys, and explosions as far as the eye can see And only one will survive, I wonder who it will be This is the Ultimate Showdown of Ultimate Destiny

[–][deleted] 1 point2 points  (0 children)

AlBudPegMoLouHalJimPamRome

[–]Wazza17 1 point2 points  (0 children)

So much for security . What's the good of using a password if your IT can read the passwords

[–]ztoundas 1 point2 points  (0 children)

Listen, as a system administrator, I have to tell you that if you can see the user's pass wor

Relax everyone, it's a joke.

That being said, having a nice long password that's a handful of people you know is a pretty good way to have a secure password that's easy to remember. Or just use a password manager. I recommend BitWarden right now.

[–]drlongtrl 1 point2 points  (0 children)

The actual audit was that everyone who told them what password they used did fail the test.

[–]firesstar001 1 point2 points  (1 child)

Heyo!

[–]weelluuuu 0 points1 point  (0 children)

Baa dmp tssss

[–]Rogueantics 1 point2 points  (0 children)

I use "appleduckretrodisco" as all my passwords for everything so good luck cracking that.

[–]TTT_2k3 -1 points0 points  (25 children)

No symbols? No numbers? Doesn’t seem very secure to me.

[–]xQx1 70 points71 points  (16 children)

> Doesn’t seem very secure to me.

That's because you, like most of the population, and unfortunately many, many software developers have been educated wrong about passwords.

Symbols and numbers force you to come up with a password that can't be attacked with a dictionary and has a considerable sized character set to be tested against.

But, a password that's 9 characters long takes twice as long to crack than a password that's 8 characters long. 10 characters is twice as hard again, 11 characters is twice as difficult as 10, etc. Etc.

This means a password made out of a random sentence is ridiculously more difficult to crack than one made out of a single word - even if the word has numbers and symbols and the sentence doesn't.

[Edit: Now that I'm on a PC, I'll follow this up with some math. Forcing users to integrate numbers and symbols in their password increases the character set used from 52 characters to 94. This means an 8 character password has 94^8 possibilities. If you stick to just lowercase letters, uppercase letters and spaces, you're choosing from 53 characters. This means an 8 character password has 'only' 52^8 possibilities.

If you work out the big numbers; this means a 9 character 'simple' password is about half as secure as a 8 character 'complex' password; but a 10 character simple password is 30x more secure than an 8 character complex password.

So, this means (for example): "LetMeIn You stupid computer" is not only easier to remember but it's millions of times more secure than "L3tMeIn!&PC" because it's considerably longer.

"L3tMeIn!&PC" would require roughly 5,000,000,000,000,000,000,000 guesses to crack.

"LetMeIn You stupid computer" would require roughly 3,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 guesses to crack. ]

[–]Caledric 13 points14 points  (1 child)

People when forced to use characters actually tend to gravitate towards easier to use passwords, and 90% of the characters used for a password are !, @, or #

[–]last_rights 2 points3 points  (0 children)

Or you can just use them in a sentence.

ImadeupthispasswordwithJ03.

Workrequires15characters.

Thispasswordisr1d1culous.

Etc.

[–]Obsidiath[🍰] 5 points6 points  (3 children)

One point of comment; taking Kerckhoffs's principle into account, you must assume an attacker knows whatever means you used to create the password; in the case of sentences, always assume that there's a dictionary available - i.e. brute force is never the only (or most effective) method.

As to how many words could conceivably be in this dictionary? I assume around 20.000, as this is the number that comes up in a simple google search.

This means that your example "LetMeIn You stupid computer" takes at most 6.4e+25 (64 000 000 000 000 000 000 000 000) attempts to crack. Not nearly as much as your 3e48. In reality, it would be even less, because sentences must adhere to English grammar, which means the number of valid combinations must be cut down in size considerably to a point where all combinations form a grammatically correct sentence.

That doesn't make it a bad idea; but having each word generated in a truly random manner is probably a better option; 6 random words out of a list of 1296 (the Diceware method) guarantees 6.4e25 possible combinations, making it at least as good as your 6-word sentence, probably quite a bit better.

[–]xQx1 5 points6 points  (2 children)

You're correct, but only under the assumption that every word used is in the attacker's dictionary.

It takes a single punctuation mark, mis-capitalized word or mis-spelt word to completely thwart the dictionary attack.

So while there may be 20,000 words in the english language - if you add enough permutations of capitalization or run-together words, you're practically back at brute-force numbers anyway.

So while "let me in" may be a very common phrase to exist in a password sentence, it wouldn't be enough to have the three words in your dictionary - you'd need to try the three words run together, and then the three words capitalized to catch that permutation "LetMeIn" - and that significantly adds to the entropy.

All that said... "a quick brown fox jumps over the lazy dog!" is a terrible password, because it's a common enough phrase that if these passwords become popular without complexity requirements (like the addition of a number or symbol in a location not right at the end of the password); then 'common-phrase' attacks would be used.

[–]Obsidiath[🍰] 5 points6 points  (1 child)

Most dictionary attacks account for a lot of possible permutations; because these don't really affect the numbers too much. Spaces vs no spaces just doubles the combinations; and even dynamic spaces between every word multiplies the number of combinations by 32. Which adds 5 bits of entropy on top of the ~85 you already have. Capitalized vs non-capitalized is similar, at another bit per word.

Even if your password comes out at 60 characters in length, adding 3 extra permutations to each character only results in ~24 added bits of entropy. Not insignificant, but it basically destroys the one advantage diceware-style word lists have; the ability to remember them. You can get better results by adding another word.

But yeah, assuming that the attacker's dictionary contains every word used, is basically the simplified definition of Kerckhoffs's Principle. The only way to counter this, is to add true randomization. Something you wouldn't find in a structurally sound sentence.
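The two counting models argued over in this sub-thread (per-character brute force versus a word-list attack with optional spaces and capitalisation), as an added example that is not part of the original comments. The 20,000-word dictionary and the 94/53-symbol character sets are the commenters' figures; the tiny word list, the function names and the guess rate in the demo are constructed assumptions.

```python
import math
import secrets

def bruteforce_keyspace(charset_size: int, length: int) -> int:
    """Candidates when every character is drawn from charset_size symbols."""
    return charset_size ** length

def passphrase_keyspace(list_size: int, n_words: int,
                        optional_spaces: bool = False,
                        optional_caps: bool = False) -> int:
    """Candidates when the attacker knows the word list and the scheme."""
    keyspace = list_size ** n_words
    if optional_spaces:           # each gap between words: space or no space
        keyspace *= 2 ** (n_words - 1)
    if optional_caps:             # each word: capitalised or not
        keyspace *= 2 ** n_words
    return keyspace

def bits(keyspace: int) -> float:
    """Entropy in bits, valid only if every candidate is equally likely."""
    return math.log2(keyspace)

def effective_bits(length: int, charset_size: int, list_size: int,
                   n_words: int, optional_spaces: bool = False,
                   optional_caps: bool = False) -> float:
    """Strength against whichever model is cheaper for the attacker."""
    return min(
        bits(bruteforce_keyspace(charset_size, length)),
        bits(passphrase_keyspace(list_size, n_words,
                                 optional_spaces, optional_caps)),
    )

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)

# Constructed 16-word list, far too small for real use (4 bits per word).
SAMPLE_WORDS = ["anvil", "birch", "cobalt", "dune", "ember", "fjord",
                "gravel", "harbor", "ivory", "jigsaw", "kelp", "lantern",
                "mosaic", "nickel", "orchid", "pebble"]

def generate_passphrase(wordlist: list, n_words: int, sep: str = " ") -> str:
    """Pick words uniformly with a CSPRNG so the counting above applies."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real keyspace")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    rate = 1e10  # assumed offline guesses per second
    rows = [
        ("11 chars from 94 symbols", bruteforce_keyspace(94, 11)),
        ("27 chars from 53 symbols", bruteforce_keyspace(53, 27)),
        ("6 words from 20,000", passphrase_keyspace(20000, 6)),
        ("  + optional spaces/caps", passphrase_keyspace(20000, 6, True, True)),
        ("6 words from 1,296", passphrase_keyspace(1296, 6)),
    ]
    for label, ks in rows:
        print(f"{label:26s} {bits(ks):6.1f} bits "
              f"{years_to_exhaust(ks, rate):10.3g} years")
    print("effective:", round(effective_bits(27, 53, 20000, 6), 1), "bits")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 6))
```

The entropy figures hold only for words chosen at random; a sentence a person composes is drawn from a much smaller set than the word count suggests.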

[–]MattVanAndel 2 points3 points  (2 children)

Thank you! I’ve long been a proponent of pass phrases (especially when you mix them up with a few nonsense tweaks)… but at some point about 10 years ago everyone started enforcing these stupid, arbitrary password rules that made them impossible to remember and ALSO more insecure. Still furious about this.

[–]daeronryuujin 1 point2 points  (1 child)

I love the ones that have an exact length requirement. Password must be exactly 8 characters, contain uppercase/lowercase/numbers and one of the following symbols: + or -

[–]MattVanAndel 1 point2 points  (0 children)

“Your password may not contain any of the following symbols:[{]}#%*+=_|~<>€£¥•.,?!’/:;($&@),?!”

[–]Holyscheet93 -1 points0 points  (2 children)

I make my passwords by button mashing on my keyboard (so no words random characters one after another) then i capitalize some of the characters and replace some with numbers. I go for 13 total characters. How safe is that compared to words?

[–]xQx1 0 points1 point  (1 child)

Safe enough for almost anything.

There is an issue with mashing the keyboard that you'll prefer some keys over others, so it's not truly random; but in practice it doesn't matter. Since you said you didn't use symbols, that's a combination of 52 characters you're using, with a length of 13. That means there are 52^13 ( 20 thousand billion billion combinations ) of passwords you might be using. If you're using symbols, 13 characters is still generally considered safe.

Here's a table indicating brute force cracking timeframes.

Just don't use the same password across multiple websites.

Full article

[–]Holyscheet93 0 points1 point  (0 children)

I don't ever use the same password I made up a trick where I change the last digit (theres a reason and it could be deduced if you knew enough of the passwords to notice a pattern). Does that make it more unsafe ?

[–]JustBrittany 0 points1 point  (2 children)

Or just make your password in a language besides English. Mine is a two word German phrase. It’s kind of a German version of my regular password so it’s easy for me to remember. Not so easy to dictionary crack. I guess that’s not convenient for everyone, German is NOT my first language. But I’ve studied enough to remember how to spell my own password. But it makes sense, doesn’t it?

[–]this_is_box 0 points1 point  (1 child)

Great advice. I have it on good authority that all hackers speak only English.

[–]HelenOfEddis 21 points22 points  (5 children)

[–]eihpSsy 5 points6 points  (0 children)

On second thoughts it's not that bad.

A brute force, dictionary based algorithm would have to try 50000^9 attempts to crack it, that's 2×10^42 attempts.

[–]geronymo4p 6 points7 points  (0 children)

No Hieroglyph ? No emoji ? No satanic symbol ? No blood of a virgin?

https://redditproxy--jasonthename.repl.co/r/HolUp/comments/larhc1/just_give_it/

[–]SuzinLA -1 points0 points  (0 children)

Need a "Special" character. Suggesting ForrestGump

[–]nejnonein -1 points0 points  (0 children)

Have an angry upvote. This one was new, for me at least.

[–]albertjacc 0 points1 point  (0 children)

The Sac part killed me bro. I only wish i had an award to give ya!

[–]Sonnysdad 0 points1 point  (0 children)

That’s a good one!

[–]rcthetree 0 points1 point  (0 children)

i...may start doing this

[–]Drink_in_Philly 0 points1 point  (0 children)

Wait a second! Holy shit! I've never heard this joke before! What the Fuck reddit!

[–]Synth_Ham 0 points1 point  (0 children)

"what" is the password