
Best way to make an uncrackable passphrase, using What3words


Comments

  • theoldmiser
    theoldmiser Posts: 102 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    km1500 said:
    remember, if you consider an offline dictionary attack (eg someone is trying to get into your encrypted word document) then a three-word password is equivalent to a three-character password

    you should not use words you should use random letters and numbers

    No, a three word password is not equivalent to a three character password.

    There are about 100 characters that the average person will use (at most 255).

    There are tens of thousands of words that What3Words uses.

    Therefore we are talking about at least
    50,000 x 50,000 x 50,000 combinations.

    In fact, What3Words has 57 TRILLION different 3m squares on its map of Earth, so that's how many combinations there are - then add on the extra, simple passphrase that you add to the end, and you have an uncrackable password.
  • theoldmiser
    theoldmiser Posts: 102 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    edited 16 July 2023 at 2:48PM
    The most important thing in a passphrase is its length, not using 'Capital letters, numbers, and symbols', like you so often hear.

    So a passphrase such as
    "responded impressed licks Theoldmiser444"

    is uncrackable due to its length.

    Actually that is not correct either. As km1500 mentions a dictionary attack could eventually crack 3 words in a much shorter time than you anticipate (measurable in days or weeks).  However you are actually using 6 words and some numerics which would take significantly longer.

    There are still weaknesses in your suggestion though - the biggest of which is that you have had to write something down. You could strengthen the password by interjecting characters between the words (symbols or (e.g.) the 4th letter of the previous word) and adding random mixed case e.g. resPondeDPimpreSseDrliCks@Theoldmiser444$$.

    Alternatively you could mangle the words e.g.  resPimpRlicKondeDesseDs@OldTheMi444ser  (makes it a bit more difficult though).

    These will cause a dictionary attack to fail and are as good as random characters with the added advantage of memorability and less of an issue if written down.


    Show me a website that suggests that any of the What3Words word combinations are easy to crack. You say "measurable in days or weeks."

    Passwordmonster.com doesn't agree with you.
    For example, "grand inch supper" it says will take 78 years to crack.
    Dictionary attacks become more and more time consuming the more words you use.
    There is no weakness whatsoever in writing a password down. If you can remember more than two or three of your passwords, then you are either a genius, or your passwords are too short to be secure.
    You don't have to mingle the words, you just have to use MORE of them. There is no need whatsoever to make your passwords as complicated as you have suggested.
    You act as if a 'dictionary attack' is some kind of magic that doesn't become incredibly more time consuming to complete every time you add just one word.

    I showed you how to make uncrackable passwords, and proved it with Passwordmonster.com.

    "potato bucket visit Theoldmiser444"  24 trillion years to crack.
    "nodded judge mild Theoldmiser444" 387 trillion years to crack.

    Or try
    "potato bucket visit Theoldmiser444"  - centuries to crack
    "nodded judge mild Theoldmiser444" - centuries to crack

    Or try
    "potato bucket visit Theoldmiser444" - It would take a computer about 9 tredecillion years to crack your password
    "nodded judge mild Theoldmiser444" - It would take a computer about 9 tredecillion years to crack your password


    Or try

    https://password.kaspersky.com/

    "potato bucket visit Theoldmiser444"  - Your password will be bruteforced with an average home computer in approximately... 10,000+ centuries
    "nodded judge mild Theoldmiser444" - Your password will be bruteforced with an average home computer in approximately... 10,000+ centuries


  • theoldmiser
    theoldmiser Posts: 102 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    edited 16 July 2023 at 2:55PM

    SteveJW said:
    I look round the home and use three names I can see
    For example at the moment
    FriendshipsCoffeeGeralgine

    Add the time and a couple of special symbols, so end up with

    $FriendshipsCoffeeGeralgine1040#

    Wonder how long that would take to crack

    Then use a password manager to store my passwords

    Steve


    Steve, you don't need to use the numbers or special symbols, it's much easier and more secure to just add a few more words.
  • SteveJW said:
    I look round the home and use three names I can see
    For example at the moment
    FriendshipsCoffeeGeralgine

    Add the time and a couple of special symbols, so end up with

    $FriendshipsCoffeeGeralgine1040#

    Wonder how long that would take to crack

    Then use a password manager to store my passwords

    Steve

    Any reason not to use the password manager to generate a password for you? 
  • theoldmiser
    theoldmiser Posts: 102 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    The other reasons for not using special characters are that
    a) It makes your passphrase impossible to remember - if the passphrase is long enough to be uncrackable, and
    b) it makes it more likely that if you write your passphrase down (by hand), that you won't be able to read the special character in the future.

    Using a password manager is 'putting all your eggs in one basket'.
    For example, LastPass was hacked:

    Nobody is going to hack into your physical address book, which is sitting on your desk, or on a bookshelf, or which you hide inside another book, etc. I have searched and searched online, and I can't find a SINGLE case of a burglar stealing somebody's password book from their house, and then using the passwords to steal from them.
    (Of course, most people don't write their passphrases down, because the idiotic advice we read everywhere is "don't write your passwords down", without any reasons given. So most people's passwords cannot be uncrackable, precisely because they have to memorise them, and thus they end up making short, insecure passwords, and they reuse them on different sites (which I agree is a bad idea), because who can remember 200 different passwords?)

    If you have to use a passphrase at work, you can still write it/them down - I am presuming you don't need more than two or three passphrases, so write them down and store them on a card that you keep in your wallet. If you lose your wallet, you'll know that you've lost it, and then you can contact your I.T. department immediately and get them to reset all your passwords. Or store them on a small card that you keep on your keyring.

    But for home use, where you probably have scores of different accounts, writing down passphrases is the best thing to do - it means you can make passphrases that are so long (and therefore so secure) that you can't remember them. It means that you don't need to reuse passphrases on different websites.

    Now, obviously passphrases for some websites that you visit are much more important than for other websites:
    1) Banking, email, Paypal, Ebay, Amazon, Facebook, Twitter, and anywhere else you can buy things. These websites need your most secure passphrases. If you log into your email every day, you will soon learn your passphrase by heart, if it uses my method.
    2) Forums and everything else - maybe your passphrases here don't need to be so secure - but you only have to add another word or two to a three word phrase to make it uncrackable - if it isn't already uncrackable. So why bother? Just use the method I described in my first post for everything, write down all of your passwords in an address book, hide it on a bookshelf if you want to (burglars aren't going to steal books when they break into your house), or just under a cushion, then get it out when you are on the computer. Simple.

  • theoldmiser
    theoldmiser Posts: 102 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    edited 16 July 2023 at 3:19PM
    Even Microsoft give bad advice:


    "Easy for you to remember but difficult for others to guess."

    This is the sort of confusing and unhelpful advice that billions of people are given all the time.

    "Or just a hint...

    Rather than writing down your password, consider writing down a hint that reminds you of what the password is. So if your password is "Paris4$pringVacation" you could write down "Your favorite trip." "


    If you can remember most of your fifty or more passphrases like that, then the passphrases probably aren't any good in the first place.  Note how it uses the dollar sign instead of an 'S'. All unnecessary.




  • cerebus
    cerebus Posts: 677 Forumite
    500 Posts Name Dropper
    km1500 said:
    remember, if you consider an offline dictionary attack (eg someone is trying to get into your encrypted word document) then a three-word password is equivalent to a three-character password

    you should not use words you should use random letters and numbers
    I've already tried telling the OP this but he doesn't listen and instead sends me abusive private messages.
  • cerebus
    cerebus Posts: 677 Forumite
    500 Posts Name Dropper
    It's not worth anybody's time trying to reason with the OP, he doesn't listen

    His last thread on this very subject got deleted cause he told the world how he sets his passwords up and therefore making himself very vulnerable to being hacked

    This thread will probably go the same way to protect the OP 
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    I think my post was a bit confusing in that I did not make it clear I was talking about password length

    so for example supposing you have decided that you want a 15 character length password

    then it is much better to have 15 random characters than say three 5-letter words


  • cerebus
    cerebus Posts: 677 Forumite
    500 Posts Name Dropper
    km1500 said:
    I think my post was a bit confusing in that I did not make it clear I was talking about password length

    so for example supposing you have decided that you want a 15 character length password

    then it is much better to have 15 random characters than say three 5-letter words


    Again you're correct, any half decent computer could do a dictionary attack and crack a three worded password very quickly (especially when the three words are guaranteed to be in the dictionary), the OP is under the mistaken impression that it is only the length that makes a password hard to break (no password is uncrackable) but you can't tell him it's a combination of what the password contains and its length which makes it hard to break.
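
An added worked example, not written by any poster in this thread: it puts the figures quoted above (57 trillion What3Words squares, a 50,000-word list, about 100 usable characters) on one scale, and shows why a per-character strength meter and a scheme-aware estimate disagree about the same three words. Assumptions: the attacker knows the three words come from a What3Words address, the offline guess rate of 1e10 per second is illustrative only (real rates depend heavily on the hash), and the personal suffix is not modelled.

```python
import math
import string

W3W_SQUARES = 57 * 10**12  # "57 TRILLION" squares, figure quoted in the thread
WORDLIST = 50_000          # per-word list size used in the thread's estimate
CHARSET = 100              # "about 100 characters", also from the thread
RATE = 1e10                # ASSUMPTION: offline guesses per second

def bits(keyspace):
    """Entropy in bits of a uniformly random choice from `keyspace`."""
    return math.log2(keyspace)

def meter_keyspace(password):
    """Per-character model of a simple strength meter: alphabet ** length."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(password)

def avg_crack_seconds(keyspace, rate=RATE):
    """Expected time to reach the right guess: half the keyspace at `rate`."""
    return keyspace / 2 / rate

def equivalent_random_chars(keyspace, charset=CHARSET):
    """Uniformly random characters needed to match `keyspace`."""
    return math.ceil(bits(keyspace) / math.log2(charset))

def words_needed(target_bits, wordlist=WORDLIST):
    """Independently chosen random words needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist))

def compare(sample="grand inch supper"):  # sample passphrase quoted in the thread
    return {
        "meter_bits": round(bits(meter_keyspace(sample)), 1),
        "scheme_bits": round(bits(W3W_SQUARES), 1),
        "scheme_avg_seconds": avg_crack_seconds(W3W_SQUARES),
        "scheme_as_random_chars": equivalent_random_chars(W3W_SQUARES),
        "words_to_match_15_random_chars": words_needed(15 * math.log2(CHARSET)),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Under these assumptions the character model credits the sample with roughly 100 bits while the address space it was drawn from holds under 46, which is about seven random characters' worth: more than three characters, and far short of fifteen.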