Best way to make an uncrackable passphrase, using What3words

Comments

  • IvanOpinion
    IvanOpinion Posts: 22,536 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    The most important thing in a passphrase is its length, not using 'Capital letters, numbers, and symbols', like you so often hear.

    So a passphrase such as
    "responded impressed licks Theoldmiser444"

    is uncrackable due to its length.

    Actually that is not correct either. As km1500 mentions, a dictionary attack could eventually crack 3 words in a much shorter time than you anticipate (measurable in days or weeks).  However you are actually using 6 words and some numerics, which would take significantly longer.

    There are still weaknesses in your suggestion though - the biggest of which is that you have had to write something down. You could strengthen the password by interjecting characters between the words (symbols or, e.g., the 4th letter of the previous word) and adding random mixed case, e.g. resPondeDPimpreSseDrliCks@Theoldmiser444$$.

    Alternatively you could mangle the words e.g.  resPimpRlicKondeDesseDs@OldTheMi444ser  (makes it a bit more difficult though).

    These will cause a dictionary attack to fail and are as good as random characters with the added advantage of memorability and less of an issue if written down.


    Show me a website that suggests that any of the What3Words word combinations are easy to crack. You say "measurable in days or weeks."

    Passwordmonster.com doesn't agree with you.
    For example, "grand inch supper" it says will take 78 years to crack.
    Dictionary attacks become more and more time consuming the more words you use.
    There is no weakness whatsoever in writing a password down. If you can remember more than two or three of your passwords, then you are either a genius, or your passwords are too short to be secure.
    You don't have to mingle the words, you just have to use MORE of them. There is no need whatsoever to make your passwords as complicated as you have suggested.
    You act as if a 'dictionary attack' is some kind of magic that doesn't become incredibly more time consuming to complete every time you add just one word.

    I showed you how to make uncrackable passwords, and proved it with Passwordmonster.com.

    "potato bucket visit Theoldmiser444"  24 trillion years to crack.
    "nodded judge mild Theoldmiser444" 387 trillion years to crack.

    Or try
    "potato bucket visit Theoldmiser444"  - centuries to crack
    "nodded judge mild Theoldmiser444" - centuries to crack

    Or try
    "potato bucket visit Theoldmiser444"  - It would take a computer about 9 tredecillion years to crack your password
    "nodded judge mild Theoldmiser444" - It would take a computer about 9 tredecillion years to crack your password


    Or try

    https://password.kaspersky.com/

    "potato bucket visit Theoldmiser444"  - Your password will be bruteforced with an average home computer in approximately... 10,000+ centuries
    "nodded judge mild Theoldmiser444" - Your password will be bruteforced with an average home computer in approximately... 10,000+ centuries


    I think you need to reread my post. What I said was
    "As km1500 mentions a dictionary attack could eventually crack 3 words in a much shorter time than you anticipate (measurable in days or weeks).  However you are actually using 6 words and some numerics which would take significantly longer."

    However your assertion that 
    "grand inch supper" will take 78 years to crack is false. These days that could be cracked in less than an hour (although more likely to be measured in hours).
    https://paul.reviews/passwords-why-using-3-random-words-is-a-really-bad-idea/

    Writing any password down is a significant weakness in any system, however there are much easier ways of getting other people's passwords.

    In the main I agree with you that length is one of the most important factors (if not the most important factor), but these days shorter passwords of random characters can be just as effective, and you should avoid using only dictionary words (hence why your adding TheOldMiser444 at the end helps). However if someone figures out your root phrase (which is doable) then within minutes they could have access to all your passwords that use that phrase.

    BTW most of the time I can remember any password (min 16 characters, and only a small number of duplicates) without using a password manager or writing them down. I also know my main bank account number/sortcode and credit card details, and, most of the time, I can remember my other bank account and card details (but falter some times if I have not used the account in the last year or so).
    Past caring about first world problems.
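The crack-time figures traded back and forth above (hours versus 78 years versus trillions of years for the same three words) all come from the guess rate the checker silently assumes. The script below is an added example, not code from the thread or from any of the sites quoted in it, that makes the arithmetic explicit. Everything in it is an assumption chosen for illustration: a 40,000-word list (the thread never states the What3words list size), an attacker who knows the scheme and enumerates only that keyspace, and two guess rates, 1e10/s for a fast unsalted hash such as MD5 or NTLM on a GPU rig and 1e4/s for a salted, deliberately slow hash such as bcrypt.

```python
"""Keyspace and crack-time arithmetic for the passphrase schemes argued over above.

Added example, not code from the thread. Every number here is an assumption made
for illustration: a 40,000-word list, an attacker who knows the scheme, and two guess
rates (fast unsalted hash on GPUs vs. a slow salted hash). The online checkers quoted
in the thread do not say which rate they assume, which is why they disagree so wildly.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
FAST_HASH_RATE = 1e10   # assumption: unsalted MD5/NTLM on a multi-GPU rig
SLOW_HASH_RATE = 1e4    # assumption: bcrypt/scrypt/Argon2 at a sensible cost factor


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords when each of `length` positions is drawn uniformly from
    `alphabet_size` symbols. One word from a 40,000-word list is one symbol."""
    return alphabet_size ** length


def bits(size: int) -> float:
    """Entropy in bits of a password chosen uniformly from a keyspace of `size`."""
    return math.log2(size)


def seconds_to_exhaust(size: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every candidate. Expected time is half this."""
    return size / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("seconds", 1.0), ("minutes", 60.0), ("hours", 3600.0),
             ("days", 86400.0), ("years", SECONDS_PER_YEAR)]
    name, div = units[0]
    for unit_name, unit_seconds in units:
        if seconds >= unit_seconds:
            name, div = unit_name, unit_seconds
    value = seconds / div
    return f"{value:.2e} {name}" if value >= 1e6 else f"{value:.1f} {name}"


def schemes(word_list_size: int = 40_000, printable_ascii: int = 95) -> dict:
    """Keyspace of each scheme discussed in the thread, under the stated assumptions."""
    three_words = keyspace(word_list_size, 3)
    return {
        "3 random words": three_words,
        "6 random words": keyspace(word_list_size, 6),
        # A fixed suffix reused on every site adds nothing once one breach reveals it.
        "3 words + fixed suffix the attacker already knows": three_words,
        # The suffix helps only while it is secret; here 4 unknown random lowercase letters.
        "3 words + 4 secret random lowercase letters": three_words * keyspace(26, 4),
        "12 random printable ASCII characters": keyspace(printable_ascii, 12),
        "16 random printable ASCII characters": keyspace(printable_ascii, 16),
    }


def crack_table(rates=(FAST_HASH_RATE, SLOW_HASH_RATE)) -> list:
    """One row per scheme: entropy and worst-case time at each assumed guess rate."""
    rows = []
    for name, size in schemes().items():
        rows.append({
            "scheme": name,
            "bits": round(bits(size), 1),
            "seconds": {rate: seconds_to_exhaust(size, rate) for rate in rates},
        })
    return rows


if __name__ == "__main__":
    for row in crack_table():
        times = ", ".join(f"{human_time(s)} at {rate:.0e}/s"
                          for rate, s in row["seconds"].items())
        print(f"{row['scheme']:<52} {row['bits']:>6.1f} bits  {times}")
```

Under these assumptions three words from a 40,000-word list is about 46 bits: under two hours against a fast unsalted hash, but two centuries against bcrypt, so both "less than an hour" and "centuries" can be true of the same passphrase depending on how the site stored it. Six words is about 92 bits and out of reach at either rate, and a suffix that the attacker has already learned from another breach contributes nothing at all.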
  • goodValue
    goodValue Posts: 464 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    I must admit to being confused about the details of a Dictionary attack.
    If a website login page was repeatedly given an incorrect password it would surely cut out after a few failures.
    So is the Dictionary attack only for those occasions when a company's system has been compromised, and the hacker has a copy of the password database?

    If so, isn't this only a small percentage of the login situations?

  • theoldmiser
    theoldmiser Posts: 100 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    km1500 said:
    I think my post was a bit confusing in that I did not make it clear I was talking about password length

    so for example supposing you have decided that you want a 15 character length password

    then it is much better to have 15 random characters than say three 5-letter words



    It is, but why would you decide that you want a 15 character password?
  • theoldmiser
    theoldmiser Posts: 100 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    IvanOpinion - I presume brute force attacks only take place once an attacker has managed to 'break into' a system, rather than trying to guess an individual user's password by trying to log in using their email address and a guessed password, over and over again?

    I didn't advocate just 3 words, I showed 3 words AND an extra 'password' such as 'Theoldmiser444' added to the end of every What3Words 3 word combination that you used.

    You could just as easily use 6 words from What3Words and make your password even more secure.

    I would be very interested to see what sort of passwords are actually being guessed by hackers.  We know that loads of people actually use the word 'password' as their password, or '12345678'. This is just ridiculous.
    I would also have suggested simply changing the first or last letter of each of the three words, to make up non-words, but I expect most people would find that incredibly simple task to be too difficult. That would also thwart dictionary attacks...
  • IvanOpinion
    IvanOpinion Posts: 22,536 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    IvanOpinion - I presume brute force attacks only take place once an attacker has managed to 'break into' a system, rather than trying to guess an individual user's password by trying to log in using their email address and a guessed password, over and over again?
    That's not really how it works. It takes a pretty poor system to allow infinite guesses at passwords, but they do exist.

    I was on a security training program last year. Training us was just a side-task of the company's core business; we did not know at the time, but they also used their courses to train their own team. By the end of the 1 day course his team had managed to leave messages on the computers of several of the course attendees. Not only that, they got bank account details of several of the attendees.

    Yes they got access to my laptop but, in the time given, were unable to locate anything personal. They did tell each of us the technique they used to get in to allow us to fix our security (the techniques they used and logic being applied were fascinating).

    Past caring about first world problems.
  • theoldmiser
    theoldmiser Posts: 100 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    Ten most common passwords:


    "The most used passwords are all extremely similar, fairly predictable, and follow the same patterns. Variations of “123456789” are very popular and dominate this list, taking up seven of the ten rankings. In terms of alphabetical passwords, nearly a quarter of Americans use the phrase “qwerty” as an exact or partial match in their passwords. 

    Here’s a list of the most common passwords in 2023:

    1. Password
    2. 123456
    3. 123456789
    4. 12345678
    5. 1234567
    6. Password1
    7. 12345
    8. 1234567890
    9. 1234
    10. Qwerty123"

    Surely if people who use those passwords were to go to What3Words and use a random three word sequence from there, they would be infinitely better off?

    Unfortunately they link to the following:
    "Include a mix of characters

    Use a combination of symbols, numbers, and upper and lower case letters to make a good password. However, adding just one of each to your password doesn't make it fully secure. It's easy for computer programs to try variations on everyday phrases and words with numbers and symbols. Think beyond tacking an exclamation point and a number to the end of your passwords. 

    1. Use at least 8 characters; 12+ is even better
    When it comes to password security, the longer, the better. A password with a minimum of eight characters is good, one with a minimum of 12 characters is better, and one with 20+ characters is ideal. The longer the password (consisting of symbols, numbers, and upper and lower case letters), the more complex it becomes to hack."


    Use at least 8 characters! They have got to be kidding.
    I would recommend using two squares from What3words.com, and then you have a 57 trillion to the power of 57 trillion password. Completely and utterly uncrackable, even by bruteforce attacks.

    I used to make up my own passphrases, but my mind would go blank and I would often think of words I had used before (not that that matters if the passphrase itself was different and contained other words that I hadn't used before), but with What3words providing a never ending supply of three word phrases, it's a piece of cake.


    Here are two 3 word phrases from What3words:

    "treasured.tumbles.unabashed.lightened.reconfigure.troopers"

    Just change the first letter of each word to make a non-existent new word:

    "breasured.pumbles.inabased.gightened.beconfigure.broopers"

    Even more secure than before!
    But for most websites (i.e. for forums and the like) a three word version of the above would be fine:
    "breasured.pumbles.inabased"

    For your bank, you could use the six word method.




  • onomatopoeia99
    onomatopoeia99 Posts: 7,137 Forumite
    Part of the Furniture 1,000 Posts Name Dropper

    I would recommend using two squares from What3words.com, and then you have a 57 trillion to the power of 57 trillion password. Completely and utterly uncrackable, even by bruteforce attacks.



    "squared", or "to the power two" you mean. 

    Which infosec qualifications do you have?  Or even which mathematics qualifications?
    Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
  • cerebus
    cerebus Posts: 677 Forumite
    500 Posts Name Dropper
    edited 18 July 2023 at 1:00AM

    I would recommend using two squares from What3words.com, and then you have a 57 trillion to the power of 57 trillion password. Completely and utterly uncrackable, even by bruteforce attacks.



    "squared", or "to the power two" you mean. 

    Which infosec qualifications do you have?  Or even which mathematics qualifications?
    I suspect the answer is "none" for both of them

    Especially as he keeps changing his mind about which way you build your password is best 
  • mksysb
    mksysb Posts: 400 Forumite
    Eighth Anniversary 100 Posts Photogenic Name Dropper
    Think he must be a shill for  what3words the number of times he has mentioned them.
  • km1500
    km1500 Posts: 2,703 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 18 July 2023 at 9:42AM
    When you are talking about online passwords, for example logging into your bank accounts, then pretty much any decent password will do because these systems will only allow say three attempts before locking you out. So unless your online password is super simple it is unlikely anybody will get it.

    The situation changes for offline passwords. By this I mean e.g. somebody has a Word document they want to find the password to, or maybe they have hacked a site and have all the password hashes and want to find out what the original password is. In this case they get an infinite number of attempts - what they will do is get a fast computer to keep trying different combinations of words and letters until they hit on the right one - there is no lockout after 3 attempts.

    In this latter situation you may think for example your Word document is super protected because you have a 19 character password to it - but if this password is 'elephantrhinoceros' then this is equivalent to two characters in a dictionary attack and you might as well use a password 'ab' as it is the same strength.
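Three points raised in the thread can be shown in one piece of working code: km1500's point that 'elephantrhinoceros' is only two "characters" to a dictionary attack, theoldmiser's suggestion of changing the first letter of each word to make non-words, and the question from goodValue and theoldmiser of whether guessing only happens once an attacker holds the password database. The script below is an added example, not code from any poster and not a real cracking tool; it does by hand what hashcat's word lists and mangling rules do at scale. Everything in it is constructed for illustration: an eight-word list that happens to contain the victim's words, a site that stored plain unsalted SHA-256, and a toy login that locks after three failures. With a real list of tens of thousands of words the guess counts grow as shown in the comments, but the shape of the attack is identical.

```python
"""Offline guess-and-check against an unsalted hash vs. an online login with lockout.

Added example, not code from the thread. The word list, the stored hash scheme
(plain SHA-256, no salt, no work factor) and the three-strikes lockout are all
constructed assumptions so the example runs offline in a fraction of a second.
"""
import hashlib
import itertools
import string

# Constructed stand-in for an attacker's dictionary; real lists hold tens of thousands.
WORDLIST = ["elephant", "rhinoceros", "giraffe", "zebra",
            "treasured", "tumbles", "lightened", "troopers"]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def concatenations(wordlist, n_words, sep=""):
    """Every ordered choice of n_words words joined with sep.
    Keyspace is len(wordlist) ** n_words: each word is one symbol of a large alphabet,
    so two words from an 8-word list is 64 candidates, from 40,000 words 1.6e9."""
    for combo in itertools.product(wordlist, repeat=n_words):
        yield sep.join(combo)


def first_letter_variants(word):
    """The 'change the first letter' mangling rule: 26 variants, original included."""
    return [c + word[1:] for c in string.ascii_lowercase]


def mangled_concatenations(wordlist, n_words, sep="."):
    """Word combinations with the first-letter rule applied to every word.
    Keyspace is (len(wordlist) * 26) ** n_words: the rule multiplies the work by 26
    per word, i.e. adds log2(26), about 4.7 bits, per word, not more."""
    for combo in itertools.product(wordlist, repeat=n_words):
        for variant in itertools.product(*(first_letter_variants(w) for w in combo)):
            yield sep.join(variant)


def crack(target_hash, candidates):
    """Hash each candidate and compare. Returns (password or None, guesses made).
    Offline there is no lockout; the only limits are hash speed and keyspace size."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


class RateLimitedLogin:
    """Toy online login: three wrong guesses and the account is locked for good."""
    MAX_FAILURES = 3

    def __init__(self, password):
        self._hash = sha256_hex(password)
        self.failures = 0
        self.locked = False

    def attempt(self, guess):
        if self.locked:
            return "locked"
        if sha256_hex(guess) == self._hash:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return "wrong"


def online_attack(login, candidates):
    """Run the same guess list through the login; stop once locked out.
    Returns (password or None, attempts that were actually accepted)."""
    attempts = 0
    for candidate in candidates:
        result = login.attempt(candidate)
        if result == "locked":
            break
        attempts += 1
        if result == "ok":
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Two dictionary words: at most 8**2 = 64 guesses offline.
    print(crack(sha256_hex("zebragiraffe"), concatenations(WORDLIST, 2)))
    # Two words with the first letter changed: at most (8*26)**2 = 43,264 guesses.
    print(crack(sha256_hex("breasured.pumbles"), mangled_concatenations(WORDLIST, 2)))
    # The identical guess list online is stopped after three failures.
    print(online_attack(RateLimitedLogin("zebragiraffe"), concatenations(WORDLIST, 2)))
```

Offline, 'zebragiraffe' falls on the 27th guess and the non-word 'breasured.pumbles' on the 25,054th, because an attacker who guesses the rule simply adds it to the candidate generator; the rule is worth about 4.7 bits per word, far less than one extra random word from a large list. Online, the same list gets three attempts and then nothing, which is why the offline case (a leaked hash database or a password-protected file) is the one the word-count arithmetic is really about.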