
Best way to make an uncrackable passphrase, using What3words


Comments

  • RumRat
    RumRat Posts: 5,001 Forumite
    It makes no sense trying to use a 'memorable' phrase or numbers unless you are going to use them for every password, which is then, obviously not the way to go.
    I have 300 passwords and can't remember any of them except the banking ones which are the only ones committed to memory. The password manager handles all the other stuff, including suggesting random passwords.
    I also use a variety of email addresses as well.
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • km1500 said:
    When you are talking about online passwords, for example logging into your bank accounts, then pretty much any decent password will do, because these systems will only allow, say, three attempts before locking you out. So unless your online password is super simple it is unlikely anybody will get it.

    The situation changes for offline passwords. By this I mean e.g. somebody has a Word document they want to find the password to, or maybe they have hacked a site and have all the password hashes and want to find out what the original password is. In this case they get an infinite number of attempts - what they will do is get a fast computer to keep trying different combinations of words and letters until they hit on the right one - there is no lockout after 3 attempts.

    In this latter situation you may think, for example, your Word document is super protected because you have a 19 character password to it - but if this password is 'elephantrhinoceros' then this is equivalent to two characters in a dictionary attack and you might as well use a password 'ab' as it is the same strength.

    Define "decent password".

    Your final paragraph is completely wrong, a two character password is orders of magnitude less secure than 'elephantrhinoceros', unless there are only 26 WORDS in the English language.

    As usual, people who have no idea what they are talking about are trying to tell me that I am wrong, because they can't even understand the basic idea I am putting forward. No wonder thousands of computer systems are hacked every day, and thousands of people's various accounts are hacked every day.
  • IvanOpinion - I presume brute force attacks only take place once an attacker has managed to 'break into' a system, rather than trying to guess an individual user's password by trying to log in using their email address and a guessed password, over and over again?
    That's not really how it works. It takes a pretty poor system to allow infinite guesses at passwords, but they do exist.

    I was on a security training program last year. Training us was just a side-task of the company's core business; we did not know at the time, but they also used their courses to train their own team. By the end of the one-day course his team had managed to leave messages on the computers of several of the course attendees. Not only that, they got bank account details of several of the attendees.

    Yes they got access to my laptop but, in the time given, were unable to locate anything personal. They did tell each of us the technique they used to get in to allow us to fix our security (the techniques they used and logic being applied were fascinating).


    Your anecdotal case has nothing to do with my idea....

    Do you seriously believe this password is crackable:
    'breasured.pumbles.inabased.gightened.beconfigure.broopers'

    I've explained several times in this thread how to make an uncrackable password. Apparently that is too much of a threat for some people here, I'm not allowed to say why, or that would be perceived as 'unfriendly behaviour' and they would again be able to get me silenced for pointing out why they can't stand people who are highly intelligent coming up with new ideas to improve things for everybody on Earth... What an awful person I must be.

  • km1500
    km1500 Posts: 2,790 Forumite
    km1500 said:
    When you are talking about online passwords, for example logging into your bank accounts, then pretty much any decent password will do, because these systems will only allow, say, three attempts before locking you out. So unless your online password is super simple it is unlikely anybody will get it.

    The situation changes for offline passwords. By this I mean e.g. somebody has a Word document they want to find the password to, or maybe they have hacked a site and have all the password hashes and want to find out what the original password is. In this case they get an infinite number of attempts - what they will do is get a fast computer to keep trying different combinations of words and letters until they hit on the right one - there is no lockout after 3 attempts.

    In this latter situation you may think, for example, your Word document is super protected because you have a 19 character password to it - but if this password is 'elephantrhinoceros' then this is equivalent to two characters in a dictionary attack and you might as well use a password 'ab' as it is the same strength.

    Define "decent password".

    Your final paragraph is completely wrong, a two character password is orders of magnitude less secure than 'elephantrhinoceros', unless there are only 26 WORDS in the English language.

    As usual, people who have no idea what they are talking about are trying to tell me that I am wrong, because they can't even understand the basic idea I am putting forward. No wonder thousands of computer systems are hacked every day, and thousands of people's various accounts are hacked every day.
    You completely misunderstand my post.
  • RumRat
    RumRat Posts: 5,001 Forumite
    "Which infosec qualifications do you have? Or even which mathematics qualifications?"

    Appeal to authority fallacy.
    What's that got to do with the price of eggs???
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • I won't enter an argument about this, but anybody who thinks a long password which is made up from words is impregnable is kidding themselves. You would need to change the letters in the password to symbols and/or numbers.
    For example, changing MoneySavingExpert to |\/|0n3y$8\/1n93xp3rt would make the password far harder to crack. The time on PasswordMonster increases from a mere 33 hours to 106 billion years.
    Anyway, I'll stick to using randomly generated passwords, which can be 50-100 characters long depending on the website. If I remember right, my Google password is over 200 characters long - have fun cracking that.
  • Two observations:
    1. Don't assume that online passwords don't need to be as secure as offline ones because the site will freeze your account after x attempts. The risk is not that hackers are individually targeting you; it is them stealing the site's encrypted password file using an attack on the site itself, then doing a brute force offline attack on that file.
    2. Since correct horse battery staple became a common password strategy brute force attackers will routinely target those as part of the attack on the encrypted password file, so a three word phrase from a list of even 10000 potentials will not last long, unless you then start swapping $ for s, adding digits and symbols, etc. And once you start doing that, you're going to need a password manager anyway, so you might as well do it properly and get the password manager to create proper strong random strings.
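    The entropy arithmetic behind the disagreement in this thread (the 'elephantrhinoceros' versus 'ab' claim, and the point about a three-word phrase from a 10000-word list), as an added worked example that is not from any poster here. The guess rate and the word-list sizes are assumptions chosen to set the scale of the comparison.

```python
import math

# ASSUMED guess rate for an offline attack on a fast, unsalted hash.
# It is not measured; it only fixes the scale of the comparison.
ASSUMED_GUESSES_PER_SECOND = 1e10


def passphrase_bits(num_words: int, list_size: int) -> float:
    """Entropy (bits) of num_words words picked uniformly at random from a
    list of list_size words, assuming the attacker knows the list."""
    return num_words * math.log2(list_size)


def charset_bits(length: int, charset_size: int) -> float:
    """Entropy (bits) of `length` characters picked uniformly from a charset."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return (2.0 ** bits / guesses_per_second) / (365.25 * 24 * 3600)


def compare_thread_examples() -> dict:
    """The cases argued about in the thread; word-list sizes are assumptions."""
    cases = {
        # 'ab': two lowercase letters, brute-forced character by character
        "two letters": charset_bits(2, 26),
        # 'elephantrhinoceros' modelled as two words from a 100k-word dictionary
        "two dictionary words": passphrase_bits(2, 100_000),
        # the 'correct horse battery staple' style case from the thread
        "three words from 10000": passphrase_bits(3, 10_000),
        # six random words from a ~40k list (assumed what3words-sized list)
        "six words from 40000": passphrase_bits(6, 40_000),
        # 18 random lowercase letters, the same length as 'elephantrhinoceros'
        "18 random letters": charset_bits(18, 26),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_thread_examples().items():
        print(f"{name:24s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

    These figures hold only when the words are chosen uniformly at random from the list; a memorable phrase a person picks, or one built from words that already appear in leaked-password lists, has far less entropy than the formula suggests.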
  • cerebus
    cerebus Posts: 677 Forumite
    outtatune said:
    Two observations:
    1. Don't assume that online passwords don't need to be as secure as offline ones because the site will freeze your account after x attempts. The risk is not that hackers are individually targeting you; it is them stealing the site's encrypted password file using an attack on the site itself, then doing a brute force offline attack on that file.
    2. Since correct horse battery staple became a common password strategy brute force attackers will routinely target those as part of the attack on the encrypted password file, so a three word phrase from a list of even 10000 potentials will not last long, unless you then start swapping $ for s, adding digits and symbols, etc. And once you start doing that, you're going to need a password manager anyway, so you might as well do it properly and get the password manager to create proper strong random strings.
    You're wasting your breath, the OP won't listen.
  • cerebus said:
    outtatune said:
    Two observations:
    1. Don't assume that online passwords don't need to be as secure as offline ones because the site will freeze your account after x attempts. The risk is not that hackers are individually targeting you; it is them stealing the site's encrypted password file using an attack on the site itself, then doing a brute force offline attack on that file.
    2. Since correct horse battery staple became a common password strategy brute force attackers will routinely target those as part of the attack on the encrypted password file, so a three word phrase from a list of even 10000 potentials will not last long, unless you then start swapping $ for s, adding digits and symbols, etc. And once you start doing that, you're going to need a password manager anyway, so you might as well do it properly and get the password manager to create proper strong random strings.
    You're wasting your breath, the OP won't listen.
    I know, my post was really aimed at others who see that what he (? I'm going to stick my neck out here and assume) has to say has a veneer of logic, and get taken in by it.

  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    edited 20 September 2023 at 8:41PM
    Checked my easy-to-remember password as you suggested.
    Result:
    Time to crack your password:

    32 trillion years

    Review: Fantastic, using that password makes you as secure as Fort Knox.

    Will stick with it as I'll be long gone by then.