Best way to make an uncrackable passphrase, using What3words

flaneurs_lobster

zagubov said:

Not trying to hijack the thread but do many sites let you use spaces as a "special character"?
Password security checkers put passwords with spaces into the trillion-year crackable range. 

Most of the major online services (Google, Microsoft, Amazon etc) have no problem with spaces WITHIN a password but don't allow them at the beginning or end of the password string - it's for implementation reasons, it's really hard to validate (at least for a human) when a space is appended to a string of characters. It's pretty standard to strip spaces from the beginning/end of character data inputs (not just passwords) in most online interactions. 

The financial institutions that I have accounts with have a range of rules about the character set that can be used for passwords, NatWest Group, for example, only allow alphanumerics so space wouldn't cut it. Others (annoyingly) use a subset. Wouldn't be at all surprised if most exclude space.

I've just checked a couple of password manager's generator options, neither include space in their "special characters".

It's not obvious (at least to me) why a space character would be more secure than, say, an underline or percent sign.

outtatune

Keepass allows you to choose (or exclude) spaces in generated passwords.

theoldmiser

outtatune said:

Two observations:

1. Since correct horse battery staple became a common password strategy brute force attackers will routinely target those as part of the attack on the encrypted password file, so a three word phrase from a list of even 10000 potentials will not last long, unless you then start swapping $ for s, adding digits and symbols, etc. And once you start doing that, you're going to need a password manager anyway, so you might as well do it properly and get the password manager to create proper strong random strings.

LOL. I explained very clearly in my original post how to use What3Words to find a completely secure password, we aren't talking about 10,000 potential passwords, we are talking about 57 TRILLION squares on What3Words, without any effort required whatsoever to change one of the squares' three words. 57 Trillion is far more secure than 99.9% of people's passwords.

theoldmiser

poppellerant said:

I won't enter an argument about this, but anybody who thinks a long password which is made up from words is kidding themselves if they think their password is impregnable.  You would need to change the letters in the password to symbols and/or numbers.

For example, changing MoneySavingExpert to |\/|0n3y$8\/1n93xp3rt would make the password far harder to crack.  The time on PasswordMonster increases from a mere 33 hours to 106 billion years.

Anyway, I'll stick to using randomly generated passwords, that can be 50-100 characters to long depending on the website.  If I remember right, my Google password is over 200 characters long - have fun cracking that.

So 57 Trillion different combinations, in What3Words, isn't secure enough? And 57 Trillion to the power of 57 Trillion, using TWO sets of three words from What3Words, isn't secure enough? Seriously?

theoldmiser

John_Gray said:

How long would it take to crack your password?

I cracked it immediately simply by looking at your post, where you have written it down...

That's proved me wrong then! Hilarious.

theoldmiser

SteveJW said:

I usually look around at letters, leaflets etc etc and pick three random words translate a couple of words to a foreign language in Google translate, say Thai and then use the pronunciation words add a couple of numbers and special characters

Yes, anything but use my simple and far more secure method, that anybody can use, with zero effort...

theoldmiser

SteveJW said:

Why not just let a password manager generate passwords for you?

Some websites will not let me copy and paste passwords

I like many people struggle to remember a string of random numbers, letters and characters

I can remember three words even if in a foreign language or phonetic, combined with a year and a couple of special characters

Thank you. This is precisely why using What3Words is by far the best method available - it's easy to use, easy to find a random square in the middle of the ocean, that nobody else is going to find (there are 57 Trillion squares on What3Words!).

Isn't it odd how, when you present a simple idea that should make life better for everybody on Earth who uses a computer, you can always guarantee there will be people on forums who don't understand your SIMPLE idea, misread what you wrote, and then criticise it and claim it can't possibly work, without ever explaining why?

theoldmiser

poppellerant said:

IvanOpinion said:

victor2 said:

SteveJW said:

I usually look around at letters, leaflets etc etc and pick three random words translate a couple of words to a foreign language in Google translate, say Thai and then use the pronunciation words add a couple of numbers and special characters

Why not just let a password manager generate passwords for you?

While I use one, I no longer include high security passwords in it (e.g. bank account, trading accounts etc.) - I have become more wary since a couple of recent high profile hacks, and discussions with real security experts.

There is an argument that if someone uses a password manager then you only need to hack a single password to gain access to all passwords. On the other hand there are much simpler ways to gain access.

If you're that weary, surely you could download a password generator from somewhere and generate your passwords offline?

I use online passwords to generate my Wi-Fi keys of 30+ characters.  I must admit this can make entering the key for the first time interesting.

I use 'online passwords' to generate my passwords too - it's a website called What3Words.com. This is apparently too easy, and therefore must be the wrong thing to do.

theoldmiser

outtatune said:

IvanOpinion said:

victor2 said:

SteveJW said:

I usually look around at letters, leaflets etc etc and pick three random words translate a couple of words to a foreign language in Google translate, say Thai and then use the pronunciation words add a couple of numbers and special characters

Why not just let a password manager generate passwords for you?

While I use one, I no longer include high security passwords in it (e.g. bank account, trading accounts etc.) - I have become more wary since a couple of recent high profile hacks, and discussions with real security experts.

There is an argument that if someone uses a password manager then you only need to hack a single password to gain access to all passwords. On the other hand there are much simpler ways to gain access.

Use an offline password manager that runs on your computer instead of a cloud based one. Keepass for example.

Why not just use my simple method, and write the passwords in a password book that you keep on your desk? The ones you use every day, you will soon learn off by heart. (I have about five I use every day, and they're all really long, but easy to remember after I've typed them in about twenty times.)

theoldmiser

flaneurs_lobster said:

zagubov said:

Not trying to hijack the thread but do many sites let you use spaces as a "special character"?
Password security checkers put passwords with spaces into the trillion-year crackable range. 

Most of the major online services (Google, Microsoft, Amazon etc) have no problem with spaces WITHIN a password but don't allow them at the beginning or end of the password string - it's for implementation reasons, it's really hard to validate (at least for a human) when a space is appended to a string of characters. It's pretty standard to strip spaces from the beginning/end of character data inputs (not just passwords) in most online interactions. 

The financial institutions that I have accounts with have a range of rules about the character set that can be used for passwords, NatWest Group, for example, only allow alphanumerics so space wouldn't cut it. Others (annoyingly) use a subset. Wouldn't be at all surprised if most exclude space.

I've just checked a couple of password manager's generator options, neither include space in their "special characters".

It's not obvious (at least to me) why a space character would be more secure than, say, an underline or percent sign.

A space isn't more secure, it's just far more easy to remember a password (and read a written down one) if it has normal spaces in between the words...

Most 'experts' haven't got a clue about passwords, and in businesses they just regurgitate over and over the 'Don't repeat a character, use a capital letter, use a number, must use a special character' stupidity, because they don't understand what they are talking about.