Best way to make an uncrackable passphrase, using What3words
It took you nearly 2 years to reply to bob2302's post! Let’s hope you find your passwords a bit quicker than that.
0 -
Three words: UsePasswordManager
I’m a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
All views are my own and not the official line of MoneySavingExpert.
0 -
OP is focussing too much on having an "uncrackable" password when the password itself is only part of the solution and vulnerable on its own without an additional layer of protection like Multi Factor Authentication through an OTP or hardware key. As mentioned several times above, a good Password Manager will help you generate strong and unique passwords using fit-for-purpose algorithms and doesn't rely on you memorising them. Keeping your password safe is far more important than the theoretical time to crack it, as most hacks will result from stolen / leaked credentials from data breaches or by being tricked into giving them over through social engineering or phishing attempts.
2 -
I've got other things to worry about rather than if a password is crackable in 100 billion years or 101 billion years.
Move along, nothing to see.
1 -
Well, the 'crackable' risk and computational effort will only (generally) apply if a bad actor hacks an institution you use and extracts your hashed password - after which they can then get to work on brute forcing it. It's this brute force that can take thousands of years with modern hash algorithms and computing power - however, the brute force could always luck it and get the password correct instantly. Thankfully there are further methods known as salt and peppering which massively increase brute force complexity (and that is too technical to go into in a brief post)
Some organisations used to store passwords in plain text - thank god those days are largely gone. Any organisation that can email you your password is highly likely still committing this crime!
If anyone thinks a brute force attack could be conducted against a bank's login page they're mistaken. 3 or so failed login attempts and you're into account locked territory.
Anyway, back to the OP's 'revelation'. I wouldn't use a password constructed out of multiple dictionary words - that's keeping things too simple.
0 -
Mostly agree on the attack model: offline cracking after a breach is the real risk, not hammering login pages. Salting and slow hashes matter.
Where I disagree is the dismissal of multi-word passphrases. The weakness isn’t “dictionary words”, it’s short or predictable ones. Several randomly chosen words give far more entropy than most symbol-stuffed passwords people invent. “It could guess it instantly” is technically true but irrelevant in practice. Length and unpredictability dominate with current compute.
The search space only collapses if the attacker knows the construction method. If they don’t know you’re using what3words, they have to assume a general passphrase model and search an enormous mixed space. At that point, three uncommon words is just a long, high-entropy string.
2 -
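The two attacker models argued over in the posts above (construction method known versus unknown), worked through as an added example that is not part of any post in this thread. The 40,000-word list size, the guess rate, and the sample passphrase are assumptions chosen for illustration.

```python
import math
import secrets

# Assumptions (not from the thread): word-list size and offline guess rate.
W3W_WORDS = 40_000        # assumed size of the what3words English word list
GUESSES_PER_SEC = 1e10    # assumed rate against a fast, unsalted hash

def bits_known_method(list_size, n_words):
    """Entropy when the attacker knows the scheme: n words drawn uniformly from the list."""
    return n_words * math.log2(list_size)

def bits_unknown_method(passphrase, alphabet_size=27):
    """Entropy when the attacker must treat it as a string of a-z plus '.'."""
    return len(passphrase) * math.log2(alphabet_size)

def years_to_search_half(bits, rate=GUESSES_PER_SEC):
    """Expected time to find the secret: half the space at the given guess rate."""
    return (2 ** bits / 2) / rate / (365.25 * 24 * 3600)

def random_passphrase(wordlist, n_words, sep="."):
    """Pick words with a CSPRNG; the figures above only hold for uniform random choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    sample = "kettle.orbit.walnut"  # constructed sample in three-word format
    rows = [
        ("3 words, method known", bits_known_method(W3W_WORDS, 3)),
        ("same string, method unknown", bits_unknown_method(sample)),
        ("6 words, method known", bits_known_method(W3W_WORDS, 6)),
        ("12 random printable chars", 12 * math.log2(94)),
    ]
    for label, bits in rows:
        print(f"{label:30s} {bits:6.1f} bits  ~{years_to_search_half(bits):.3g} years")
```

Changing `GUESSES_PER_SEC` to a much lower figure models a salted, deliberately slow hash on the server side.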
Well, what I mean is - throw a couple of symbols into the mix, it's not hard 😁
1 -
Source: https://xkcd.com/538/
2 -
A user name and password are not secure against malware stealing your browser password file and other risks.
As several mentioned, an additional factor such as an authenticator app, or being sent an email with a few numbers, increases security significantly.
Windows helps you remember passwords too, it will respond by telling you what your password is: "your password is incorrect", change it to incorrect1 and continue 🤣.
0