I read what he tried. Password cracking software/algorithms are a lot more advanced than the average person might think they are, and the majority of people's passwords tend to be easy to crack via software means by using dictionary permutation attacks, common password database attacks, rainbow tables, brute force and other. As time goes on, the CPU/GPU power available to even an individual is enormous especially with easily available cheap cloud computing. 10/20 digit simple passwords that are just numbers or similar simplicity are just not significant to protect against the real world threats that are out there. Over time the problem gets worse because passwords become only easier to crack, but people's methods for choosing passwords do not tend to get more complex.

Security experts out there recommend password selection that is generally much more complex than people choose on their own fruition, and that leaves them more vulnerable. So websites etc. test password strength based on real world security guidelines and reject passwords considered weak. If someone considers their password strong and software considers it weak, it is probably a divergence between their perception of threat and the actual real threat.

The easy way for people to solve the problem without a lot of headaches is to use a vetted password keeping application such as KeepassX (cross platform) or PasswordSafe (Windows only). Then the program can generate amazingly complex passwords with built in global and per site customizeable rules, and the user doesn't have to bother worrying about these things, letting technology solve the problem instead. Just need to remember one master password then.

That's the solution for "my password needs to be too hard". One of them anyway.

Ah, good idea to use a Welsh word.

What did you find "strange" then? Of course. Just out of curiosity, though, because I don't know the numbers myself, I looked it up - Wikipedia claims 2 800 000 000 guesses per second on high-end GPU with "commercial products". That would still take 1132 years for 10**20. If you did that * 1000, but the OP changed it to 10**25, it would take 113249 years. If he didn't, then it'd still take you over a year. This is all worst case, of course, but that goes for any sort of password. If anyone is an expert (or has expert knowledge) on the matter, I'd love to hear about the state-of-the-art.

Login: a
Password: 1

"Begin" is a word. I passed that.

well this got out of hand lol

Ah, you seem to just want to be argumentive for no real purpose. No thanks.

Sorry you got that impression, it wasn't my intention.

Even if it's touted to take thousands or hundreds of thousands of years, i'd bet most passwords would be cracked fairly quickly. The reasoning is people are lazy, and memorizing a 20 digit number is annoying, while having a repeating 5 digit pattern or something is far easier. so someone might do 12312312312312312312 for their password, or just hit 1 until it hit max length.

And remembering a number is annoying, while remembering a word or phrase is easier. Not to mention each character is 26-36 combinations rather than 10. Unfortunately following the heavy redundancy of words, and character frequency it means that a lot of characters do or don't follow another set of characters.


I'm reminded of writing a solver for sudoku, and if you do only brute force methods then certain types of puzzles will take hours to solve, while tiny little helps or using pure logic solves nearly instantly. Brute force, is always a last resort, not the preferred method.

That's why I was careful to note it was the worst case. I just recently read this, so repeating simple patterns were definitely on my mind when I wrote this.

This. Length is the main factor in making a secure password. What always kills me is whenever I come up with a password or passphrase that I will definitely remember... only for it to be rejected because it is either too long or doesn't have a number and a symbol that doesn't fit into my mnemonic.

Well, I know for a fact that the password gdfsgsdfhgsdfghsdgfh is quite popular at GOG headquarters.

Hmmm I'm suddenly reminded of a Starcraft story that TB and Genna did, and in part of it (taking place in korea) are gaming cafes where you can queue up to play Starcraft games and get better at the game. Specifically if you wanted to play anonymously you'd use a random combination of 20 1's and I's, which then in chat looked totally illegible. To note, apparently lots of people did it (especially professionals just going casual), so it did it's job.

But if only a handful of people do it, it doesn't work :P

If the device or account gets locked within a pre-set number of attempts to login (it could be 10 to 20 as default, just to be sure the average user won't lock it by mistake) along with a few second delay that gets increased after every failed attempt (but gets reset after every successful login), wouldn't that make it extremely difficult even for an expert with special software and a super computer at hands?

Obviously I'm excluding security vulnerabilities in this case.

https://lastpass.com/generatepassword.php ?