

"qqqq ... qqq" is a strong password according to Microsoft - jchernan
https://www.microsoft.com/security/pc-security/password-checker.aspx

======
JSON_2212
Does anyone else find it super annoying when sites tell you what to use as
your password? "You have to use a capital letter, at least 3 numbers, a
symbol, it has to be 12 characters long, and it can't be one that you've used
before." This type of attitude leads to people writing down their passwords
on paper and then getting hacked when someone finds it. As this password
shows, not all passwords need to have all those things in order to be secure.

------
jnorthrop
It's not going to be in a rainbow table nor will most attacks try anything of
significant length. It may be easy to shoulder surf the password, but a
typical attack probably won't succeed. That is unless the attacker has some
way of guessing the length, but a hash will take care of that.

------
wkearney99
Passwords have to satisfy multiple security issues. Brute force by code is
just one. Shoulder-surfing is another. A password like that is going to be
incredibly weak as an observer might easily be able to detect it. Same thing
goes with longer phrases if they're based on something well known or easily
guessed.

------
peteretep
12 characters long ... you'll be waiting a while to brute force that one, I'd
have thought...

~~~
billswift
Pure brute force is a bad metric; every 12-character password is equally good
or bad by that standard. The problem is in how accessible the password is to
faster, less random searches. I would think that anyone writing a cracker
program would check for single or double character repetitions pretty early in
their search.

~~~
tnicola
> Pure brute force is a bad metric, every 12 character password is equally
> good or bad by that standard.

This is not entirely correct. If you had 12 q's in a row (or any 12 lower case
letters) there would be 12^26 permutations that the computer would have to check
in order to guess it. Adding a capital Q would increase the number of
permutations to 12^52. For each additional character set you throw in the mix,
you would add the total number of those characters to the exponent part.
Adding numbers would make it 12^62 etc. Not all 12 character passwords are
created equal and some (like 12 numbers in a row) can quite possibly be brute
forced.

~~~
Codhisattva
Are brute force attacks always sequential?

~~~
tnicola
I am not entirely familiar with modern day algorithms behind brute force
attacks, but the math I described above is the theory behind them. I would
imagine that it would have to be in some kind of ordered sequence so that you
didn't miss any possibility and that your brute force time would average out
(assuming an infinite number of tries over a random selection of passwords). It is,
however, reasonable to assume that once the attack got partway through a word,
it would then try the most common words etc. But assuming a random
compilation of characters, sequential would be the most efficient over many
tries.

Note: the above does not apply to brute force attacks that try the most common
passwords and other techniques that include a human element. It's just the math
behind the algorithm.
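A worked version of the search-space arithmetic argued over in this subthread, added here as an illustration and not taken from any commenter: the exhaustive count for a password is alphabet size raised to the length, but an attacker who tries cheap structured candidates first (one character repeated, a short block repeated, as billswift suggests) needs far fewer guesses for strings like the one in the title. The 1e9 guesses/second rate and the 95-character printable alphabet are assumptions chosen for the example.

```python
import string

# Character classes a typical strength meter counts.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
PRINTABLE = 95          # printable ASCII incl. space; assumed attacker alphabet
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def naive_search_space(password: str) -> int:
    """Guesses to exhaust every string of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def smallest_period(s: str) -> int:
    """Shortest block whose repetition reproduces s ('qqqq' -> 1, 'qwqw' -> 2)."""
    for p in range(1, len(s) + 1):
        if len(s) % p == 0 and s == s[:p] * (len(s) // p):
            return p
    return len(s)


def pattern_aware_search_space(password: str) -> int:
    """Upper bound on guesses for an attacker who first enumerates all
    repeated blocks of period p, for every length up to len(password)."""
    p = smallest_period(password)
    structured = PRINTABLE ** p * len(password)
    return min(naive_search_space(password), structured)


def years_to_exhaust(guesses: int, rate_per_second: float = 1e9) -> float:
    """Wall-clock years at the assumed guess rate (single-hash, offline)."""
    return guesses / rate_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("qqqqqqqqqqqq", "@e31z.P8", "qwqwqwqw"):
        print(pw, naive_search_space(pw), pattern_aware_search_space(pw),
              round(years_to_exhaust(naive_search_space(pw)), 3))
```

The naive figure for twelve lowercase letters is over three years at a billion guesses per second, while the pattern-aware bound for the same string is a little over a thousand guesses.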

------
pepsi
FWIW, @e31z.P8 is considered 'weak', which most people would consider a pretty
hard password.

~~~
michael_fine
The thing about password entropy is that it doesn't matter how many special
characters you have in your password, only that they are present because then
the computer has more combinations to search through. For example, Foxtr0t! is
just as secure as @e31z.P8, but much easier to remember. Helpful hint: long
pass phrases are far more secure than random strings of letters and symbols,
but easier to remember. thequickbrownfox would take around 5 million years to
crack, compared to your example taking 87 years, which probably doesn't
matter, but still a fun thought experiment.

------
sheckel
Hm. It tells me "Worst Password Ever!" is a "Best" password. Better start
using that one!

~~~
tnicola
That is actually a very good password.

~~~
batista
Not anymore! I'm adding it to my brute-force dictionary.

------
benologist
That might be strong, but "qqqqqqqqqqqqqqqqqqqqqqqqqqqq" is BEST!

