Ask HN: g00d t0 r#plce l3tt3rs n p55w0rd5? - gregwebs

A few years ago I started the practice of replacing letters in passwords with numbers and special characters. But everyone seems to be doing this now. Is this still good enough for strong passwords? What techniques do you use?
======
danso
It seems assumed that crackers, when doing a brute-force dictionary attack,
will check the common substitutions, i.e. e/E == 3, I == !/1, and so on...so
the main rule still stands: don't use simple words found in the dictionary.
Also, concatenating two simple words, e.g. "d0gk1tt3n", is vulnerable
given a fast-enough brute-force attack.

I don't use symbol/number substitution unless the password policy mandates it.
These days, I'll type out a bunch of objects that are in front of me or on my
mind when I'm changing the password, something like
"purplepencilandsennheiserheadphones" or
"funnyrerunofseinfeldwhiledrinkingminttea"...though obviously not as
grammatically correct or as sensical as that, with maybe at least one symbol
alteration...so: "someskittleswithpurple! outside4pigeons". These phrases are
relatively easy to remember and are long enough to make a brute-force attack
unlikely.

------
Codhisattva
xkcd says it all <https://xkcd.com/936/>

[edit: tl;dr longer is better]

