Hacker News new | past | comments | ask | show | jobs | submit login

>You don't think the special character could be a mistake?

Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.

Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway, hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to try to be clever with passwords rather then just generating something fully randomized.






Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: