Originally Posted By: Eugene
Originally Posted By: UncleGoo
The four random words were much more secure: e.g. Looking at my Avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure...and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...


This isn't secure at all. A dictionary attack will find all 4 words just as easily as it will find one.

Basically you take the first letter C and go down in your dictionary file to all the words that start with C. Then look for all words that are Cr within that subset, then Cra, etc.
Once you've found Cracker you just take the next letter P and look for all the P words.

I'll give an example of how easy it is to do: Way back in my high school English class we had to figure out compound words by breaking them apart into the Greek and Latin roots, then getting the meaning of each part and putting those back together into a definition.
I did this in Commodore Basic in 1989/1990.


That's still not a trivial computation. The computer must be prepared to try every combination of known words. If one character or one capitalization is out of place, then the dictionary attack won't work.

Anyway, obviously, the most secure passwords are going to be long and random. Any rule that deviates from that can be met with at least some criticism. There is a point at which your password is no longer the weak link (e.g., it may be much easier for a hacker to steal your computer's keystrokes).

With a few simple modifications to the cartoon "CorrectHorseBatteryStaple", you can obtain a password that makes a dictionary attack substantially more difficult without being much harder to remember.

Here are some examples:
CorrecHorsBatterStapl (Drop the last letter of each word)
C!orrectHorseBatteryStaple (One random character in there)
cOrrecthOrsebAtterysTaple (capitalize second letter of each word)

It's not always possible/convenient to have a "long and random" password. Thus, some sort of mental hash algorithm is often required.
_________________________
If you're reading this, it's too late.
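As an added example (not written by any poster in this thread), here is a small Python strength estimator that models the attacker described above: it tries to segment a passphrase into dictionary words (lower-case or Capitalized) and falls back to character-level brute force when no segmentation exists, so the three mangling tricks in the post can be compared against the plain "CorrectHorseBatteryStaple". The toy word set, the 7776-entry attacker list size and the 94-character set are constructed assumptions; a production estimator such as zxcvbn also applies truncation and case-mangling rules, so the brute-force figures for the modified passphrases are upper bounds against a naive dictionary attacker.

```python
import math
from functools import lru_cache

# Constructed toy dictionary; the thread's attacker is assumed to hold the
# words the user actually chose, so only membership matters here.
WORDS = {"correct", "horse", "battery", "staple", "cracker", "pony", "flip", "flop"}
DICT_SIZE = 7776          # assumed size of the attacker's wordlist (Diceware-sized)
CHARSET = 26 + 26 + 10 + 32  # printable ASCII: letters, digits, symbols = 94


def segment(password):
    """Split password into dictionary words the way the thread describes:
    take a prefix that is a lower-case or Capitalized word, then recurse on
    the remainder. Returns the list of words, or None if no split exists."""
    @lru_cache(maxsize=None)
    def go(i):
        if i == len(password):
            return ()
        for j in range(i + 1, len(password) + 1):
            chunk = password[i:j]
            plain = chunk in WORDS
            titled = chunk == chunk.capitalize() and chunk.lower() in WORDS
            if plain or titled:
                rest = go(j)
                if rest is not None:
                    return (chunk,) + rest
        return None  # no word starts at position i that leads to a full split

    result = go(0)
    return None if result is None else list(result)


def estimate_guesses(password):
    """Worst-case guess count for the cheaper of two attackers: word-level
    search when the passphrase segments into dictionary words, otherwise
    character-level brute force. Returns (attack, guesses, bits)."""
    brute = CHARSET ** len(password)
    words = segment(password)
    if words is not None:
        # Case variants of each word only add a small constant factor; ignored.
        dictionary = DICT_SIZE ** len(words)
        if dictionary < brute:
            return "dictionary", dictionary, math.log2(dictionary)
    return "brute-force", brute, math.log2(brute)


if __name__ == "__main__":
    for pw in ["CorrectHorseBatteryStaple", "CrackerPonyFlipFlop",
               "CorrecHorsBatterStapl", "C!orrectHorseBatteryStaple",
               "cOrrecthOrsebAtterysTaple"]:
        attack, guesses, bits = estimate_guesses(pw)
        print(f"{pw:28} {attack:12} {bits:6.1f} bits  words={segment(pw)}")
```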