Use longer passwords instead of complicated ones?

HansV
Administrator
Posts: 79521
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Use longer passwords instead of complicated ones?

Post by HansV »

Best wishes,
Hans

Ted Myers
4StarLounger
Posts: 570
Joined: 30 Oct 2010, 02:12
Location: England UK

Re: Use longer passwords instead of complicated ones?

Post by Ted Myers »

I just used my password manager to create a 16 character password.
-
CKTOb54EeyiwmE1j
I altered it to prevent confusion when entering it in my Android Phone to:-
CKT£b54Eey@wmE&j
If it wasn't for bad luck I'd have NO luck at all.
Windows 11 Home 24H2 Laptop

ChrisGreaves
PlutoniumLounger
Posts: 16270
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Use longer passwords instead of complicated ones?

Post by ChrisGreaves »

This brings up the age-old question of how to remember these longer passwords. I know of two tricks:-

(1) Use place or people names from your youth; “Crawshawbooth” in Lancashire and “Boodarockin” in Western Australia come to mind. Then switch one (or two) adjacent letters on the QWERTY keyboard: Use “M” instead of “N”, or “0” in place of “O” to fool some of the people who might be watching you log in (or unlock a template or …)

(2) Use repetition. I can remember 3-character strings such as "fjl" and "vsj", so "fjlvsi" could be a password, but "fjlvsifjlvsifjlvsifjlvsi" is four times as long yet just as memorable.

Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson

HansV
Administrator
Posts: 79521
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Use longer passwords instead of complicated ones?

Post by HansV »

Many people use "tricks" such as o > 0, i > 1, e > 3 and s > 5, but that doesn't really fool advanced algorithms anymore.
Best wishes,
Hans

Ted Myers
4StarLounger
Posts: 570
Joined: 30 Oct 2010, 02:12
Location: England UK

Re: Use longer passwords instead of complicated ones?

Post by Ted Myers »

I find it easier and saves time if the chance of inputting a character can have another that looks similar, especially when adding them to a phone as I haven't mastered copy from pc + paste to phone.
If it wasn't for bad luck I'd have NO luck at all.
Windows 11 Home 24H2 Laptop

ChrisGreaves
PlutoniumLounger
Posts: 16270
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Use longer passwords instead of complicated ones?

Post by ChrisGreaves »

HansV wrote:
05 Oct 2024, 12:22
... but that doesn't really fool advanced algorithms anymore.
Agreed. I was looking at the human side of remembering long passwords.
I've believed in longer passwords at least since the 62-element character set (a-z, A-Z, 0-9) was allowed. Each character multiplies the time-to-crack by a factor of 62, and I reasoned that even if the most powerful (to date) computer was turned loose, an extra (say) 62x62x62 level of time is significant.

If it all took 238,328 times as long (the price of those extra three characters), then either "they" would need 238,328 times as many computers OR "they" could only crack at 1/238,328 the number of passwords they currently crack, loosely speaking.

In my example above "fjlvsi" is 238,328 times more expensive to crack than "fjl", and while "fjlvsifjlvsifjlvsifjlvsi" is 56,800,235,584 times more expensive to crack than "fjlvsifjlvsifjlvsi", it needs no more effort on the part of the human to memorize.

Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson
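The two estimates discussed in the posts above can be compared side by side. The following is an added example, not part of any post in this thread: `naive_bits` is the 62-per-character model, while `pattern_aware_bits` is a simplified strength check that also recognises whole-string repetition and the o > 0, i > 1, e > 3, s > 5 substitutions. The word list, its assumed size and the scoring rule are assumptions made for illustration.

```python
import math

# Substitutions named in the thread: 0 -> o, 1 -> i, 3 -> e, 5 -> s.
LEET = str.maketrans("0135", "oies")
# Constructed mini word list; a real checker would load a large dictionary.
WORDS = {"crawshawbooth", "boodarockin", "password"}
ASSUMED_WORDLIST_SIZE = 1_000_000  # assumption: size of a realistic word list

def naive_bits(pw, alphabet=62):
    """Bits of entropy if every character were picked independently at random."""
    return len(pw) * math.log2(alphabet)

def smallest_repeating_unit(pw):
    """Return (unit, count) with pw == unit * count and unit as short as possible."""
    n = len(pw)
    for size in range(1, n + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size], n // size
    return pw, 1  # only reached for the empty string

def pattern_aware_bits(pw, alphabet=62):
    """Estimate guessing cost when repetition and leet spellings are modelled."""
    unit, count = smallest_repeating_unit(pw)
    if unit.lower().translate(LEET) in WORDS:
        # Dictionary hit: pick the word, plus at most one bit per character
        # for its upper/lower-case or substituted variant.
        unit_bits = math.log2(ASSUMED_WORDLIST_SIZE) + len(unit)
    else:
        unit_bits = naive_bits(unit, alphabet)
    # Repeating a unit only costs the guess of how many times it repeats.
    return min(naive_bits(pw, alphabet), unit_bits + math.log2(count))

if __name__ == "__main__":
    samples = [
        "fjlvsi",
        "fjlvsi" * 4,          # repetition example from the thread
        "Crawshawb00th",       # place name with 0-for-o substitution
        "CKTOb54EeyiwmE1j",    # manager-generated password quoted in the thread
    ]
    for pw in samples:
        print(f"{pw:26} naive={naive_bits(pw):6.1f} bits  "
              f"pattern-aware={pattern_aware_bits(pw):6.1f} bits")
```

Under this model the randomly generated 16-character password keeps its full naive score, while the repeated and substituted strings score far below their length-based figure.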

StuartR
Administrator
Posts: 12819
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Use longer passwords instead of complicated ones?

Post by StuartR »

ChrisGreaves wrote:
05 Oct 2024, 11:23
This brings up the age-old question of how to remember these longer passwords. I know of two tricks:-
...
The recommendation in NIST SP 800-63B-4 is
NIST.SP.800-63B-4.2pd.pdf wrote:
Verifiers SHALL allow the use of password managers. Verifiers SHOULD permit claimants to use the “paste” functionality when entering a password to facilitate their use. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators
StuartR


silverback
5StarLounger
Posts: 798
Joined: 29 Jan 2010, 13:30

Re: Use longer passwords instead of complicated ones?

Post by silverback »

I use a combination of all the postcodes (=zipcodes for Non UK residents) plus upper and lower case. I don't know how secure they are against a password cracking algorithm but when I use them, I get a 'Strong' rating.
Silverback

BobH
UraniumLounger
Posts: 9564
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Use longer passwords instead of complicated ones?

Post by BobH »

Am I doing this wrong? I use Roboform to generate passwords. I can control their length and allow the use of capitals and special characters. I use a different password for every need. I store them in Roboform which uses cloud storage so that I can access them from all platforms. I don't even try to remember them.

What's wrong with this practice?
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

HansV
Administrator
Posts: 79521
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Use longer passwords instead of complicated ones?

Post by HansV »

That's perfect!
Best wishes,
Hans

JoeP
SilverLounger
Posts: 2142
Joined: 25 Jan 2010, 02:12

Re: Use longer passwords instead of complicated ones?

Post by JoeP »

Better yet, start migrating to using passkeys. See Passwordless authentication and Should you use passkeys instead of passwords.
Joe

StuartR
Administrator
Posts: 12819
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Use longer passwords instead of complicated ones?

Post by StuartR »

I use Roboform for most sites, but passkeys where they are available. Here is an example of a generated password following my Roboform rules.

-4@D4uKXE£$QyJUZR#%7tqBs^eeY
StuartR


BobH
UraniumLounger
Posts: 9564
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Use longer passwords instead of complicated ones?

Post by BobH »

Does Eileen's Lounge support passkeys?

Can password managers (like Roboform) store them and provide them appropriately for website credential checking?

I wish there were a standard for web page authors. Two things I'd like to see in that standard are 1) the date last updated, and 2) whether the site supports passkeys. Maybe you can suggest other standards.

If browsers were written (or modified) to look for the standards and display them in a consistent manner - and not display pages that are not compliant, perhaps web designers would be encouraged to adopt the standards.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

StuartR
Administrator
Posts: 12819
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Use longer passwords instead of complicated ones?

Post by StuartR »

Roboform can store passkeys.
Eileen's Lounge does not support passkeys.
StuartR


BobH
UraniumLounger
Posts: 9564
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Use longer passwords instead of complicated ones?

Post by BobH »

Thank you, Stuart.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs