[dark_silicon]

Is there any sort of metaheuristic a good password cracker can follow for juggling between rounds of dictionary iteration, character substitution, brute force suffixing, etc?

In other words, how do you most effectively combine different strategies?

[dsfyu404ed]

Target someone. Wget their LinkedIn and their friend's LinkedIns. Wget the wikipedia pages for their hobbies and skills on said linkedIn pages.

Remove duplicate words and code.

Repeat with other sources of information (FB profiles, etc, etc).

Remove duplicate words.

Add it to your dictionary and then use that to see the generated dictionary.

Password cracking is always a compromise between speed and thoroughness.

[tempVariable]

This is very close.

I used to provide crypto coin wallet password recovery service. The first couple of days would be spent on building a knowledge database with the help of the wallet owner. Plugging that data into the algorithm, even if the password was random and long allowed me to usually get the correct password. Exploring the whole search space without pruning is a fools errand

[zeveb]

That's why I love passwords like PNe1KaC5gZGF5hlonE1k7g: they're just completely unguessable.

I don't have a guessable password on any remote account I have. A remote attacker simply cannot guess passwords; he'd have to use some other method, e.g. taking over my phone number or email account.

[yosito]

Depending on how those passwords are generated, they could be less than truly random and thus easier for an algorithm to guess.

[IncRnd]

Thanks a lot! Now I need to change my password at all sites I have a login...

[htrp]

how do you remember something like that across all of your accounts? (or do you just use lastpass)?

[lucb1e]

There are a few you need to remember, for example if you have a password manager then it would be worth memorizing one of those over the course of a few days. All the rest: use a password manager. I'd expect that not even the most brilliant 1% of this planet to have unique, 14-character random password for each account they own.

For special accounts, such as bank accounts, you could have a second password manager database with a unique password, if you are concerned that a password db which gets unlocked (almost) daily is not secure enough. Or remember unique password for those special accounts.

[zeveb]

I store them in a password store[0], encrypted to my GPG key. That store is itself a git repo, which is encrypted to the same key using git-remote-gcrypt and synced with a remote server.

Thus I can run something like:

    $ pass foobar.example
    jDHQxFTkPjLkvbLNRQe5Ad

Or:

    $ pass -c bazquux.example
    Copied bazquux.example to clipboard. Will clear in 45 seconds.

[0] https://www.passwordstore.org/

[pwg]

One does not try to "remember" those. One uses a password manager, it does the remembering, and you only have to remember the one long password that unlocks the manager.

[enzanki_ars]

There is a chicken and egg problem. How does one make a secure password manager password...? There still is the need for users to learn how to generate secure but memorizable passwords.

[pwg]

With one big exception. There is only one (not 30 or 50 or 100) to have to remember (the master one) and it is one that someone will have to enter repeatedly (until they decide to change it) so they will eventually have enough practice to actually remember it.

[ape4]

Oh no you guessed my password "brakecaliper"

[IncRnd]

Wow. My password is "caliperbrake." What a coincidence. I feel really safe about this, since I never tell people if the period or quotes are included in the actual password.

hehe - I actually change that per site for extra strong security. Site 1 = caliperbrake. Site 2 = "caliperbrake"

It's really been very reliable.