by lelandbatey 4465 days ago
To follow up, I will say that my favorite way to create a password is to use sayings from two or more of your favorite books or other sources.

So, if you like Harry Potter and Enders Game, what are the phrases that come to mind?

    Harry Potter - expelliarmus
    Enders Game - win all the future fights
Now you have a great password: "winallthefuturefightsexpelliarmus". Nice and long (33 chars), with some made-up stuff. Maybe tack some numbers on the end.
3 comments

Modern password crackers are pulling all of Wikipedia and YouTube for seed words. If your words are in either of those, don't expect the password to stand up to a dedicated attacker.
There are 1160290625000000000000000 combinations of 5 words with a dictionary of 65000 words. That's not brute-forceable. If you take existing phrases it's another story, but random words works well.
Being a little loose with my estimates and a bit of Fermi math, that's only about 300 years of computing time on a small home-built GPU cluster.

That basically tells me that 4 random words are definitely crackable and 5 are theoretically possible (and definitely doable with 5-10 years of Moore's law).

lg(65k^4) is very nearly 64. If you worry about 4 random words being brute forced, you should worry about 64 bit symmetric keys being brute forced. I don't know where the current recommendations come down on that.
Not sure what your calculation is, but permutations is what you should have calculated.
His calculation was (65000 Choose 5) * 5!. His premise required a combination then a permutation.
If you're picking with structure (including "phrases that spring to mind"), agreed. If you genuinely include enough entropy, then it doesn't much matter what mnemonics you layer on top.
winallthefuturefightsexpelliarmus

Why not "Win all the future fights expelliarmus"? Passwords that don't accept spaces are pretty rare, and you end up with a longer password 'for free'.

> Passwords that don't accept spaces are pretty rare

Oh, how I wish that were the case. Twitter is one such example which doesn't allow spaces (last time I checked, anyway).

More modern guessing methods might try that one.