Defense against attacks using dictionaries
Some forms of attacks on passwords use dictionaries. Is it safer to use nonsense passwords like YunSUanLin, Artibichoke, etc., which do not seem to pertain to any dictionary?
passwords brute-force dictionary
edited 34 mins ago
schroeder♦
asked 8 hours ago
Albert
3 Answers
Attackers often don't just use dictionaries, but also rules which permute the words in dictionaries.
For instance, a rule could be to substitute certain letters for numbers, which look the same. This would turn Password into P455w0rd.
A rule, which could apply in this case, would be to remove single letters from a word. That means just permuting the password by removing one letter or deliberately misspelling it will give you better chances, but it's not guaranteed.
To specifically answer your question: Yes, it is safer to use nonsense words than to use words in a dictionary.
However, it's not as safe as you can get. An offline password manager can generate truly random passwords for you, and will store them in an encrypted manner. This means that you never have to type in your password, except the master password to unlock the password manager.
To demonstrate this, ask yourself which password you consider safer: YunSuanLin0 or [D@,7##M]enMd*)j5fxG~KQ~?r<DdV^?
answered 7 hours ago
MechMK1
This is the best answer by far. The sophistication of modern password cracking (and the use of GPU compute) makes truly random passwords increasingly necessary. While it is not feasible to brute force 9+ character passwords offline, many of them are crackable with hybrid attacks. What we consider "complex" passwords pale in comparison to randomly-generated passwords. Since reuse is also very bad, that leaves password managers.
– DoubleD
1 hour ago
not just offline password managers can create random passwords ...
– schroeder♦
33 mins ago
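A server-side screening check in the spirit of this answer, added here as an example (it is not code from the answer or from any project): before comparing a candidate password against a dictionary it undoes the two mangling rules described above, look-alike digit/symbol substitution and a single removed letter, and also covers the mirror case of one added letter. The DICTIONARY, the UNLEET map and the candidate strings are constructed for the demonstration; a real deployment would load a large breached-password list.

```python
"""Registration-time password screening that normalizes common manglings
(constructed example; the wordlist is a stand-in for a real breach list)."""

# Constructed demo dictionary; real deployments use lists of millions of entries.
DICTIONARY = {"password", "artichoke", "monkey", "dragon", "letmein"}

# Reverse map for look-alike substitutions, so "P455w0rd" normalizes to "password".
UNLEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
          "5": "s", "$": "s", "7": "t", "+": "t"}

# Trailing digits/symbols are a very common suffix ("Dragon!", "monkey123").
SUFFIX_CHARS = "0123456789!@#$%^&*()_+-="


def normalize(candidate: str) -> str:
    """Lower-case, strip a trailing digit/symbol suffix, undo leet substitutions."""
    core = candidate.lower().rstrip(SUFFIX_CHARS)
    return "".join(UNLEET.get(ch, ch) for ch in core)


def single_deletions(word: str):
    """Yield every string obtainable by deleting exactly one character."""
    for i in range(len(word)):
        yield word[:i] + word[i + 1:]


def dictionary_distance(candidate: str):
    """Return (dictionary_word, rule) when the candidate is a dictionary word
    once substitutions are undone, is one letter short of one, or has one
    extra letter compared to one.  Return None when no rule applies, which
    is what the answer means by "not guaranteed": a word mangled more
    heavily than the rules cover slips through this check."""
    base = normalize(candidate)
    if base in DICTIONARY:
        return base, "leet/case/suffix"
    # The user removed one letter: deleting a letter from a dictionary word gives base.
    for word in DICTIONARY:
        if len(word) == len(base) + 1 and base in single_deletions(word):
            return word, "one letter removed"
    # The user added one letter: deleting a letter from base gives a dictionary word.
    for shorter in single_deletions(base):
        if shorter in DICTIONARY:
            return shorter, "one letter added"
    return None


def is_weak(candidate: str) -> bool:
    """True when the candidate is reachable from the dictionary by a covered rule."""
    return dictionary_distance(candidate) is not None


if __name__ == "__main__":
    # Constructed candidates: the last one is the asker's "Artibichoke", which
    # is two insertions away from "artichoke" and therefore passes this check.
    for pw in ("P455w0rd", "Passwod123!", "M0nkeyy", "Dragon!", "Artibichoke"):
        print(f"{pw:12} -> {dictionary_distance(pw)}")
```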
This might seem like a question that has an obvious answer, but is not that trivial.
Words that do not appear in dictionaries have more randomness ('entropy') and are thus harder to guess for computers.
But they're also harder to remember for humans. And that leads to password re-use. That's very bad.
If you do not use a password manager (and you should!), using a sentence of random dictionary words is usually safer than random non-words. Learn more about this here: What password should I use? (which has a very accurate and easy to understand visual explanation)
Learn more about password managers here.
answered 8 hours ago
Jenessa
As far as the dictionaries are concerned, they contain a list of the most commonly used passwords, and those can be nonsense phrases and words as well. For instance, x+word+123 or x+monkey are some of the most commonly used passwords, along with qwerty, that don't really make sense.
So, you can use nonsense passwords, but make sure that they are unpredictable and not so common. And if you are looking to add strength to your passwords, you can combine the initial 2 or 3 words of multiple phrases. Moreover, if you can add special characters to your password, you'd be much safer.
answered 1 hour ago
Michael Haephrati