password strength – WindowsTechs.com

Security of a non-random password but that relies on information an attacker cannot possibly know

Posted on April 30, 2024 by hb20007

I am trying to figure out whether a non-random password that relies on information an attacker cannot possibly know can be secure.

To give an example, let’s say that I generate my password by putting together the surnames of the first 5 people that I ever fancied. Let’s also assume that there is nobody in the world who knows those names apart from me. I can think of reasons for why this password can be considered both insecure and secure, and I am unable to determine which one is correct.

Reasons it might be insecure:

The password entropy associated with this method for generating the password is 0. It is completely deterministic.
All discussions I found on password security center around entropy, so this should be considered a weak password based on its entropy of 0.

Reasons it might be secure:

The information required for generating a password using this method cannot be known by a potential attacker.
The best an attacker can do is somehow figure out my method. Even then, the “word list” of all possible surnames would contain thousands of words, so perhaps the entropy should not be considered as 0 in practice?
While it sounds like security by obscurity, I believe that it might not be, because this is a case where an attacker cannot possibly get to know the surnames.
And all of this is assuming that the attacker can somehow figure out my method of generating the password, which they have no way of figuring it.

I went through lots of great questions on here regarding password entropy:

However, I am still unable to find the answer.

Continue reading Security of a non-random password but that relies on information an attacker cannot possibly know→

Patterns in passwords

Posted on February 1, 2023 by anon

I am posting to ask about two conflicting password recommendations. I know only bits and pieces about cryptography. Let me begin by checking a basic assumption: in a cracking attempt, a string is hashed and compared to the target, so tha… Continue reading Patterns in passwords→

Impact of quantum computers on password security [closed]

Posted on January 25, 2023 by Roger A. Grimes

I wrote an article on the impacts of sufficiently capable quantum computers on password strength and attacks.
The basic premise is that Grover’s algorithm halves the protective strength of password hashes and passwords, plus any additional… Continue reading Impact of quantum computers on password security [closed]→

Can 777-characters long passphrase be considered too short?

Posted on December 18, 2022 by trejder

Is Rumkin.com’s password tool a reliable tool for password strength checking?
I am asking because:

I am getting confusing suggestions:

(the password in this example is 777 characters long)

D. W.’s comment to Jeff Atwood’s answer claims … Continue reading Can 777-characters long passphrase be considered too short?→

Hello ‘123456,’ my old friend, I’ve come to talk with you again

Posted on December 20, 2019 by Lisa Vaas

Once again, it reins supreme as the #1 smelliest old fish of a password on the list of ones that most frequently turn up in data breaches. Continue reading Hello ‘123456,’ my old friend, I’ve come to talk with you again→

Strong WooCommerce passwords – enforcing policies without deterring customers

Posted on December 12, 2019 by Robert Abela

Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber… Continue reading Strong WooCommerce passwords – enforcing policies without deterring customers→

Worst passwords list is out, but this time we’re not scolding users

Posted on December 17, 2018 by Lisa Vaas

This is on you, makers of sites and services that allow users to create passwords like “password.” You can do better! Continue reading Worst passwords list is out, but this time we’re not scolding users→

The smarter the student, the stronger the password – study

Posted on May 11, 2018 by Filip Truta

A consulting director at Asia Pacific College (APC) in the Philippines decided to match student GPAs against the strength of their passwords. The findings suggest there is some degree of correlation between smarts and good password hygiene. JV Roig, wh… Continue reading The smarter the student, the stronger the password – study→

Why you STILL can’t trust password strength meters

Posted on August 17, 2016 by Mark Stockley

18 months on from our original test and password strength meters are still terrible. Continue reading Why you STILL can’t trust password strength meters→

Can you spot a strong password?

Posted on June 7, 2016 by Bill Camarda

Security sophisticates tend to be rather cynical about “typical users”. However, this viewpoint may not be entirely justified. Continue reading Can you spot a strong password?→