Security of a non-random password that relies on information an attacker cannot possibly know

I am trying to figure out whether a non-random password that relies on information an attacker cannot possibly know can be secure.

To give an example, let’s say that I generate my password by putting together the surnames of the first 5 people that I ever fancied. Let’s also assume that there is nobody in the world who knows those names apart from me. I can think of reasons for why this password can be considered both insecure and secure, and I am unable to determine which one is correct.

Reasons it might be insecure:

  1. The password entropy associated with this method for generating the password is 0. It is completely deterministic.
  2. All discussions I found on password security center around entropy, so this should be considered a weak password based on its entropy of 0.

Reasons it might be secure:

  1. The information required for generating a password using this method cannot be known by a potential attacker.
  2. The best an attacker can do is somehow figure out my method. Even then, the “word list” of all possible surnames would contain thousands of words, so perhaps the entropy should not be considered as 0 in practice?
  3. While it sounds like security by obscurity, I believe that it might not be, because this is a case where an attacker cannot possibly get to know the surnames.
  4. And all of this is assuming that the attacker can somehow figure out my method of generating the password, which they have no way of figuring out.

I went through lots of great questions on here regarding password entropy:

  1. XKCD #936: Short complex password, or long dictionary passphrase?
  2. Is “the oft-cited XKCD scheme […] no longer good advice”?
  3. Why are passwords generated by a password generator a complicated mix of letters and numbers instead of a long phrase?
  4. Should passwords be truly random?
  5. What does “random” mean in the context of password creation?
  6. Confused about (password) entropy
  7. Why use entropy at all in considering password strength?
  8. How secure is Snowden’s MargaretThatcheris110%SEXY password?

However, I am still unable to find the answer.

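The question above turns on what "entropy" measures. It is not a property of the password string but of the attacker's uncertainty, so the same five-surname password has a different effective strength depending on what the attacker knows. The following Python model is an added example and is not part of the original question or any answer; it assumes a constructed Zipf-shaped surname frequency table (real census tables are flatter) and that the five picks are independent. It computes the strength under three attacker states: brute force over the character set (method unknown), uniform guessing over a surname list (method known), and frequency-ordered guessing (method and surname statistics known), using Shannon entropy for the average case and min-entropy for the most likely password.

```python
"""Toy model of attacker knowledge vs. effective password strength.

Assumptions (for illustration only, not from the original question):
  * surname frequencies follow a Zipf law with exponent s;
  * the k surnames are chosen independently of each other;
  * the attacker can test `guesses_per_second` candidates offline.
"""
import math


def zipf_probabilities(n, s=1.0):
    """Constructed frequency table: the rank-i surname has weight i**-s.
    s=0 gives a uniform list; s=1 is a heavily skewed one."""
    weights = [i ** -s for i in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def shannon_entropy(probs):
    """Average bits of uncertainty per pick: -sum p*log2(p)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy(probs):
    """Bits of protection for the single most likely pick: -log2(max p).
    This is the figure that matters against an attacker who tries the most
    common values first, which is how real cracking tools order guesses."""
    return -math.log2(max(probs))


def surname_password_bits(n, k, s=1.0):
    """Strength in bits of a password made of k surnames from a list of n,
    for an attacker who knows the method (uniform vs. frequency-aware)."""
    probs = zipf_probabilities(n, s)
    return {
        "uniform_bound": k * math.log2(n),       # attacker ignores frequencies
        "shannon": k * shannon_entropy(probs),   # average-case, frequency-aware
        "min_entropy": k * min_entropy(probs),   # worst case: the likeliest password
    }


def random_password_bits(length, alphabet_size=95):
    """Reference point: a uniformly random password over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def brute_force_bits(length, alphabet_size=95):
    """What the same surname password costs an attacker who does NOT know
    the method and must brute-force it as an arbitrary string of that length."""
    return length * math.log2(alphabet_size)


def seconds_to_half_space(bits, guesses_per_second):
    """Expected time to reach a 50% success chance: 2**(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Constructed scenario: 5 surnames out of 10 000, e.g. "SmithJonesTaylorBrownLee"
    n, k, s = 10_000, 5, 1.0
    rate = 1e10  # assumed offline guessing rate for a fast unsalted hash
    model_known = surname_password_bits(n, k, s)
    method_unknown = brute_force_bits(24)  # 24-character lowercase-ish string
    for label, bits in [
        ("method unknown, brute force", method_unknown),
        ("method known, uniform surnames", model_known["uniform_bound"]),
        ("method known, Shannon (average)", model_known["shannon"]),
        ("method known, min-entropy (worst)", model_known["min_entropy"]),
        ("12-char random, 95-symbol set", random_password_bits(12)),
    ]:
        years = seconds_to_half_space(bits, rate) / (365 * 86400)
        print(f"{label:36s} {bits:6.1f} bits  ~{years:.3g} years")
```

The point the numbers make: the same string goes from hopeless to brute-force (method unknown) to roughly 66 bits (method known, surnames treated as uniform) to far less once the attacker orders guesses by surname frequency, and the min-entropy figure is the one a defender should plan against. Whether "nobody could know the method" holds is exactly the assumption the question cannot verify, which is why entropy-based advice assumes the method is public.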

Passwords under seven characters can be easily cracked

Any password under seven characters can be cracked within a matter of hours, according to Hive Systems. The time it takes to crack passwords increases: due to the widespread use of stronger password hashing algorithms to protect data, the time it takes …

Most people still rely on memory or pen and paper for password management

Bitwarden surveyed 2,400 individuals from the US, UK, Australia, France, Germany, and Japan to investigate current user password practices. The survey shows that 25% of respondents globally reuse passwords across 11-20+ accounts, and 36% admit to using…

What is multi-factor authentication (MFA), and why is it important?

Setting up MFA can seem daunting for consumers just beginning to clean up their security postures. In this Help Net Security video, Larry Kinkaid, Manager, Cybersecurity Consulting at BARR Advisory, shares tips for consumers who need simple, accessible…

Understanding next-level cyber threats

In this Help Net Security video, Trevor Hilligoss, VP of SpyCloud Labs, discusses the 2024 SpyCloud Identity Exposure Report, an annual report examining the latest trends in cybercrime and its impact. Researchers recaptured nearly 1.38 billion password…