Who actually started the reign of mixed character passwords? because seriously it sucks to have an unnecessarily complex password! Like websites and apps requesting passwords to contain Upper/Lower case letter, numeric characters and symbols without considering the average user with low memory threshold (i.e; Me).

Let's push the complaint aside and return back to the actual reason a complex password is required.

Like we already know; Passwords are made complex so it can't be easily guessed by password crackers used by hackers and the primary reason behind adding symbols and numbers in a password is simply to create a stretch for possible outcome of guesses.

Now let's take a look into the logic behind a password cracker.

To hack a password,
1) The Password Cracker will usually lookup a dictionary of passwords (This point is very necessary for any possible outcome).
2) Attempts to login multiple times with list of passwords found (In most cases successful entries are found for passwords less than 8 chars).
3) If none was successful after the end of the dictionary, the cracker formulates each password on the dictionary to match popular standards of most website (i.e; First letter uppercase, a number at the end followed by a symbol. Thanks to those websites!)
4) If any password was successful, the cracker adds them to a new dictionary called a "pattern builder list" (This gives the cracker an upper edge on that specific platform because most websites forces a specific password pattern anyway)

In comparison:
>> Mygirlfriend98##
would be cracked faster compared to
>> iloveburberryihatepeanuts

Because the former is short and follows a popular pattern.

In reality, password crackers don't specifically care about Upper-Lowercase-Number-Symbol bullshit! They care more about the length of the password, the pattern of the password and formerly used entries (either from keyloggers or from previously hacked passwords).

So the need for requesting a humanly complex password is totally unnecessary because it's a bot that is being dealt with not another human.

My devrant password is a short story of *how I met first girlfriend* Goodluck to a password cracker!

  • 4
    I have 5 different "levels" of passwords based on the importance of the account, eg shit sites get a shitty password that's easy and fast to type, banking and shit gets the toughest mother fucking passwords you'd need a quantum computer to crack.

    Funny part is even my simplest passwords never actually got brute-forced BUT the websites got hacked or leaked or sold the info so they got into my accounts on a few other sites where i used the same shitty password - no harm done they were shit anyway...

    My point is even if you have the most complex password ever (like what your gf moaned the first time you pushed her mud upstairs?), if you use the same password everywhere you will eventually get fucked.
  • 2
    ...Best way to deal with this shit? a different COMPLEX password for each single account of any kind you have. Even better if you can use a different email address, like, buy a bunch of domains, set up catch-all accounts, forward all into a central mailbox and just use a different email/domain on every account. And if you're like me (92385927359279345 accounts everyfuckingwhere), good luck remembering all the emails and pwds dumbass.

    Also, MFA works and anyone who builds a web app without MFA should suck cocks in hell.

    And speaking of MFA, fuck devise: it took me less time to roll out my own solution including 100% coverage than it took to get devise to work with the most basic options.

    Also, FUCK those password management apps, none actually works all the way. It either doesn't work at all on a device, or doesn't sync, or doesn't work on some browser or just crashes or costs more than getting a testicle transplant.
  • 7
    I get pissed if I can't have at least a 40 character password. I don't know any of them. They all reside on encrypted, triple redundant stores. The only key I know is the 30 character master encryption key.
  • 5
    I use 20 character random passwords, and a different one for each website. How I remember them? I don't, I let the browser do this work.
  • 6
    It's not even about the password cracker. That's where we are making things complex for no reason.

    It's about math:
    If the character set is for example [a-c] (a,b,c)
    You can make this 4 letter password:

    To calculate all possibilities you do:
    size_of_character_set raised to length_of_password
    That is: 3^4 = 81
    If you add two new characters like "d" and "e" it will be: 5^4 = 625
    But if you increase the length by two instead it will be: 3^6 = 729

    See the difference? By increasing the length you get more password possibilities than by increasing the characters you have to choose from.

    TL;DR; ask users to make long passwords instead of complex ones. (minimum 8? Maybe 10? 🤔)

    (I wrote this on my phone sorry if there's errors)
  • 2
    @SortOfTested this - it annoys me to no end when a site or app login requires me to UsE a sTRoNg pAssWoRd, yet the max char length cannot exceed 18 and no 2FA options whatsoever ....like WTF?
  • 1
    A password resembling actual passwords I usually use:


    So long AND complex.
  • 0
    Imho just use very long passwords to inflate bit entropy. Even a standard/silly phrase with some mixed numbers/capitalized letters. Just avoid trivial substitution.

    E.g. ihadagreatdaybecausemycodecompiledreallYfasT
  • 0
    @molaram I'm using kee pass for storing and less pass for generaring passwords on two computers and smartphone. They work well.
Add Comment