PASSWORDS USING 3 RANDOM WORDS

arclight

There is frequent advice appearing that the strongest passwords are simply comprised of three random words. If that is true it is very handy, but many organisations will not accept such passwords and require a mix of letters, numbers, characters etc. ............ bloody Neanderthals.

There have always been lazy people who unfailingly use the word "password".
I would not be surprised if some people now use the three word locator generated by WHAT3WORDS .............. :eek:
 
Yet another "clever idea" that will end in tears..

Think about it: an average person, according to this report: https://www.economist.com/johnson/2013/05/29/lexical-facts knows 20,000–35,000 words, so a dictionary of three word phrases will cover most options with 100,000 entries. That's pretty trivial for a password cracker.

I think that I'll stick with my own system, which I will not explain to anyone. :naughty:

[Image: Using a computer on the train.JPG]
 
I always use Safari's built in password generator which goes something like jufdUv-bezse2-ftrnj
pretty hard to suss those types out
 
Been using the same password for years now, I vary it on different platforms, sometimes using caps, sometimes omitting certain numbers [my pword is just letters and numbers] and not been hacked yet. On sites where they want more security, as in a non letter/number inc. I simply add '!' to the end of my usual.

Try hack me, I've nothing to lose either way ;)
 
That probably explains why my router uses 3 random words as the password
 
I worked in a place (very briefly), where I would be dealing with very large amounts of money on a daily basis. The system in use demanded a password change every 30 days (absolute madness IMHO), so they had a book with the latest passwords written down and left it next to the main PC :oops: :$ On my first day there, they tried to get into the PC (which I was now in charge of) to no avail, then tried to accuse me of logging in and changing the password, bearing in mind I didn't even know what their system was at that time.
It was complete and utter chaos, something which I cannot stand.
As Cagey75 said, have a password which is random, then change certain characters.
 
20,000–35,000 words, so a dictionary of three word phrases will cover most options with 100,000 entries.


Can't help thinking that there are rather more than 100,000 options available with a 20,000 word choice. My maths is rather rusty but something tells me that it's 20,000 x 20,000 x 20,000 options.
 
I have used Lastpass for a few years now. Can't fault it. The only password I now have to know is the access one to my Lastpass account and that is both complex and lengthy. Every other password is an auto generated one by Lastpass which meets the criteria of the requester.

Would it be a target for hackers? Probably but I'll give them my trust to store passwords securely and see if it is repaid.
 
Car Registration plates can be useful as part of a password, doesn't have to be a current car or even one you own!
Yeah they are great, I don't have to remember them, I just look out the window.
However if my neighbours change their cars that me screwed :D
 
I attended a lecture by the technical director of Sophos who demonstrated breaking a password live. I now use KeePass which will generate passwords randomly and store them encrypted. Given I need passwords for every forum, trader, service etc. I have many hundreds and could not possibly remember them. I just have to remember two passwords only: the PW for my PC and the PW for KeePass.

Dave
 
Car Registration plates can be useful as part of a password, doesn't have to be a current car or even one you own!

I used to use footballers names and their shirt numbers. Then, shirt number and name when I needed to update it... Trouble is, there was a lot of short names and single digit numbers, so I had to think about making them 8 characters....
 
Car Registration plates can be useful as part of a password, doesn't have to be a current car or even one you own!


Used to use one of my bikes' reg as the upper case and number requirement for a marque/model specific forum with a few extra lower case letters to make it the 8 characters required length.
 
Always a relevant XKCD

[Image: password_strength.png]


BTW this advice is so old that some security systems refuse to accept a password of correct-horse-battery-staple

Also - the latest advice on passwords from Microsoft may surprise a lot of people:
  1. 8 characters minimum - longer is not always better
  2. Don't change them
  3. Don't require character patterns
 
Can you explain how you get to only needing a list of 100,000 entries please?
I was being simplistic.

Putting it more clearly, let's say the words are unitary and can only take the positions 1, 2 and 3. If the words are represented by A, B and C, then you can get the following possible strings: ABC, ACB, BAC, BCA, CAB, CBA. If there are twenty thousand words in the dictionary you need to test for 120,000 combinations.

Of course, if you mix up the spelling of the words, allow capitalisation and so on, then the possible combinations increase rapidly. The important point is that if your login system permits unlimited failure attempts from unknown locations, then it's easy for a black hat to get through. The simplest security system is to block any account where more than, say, three consecutive login attempts fail.

The other thing is that where consecutive blocking is enforced, even simple passwords can be quite effective. However, "password" is always a bad password. :naughty:
 
Putting it more clearly, let's say the words are unitary and can only take the positions 1, 2 and 3. If the words are represented by A, B and C, then you can get the following possible strings: ABC, ACB, BAC, BCA, CAB, CBA.


What about AAA, AAB etc.?
 
What about AAA, AAB etc.?
That would change things but the original discussion was about three distinct words.
 
No. Read the thread title and the original post.
 
No. Read the thread title and the original post.
Normal use of the English language implies three different words to me.
 
I worked for a local authority, some desks had the password on a Post It label stuck to the side of the monitor!
 
I was being simplistic.

Putting it more clearly, let's say the words are unitary and can only take the positions 1, 2 and 3. If the words are represented by A, B and C, then you can get the following possible strings: ABC, ACB, BAC, BCA, CAB, CBA. If there are twenty thousand words in the dictionary you need to test for 120,000 combinations.

Of course, if you mix up the spelling of the words, allow capitalisation and so on, then the possible combinations increase rapidly. The important point is that if your login system permits unlimited failure attempts from unknown locations, then it's easy for a black hat to get through. The simplest security system is to block any account where more than, say, three consecutive login attempts fail.

The other thing is that where consecutive blocking is enforced, even simple passwords can be quite effective. However, "password" is always a bad password. :naughty:
I think you are being too simplistic

For a combination without repetition (ie the 3 words can be any order but not repeated), 20,000 words can be combined using the following formula

20,000! / (3! * 19,997!) = 1.3e12 ie over a trillion

There are online calculators to make it easy to work out combinations using the function nCr where n=number of words and r=number of combinations; just Google combination calculator
 
I think you are being too simplistic
I'll stick with my current theory if only on the basis that good security relies on using the worst case assumptions.
 
I'll stick with my current theory if only on the basis that good security relies on using the worst case assumptions.
I thought you said that using three words would only provide 120,000 combinations which would easily be cracked.

3 random words from a dictionary of 20,000 would actually have over a trillion combinations, so I doubt that a password cracker would be the weak link
 
Forgive my ignorance, but how does a password cracker work?
 
3 random words from a dictionary of 20,000 would actually have over a trillion combinations,
It really doesn't matter.

If the attacker can make multiple attempts on a password, your system is vulnerable. The key point is that any system protected by a password must prevent multiple attempts. The password is only one part of a successful protection strategy.
 
Forgive my ignorance, but how does a password cracker work?
In crude terms, the attacker has a file of known or possible passwords. They then start a program which reads the file and attempts to log in to the target using the first string in the list. If the attempt fails, the cracker moves on to the next line of the file.

Typically, the cracker will attempt to fool the target by using multiple slave machines, thus disguising the fact that only one machine is doing the work.

This is why good security practice is to lock an account if multiple attempts to log in fail.
 
So my bank account on line is a username and password, then a selection of 3 letters from my 15 letter word, then a text with a 6 digit code.

If I mess up logging in, I’m suspended for 15 minutes.

That sounds pretty good to me?
 
It really doesn't matter.

If the attacker can make multiple attempts on a password, your system is vulnerable. The key point is that any system protected by a password must prevent multiple attempts. The password is only one part of a successful protection strategy.


Nothing can prevent it but delaying the inevitable is possible.

FWIW, what3words uses triplicated words.
 
So my bank account on line is a username and password, then a selection of 3 letters from my 15 letter word, then a text with a 6 digit code.

If I mess up logging in, I’m suspended for 15 minutes.

That sounds pretty good to me?
That's kind of annoying, as I don't always know where my phone is, I know it's in the house somewhere, but I have to go find it :D
But I understand why they do it, but you are screwed if you truly lose your phone.
 
That's kind of annoying, as I don't always know where my phone is, I know it's in the house somewhere, but I have to go find it :D
But I understand why they do it, but you are screwed if you truly lose your phone.
Hmmm, yes. I’ll have to check what I need to do to use my back up mobile number (wife’s phone).
 
Hmmm, yes. I’ll have to check what I need to do to use my back up mobile number (wife’s phone).
I'm not actually sure you can add a second, well not my bank anyway, I guess it would be a matter of phoning them up, jumping through hoops and then changing the number?
 
One of the reasons I don't do internet banking is my inability to remember passwords. Not a problem with forum and similar ones - they don't really give much to any hacker, so they get written down. I also keep my phone on a lanyard, usually round my neck or in 2 or 3 places round the house so I can always find it if I need to accept an SMS sent code.
 
Do you remember what you had for breakfast Nod :oops: :$
 
Only because I have the same thing every morning!

Things from 20 years ago are no problem but shortish term memory was screwed completely by a brain tumour 10 years ago (well, the surgery was 10 years ago, the tumour was rather older!)
 
I'll stick with my current theory if only on the basis that good security relies on using the worst case assumptions.
I wonder how many more orders of magnitude wrong you need to be before admitting an error...
I think the difference between 100,000 and 27,000,000,000,000 is enough that you may need to reconsider your initial position!

I think you are being too simplistic
I think you are being far too polite - it is not simplistic, but wrong by many orders of magnitude!
PS, isn't it an nPr rather than nCr?
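The thread argues over three numbers (120,000; nCr of about 1.3 trillion; 20,000 x 20,000 x 20,000) and over whether the password or the lockout policy is what matters. The script below is an added example, not something any poster wrote: it computes all three counts for the combinatorial cases the thread names (distinct words with order ignored, distinct words with order kept, and repetition allowed as with what3words), converts them to bits of entropy, and then contrasts the time to exhaust the space for an offline attack against a stolen hash versus an online attack throttled by the kind of three-strikes-per-15-minutes lockout the banking post describes. The dictionary size of 20,000 and the guess rates are assumptions chosen to match the thread, not measured figures.

```python
import math

# Assumption: dictionary size used throughout the thread.
DICTIONARY_WORDS = 20_000


def combos_unordered_distinct(n: int, r: int = 3) -> int:
    """nCr: r distinct words, order ignored (the 'over a trillion' figure)."""
    return math.comb(n, r)


def combos_ordered_distinct(n: int, r: int = 3) -> int:
    """nPr: r distinct words where order matters (the 'isn't it nPr?' point)."""
    return math.perm(n, r)


def combos_with_repetition(n: int, r: int = 3) -> int:
    """n**r: any word may repeat, as what3words allows (the 20,000^3 figure)."""
    return n ** r


def entropy_bits(space_size: int) -> float:
    """Bits of entropy for a uniformly chosen value from a space of this size."""
    return math.log2(space_size)


def online_guess_rate(attempts_before_lock: int, lock_seconds: int) -> float:
    """Sustained guesses/second an attacker gets against an account that is
    locked for lock_seconds after attempts_before_lock failures."""
    return attempts_before_lock / lock_seconds


def seconds_to_exhaust(space_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half this."""
    return space_size / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    n = DICTIONARY_WORDS
    spaces = {
        "3 distinct words, order ignored (nCr)": combos_unordered_distinct(n),
        "3 distinct words, order kept (nPr)": combos_ordered_distinct(n),
        "3 words, repetition allowed (n^3)": combos_with_repetition(n),
    }
    # Assumed attack rates: an offline hash-cracking rig is treated as
    # 10 billion guesses/second (illustrative), while the bank-style lockout
    # from the thread permits 3 failures per 15 minutes.
    offline_rate = 10 ** 10
    online_rate = online_guess_rate(3, 15 * 60)

    for label, size in spaces.items():
        print(f"{label}: {size:,} candidates, {entropy_bits(size):.1f} bits")
        print(f"  offline @ 1e10/s : {human_duration(seconds_to_exhaust(size, offline_rate))}")
        print(f"  online, locked   : {human_duration(seconds_to_exhaust(size, online_rate))}")
```

The point the numbers make is the one both sides of the thread were circling: the three-word space is about 43 bits, which an offline attacker with a leaked hash database can exhaust in minutes, while the same space behind a lockout policy takes geological time to search online. Passphrase length and a throttled login endpoint address different attackers, and a defender needs both.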
 