Contrarian password strategy

You should never even need to set a robust password, ever- not even a unique one.
As long as your password is not readily guessed within 1000 tries, it is secure.
Everything else is dependent on the security of the system you are using.

The correct security approach is to use on the fly and cached salting, hashing, sharding of identity, including your password, and engineered delay into password attempts and/or captcha so that nobody can ever easily create a hash table of possible passwords, nobody can ever dump hashes, and nobody can ever brute force your login.

This nonsense of “robust” passwords constituting 40+ character sequences of words or 12+ character sequences of expanded character maps is insane. it is security by obscurity, and it doesn’t make us more secure, it only creates the illusion of security. You should also never need to change your password.

Finally, we shouldnt have passwords at all. Rather, the use of secure login by card where your information is securely stored on the card and never leaves it, with per-site and per-portal unique salt exchange, should make it so that you never actually need to do anything but have physical possession of your card and a four digit pin. If the world could just move to that standard, we wouldn’t have this problem.

1 Like

Because sites don’t typically publish and audit how they manage password security, the best stance for users is a unique, strong, password-manager maintained password, as it overrides the necessity to create and memorize a password of that complexity and avoids truly weak security policies at sites. Billions of encrypted passwords have been exfiltrated.


That adds a lot of complexity. Just off the top of my head:

What sort of card is this? How is the information that it stores read? What happens if it is lost or stolen or breaks - what sort of backup is there for something like that? (If your wallet is stolen and the card is in your wallet, what method would you use to cancel credit cards, secure the logins on your account, etc.?) How can it be used on older technology that doesn’t support whatever card standard this is - will there be a way for people in developing countries to use this device on inexpensive devices?


The best stance for now is to use four passwords in total- one for banking/gov, one for trusted and a third for untrusted sites, and one more for an account with a service that wont ever be hacked that you use to reset the others- like a password manager. If your untrusted password is leaked it is not a real problem, if your trusted password gets hacked, reset it across all such services and if you can’t get into your password reset service because they were hacked or go out of business, you will still remember your most important password. Any approach based on trusting your password manager to manage security across many services is only useful for people managing API keys for service instance who need per instance credentials that are not shared.

1 Like

I guess I don’t see why this is better than having a unique password for every site, and making each of those passwords sufficiently complex to ensure a cracking attempt takes an impractically long time. Again, this is in the “for now” scenario; I’m not arguing the “should be” scenario, since I’m unqualified to do so.

With my strategy (by no means unique to me), I take matters into my own hands. If one site is compromised, there is no collateral damage, as my password for that site was the only place I used it. I certainly agree that passwords don’t need to be ridiculously complex. This calculator will help you gauge the effort needed to crack any proposed password. For example, the password “TidBITS+2022” would take 1.75 centuries for a “Massive Cracking Array Scenario” to break. Probably plenty strong.


This also gets back to Glenn’s point that we don’t know how competent the various sites are about security. If you use the same password everywhere, it’s only as secure as the site with the poorest security practices.


The only reason to use a few passwords is if you need to memorize them. You really only need to memorize one to three these days. I frankly picked a ridiculously long one that I feel confident using in multiple places in which the password is never entered on an Internet-connected browser, etc. 100% local.

Sure, but a similar logic is true of never changing a password on a specific site – you’re trusting that their security is and always has been effective.

I typed in what I would think is a “simple” test password
58.77 million centuries to “crack”

I think in my experience, compromised passwords have been the one’s contained
in a general website leak or hack

That whole password entropy thing is 98% nonsense in the real world. It applies only to a character by character brute force attack. Once upon a long time ago that was a thing, but for a long while now it’s primarily used by newbie amateurs with poor web search skilz.

Real password crackers use dictionary attacks, almost always offline, and in that dictionary are not only words plus phrases such as quotations (in all of the common languages), but every password that is known to have ever been used already.

More than that, they have many clever algorithms they can apply to account for the way humans think. Even if you make alterations to your very long quotation to make it ‘unique’, those are quite likely to be in the dictionary + algorithm too, because brains are anything but random. Character substitutions are fairly predictable–it’s known that if someone adds capitals it will be in a pattern e.g. second character of each word, or of alternate words, or… These things are well known because so many millions of passwords have already been exposed. Different people keep coming up with the same schemes and identical passwords.

People should not create passwords. If you find any scheme telling you how to create a password that says anything other than “have your password manager do it for you” it’s an ill-considered scheme. Password managers can create random passwords that are memorable enough for a minute or so (such as 6+ truly random words with a bit of decoration) in case you do have to type one in but it won’t fall into the ‘humans think like this’ trap. Good password managers will also automatically test that password at Have I Been Pwned to make sure that it isn’t one that’s known to have been used before.

Reuse is a different issue, but considering how poor the security is at many web sites, including high value sites, always assume the worst. Even if a site’s security is good enough today, if they don’t properly keep up (which costs real money), it won’t be good enough next year.


This is a site I found some time ago that is very informative visa ve password encryption strength. GRC's | Password Haystacks: How Well Hidden is Your Needle?  
You can enter your proposed password to see the compute time to break the code.

No, it’s just YA character by character brute force entropy calculator. I randomly put in brave new world and it claims at least a thousand centuries to break it. In a real dictionary cracking scenario it, and human-common variations, would be found in days at best. But since Have I Been Pwned: Pwned Passwords says it’s been used at least 3 times before in known breaches, that goes down to minutes.

It’s so easy these days to use a password manager with good password generators, and it’s so easy to use different passwords for every site that there’s absolutely no advantage, and many huge drawbacks, to doing anything else.

1 Like

haveibeenpwned site claims that whatafineday#2022 has not ever been pwned, um, but I would not recommend using it :upside_down_face:

westsidestory has been “seen” (only) 336 times. and has been found in data breaches

So to be fair, the “Haystack” approach outlined on the GRC site (which both I and @mrnoonan1 linked to earlier) starts with the disclaimer “After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search…”. The phrase “common passwords” in the GRC disclaimer might be more helpfully worded as “previously compromised passwords,” (as @gastropod pointed out in his post above). But the GRC folks are not saying that all cracking attempts are brute force attacks. The point of their article is that passwords should be sufficiently (but not needlessly) complex.

Given this, “whatafineday#2022” would in some ways be a pretty good password. It is not in a dictionary, it hasn’t been previously published as compromised, and it is sufficiently complex to render a brute force attack effectively moot. I doubt even the most sophisticated cracker natural language algorithm would come up with it. It might work for one of those few passwords you use in controlled circumstances where you want to be able to remember it (as @glennf pointed out in his post above). However, it is plausible that someone else might use it, and therefore it might be included in some future data breach. For any password that is stored anywhere outside of my control, I’d still use a combination of 10 random uppercase/lowercase/numeric/special characters, and let my password manager remember it.

Password-cracking techniques are much more sophisticated than you’re giving them credit for. I’d expect “whatafineday#2022" would be cracked in a matter of minutes. Back in 2013, Ars Technica published the following article, which was an eye-opener for me at the time.

GRC’s entropy calculation can be terribly misleading since it doesn’t recognize the significant reduction in entropy for certain combinations due to human tendencies.

1 Like

Great article, and point conceded: “whatafineday#2022” is a lousy password. :slight_smile:

I think one sentence in the article sums it up best: “readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, and numbers, and aren’t part of a pattern.”

You’re not completely correct there…and I spent the last 20 years of my working life in the computer security biz. You’re not far wrong though in some respects.

Yes…a lot of leaked passwords, standard phrases, speeches, quotations, common substitutions, and what have you are already in the hackers dictionary attack and rainbow attack tables…but at some point based solely on length of password those tables are too big to be feasible and the only method that will work at that point is brute force try every password until it works. That’s just the way things are.

Back when I retired in 2011…the generally accepted in DoD length needed to force a brute force attack was 17 or 18 characters long…it’s surely longer today with faster GPUs and such…I don’t know what it would be today but probably 24 or 25 isn’t a bad guess…especially for a random Joe User account that isn’t valuable or has a lot of money or is a celebrity or NSA spy or whatever.

When you force the bad guy into a brute force attack…he has to input an entire guess…the password isn’t broken a character at a time like you see on TV…and either the entire guess is right…or the entire guess is wrong.

So…one pretty foolproof way is to choose 3 or 4 common words…and it doesn’t matter that each word is in the dictionary…unless the entire sequence of words with any uppercase, symbols, and numbers is in the dictionary/rainbow table as a single entry…it fails.

So…Eagle$$Apple$$Heron1234 is 23 characters long and a quick look at Steve Gibson’s Haystack page says that a brute force attack against that password will take 9.88 billion trillion centuries at one hundred trillion guesses per second. That’s plenty long enough.

You can argue that a completely randomly generated 23 character password has more entropy and will be longer to crack…and you might be correct and you might not be correct. Even through Apple, Eagle, and Heron are in the dictionary attack…they’re useless as a guess since they’re not the password.

And in any event…even if the completely random one is ever so slightly ‘better’…who cares. The ease with which that one can be remembered if it’s your master password and typed without error in the field of bullet characters makes the perhaps ever so slightly less good argument irrelevant.

You say users should not create passwords. I say that users should not create bad passwords and that choosing 3 random 5 letter words that aren’t associated with you (no dogs names, kids names, etc) along with a symbol that you never tell anybody and then 4 digits (again nothing that directly associates with you)…is creating a good password. It might not be the best possible password of a given length depending on how you define the term best…but once you go over a few centuries to crack it…well, it doesn’t really matter at that point.

I’ve been using the several words scheme…and no, it’s not the exact number of words or pattern above, that’s just an example…with numbers and symbols…and to my knowledge I’ve never used the same word twice since I always choose 3 randomly selected words that don’t go together…for instance Hawk, Duck, and Egret would never make the cut. An even if I did manage to pick one of those random words twice the other two that go along with it aren’t the same…so it’s not the same guess and Apple being in the dictionary doesn’t matter a whit. Diceware is based on this very same scheme…although to my mind it doesn’t go far enough since it’s only got a limited number of words…but again, it’[s probably got plenty of words given that you’ve forced the cracker into a brute force scenario.

What you’re talking about with password complexity is entropy…and like in many, many other things…better is the enemy of good enough.


Correct…which is why the only…repeat the only…thing that matters is length. Make it long enough so that none of the leaked password tables or rainbow tables or dictionary attacks is a feasible alternative because the file size just gets so big and the access time so long that it falls apart…and for every successive character in length it gets exponentially harder. Something in the mid 20s is about the right length for any normal person.

Actually…What&a&Fine&Day2022 is only a couple characters longer and the likelihood that somebody has put those words together with the particular pattern…or perhaps & then && and then &&& instead is vanishingly small…which again forces them into brute force and then it’s solely based on length and search space depth.

No password is uncrackable eventually…you just need to make it random enough and long enough that it won’t happen anytime soon…with soon being a long time

1 Like

You’re right there…but only because bravenewworld isn’t long enough to force a brute force only attack…which is the whole point Steve is making with his page. Bravenewworldbravenewworld is probably long enough at 26 characters and I doubt that the cracker databases take into account the famous book title doubled like that…but in any event adding some upper case, numbers, and specials further compounds the difficulty.

He does recommend that just about any quotation or famous saying or book title or whatever not be used since those are in the tables. What it comes down to is you need it long enough to force brute force only attack…and simple enough to both remember if you need to and type in the blind without error…and as I said in the other reply while a completely random 1Password generated password might have more entropy and therefore be ‘better’…it might not and really…when we’re talking trillions of centuries whether it’s 1 or 1.5 of those is irrelevant.

Yes…that’s just another brute force calculator which he admits…and tells you to use long enough to force brute force only…which you’re conveniently ignoring.

1 Like

As you say, for cracking passwords, either the entire guess is right or the entire guess is wrong.

So then what I don’t understand is how or why it would matter if a password good enough (based solely on password length) to take centuries to crack included any words or numbers that could somehow/maybe/possibly be associated specifically with you? I know that’s standard advice, but unless it’s someone who already knows a lot about you and is simply making guesses at your password, how does it realistically factor in?

“words that aren’t associated with you (no dogs names, kids names, etc) along with a symbol that you never tell anybody and then 4 digits (again nothing that directly associates with you)”

Put another way, how would using the year you were born or the year you graduated from high school help an anonymous hacker more easily break your specific password if it was simply one within a million passwords stolen from a large company?

I realize I may be overlooking something obvious in my “how to crack passwords” ignorance, but I’d like to understand it better. And for the record, I do NOT use common words or relevant numbers in my passwords :slight_smile: