Youâre not completely correct thereâŚand I spent the last 20 years of my working life in the computer security biz. Youâre not far wrong though in some respects.
YesâŚa lot of leaked passwords, standard phrases, speeches, quotations, common substitutions, and what have you are already in the hackers dictionary attack and rainbow attack tablesâŚbut at some point based solely on length of password those tables are too big to be feasible and the only method that will work at that point is brute force try every password until it works. Thatâs just the way things are.
Back when I retired in 2011âŚthe generally accepted in DoD length needed to force a brute force attack was 17 or 18 characters longâŚitâs surely longer today with faster GPUs and suchâŚI donât know what it would be today but probably 24 or 25 isnât a bad guessâŚespecially for a random Joe User account that isnât valuable or has a lot of money or is a celebrity or NSA spy or whatever.
When you force the bad guy into a brute force attackâŚhe has to input an entire guessâŚthe password isnât broken a character at a time like you see on TVâŚand either the entire guess is rightâŚor the entire guess is wrong.
SoâŚone pretty foolproof way is to choose 3 or 4 common wordsâŚand it doesnât matter that each word is in the dictionaryâŚunless the entire sequence of words with any uppercase, symbols, and numbers is in the dictionary/rainbow table as a single entryâŚit fails.
SoâŚEagle$$Apple$$Heron1234 is 23 characters long and a quick look at Steve Gibsonâs Haystack page says that a brute force attack against that password will take 9.88 billion trillion centuries at one hundred trillion guesses per second. Thatâs plenty long enough.
You can argue that a completely randomly generated 23 character password has more entropy and will be longer to crackâŚand you might be correct and you might not be correct. Even through Apple, Eagle, and Heron are in the dictionary attackâŚtheyâre useless as a guess since theyâre not the password.
And in any eventâŚeven if the completely random one is ever so slightly âbetterââŚwho cares. The ease with which that one can be remembered if itâs your master password and typed without error in the field of bullet characters makes the perhaps ever so slightly less good argument irrelevant.
You say users should not create passwords. I say that users should not create bad passwords and that choosing 3 random 5 letter words that arenât associated with you (no dogs names, kids names, etc) along with a symbol that you never tell anybody and then 4 digits (again nothing that directly associates with you)âŚis creating a good password. It might not be the best possible password of a given length depending on how you define the term bestâŚbut once you go over a few centuries to crack itâŚwell, it doesnât really matter at that point.
Iâve been using the several words schemeâŚand no, itâs not the exact number of words or pattern above, thatâs just an exampleâŚwith numbers and symbolsâŚand to my knowledge Iâve never used the same word twice since I always choose 3 randomly selected words that donât go togetherâŚfor instance Hawk, Duck, and Egret would never make the cut. An even if I did manage to pick one of those random words twice the other two that go along with it arenât the sameâŚso itâs not the same guess and Apple being in the dictionary doesnât matter a whit. Diceware is based on this very same schemeâŚalthough to my mind it doesnât go far enough since itâs only got a limited number of wordsâŚbut again, itâ[s probably got plenty of words given that youâve forced the cracker into a brute force scenario.
What youâre talking about with password complexity is entropyâŚand like in many, many other thingsâŚbetter is the enemy of good enough.