Programming
security passwords
Updated Wed, 28 Sep 2022 07:45:05 GMT

Is repeating text in a password considered weak?
I saw an article on password strength from this site, which mentions that the strength of a password depends on A) the length of your password, and B) having every type of character (lowercase, uppercase, special character, number).

So I drafted a password test using the formula on their site. Now, according to the article, using a password like Eee!eeee!eeEE33 is good, and would take a very long time to brute force. I won't post the results. Suffice to say it's a very large number.

My question here is if repeating text matters if you make up for it with a longer string and use all character types. Does that seem realistic? Is there anything else I'm forgetting to keep in mind? Is something like aaaAAA!1aaaa really a good password?
Solution

Brute force is really a bad way to judge the strength of passwords. The way passwords are most commonly cracked is using a dictionary attack, along with some patterns. While it is still brute forcing the password, it isn't trying anything near the usual 62^n or so attempts your brute force calculation is based on.

Dictionary attacks have two main components:

  1. The dictionary. The size and quality of the dictionary are highly important. If your dictionary is 12 words long it is going to be phenomenally fast, but it probably won't be very effective. On the other hand, if you just save the 62^n -ish brute force attempts as a dictionary, you aren't going to do very well either. A good dictionary typically has a full dictionary of words (or at least the most common ones), common letter combinations (e.g. aa, aaa, aaaa), names, profanity, slang, etc. It covers all of the bases but is still going to be small relative to a brute force attempt.
  2. The pattern(s) to match. A dictionary attack often uses patterns in an attempt to get common passwords. For example, a very common pattern would be word digit digit where the pattern would attempt every word in the dictionary with 2 digits. This gives us 100 * number of words attempts, which isn't too bad, and this often gives very good results. Another common pattern is to capitalize the first and last 1 or 2 letters of the word, maybe combine it with this pattern. Using this method and a good dictionary, we can find most people's passwords.

Keep in mind this is just one method of password cracking, there are other methods and ways to do things, but this is straightforward and is probably the best method to illustrate the difficulty of having a good password.

So, for your original question: is aaaAAA!1aaaa a good password? I mean, now that you posted it here, probably not. But this would be a pretty good password in terms of brute force and dictionary attacks. You may even want to alter some of the letters, for example aaaAAE!1aaeaa would be a bit stronger of a password, and still plenty memorable.
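The answer's point, as an added example (not code from the question or the answer): the naive 62^n keyspace the asker's calculator assumes versus the much smaller "word digit digit" keyspace, plus a policy-style check that flags a password built that way. The word list, the 9-case-variant count (first 0/1/2 letters times last 0/1/2 letters capitalised) and the helper names are constructed assumptions.

```python
import re

# Constructed toy dictionary: a real cracking dictionary holds far more words,
# plus letter runs such as "aa"/"aaa"/"aaaa", names, slang and profanity.
DICTIONARY = {"password", "dragon", "summer", "welcome", "letmein",
              "aa", "aaa", "aaaa"}

# Capitalising the first 0, 1 or 2 letters and the last 0, 1 or 2 letters
# gives 3 * 3 = 9 case variants per word (assumed reading of the answer).
CASE_VARIANTS = 9


def brute_force_guesses(length, alphabet=62):
    """Naive keyspace the question's calculator assumes: alphabet^length."""
    return alphabet ** length


def pattern_guesses(words, digit_count=2, case_variants=1):
    """'word digit digit' keyspace: every word, every digit suffix, every
    case variant. With the defaults this is the answer's 100 * words."""
    return words * (10 ** digit_count) * case_variants


def guess_ratio(length, words, case_variants=CASE_VARIANTS):
    """How many times larger the naive brute-force estimate is than the
    pattern attack's guess count for the same dictionary size."""
    return brute_force_guesses(length) // pattern_guesses(words, 2, case_variants)


def strip_word_digits(pw):
    """Undo the mutations the answer lists: lowercase the word (covers any
    first/last-letter capitalisation) and drop up to two trailing digits."""
    return re.sub(r"\d{1,2}$", "", pw.lower())


def matches_word_digits_pattern(pw, dictionary=DICTIONARY):
    """True if the password is a dictionary word with case changes and/or
    up to two digits appended, i.e. it falls inside the pattern keyspace."""
    return strip_word_digits(pw) in dictionary


def assess(pw, dictionary=DICTIONARY):
    """Findings a password-policy check could report for this pattern."""
    findings = []
    if matches_word_digits_pattern(pw, dictionary):
        findings.append("dictionary word + up to two digits")
    return findings
```

With a 10,000-word list, `guess_ratio(8, 10000)` shows the 62^8 estimate overstating the work of the pattern attack by about 24 million times; `assess("Summer12")` is flagged while `assess("aaaAAA!1aaaa")` is not.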
