ㅤ

[Symmetrick]

ㅤ

[1714101155]

1714101155

[1714101155]

1714101155

[Pmalek]

This is a good reminder that a strong password doesn't have to be simple to avoid being brute force and cracked. Use complex passwords with different sets of numbers, symbols, uppercase and lowercase letters.

More precisely, it can't be simple because it's instantly hackable judging by the information provided in the table. A password made up of only numbers can be instantly hacked even if it has 11 characters. The same rules apply to anything with lowercase letters of 8 characters or less.

I can't comment on the accuracy of the provided information and whether or not it's that easy. But there surely has to be a difference between using dictionary words and using random characters. 'accident' is easier to crack than 'gltrozxu' even though both examples are passwords with only lowercase numbers. I doubt the second example can be instantly bruteforced. I also think you would be safer with non-English words than English words in a password, if you absolutely have to use them.

I think that the timeframes are a bit too optimistic here.

[ANSEL_2.0]

I can relate, I'm running three email accounts on my phone and days back someone tried to log into my email account and the only thing stopping them is different location the hacker tried to log in from and my recovery email account, once location is different Gmail will sent a code to your recovery gmail account, I use words for that Gmail account I guess that's why they get my password easily.

[pooya87]

There is a flaw to numbers like this which is they don't mention what encryption algorithm they belong to.

Take BIP38 for example, which is an encryption scheme used for bitcoin private keys. Brute forcing it is extremely slow and even a password with 4 or 5 letters (no number, no symbol) would take hours to crack whereas the picture here suggests "instantly".
In fact someone ran an experiment a couple of years ago and the one with 6 random characters was not cracked in 2 years and finally the owner moved the funds.

On the other hand a simpler/faster encryption algorithm could take far less time to brute force. Or worse,  algorithms that are not designed for security like the "passphrase" used in BIP39 to extend the seed phrase.

In any case, I'm not trying to say "use small passwords" but the point is that you should also try to take a look at what algorithm you are using. I'd say a 10-char long BIP38 encryption password is a pretty strong one since you'd need a tremendous amount of computing power to break it.

[mk4]

*snip*

Yep! This graphic sure definitely over-simplified things to the point that we could probably somewhat call it inaccurate, but I guess what's important is that they dumbed it down enough and got the point across for most newbies to easily grasp. Short passwords = bad, long passwords with complexity = good.

[ABCbits]

--snip--

In any case, I'm not trying to say "use small passwords" but the point is that you should also try to take a look at what algorithm you are using. I'd say a 10-char long BIP38 encryption password is a pretty strong one since you'd need a tremendous amount of computing power to break it.

While i agree with flaws of the chart, how many people know the name of used algorithm (let alone how secure is it)? Using longer password by default is safer option, especially for website which need to consider available CPU resource.

[aoluain]

^
Its a nice visual chart though and highlights the necessity to have a complex
password structure.

But also remember the simple truths:

• Do not use words or a set of numbers as passwords
• Do not use automatic password generators, it is better to come up with a complex password yourself, it may be easier to remember it.
• Do not use a universal password to enter all sites (exchanges, wallets, etc.)
• Do not store your passwords in the cloud and on Internet sites
• Do not store your passwords in a text document on your computer desktop

I really hope in this day and age that people know and/or are conscious of
those points above. I hope people have really gotten away from "password" and "qwerty1"
passwords

[PrivacyG]

• Do not use a universal password to enter all sites (exchanges, wallets, etc.)

This is such an undervalued step towards account security.  There is no point in having a strong password that is impossible to brute force if you use the same password on multiple accounts.  Only one of your accounts has to be leaked for all of your 'impossible to brute force' accounts to be compromised.

I think it is safe to say that there should be an universal basic rule of password creation: at least 12 characters containing upper and lower case alphabet + numbers and symbols.  Mine are typically at least 15 characters long, with many of my sensitive accounts having over 20.  Since all my passwords are randomly generated and almost impossible to remember anyway, the only annoying part is having to type a long password out.

'accident' is easier to crack than 'gltrozxu' even though both examples are passwords with only lowercase numbers. I doubt the second example can be instantly bruteforced.

I have always wondered, if this is the case then how about '4accident9@!' versus '4gltrozxu9@!'? Is it still easier to crack the former just because of the brute force English words list?

-
Regards,
PrivacyG

[mk4]

I really hope in this day and age that people know and/or are conscious of
those points above. I hope people have really gotten away from "password" and "qwerty1"
passwords

Fortunately most(if not all) decent sites/platforms now require capital letters, numbers and special characters, and have a minimum number of characters. And along with that, 2FA as well.

[qwertyup23]

This is definitely an interesting post- it puts you into a perspective on how easy it is for hackers to crack complex passwords below 11 characters, even if you mix it with uppercase, lowercase, or special characters. As years progress, more and more technology is being developed for hackers to improve in cracking down passwords. Better to create something that can be future proof at least!

• Do not use a universal password to enter all sites (exchanges, wallets, etc.)

I am somehow guilty with this. Since I forget easily my passwords, I use something that is universal where I just put some random characters and numbers, but the essence of the password is the same.

[PrivacyG]

As years progress, more and more technology is being developed for hackers to improve in cracking down passwords. Better to create something that can be future proof at least!

Future proof is such a relative term.  Quantum computing could become a mainstream thing for what's worth and if such computers can be used for brute forcing, then the chart posted by Ratimov is going to be useless.  For now, the best future proof you can get is avoid having your passwords weakened by better hardware components.  And that probably means using a combination of minimum 15-17 random characters containing upper and lower case letters, symbols and numbers.

-
Regards,
PrivacyG

[tranthidung]

Complex password is good but a more important thing is back up your password. Weak, strong or complex password, you always must back it up and store back up safely, secretly and available to use in case you need it.

If you are bad at password brute-force, you will lose your crypto if you lose (forget, broken backup or whatever reasons)

• [GUIDE] How to Create a Strong/Secure Password
• Some password managers to use
  
  • Keepass: https://keepass.info/
  • Keepass (for Android): https://play.google.com/store/apps/details?hl=en&id=com.android.keepass
  • Password safe: https://pwsafe.org/

[pakhitheboss]

• Do not use words or a set of numbers as passwords
• Do not use automatic password generators, it is better to come up with a complex password yourself, it may be easier to remember it.
• Do not use a universal password to enter all sites (exchanges, wallets, etc.)
• Do not store your passwords in the cloud and on Internet sites
• Do not store your passwords in a text document on your computer desktop

Technically passwords are not human friendly. The more complex password you create the more chance is that you will forget. To create a strong password you need to have numbers, uppercase letters, lowercase letters and special characters in that password.

Do you think it is possible to remember those passwords? Complex passwords cannot be remembered. Therefore you need to have a simple password that can be supported by 2FA.

If anyone still wants a complex password then do keep a written document and always keep it somewhere safe otherwise you will never remember it.

Saving a password on the internet is always safe if you know how to securely use the cloud or the internet.

[Rich222]

over some years, as complexity is required and addition of password increased, humans have found it difficult to remember there password but makes  it  easier for  computer to generates password. it doesn't mean that complexity rules should be everted, but reconsider what makes it's ( password) complex and also consider it's usefulness.

[pooya87]

Yep! This graphic sure definitely over-simplified things to the point that we could probably somewhat call it inaccurate, but I guess what's important is that they dumbed it down enough and got the point across for most newbies to easily grasp. Short passwords = bad, long passwords with complexity = good.

Yeah, I just wanted to point some little details out which is good to have in mind when thinking about security. Otherwise from an average Joe's perspective the table is informative.

While i agree with flaws of the chart, how many people know the name of used algorithm (let alone how secure is it)? Using longer password by default is safer option, especially for website which need to consider available CPU resource.

Good point, and I agree that you can never go wrong with a longer password (as long as you can).
I suppose it is the author of such charts responsibility to define the lengths based on the algorithm. I believe these stats are meant for website login passwords which is not for encryption and brute forcing involves computing some key derivation function like PBKDF2 which is super fast by design.

[The Cryptovator]

Great explanation and chart. Most account hacking happens due to the use of typical passwords. This means we usually remember a few passwords which have been used on multiple sites. So in case of leak or hack data from a site, hackers gain access to other account's passwords. This is a very bad habit of humans. Also, remembering different passwords for each account is quite complicated, but we should write all the passwords on hard paper and secure them in a safe place. Otherwise, it's hard to maintain all the passwords.

[Eureka_07]

I'm glad most of my passwords could take 400+ trillion years to decipher

<snip>
Do you think it is possible to remember those passwords? Complex passwords cannot be remembered. Therefore you need to have a simple password that can be supported by 2FA.
<snip>
Saving a password on the internet is always safe if you know how to securely use the cloud or the internet.

Yep it is possible to remember those complex passwords. People have ways on how they can memorize the combination of anything, even that combination of numbers, characters, symbols, etc.
I do not agree on saving password on the internet, even in cloud, it is unsafe. If someone was able to breach its location, he could use the password on sites, apps that exists, it might costs you loss of data and money.

[Markinzo]

• Do not use words or a set of numbers as passwords
• Do not use automatic password generators, it is better to come up with a complex password yourself, it may be easier to remember it.
• Do not use a universal password to enter all sites (exchanges, wallets, etc.)
• Do not store your passwords in the cloud and on Internet sites
• Do not store your passwords in a text document on your computer desktop

[/quote]

I strongly disagree with the second statement which says complex password may be easier to remember, cause just as the word "complex" implies, it's obvious that such a password with different characters can be that easy to remember especially one has many other differwnt passwords to other operations.

I remember creating a strong lenthy password of different characters for myself all in the name of strong security, only to end up looking myself out just because I forgot where a certain character comes before the other. KInda funny but it thought me a lesson, that I had to start moderating my passwords.

[dkbit98]

Having strong password is very important, but it's best not to use same password multiple times on different websites, and you would be surprised how many people are doing that.
I would not try to remember many complex passwords, except maybe one master passwords and all other passwords should be saved in KeePass or some other open source password manager.
I think that passphrases are easier to remember and they can be very strong, considering that random is not always truly random when you are generating password.

[jerry0]

Can someone explain why it takes seconds to brute force say a 7 digit number?  So someone password is say 8090050.  You telling me it would go through each number and then find a match?  Or it would not only find the match but then log in?