Why is Gbt3fC79ZmMEFUFJ a weak password?












162















On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question







New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 79





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 1





    Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Jan 11 at 13:21






  • 1





    Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

    – yekanchi
    18 hours ago








  • 2





    Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

    – Alexander Kosubek
    6 hours ago


















162















On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question







New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 79





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 1





    Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Jan 11 at 13:21






  • 1





    Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

    – yekanchi
    18 hours ago








  • 2





    Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

    – Alexander Kosubek
    6 hours ago
















162












162








162


19






On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question







New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?







passwords






share|improve this question







New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Jan 10 at 16:39









EuRBamarthEuRBamarth

684226




684226




New contributor




EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






EuRBamarth is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 79





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 1





    Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Jan 11 at 13:21






  • 1





    Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

    – yekanchi
    18 hours ago








  • 2





    Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

    – Alexander Kosubek
    6 hours ago
















  • 79





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 1





    Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Jan 11 at 13:21






  • 1





    Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

    – yekanchi
    18 hours ago








  • 2





    Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

    – Alexander Kosubek
    6 hours ago










79




79





Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

– Daniel Alder
Jan 11 at 2:11





Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

– Daniel Alder
Jan 11 at 2:11




1




1





Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Jan 11 at 13:21





Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Jan 11 at 13:21




1




1





Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

– yekanchi
18 hours ago







Though as mentioned in the accepted answer it's for a published passwordbut it may have a meaning it some other language too, other languages got their alphabet mapped to the same keyboard, so someone can change the language of the OS and then type in the same keyboard witch will result in meaningless word in English, but it has meaning in the keyboard's second language

– yekanchi
18 hours ago






2




2





Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

– Alexander Kosubek
6 hours ago







Even without the correct answer by Sean Werkema, it becomes a bad choice for a password the instance someone publishes it as an example for a bad password. - Because: Published password...

– Alexander Kosubek
6 hours ago












8 Answers
8






active

oldest

votes


















305














I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



[Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






share|improve this answer










New contributor




Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1





    Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

    – Rory Alsop
    Jan 11 at 13:24





















39














As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






share|improve this answer



















  • 2





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

    – Rory Alsop
    Jan 11 at 13:25





















31














It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
This is most pronounced on a QWERTZ keyboard:



Characters of the password shown on a QWERTZ keyboard



Image based on KB Germany.svg from Wiki Commons.



Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






share|improve this answer





















  • 7





    Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

    – immibis
    2 days ago






  • 4





    Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

    – a CVn
    yesterday











  • Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

    – Daniel Wagner
    yesterday





















24














There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.



So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alpha-numberic with variable case, this is simply log2(62^16), or about 95.



The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






share|improve this answer
























  • Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

    – a CVn
    yesterday











  • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

    – Steve Sether
    8 hours ago













  • Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

    – Skuld
    4 hours ago



















17














The complete paragraph is:





  1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



GBT, 3f, C79, Zm, MEF, UFJ.



However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






share|improve this answer



















  • 2





    It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

    – Lichtbringer
    Jan 11 at 3:00






  • 12





    Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

    – Cœur
    Jan 11 at 5:45








  • 2





    Those strong password examples are no longer strong passwords.

    – Wildcard
    2 days ago



















12














This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 62^16 = ( 48 x 10^27 ) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 96^8 = (7 x 10^15 ). This is a massive difference.



The reason for this confusion is the example is oversimplifying the basic advice to use a Capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 96^16.






share|improve this answer

































    4














    Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




    "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




    If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






    share|improve this answer
























    • It didn't come up when I searched for it in haveibeenpwned.com's database.

      – browly
      2 days ago





















    1














    Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



    In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 62^16 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 72^16.



    Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






    share|improve this answer






















      protected by Rory Alsop 23 hours ago



      Thank you for your interest in this question.
      Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



      Would you like to answer one of these unanswered questions instead?














      8 Answers
      8






      active

      oldest

      votes








      8 Answers
      8






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      305














      I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



      TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



      So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



      [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






      share|improve this answer










      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 1





        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24


















      305














      I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



      TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



      So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



      [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






      share|improve this answer










      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 1





        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24
















      305












      305








      305







      I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



      TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



      So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



      [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






      share|improve this answer










      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



      TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



      So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



      [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]







      share|improve this answer










      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this answer



      share|improve this answer








      edited 2 days ago









      Tyzoid

      1628




      1628






      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      answered Jan 10 at 20:58









      Sean WerkemaSean Werkema

      1,116127




      1,116127




      New contributor




      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Sean Werkema is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      • 1





        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24
















      • 1





        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24










      1




      1





      Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

      – Rory Alsop
      Jan 11 at 13:24







      Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

      – Rory Alsop
      Jan 11 at 13:24















      39














      As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



      But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






      share|improve this answer



















      • 2





        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25


















      39














      As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



      But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






      share|improve this answer



















      • 2





        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25
















      39












      39








      39







      As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



      But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






      share|improve this answer













      As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



      But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Jan 10 at 16:45









      GlorfindelGlorfindel

      7631721




      7631721








      • 2





        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25
















      • 2





        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25










      2




      2





      Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

      – Rory Alsop
      Jan 11 at 13:25







      Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

      – Rory Alsop
      Jan 11 at 13:25













      31














      It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
      This is most pronounced on a QWERTZ keyboard:



      Characters of the password shown on a QWERTZ keyboard



      Image based on KB Germany.svg from Wiki Commons.



      Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
      You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



      I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






      share|improve this answer





















      • 7





        Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

        – immibis
        2 days ago






      • 4





        Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

        – a CVn
        yesterday











      • Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

        – Daniel Wagner
        yesterday


















      31














      It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
      This is most pronounced on a QWERTZ keyboard:



      Characters of the password shown on a QWERTZ keyboard



      Image based on KB Germany.svg from Wiki Commons.



      Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
      You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



      I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






      share|improve this answer





















      • 7





        Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

        – immibis
        2 days ago






      • 4





        Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

        – a CVn
        yesterday











      • Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

        – Daniel Wagner
        yesterday
















      31












      31








      31







      It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
      This is most pronounced on a QWERTZ keyboard:



      Characters of the password shown on a QWERTZ keyboard



      Image based on KB Germany.svg from Wiki Commons.



      Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
      You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



      I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






      share|improve this answer















      It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
      This is most pronounced on a QWERTZ keyboard:



      Characters of the password shown on a QWERTZ keyboard



      Image based on KB Germany.svg from Wiki Commons.



      Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
      You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



      I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 2 days ago









      Wrzlprmft

      10314




      10314










      answered Jan 10 at 20:30









      Jörg W MittagJörg W Mittag

      41947




      41947








      • 7





        Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

        – immibis
        2 days ago






      • 4





        Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

        – a CVn
        yesterday











      • Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

        – Daniel Wagner
        yesterday
















      • 7





        Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

        – immibis
        2 days ago






      • 4





        Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

        – a CVn
        yesterday











      • Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

        – Daniel Wagner
        yesterday










      7




      7





      Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

      – immibis
      2 days ago





      Any random password is going to contain clusters. You need some sort of statistical test to know whether the password contains unexpected amounts of clusters or not.

      – immibis
      2 days ago




      4




      4





      Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

      – a CVn
      yesterday





      Besides, clustering is only an issue if the attacker has reason to believe there is clustering, and where that clustering physically exists. If the characters of the password are truly chosen at random, and just happen to use characters that are physically close to each other on some particular keyboard layout, I don't see how that by itself could possibly help someone deduce the password.

      – a CVn
      yesterday













      Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

      – Daniel Wagner
      yesterday







      Even if you knew ahead of time that the generation process was "choose randomly from this cluster of keys (and include both upper and lower case versions of the letter keys)", there are still >2^72 passwords of this length, more than enough to be secure.

      – Daniel Wagner
      yesterday













      24














      There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.



      So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



      The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



      If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alpha-numberic with variable case, this is simply log2(62^16), or about 95.



      The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






      share|improve this answer
























      • Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        yesterday











      • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        8 hours ago













      • Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

        – Skuld
        4 hours ago
















      24














      There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.



      So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



      The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



      If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alpha-numberic with variable case, this is simply log2(62^16), or about 95.



      The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






      share|improve this answer
























      • Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        yesterday











      • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        8 hours ago













      • Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

        – Skuld
        4 hours ago














      24












      24








      24







      There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.



      So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



      The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



      If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alpha-numberic with variable case, this is simply log2(62^16), or about 95.



      The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






      share|improve this answer













      There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 62^16, or about 95 bits of entropy. This is massive, and can't be brute forced.



      So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



      The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



      If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbols^length). For an alpha-numberic with variable case, this is simply log2(62^16), or about 95.



      The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered 2 days ago









      Steve SetherSteve Sether

      16.5k53465




      16.5k53465













      • Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        yesterday











      • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        8 hours ago













      • Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

        – Skuld
        4 hours ago



















      • Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        yesterday











      • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        8 hours ago













      • Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

        – Skuld
        4 hours ago

















      Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

      – a CVn
      yesterday





      Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

      – a CVn
      yesterday













      Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

      – Steve Sether
      8 hours ago







      Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

      – Steve Sether
      8 hours ago















      Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

      – Skuld
      4 hours ago





      Funny enough I put Gbt3fC79ZmMEFUFJ into haveibeenpwned.com/Passwords and its never been in a breach, so in many cases it would have been a good password... until this conversation :D

      – Skuld
      4 hours ago











      17














      The complete paragraph is:





      1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




      So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



      GBT, 3f, C79, Zm, MEF, UFJ.



      However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



      In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






      share|improve this answer



















      • 2





        It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

        – Lichtbringer
        Jan 11 at 3:00






      • 12





        Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

        – Cœur
        Jan 11 at 5:45








      • 2





        Those strong password examples are no longer strong passwords.

        – Wildcard
        2 days ago
















      17














      The complete paragraph is:





      1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




      So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



      GBT, 3f, C79, Zm, MEF, UFJ.



      However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



      In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






      share|improve this answer



















      • 2





        It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

        – Lichtbringer
        Jan 11 at 3:00






      • 12





        Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

        – Cœur
        Jan 11 at 5:45








      • 2





        Those strong password examples are no longer strong passwords.

        – Wildcard
        2 days ago














      17












      17








      17







      The complete paragraph is:





      1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




      So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



      GBT, 3f, C79, Zm, MEF, UFJ.



      However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



      In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






      share|improve this answer













      The complete paragraph is:





      1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




      So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



      GBT, 3f, C79, Zm, MEF, UFJ.



      However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



      In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Jan 10 at 22:29









      reedreed

      2,3122520




      2,3122520








      • 2





        It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

        – Lichtbringer
        Jan 11 at 3:00






      • 12





        Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

        – Cœur
        Jan 11 at 5:45








      • 2





        Those strong password examples are no longer strong passwords.

        – Wildcard
        2 days ago














      • 2





        It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

        – Lichtbringer
        Jan 11 at 3:00






      • 12





        Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

        – Cœur
        Jan 11 at 5:45








      • 2





        Those strong password examples are no longer strong passwords.

        – Wildcard
        2 days ago








      2




      2





      It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

      – Lichtbringer
      Jan 11 at 3:00





      It would be still usefull advide that we could follow, if we interpret it as: "Don't use a normally strong password that you found somewhere on a website." But thats really not apparent or even indicated by the original.

      – Lichtbringer
      Jan 11 at 3:00




      12




      12





      Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

      – Cœur
      Jan 11 at 5:45







      Wikipedia has all 2-characters combinations and almost all 3-characters combinations, so your argument of using Wikipedia as a dictionary for an alphanumeric password seems weak.

      – Cœur
      Jan 11 at 5:45






      2




      2





      Those strong password examples are no longer strong passwords.

      – Wildcard
      2 days ago





      Those strong password examples are no longer strong passwords.

      – Wildcard
      2 days ago











      12














      This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



      So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 62^16 = ( 48 x 10^27 ) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 96^8 = (7 x 10^15 ). This is a massive difference.



      The reason for this confusion is the example is oversimplifying the basic advice to use a Capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 96^16.






      share|improve this answer






























        12














        This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



        So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 62^16 = ( 48 x 10^27 ) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 96^8 = (7 x 10^15 ). This is a massive difference.



        The reason for this confusion is the example is oversimplifying the basic advice to use a Capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 96^16.






        share|improve this answer




























          12












          12








          12







          This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



          So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 62^16 = ( 48 x 10^27 ) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 96^8 = (7 x 10^15 ). This is a massive difference.



          The reason for this confusion is the example is oversimplifying the basic advice to use a Capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 96^16.






          share|improve this answer















          This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



          So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 62^16 = ( 48 x 10^27 ) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 96^8 = (7 x 10^15 ). This is a massive difference.



          The reason for this confusion is the example is oversimplifying the basic advice to use a Capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 96^16.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 days ago

























          answered Jan 10 at 21:20









          bashCypherbashCypher

          885113




          885113























              4














              Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




              "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




              If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






              share|improve this answer
























              • It didn't come up when I searched for it in haveibeenpwned.com's database.

                – browly
                2 days ago


















              4














              Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




              "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




              If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






              share|improve this answer
























              • It didn't come up when I searched for it in haveibeenpwned.com's database.

                – browly
                2 days ago
















              4












              4








              4







              Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




              "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




              If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






              share|improve this answer













              Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




              "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




              If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 2 days ago









              MachavityMachavity

              2,331619




              2,331619













              • It didn't come up when I searched for it in haveibeenpwned.com's database.

                – browly
                2 days ago





















              • It didn't come up when I searched for it in haveibeenpwned.com's database.

                – browly
                2 days ago



















              It didn't come up when I searched for it in haveibeenpwned.com's database.

              – browly
              2 days ago







              It didn't come up when I searched for it in haveibeenpwned.com's database.

              – browly
              2 days ago













              1














              Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



              In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 62^16 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 72^16.



              Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






              share|improve this answer




























                1














                Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 62^16 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 72^16.



                Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






                share|improve this answer


























                  1












                  1








                  1







                  Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                  In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 62^16 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 72^16.



                  Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






                  share|improve this answer













                  Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                  In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 62^16 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 72^16.



                  Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 10 at 16:59









                  SteveSteve

                  12.1k22855




                  12.1k22855

















                      protected by Rory Alsop 23 hours ago



                      Thank you for your interest in this question.
                      Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                      Would you like to answer one of these unanswered questions instead?



                      Popular posts from this blog

                      Knooppunt Holsloot

                      Altaar (religie)

                      Gregoriusmis