Why is Gbt3fC79ZmMEFUFJ a weak password?












275















On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question


















  • 215





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 3





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

    – Rory Alsop
    Jan 11 at 13:21













  • // , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

    – Nathan Basanese
    Jan 18 at 18:14






  • 2





    Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

    – flindeberg
    Jan 19 at 12:51






  • 1





    Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

    – Caius Jard
    2 days ago


















275















On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question


















  • 215





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 3





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

    – Rory Alsop
    Jan 11 at 13:21













  • // , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

    – Nathan Basanese
    Jan 18 at 18:14






  • 2





    Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

    – flindeberg
    Jan 19 at 12:51






  • 1





    Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

    – Caius Jard
    2 days ago
















275












275








275


40






On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?










share|improve this question














On https://passwordsgenerator.net/, it says




Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword




The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the second one.



Indeed, the only problem I see with it at the moment is that it doesn't have any special symbols. Is that enough for a password to be considered weak?







passwords






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 10 at 16:39









EuRBamarthEuRBamarth

1,252236




1,252236








  • 215





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 3





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

    – Rory Alsop
    Jan 11 at 13:21













  • // , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

    – Nathan Basanese
    Jan 18 at 18:14






  • 2





    Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

    – flindeberg
    Jan 19 at 12:51






  • 1





    Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

    – Caius Jard
    2 days ago
















  • 215





    Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

    – Daniel Alder
    Jan 11 at 2:11






  • 3





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

    – Rory Alsop
    Jan 11 at 13:21













  • // , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

    – Nathan Basanese
    Jan 18 at 18:14






  • 2





    Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

    – flindeberg
    Jan 19 at 12:51






  • 1





    Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

    – Caius Jard
    2 days ago










215




215





Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

– Daniel Alder
Jan 11 at 2:11





Just a little warning to everyone (after reading the good answers below): Don't google your just-generated random password to find out if it is already in use. Thechnically, there might be a collision. But the higher risk is that the search term is saved in some form which makes it a dictionary word immediately (same for other search engines). For the same reason you should avoid domain lookups as soon you had a good idea for a new name - especially not on unknown pages...

– Daniel Alder
Jan 11 at 2:11




3




3





Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

– Rory Alsop
Jan 11 at 13:21







Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted

– Rory Alsop
Jan 11 at 13:21















// , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

– Nathan Basanese
Jan 18 at 18:14





// , @DanielAlder, I've been burned by the domain lookup example. I didn't know it applied to Passwords! I would make that a separate StackExchange post, because it is valuable information.

– Nathan Basanese
Jan 18 at 18:14




2




2





Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

– flindeberg
Jan 19 at 12:51





Perhaps add the full paragraph? I.e. include the introductionary "5. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ." it becomes obvious that tbe topic is dictionary words (and not anything else, like entropy, length, application specific etc).

– flindeberg
Jan 19 at 12:51




1




1





Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

– Caius Jard
2 days ago







Side note, if you're thinking of using this site - Any password generated on a system outside your control is potentially a weak password. Use a local password manager of known repute (i.e. doesn't transmit the passwords you generate to an online repository)

– Caius Jard
2 days ago












9 Answers
9






active

oldest

votes


















488














I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



[Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






share|improve this answer





















  • 2





    Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

    – Rory Alsop
    Jan 11 at 13:24





















71














As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






share|improve this answer



















  • 4





    Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

    – Rory Alsop
    Jan 11 at 13:25





















66














There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 6216, or about 95 bits of entropy. This is massive, and can't be brute forced.



So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbolslength). For an alpha-numberic with variable case, this is simply log2(6216), or about 95.



The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






share|improve this answer





















  • 7





    Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

    – a CVn
    Jan 13 at 6:11











  • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

    – Steve Sether
    Jan 14 at 4:56













  • If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

    – craq
    Jan 15 at 18:00











  • Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

    – CR Drost
    Jan 16 at 21:32













  • I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

    – only_pro
    Jan 18 at 20:59



















46














It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
This is most pronounced on a QWERTZ keyboard:



Characters of the password shown on a QWERTZ keyboard



Image based on KB Germany.svg from Wiki Commons.



Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






share|improve this answer





















  • 5





    I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

    – Steve Sether
    Jan 18 at 19:23



















37














The complete paragraph is:





  1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



GBT, 3f, C79, Zm, MEF, UFJ.



However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






share|improve this answer



















  • 1





    As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

    – TheHansinator
    Jan 20 at 2:19



















20














This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 6216 = (48 × 1027) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 968 = (7 × 1015). This is a massive difference.



The reason for this confusion is the example is oversimplifying the basic advice to use a capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 9616.






share|improve this answer

































    13














    While Gbt3fC79ZmMEFUFJ is certainly a poor choice of password now, seeing that your question has generated a lot of activity on Stack Exchange and has thus widely published the password, I don't think there is any discernible reason we can pin down for why it would be bad in the first place, because, quite frankly, the website that you have cited is terrible.



    The source that you're drawing from appears to be a loosely organized list of security tips of low to middling quality. Some of the tips are good (e.g. use 2-step authentication whenever possible, lock your computer and mobile phone when you leave them), but some of them have been questioned by security experts (e.g. change your passwords every 10 weeks, use at least one uppercase/lowercase/number/symbol) and quite a few seem downright paranoid (e.g. tip 22, which states that if you have a WiFi router in your home, nearby attackers can detect what passwords you're typing in because of changes in the WiFi signal from moving your hands, and that using an on-screen keyboard with random layouts will mitigate this).



    And while it is probably not an issue that most of the tips are poorly proofread (with many spelling errors and punctuation inconsistencies), it is an issue that absolutely none of the tips are cited, and that the whole website is anonymous. There are no quotes from security experts, no articles that we can read up on for further information or discussion. And the website contains absolutely no author information - nowhere on the website, or even in the website's Whois registration, is there any way to contact the author or even know who they are.



    This essentially means that we have little to no way of determining how good of a tip "Gbt3fC79ZmMEFUFJ is a weak password" is, or what it even means. We certainly have no way to contact the author of this website and ask them ourselves, and I actually doubt that it would even be useful to do so. I think that we are best off ignoring this suggestion, taking way only the fact that Gbt3fC79ZmMEFUFJ should not be used because we talked about it at such length.



    TL;DR: Passwordsgenerator.net is bad - just ignore it.





    As an addendum, you may be interested in some other things I found when I was inspecting the website itself, to get better context on what it was and perhaps find more information on it. What I found wasn't very pleasant:




    • The website provides an option (default checked, but still) to not generate the password on the server. I did look at the source code and the network traffic view in the Dev Tools window, and it does, in fact, honor this request, but there's no way to tell that it actually does that without reading it.

    • The generator users Math.random()! Math.random() is a cryptographically insecure random number generator, making the generated passwords surprisingly predictable and actually far fewer in number than you'd be led to believe - for instance, if your implementation of Math.random() has only 32 bits of state, then regardless of what settings you use, only 4 billion unique passwords can be generated, which means that any number of characters beyond 7 or so is meaningless. A true random password generator should instead use the window.crypto.getRandomValues() call instead, which sources every single bit of the password from a true entropy source somewhere in the computer.

    • The password generator is also placed on the page strangely - the code for the generator itself is minimized, but the code for configuring it is not. It almost appears as if the website author copied the minimized password module from another source, such as another website.

    • The website also tries to use Google Ads for some odd reason. It doesn't actually invoke them - it just has a signature at the bottom for adding the Google Ads ID to the window object - but any presence of actual ads will also potentially compromise any data entered into the page, even if the page is served over HTTPS.






    share|improve this answer

































      7














      Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




      "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




      If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






      share|improve this answer



















      • 3





        But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

        – NH.
        Jan 15 at 22:13



















      0














      Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



      In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 6216 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 7216.



      Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






      share|improve this answer
























        protected by Rory Alsop Jan 13 at 13:38



        Thank you for your interest in this question.
        Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



        Would you like to answer one of these unanswered questions instead?














        9 Answers
        9






        active

        oldest

        votes








        9 Answers
        9






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        488














        I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



        TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



        So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



        [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






        share|improve this answer





















        • 2





          Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

          – Rory Alsop
          Jan 11 at 13:24


















        488














        I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



        TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



        So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



        [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






        share|improve this answer





















        • 2





          Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

          – Rory Alsop
          Jan 11 at 13:24
















        488












        488








        488







        I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



        TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



        So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



        [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]






        share|improve this answer















        I was curious about the same thing, so I put Gbt3fC79ZmMEFUFJ into Google, and lo! and behold it found something that wasn't just a paraphrase of "Don't use this password" advice — the password itself was embedded in example source code that showed how you could send a password to a server! (link to page, and screenshot below)



        TcHmi.Server.UserManagement.addUser('newUser', 'Gbt3fC79ZmMEFUFJ' function(data) {})



        So I think the real goal of that advice is not that Gbt3fC79ZmMEFUFJ is a mysteriously weak password because of the keyboard layout or because of low entropy or because it doesn't include symbols or Unicode or emoji or whatever: It's simply to remind you that you should never use a password that's been published somewhere, especially one published as an "example" password!



        [Update: This is intentionally a screenshot and not simply a code snippet; the content of the code is far less important than seeing how it appeared verbatim on somebody's website!]







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 11 at 16:18









        Tyzoid

        1628




        1628










        answered Jan 10 at 20:58









        Sean WerkemaSean Werkema

        2,566239




        2,566239








        • 2





          Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

          – Rory Alsop
          Jan 11 at 13:24
















        • 2





          Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

          – Rory Alsop
          Jan 11 at 13:24










        2




        2





        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24







        Comments are not for extended discussion; this conversation has been moved to chat. You can continue your conversations there, but further comments here will be deleted.

        – Rory Alsop
        Jan 11 at 13:24















        71














        As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



        But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






        share|improve this answer



















        • 4





          Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

          – Rory Alsop
          Jan 11 at 13:25


















        71














        As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



        But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






        share|improve this answer



















        • 4





          Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

          – Rory Alsop
          Jan 11 at 13:25
















        71












        71








        71







        As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



        But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.






        share|improve this answer













        As you noticed, it doesn't have any symbols, which makes it weaker than a password of similar length which does, but there's no other 'obvious' defect with this password. A password does not have to use symbols to be strong, as long as it's long enough (obligatory XKCD link).



        But, now that this password appears in plain text on a website (dedicated to passwords), it's likely that some attackers will include it in their dictionary. After all, there might be users less proficient in English, or audacious types, who still use this password since it looks random and reasonably long. In this way, saying "Gbt3fC79ZmMEFUFJ is a weak password" is some kind of self-fulfilling prophecy.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 10 at 16:45









        GlorfindelGlorfindel

        1,0991721




        1,0991721








        • 4





          Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

          – Rory Alsop
          Jan 11 at 13:25
















        • 4





          Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

          – Rory Alsop
          Jan 11 at 13:25










        4




        4





        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25







        Comments are not for extended discussion; this conversation has been moved to chat. Further comments will be deleted.

        – Rory Alsop
        Jan 11 at 13:25













        66














        There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 6216, or about 95 bits of entropy. This is massive, and can't be brute forced.



        So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



        The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



        If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbolslength). For an alpha-numberic with variable case, this is simply log2(6216), or about 95.



        The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






        share|improve this answer





















        • 7





          Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

          – a CVn
          Jan 13 at 6:11











        • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

          – Steve Sether
          Jan 14 at 4:56













        • If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

          – craq
          Jan 15 at 18:00











        • Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

          – CR Drost
          Jan 16 at 21:32













        • I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

          – only_pro
          Jan 18 at 20:59
















        66














        There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 6216, or about 95 bits of entropy. This is massive, and can't be brute forced.



        So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



        The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



        If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbolslength). For an alpha-numberic with variable case, this is simply log2(6216), or about 95.



        The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






        share|improve this answer





















        • 7





          Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

          – a CVn
          Jan 13 at 6:11











        • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

          – Steve Sether
          Jan 14 at 4:56













        • If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

          – craq
          Jan 15 at 18:00











        • Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

          – CR Drost
          Jan 16 at 21:32













        • I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

          – only_pro
          Jan 18 at 20:59














        66












        66








        66







        There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 6216, or about 95 bits of entropy. This is massive, and can't be brute forced.



        So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



        The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



        If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbolslength). For an alpha-numberic with variable case, this is simply log2(6216), or about 95.



        The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.






        share|improve this answer















        There is nothing wrong with this password, other than it being published somewhere on the internet. The password is 16 characters of varying upper case, lower case, and numbers. This equates to a search space of 6216, or about 95 bits of entropy. This is massive, and can't be brute forced.



        So why did the author of this website consider it a bad password? Being published on the internet is unlikely to be the reason. A list of "good passwords" is also included, which are obviously also published on the internet, making them immediately "bad passwords" using this line of thinking.



        The most likely scenario is the author doesn't understand password entropy, and thinks that passwords MUST contain special characters. This is simply false. Entropy is a function of the number of possible symbols, AND length.



        If generated at random, the entropy (in bits) can be calculated by log2(number-of-symbolslength). For an alpha-numberic with variable case, this is simply log2(6216), or about 95.



        The rub is of course most passwords are NOT generated at random, so this simple formula isn't often useful.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 2 days ago









        forest

        34.4k16113118




        34.4k16113118










        answered Jan 11 at 18:27









        Steve SetherSteve Sether

        17k53565




        17k53565








        • 7





          Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

          – a CVn
          Jan 13 at 6:11











        • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

          – Steve Sether
          Jan 14 at 4:56













        • If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

          – craq
          Jan 15 at 18:00











        • Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

          – CR Drost
          Jan 16 at 21:32













        • I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

          – only_pro
          Jan 18 at 20:59














        • 7





          Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

          – a CVn
          Jan 13 at 6:11











        • Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

          – Steve Sether
          Jan 14 at 4:56













        • If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

          – craq
          Jan 15 at 18:00











        • Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

          – CR Drost
          Jan 16 at 21:32













        • I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

          – only_pro
          Jan 18 at 20:59








        7




        7





        Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        Jan 13 at 6:11





        Addendum: If your calculator doesn't have a dedicated log2(), you can get the same result by doing log(x^y)/log(2), where log() is log10.

        – a CVn
        Jan 13 at 6:11













        Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        Jan 14 at 4:56







        Thanks! I remembered learning in a math class many years ago that converting from one log to another was possible, but for life of me I couldn't remember how.

        – Steve Sether
        Jan 14 at 4:56















        If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

        – craq
        Jan 15 at 18:00





        If it doesn't appear on haveibeenpwned, isn't that more likely to mean that nobody's used it, rather than giving any indication of password quality? Lots of people with good passwords have been pwned because of security breaches on the server side.

        – craq
        Jan 15 at 18:00













        Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

        – CR Drost
        Jan 16 at 21:32







        Also note that if you go high enough your calculator might not support x^y so you may have to use another identity of logarithms and do y * log(x)/log(2). For a double-precision float with base 62 you would find that 62^171 is calculable but 62^172 is Infinity, so that's probably well within the bounds needed by this question/answer, but if your calculator happens to do single-precision floats then 62^21 would be calculable but 62^22 would be Infinity, which is still within the bounds of reasonable expectation for passwords maybe.

        – CR Drost
        Jan 16 at 21:32















        I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

        – only_pro
        Jan 18 at 20:59





        I think this is a much better answer than the accepted answer. The accepted answer doesn't really make any sense at all—if the reason the password is weak isn't explained in the book, it's just silly to assume being published is the reason the author intended.

        – only_pro
        Jan 18 at 20:59











        46














        It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
        This is most pronounced on a QWERTZ keyboard:



        Characters of the password shown on a QWERTZ keyboard



        Image based on KB Germany.svg from Wiki Commons.



        Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
        You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



        I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






        share|improve this answer





















        • 5





          I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

          – Steve Sether
          Jan 18 at 19:23
















        46














        It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
        This is most pronounced on a QWERTZ keyboard:



        Characters of the password shown on a QWERTZ keyboard



        Image based on KB Germany.svg from Wiki Commons.



        Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
        You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



        I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






        share|improve this answer





















        • 5





          I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

          – Steve Sether
          Jan 18 at 19:23














        46












        46








        46







        It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
        This is most pronounced on a QWERTZ keyboard:



        Characters of the password shown on a QWERTZ keyboard



        Image based on KB Germany.svg from Wiki Commons.



        Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
        You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



        I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.






        share|improve this answer















        It looks like the password is made up of runs of randomly typed characters on a QWERTZ/QWERTY/AZERTY keyboard that are highly clustered together.
        This is most pronounced on a QWERTZ keyboard:



        Characters of the password shown on a QWERTZ keyboard



        Image based on KB Germany.svg from Wiki Commons.



        Here, the coloured keys are those of the password with the hue indicating its position in the password (going from blue to green).
        You see that the characters cluster together, and this is even more pronounced for characters of similar hue (i.e. characters that are are close to each other in the password). In addition to that, the clusters seem to clump near the home position on the keyboard.



        I must admit that I am not knowledgeable enough about password cracking software / password databases to say definitively whether or not such clusters are taken into account, but it is at least something that I noticed myself when I try to type random characters on the keyboard that they don’t actually come out very random in the end. And if I have noticed that, probably some author of some password database has, too.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 12 at 10:52









        Wrzlprmft

        10314




        10314










        answered Jan 10 at 20:30









        Jörg W MittagJörg W Mittag

        58547




        58547








        • 5





          I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

          – Steve Sether
          Jan 18 at 19:23














        • 5





          I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

          – Steve Sether
          Jan 18 at 19:23








        5




        5





        I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

        – Steve Sether
        Jan 18 at 19:23





        I don't know if this is really clustered, or just a coincidence. Let's assume it is. If you only use your clustered pattern, which I count at 37 possible symbols, you're still going to get about 83 bits of entropy, or about 10^25. That's still a massive search space, and likely far exceeds the entropy of 99.9+% of peoples passwords. If you could somehow guess passwords at a trillion possibilities/second, it'd still take 300,000 years to search all possibilities.

        – Steve Sether
        Jan 18 at 19:23











        37














        The complete paragraph is:





        1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




        So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



        GBT, 3f, C79, Zm, MEF, UFJ.



        However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



        In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






        share|improve this answer



















        • 1





          As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

          – TheHansinator
          Jan 20 at 2:19
















        37














        The complete paragraph is:





        1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




        So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



        GBT, 3f, C79, Zm, MEF, UFJ.



        However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



        In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






        share|improve this answer



















        • 1





          As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

          – TheHansinator
          Jan 20 at 2:19














        37












        37








        37







        The complete paragraph is:





        1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




        So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



        GBT, 3f, C79, Zm, MEF, UFJ.



        However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



        In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.






        share|improve this answer













        The complete paragraph is:





        1. Do not use any dictionary word in your passwords. Examples of strong passwords: ePYHc~dS*)8$+V-' , qzRtC{6rXN3NRgL , zbfUMZPE6`FC%)sZ. Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword.




        So it looks like it should be an example of a bad password because it uses "dictionary words". At first sight, I cannot recognize any words there. However, I tried to look up its parts on Wikipedia (English), and it looks like there are articles for all of its parts.



        GBT, 3f, C79, Zm, MEF, UFJ.



        However, this would be pretty far-fetched. It would be like saying that, considering Wikipedia as your dictionary for words, a six-word passphrase would be insecure. No way! A six-word passphrase with random entries from Wikipedia would be very secure.Of course you can say that that password is now insecure because it's written on the internet, but that would have been true of every other possible example then, even for the examples of strong passwords. I also tried looking it up on haveibeenpwned, and the result was: "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned". Another explanation, which is probably the real reason why that example was given, is that the password can be found online in some code if you Google it (see here), as was pointed out in another answer. So by "dictionary password", the authors maybe meant "any password that has ever been written somewhere, including the internet". However this is yet again nonsensical advice: how are you supposed to follow that advice? Should you start looking up your password in lots of places (including Google, maybe even leaving traces in history), just to be sure it doesn't already appear anywhere? That doesn't sound like a great thing to do.



        In conclusion: it's a bad example and it's been given in the wrong context. People are going to see that and interpret it like "oh, there are no symbols, I should use symbols". The real reason why it's been included in that list is unknown though, and there appear to be no explanations that truly make sense. If someone felt like wasting some time, they could try contacting the owner of that website and ask them.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 10 at 22:29









        reedreed

        2,5732621




        2,5732621








        • 1





          As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

          – TheHansinator
          Jan 20 at 2:19














        • 1





          As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

          – TheHansinator
          Jan 20 at 2:19








        1




        1





        As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

        – TheHansinator
        Jan 20 at 2:19





        As I stated in my answer, I actually did try to contact the website owner, and there is no contact information anywhere on the website or in the Whois lookup.

        – TheHansinator
        Jan 20 at 2:19











        20














        This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



        So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 6216 = (48 × 1027) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 968 = (7 × 1015). This is a massive difference.



        The reason for this confusion is the example is oversimplifying the basic advice to use a capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 9616.






        share|improve this answer






























          20














          This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



          So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 6216 = (48 × 1027) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 968 = (7 × 1015). This is a massive difference.



          The reason for this confusion is the example is oversimplifying the basic advice to use a capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 9616.






          share|improve this answer




























            20












            20








            20







            This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



            So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 6216 = (48 × 1027) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 968 = (7 × 1015). This is a massive difference.



            The reason for this confusion is the example is oversimplifying the basic advice to use a capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 9616.






            share|improve this answer















            This is a misleading statement. "Gbt3fC79ZmMEFUFJ" is a strong password in practice. It won't be caught by anything but a brute force attack on it (no dictionary words) and it's sixteen characters, which is way above the common standards I see (8 or 6). This password might only be considered weak if the attacker somehow knew no symbols were used. If the account this password is attached to publicly says "only numbers and cap/lowercase letters" then this password might seem weaker for the sake of making an example, but it's actually still better than an 8 digit password.



            So, for a 16 character password using capital letters, lowercase letters, and 0-9 digits, entropy is 6216 = (48 × 1027) vs using an 8 characters password with all symbols (we'll even assume 96, not 72 characters) is 968 = (7 × 1015). This is a massive difference.



            The reason for this confusion is the example is oversimplifying the basic advice to use a capital, lowercase, digit, and symbol. In actuality, the length of the password is far more critical and also in practice the attacker would not be able to know that the full character set wasn't used and would actually still have to brute force 9616.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 days ago









            forest

            34.4k16113118




            34.4k16113118










            answered Jan 10 at 21:20









            bashCypherbashCypher

            1,570215




            1,570215























                13














                While Gbt3fC79ZmMEFUFJ is certainly a poor choice of password now, seeing that your question has generated a lot of activity on Stack Exchange and has thus widely published the password, I don't think there is any discernible reason we can pin down for why it would be bad in the first place, because, quite frankly, the website that you have cited is terrible.



                The source that you're drawing from appears to be a loosely organized list of security tips of low to middling quality. Some of the tips are good (e.g. use 2-step authentication whenever possible, lock your computer and mobile phone when you leave them), but some of them have been questioned by security experts (e.g. change your passwords every 10 weeks, use at least one uppercase/lowercase/number/symbol) and quite a few seem downright paranoid (e.g. tip 22, which states that if you have a WiFi router in your home, nearby attackers can detect what passwords you're typing in because of changes in the WiFi signal from moving your hands, and that using an on-screen keyboard with random layouts will mitigate this).



                And while it is probably not an issue that most of the tips are poorly proofread (with many spelling errors and punctuation inconsistencies), it is an issue that absolutely none of the tips are cited, and that the whole website is anonymous. There are no quotes from security experts, no articles that we can read up on for further information or discussion. And the website contains absolutely no author information - nowhere on the website, or even in the website's Whois registration, is there any way to contact the author or even know who they are.



                This essentially means that we have little to no way of determining how good of a tip "Gbt3fC79ZmMEFUFJ is a weak password" is, or what it even means. We certainly have no way to contact the author of this website and ask them ourselves, and I actually doubt that it would even be useful to do so. I think that we are best off ignoring this suggestion, taking way only the fact that Gbt3fC79ZmMEFUFJ should not be used because we talked about it at such length.



                TL;DR: Passwordsgenerator.net is bad - just ignore it.





                As an addendum, you may be interested in some other things I found when I was inspecting the website itself, to get better context on what it was and perhaps find more information on it. What I found wasn't very pleasant:




                • The website provides an option (default checked, but still) to not generate the password on the server. I did look at the source code and the network traffic view in the Dev Tools window, and it does, in fact, honor this request, but there's no way to tell that it actually does that without reading it.

                • The generator users Math.random()! Math.random() is a cryptographically insecure random number generator, making the generated passwords surprisingly predictable and actually far fewer in number than you'd be led to believe - for instance, if your implementation of Math.random() has only 32 bits of state, then regardless of what settings you use, only 4 billion unique passwords can be generated, which means that any number of characters beyond 7 or so is meaningless. A true random password generator should instead use the window.crypto.getRandomValues() call instead, which sources every single bit of the password from a true entropy source somewhere in the computer.

                • The password generator is also placed on the page strangely - the code for the generator itself is minimized, but the code for configuring it is not. It almost appears as if the website author copied the minimized password module from another source, such as another website.

                • The website also tries to use Google Ads for some odd reason. It doesn't actually invoke them - it just has a signature at the bottom for adding the Google Ads ID to the window object - but any presence of actual ads will also potentially compromise any data entered into the page, even if the page is served over HTTPS.






                share|improve this answer






























                  13














                  While Gbt3fC79ZmMEFUFJ is certainly a poor choice of password now, seeing that your question has generated a lot of activity on Stack Exchange and has thus widely published the password, I don't think there is any discernible reason we can pin down for why it would be bad in the first place, because, quite frankly, the website that you have cited is terrible.



                  The source that you're drawing from appears to be a loosely organized list of security tips of low to middling quality. Some of the tips are good (e.g. use 2-step authentication whenever possible, lock your computer and mobile phone when you leave them), but some of them have been questioned by security experts (e.g. change your passwords every 10 weeks, use at least one uppercase/lowercase/number/symbol) and quite a few seem downright paranoid (e.g. tip 22, which states that if you have a WiFi router in your home, nearby attackers can detect what passwords you're typing in because of changes in the WiFi signal from moving your hands, and that using an on-screen keyboard with random layouts will mitigate this).



                  And while it is probably not an issue that most of the tips are poorly proofread (with many spelling errors and punctuation inconsistencies), it is an issue that absolutely none of the tips are cited, and that the whole website is anonymous. There are no quotes from security experts, no articles that we can read up on for further information or discussion. And the website contains absolutely no author information - nowhere on the website, or even in the website's Whois registration, is there any way to contact the author or even know who they are.



                  This essentially means that we have little to no way of determining how good of a tip "Gbt3fC79ZmMEFUFJ is a weak password" is, or what it even means. We certainly have no way to contact the author of this website and ask them ourselves, and I actually doubt that it would even be useful to do so. I think that we are best off ignoring this suggestion, taking way only the fact that Gbt3fC79ZmMEFUFJ should not be used because we talked about it at such length.



                  TL;DR: Passwordsgenerator.net is bad - just ignore it.





                  As an addendum, you may be interested in some other things I found when I was inspecting the website itself, to get better context on what it was and perhaps find more information on it. What I found wasn't very pleasant:




                  • The website provides an option (default checked, but still) to not generate the password on the server. I did look at the source code and the network traffic view in the Dev Tools window, and it does, in fact, honor this request, but there's no way to tell that it actually does that without reading it.

                  • The generator users Math.random()! Math.random() is a cryptographically insecure random number generator, making the generated passwords surprisingly predictable and actually far fewer in number than you'd be led to believe - for instance, if your implementation of Math.random() has only 32 bits of state, then regardless of what settings you use, only 4 billion unique passwords can be generated, which means that any number of characters beyond 7 or so is meaningless. A true random password generator should instead use the window.crypto.getRandomValues() call instead, which sources every single bit of the password from a true entropy source somewhere in the computer.

                  • The password generator is also placed on the page strangely - the code for the generator itself is minimized, but the code for configuring it is not. It almost appears as if the website author copied the minimized password module from another source, such as another website.

                  • The website also tries to use Google Ads for some odd reason. It doesn't actually invoke them - it just has a signature at the bottom for adding the Google Ads ID to the window object - but any presence of actual ads will also potentially compromise any data entered into the page, even if the page is served over HTTPS.






                  share|improve this answer




























                    13












                    13








                    13







                    While Gbt3fC79ZmMEFUFJ is certainly a poor choice of password now, seeing that your question has generated a lot of activity on Stack Exchange and has thus widely published the password, I don't think there is any discernible reason we can pin down for why it would be bad in the first place, because, quite frankly, the website that you have cited is terrible.



                    The source that you're drawing from appears to be a loosely organized list of security tips of low to middling quality. Some of the tips are good (e.g. use 2-step authentication whenever possible, lock your computer and mobile phone when you leave them), but some of them have been questioned by security experts (e.g. change your passwords every 10 weeks, use at least one uppercase/lowercase/number/symbol) and quite a few seem downright paranoid (e.g. tip 22, which states that if you have a WiFi router in your home, nearby attackers can detect what passwords you're typing in because of changes in the WiFi signal from moving your hands, and that using an on-screen keyboard with random layouts will mitigate this).



                    And while it is probably not an issue that most of the tips are poorly proofread (with many spelling errors and punctuation inconsistencies), it is an issue that absolutely none of the tips are cited, and that the whole website is anonymous. There are no quotes from security experts, no articles that we can read up on for further information or discussion. And the website contains absolutely no author information - nowhere on the website, or even in the website's Whois registration, is there any way to contact the author or even know who they are.



                    This essentially means that we have little to no way of determining how good of a tip "Gbt3fC79ZmMEFUFJ is a weak password" is, or what it even means. We certainly have no way to contact the author of this website and ask them ourselves, and I actually doubt that it would even be useful to do so. I think that we are best off ignoring this suggestion, taking way only the fact that Gbt3fC79ZmMEFUFJ should not be used because we talked about it at such length.



                    TL;DR: Passwordsgenerator.net is bad - just ignore it.





                    As an addendum, you may be interested in some other things I found when I was inspecting the website itself, to get better context on what it was and perhaps find more information on it. What I found wasn't very pleasant:




                    • The website provides an option (default checked, but still) to not generate the password on the server. I did look at the source code and the network traffic view in the Dev Tools window, and it does, in fact, honor this request, but there's no way to tell that it actually does that without reading it.

                    • The generator users Math.random()! Math.random() is a cryptographically insecure random number generator, making the generated passwords surprisingly predictable and actually far fewer in number than you'd be led to believe - for instance, if your implementation of Math.random() has only 32 bits of state, then regardless of what settings you use, only 4 billion unique passwords can be generated, which means that any number of characters beyond 7 or so is meaningless. A true random password generator should instead use the window.crypto.getRandomValues() call instead, which sources every single bit of the password from a true entropy source somewhere in the computer.

                    • The password generator is also placed on the page strangely - the code for the generator itself is minimized, but the code for configuring it is not. It almost appears as if the website author copied the minimized password module from another source, such as another website.

                    • The website also tries to use Google Ads for some odd reason. It doesn't actually invoke them - it just has a signature at the bottom for adding the Google Ads ID to the window object - but any presence of actual ads will also potentially compromise any data entered into the page, even if the page is served over HTTPS.






                    share|improve this answer















                    While Gbt3fC79ZmMEFUFJ is certainly a poor choice of password now, seeing that your question has generated a lot of activity on Stack Exchange and has thus widely published the password, I don't think there is any discernible reason we can pin down for why it would be bad in the first place, because, quite frankly, the website that you have cited is terrible.



                    The source that you're drawing from appears to be a loosely organized list of security tips of low to middling quality. Some of the tips are good (e.g. use 2-step authentication whenever possible, lock your computer and mobile phone when you leave them), but some of them have been questioned by security experts (e.g. change your passwords every 10 weeks, use at least one uppercase/lowercase/number/symbol) and quite a few seem downright paranoid (e.g. tip 22, which states that if you have a WiFi router in your home, nearby attackers can detect what passwords you're typing in because of changes in the WiFi signal from moving your hands, and that using an on-screen keyboard with random layouts will mitigate this).



                    And while it is probably not an issue that most of the tips are poorly proofread (with many spelling errors and punctuation inconsistencies), it is an issue that absolutely none of the tips are cited, and that the whole website is anonymous. There are no quotes from security experts, no articles that we can read up on for further information or discussion. And the website contains absolutely no author information - nowhere on the website, or even in the website's Whois registration, is there any way to contact the author or even know who they are.



                    This essentially means that we have little to no way of determining how good of a tip "Gbt3fC79ZmMEFUFJ is a weak password" is, or what it even means. We certainly have no way to contact the author of this website and ask them ourselves, and I actually doubt that it would even be useful to do so. I think that we are best off ignoring this suggestion, taking way only the fact that Gbt3fC79ZmMEFUFJ should not be used because we talked about it at such length.



                    TL;DR: Passwordsgenerator.net is bad - just ignore it.





                    As an addendum, you may be interested in some other things I found when I was inspecting the website itself, to get better context on what it was and perhaps find more information on it. What I found wasn't very pleasant:




                    • The website provides an option (default checked, but still) to not generate the password on the server. I did look at the source code and the network traffic view in the Dev Tools window, and it does, in fact, honor this request, but there's no way to tell that it actually does that without reading it.

                    • The generator users Math.random()! Math.random() is a cryptographically insecure random number generator, making the generated passwords surprisingly predictable and actually far fewer in number than you'd be led to believe - for instance, if your implementation of Math.random() has only 32 bits of state, then regardless of what settings you use, only 4 billion unique passwords can be generated, which means that any number of characters beyond 7 or so is meaningless. A true random password generator should instead use the window.crypto.getRandomValues() call instead, which sources every single bit of the password from a true entropy source somewhere in the computer.

                    • The password generator is also placed on the page strangely - the code for the generator itself is minimized, but the code for configuring it is not. It almost appears as if the website author copied the minimized password module from another source, such as another website.

                    • The website also tries to use Google Ads for some odd reason. It doesn't actually invoke them - it just has a signature at the bottom for adding the Google Ads ID to the window object - but any presence of actual ads will also potentially compromise any data entered into the page, even if the page is served over HTTPS.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Jan 18 at 19:52

























                    answered Jan 16 at 2:22









                    TheHansinatorTheHansinator

                    2715




                    2715























                        7














                        Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




                        "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




                        If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






                        share|improve this answer



















                        • 3





                          But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                          – NH.
                          Jan 15 at 22:13
















                        7














                        Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




                        "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




                        If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






                        share|improve this answer



















                        • 3





                          But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                          – NH.
                          Jan 15 at 22:13














                        7












                        7








                        7







                        Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




                        "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




                        If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.






                        share|improve this answer













                        Most people have been distracted by the strength/entropy of the password (it looks like something most password managers would spit out). The reason why the top answer's find makes your password weak is that it is almost certain to be part of a database of known passwords




                        "It's vastly different than it was [before] because of these massive password lists," said Rob Graham, CEO of penetration testing firm Errata Security. "We never had a really large password list to work from. Now that we do, we're learning how to remove the entropy from them. The state of the art of cracking is much more subtle in that before we were guessing in the dark."




                        If someone has a data breach, crackers will start with the known list of passwords and work backwards from there. That's why password managers are the new standard of security: you generate a random and unique password every time.







                        share|improve this answer












                        share|improve this answer



                        share|improve this answer










                        answered Jan 11 at 16:09









                        MachavityMachavity

                        2,369619




                        2,369619








                        • 3





                          But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                          – NH.
                          Jan 15 at 22:13














                        • 3





                          But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                          – NH.
                          Jan 15 at 22:13








                        3




                        3





                        But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                        – NH.
                        Jan 15 at 22:13





                        But then my question is: why didn't the website just provide the correct recommendation: Use your password manager to generate passwords instead of picking something weak. ?

                        – NH.
                        Jan 15 at 22:13











                        0














                        Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                        In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 6216 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 7216.



                        Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






                        share|improve this answer






























                          0














                          Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                          In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 6216 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 7216.



                          Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






                          share|improve this answer




























                            0












                            0








                            0







                            Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                            In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 6216 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 7216.



                            Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.






                            share|improve this answer















                            Strong or weak is somewhat arbitrary as it's based on length of time it would take to randomly guess it, which is a function of the entropy of the password. You can make it take longer by increasing character length, or increasing the pool of characters that can be in the password.



                            In the example you provide that's just upper/lower/digits, so that's a character set of 62. There are 16 characters, so that's 6216 guessable combinations. Adding special symbols (let's just say 10), that puts the combinations up to 7216.



                            Trying every single combination is a bit naive, but it's the most expensive attack, so you have a baseline to operate against.







                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited 2 days ago









                            forest

                            34.4k16113118




                            34.4k16113118










                            answered Jan 10 at 16:59









                            SteveSteve

                            12.1k22855




                            12.1k22855

















                                protected by Rory Alsop Jan 13 at 13:38



                                Thank you for your interest in this question.
                                Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                                Would you like to answer one of these unanswered questions instead?



                                Popular posts from this blog

                                Mario Kart Wii

                                The Binding of Isaac: Rebirth/Afterbirth

                                What does “Dominus providebit” mean?