Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>Better advice: Use a long password rather than a random password.

facepalm. You can't use both? I do. This is horrible advice if taken on face value. To be fair, the author mentions things like KeePass. Use that. Make very long, random passwords.

>See, when it comes to a brute force attack, entropy makes no difference at all, because a brute force attack is a sequential attempt at every possible password, starting with the shortest first.

I think this is the biggest misconception regarding passwords. If we're using the phrase "brute force" literally, then yes. But if I were to write a cracker, I wouldn't be limited to that. The first thing it would do is grab the low hanging fruit. Examples:

1. Regarding the post, check all variations of a single digit repeating (say up to 100 times) in 1000 attempts. That's faster than I could check all variations of 2 character alphabetic passwords.

2. Check the same thing, but with all common keys on a keyboard layout (e.g. $$$$$$): < 10,000 attempts

3. Check common words in english dictionary: ~100,000 attempts

4. Check 10,000 most commonly used passwords: 10,000 attempts

Let me stop here and say that I can check ALL of the above in less time than it would take to check all variations of 3 characters using alpha, numeric, and common special characters. To put it another way, I could grab all that low hanging fruit in a billionth the time it would take to grab all the passwords in the "weak" format (8 random characters) given by the author.

What I have come up with above is my armchair ramblings. For some people, it is THEIR JOB to break your password. Please don't think you're going to create a good password by being clever. And please stop dismissing the issue by repeating the words "brute force"



The way I see it, the author oversimplified the password examples to make a point. When it comes to the password length he first made the assumption that your password wasn't in the dictionary. Then he gives us two password examples, the first one is predictable but long, the other one is unpredictable but short, and then he goes on to tell us that the first one is safer which, assuming you are up against a brute force attack, is true.

But the examples are oversimplified and might lead to worse password if a certain group of people come across the post.

P.S. My favourite tip for passwords is not to only have a password that is as random as you can memorize and never, ever, no matter what happens, write it down anywhere.


Yes,thank you. Exactly what I was thinking. Anything you can think of as an algorithm, someone else can think of too, and then they can test that instead of going through billions of combinations.

There's only two good pieces of password advice:

Use long, randomly generated passwords (16+ characters). Don't use the same password on more than one site.

This can be accomplished with KeePass, LastPass, and there such utilities.


My LastPass master password is a randomly generated long password containing upper and lowercase letters, symbols and numbers. Yes it was difficult to memorize, but its the only password I need to remember. Everything else uses a random unique password that I don't have to remember.


> facepalm. You can't use both? I do. This is horrible advice if taken on face value.

Of course you can!

I think you are taking many of my statements much too literally and misinterpreting the perspective of this article. Of course a long, completely random password made up of multiple character sets will always be the strongest password, but that really isn't the point of this article and it really isn't the most practical advice for most users.

There is a big difference between addressing where we need to be and moving away from where we actually are. Short passwords are not strong enough no matter how random they are. Therefore, I personally would rather see users out there focus on making longer passwords rather than focusing on random passwords. The typical user is much more likely to memorize a less random but longer password than trying to memorize an 8-character random password. I didn't mean to imply that randomness is bad, and I thought that most people got that from my article.

> Let me stop here and say that I can check ALL of the above in less time than it would take to check all variations of 3 characters using alpha, numeric, and common special characters.

These are all valid points and I could have gone into great detail on all the different ways our passwords could be cracked, but that just isn't the point of the article. I also didn't cover other things such as avoiding password reuse, regularly changing passwords, etc., but that doesn't make them any less valid and I cover them regularly through my other blog posts.

> And please stop dismissing the issue by repeating the words "brute force"

Not really sure what you mean by this or what issue you think I have dismissed by mentioning brute force. Brute force attacks are by n o means dismissing anything as they have become increasingly effective with ever-increasing computing power. Nevertheless, if an attacker has to assume that you will be using all character sets, the effort to crack your password grows exponentially with the length of your password.


I guess I don't really disagree with you on that, especially if you're specifically targeting nontechnical users. However, the thought of someone reading this and choosing something like an all numeric password does freak me out because....

>Not really sure what you mean by this or what issue you think I have dismissed by mentioning brute force.

Let me explain through analogy. I've often heard the story that a company will request a penetration tests and then restrict what can be done: "you can attack using method X, but not Y. A hacker wouldn't use Y."

That's a silly perspective, right? A black hat hacker is going to use any means available. When you say brute force, you seem to be specifying the method by which attackers will come at your password (and it's certainly not just you, many other people are repeating the meme). I think that's the wrong way to look at it.

Perhaps the confusion arises because you're making the assumption that someone will use some off the shelf, automated cracking software. That's reasonable. But automated != brute force. Again, if I were to write a cracker, it would first grab low hanging fruit. I've already given examples. Having a long password doesn't save you in that situation. That's why we think in terms of entropy.

>Nevertheless, if an attacker has to assume that you will be using all character sets, the effort to crack your password grows exponentially with the length of your password.

Agreed, but my point is they don't have to make that assumption. We don't get to decide what assumptions they start with.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: