Yet another password question, I’m afraid…
I’ve been reading up on password strength and so forth and I have a question about dictionary attacks on a password if you ladies and gentlemen would be so kind as to answer.
As far as I can tell from the documentation I’ve been reading, simply put a dictionary attack works by comparing the password hash against hashes generated from a word list with additional modifications such as o-0, 1-1 e-3 substitutions and casing changes.
Now, correct me if I am wrong, if I prefix the word with a salt then this complicates the password sufficiently that a dictionary attack is much less likely to succeeed.
Taking this further, if I create a password that consists of two randomly chosen words from a long list interspersed with random numbers and punctuation I should have a strong password that is relatively easy for a human to remember, or am I talking gibberish here?
For example, my password generator creates a password of “14Simplified%^Cheese96” which you have to agreee is a lot easier to remember than “sl&TcReq!/U9K6%-SN$8Ca”.
Now on all the password strength checkers that I’ve found and had access to, both passwords rate as “Strong”, “Very Strong” or, in the case of the Microsoft checker, “Best” but just how good is the first password given that it is based on two words?
Security is always a tradeoff – while using entirely random passwords will give you more bits of entropy, it also increases the risk that users will write it on post-it notes (resulting an illusion of security, as the weakest point won’t be in password strength anymore); a pass-phrase (from several words) with a few symbols is easier to remember, while still providing enough entropy. You’d need to make sure that the list you’re using has long words (which are not in the most common 1000 words).
Of course, “is this secure enough” depends on what you’re protecting – definitely not secure enough for Fort Knox, but it would be sufficient e.g. for an IM account.