
How is AAAAAAAAAAAAAAAA not a secure password? Unless you're standing over the person's shoulder, how are you going to know that their 16 letter password is all one letter?


Exactly. Enigma was cracked because the Germans applied routine practices that limited the available entropy instead of making the code harder to guess, as they intended. It's important to avoid the classic xkcd "4, guaranteed random number" issue with overused passwords, but that doesn't necessarily mean that all equally simple (as in memorable) passwords are insecure.


The obligatory link: http://xkcd.com/221/


I'm guessing because a good dictionary would include common misspellings and stuff like this (e.g., "asdfasdf", "qwerty", etc.)?


They do. Most decent password-dictionaries I'm aware of are based off actual password dumps from hacked sites, so they're loaded with low-mental-entropy stuff like that.

They're "dictionary" attacks because they work from a pre-selected set of values, not because they read from Merriam-Webster, cromulent though it may be.


You're not going to know anything about their password unless it's leaked in some way (e.g. maximum length on a password change screen, character set etc. or cryptographic leaks). However it's wrong to assume the approach an adversary will take when you know nothing about the adversary in question.

If I exhaust a 16 character space with alphanumeric passwords and pull out aaaaa as one, am I going to add mixed alphanumeric to my list and start again or am I going to check variants on AaAaA up to a certain length? Personally I don't know which I'd choose, it'd be dependent on the situation (but I've done both on penetration tests).


That's reasonable; but, they probably aren't going to know the length of the password either, so they might go through a great many other tests before they reach A16. Of course, the person trying to discern a person's password may follow a DFS approach before a BFS approach, and that password would be quickly compromised, but I don't see that happening.

Note: In the real world, I wouldn't encourage anyone to have that as a password. This is more of an academic curiosity.


Upvoted for recognition of the difference between academia and reality, and lack of spherical cow assumptions.

It's entirely possible that someone might stop at 14 (for example with NTLM, based on the incorrect assumption that as LM stops at 14 characters, so must NTLM).

I guess the point is that security's more probabilistic than deterministic, which means that you can take some measures on a given topic up to a point, then beyond that the payoff decreases to the point where you're wearing a tin foil hat and worrying about the RF conductiveness of tin foil versus the alien ray beams it's supposed to be blocking.

Still, thanks for the interesting conversation, it's one of those things that for me makes HN really worthwhile participating in.


An important tweak to the "real world" aspect of cracking passwords -- the attacker is just as capable as the user of reading the advice you give to users when choosing passwords (and what rules you enforce).

If you say "longer is better -- nothing else matters" or "think about using a passphrase -- the added length makes your password much more secure!", and you prevent them from using passwords < 10 characters, that's going to influence the attack.


The short answer is that dictionaries of existing passwords people used on actual systems exist. So "I think there fore I am." is about as bad as "AAAAAAAAAAAAAAAA"; they will both probably show up within the first billion tests of a good dictionary attack. Note: "I think, therefore I am" is the correct spelling, but common misspellings don't really protect you from an actual password list. Other useful tests use all phrases in the Bible etc.

Another approach is to look for patterns; asdfasdfasdf is a fairly common password for a reason.


It's probably not considered secure because it's all one class of characters. It's a lot faster to brute-force with "uppercase characters only" vs. "uppercase, lowercase, numbers, special characters". Now, if I were trying to get as many user passwords out of a database as I can, I'd probably start with "lowercase only" and would most likely get the biggest amount of passwords. Afterwards try "lowercase + numbers", "case insensitive + numbers"...
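The two comments above (dictionary and pattern guessing first, then per-class masks) describe a staged guess order. The script below is an added example, not code from anyone in this thread: it models such an order and reports where a given password falls in it. The wordlist and keyboard walks are constructed stand-ins, and the phase order, the 20-character cap and the class sequence are assumptions about how an attacker might stage a run, not a description of any particular tool.

```python
"""Where does a password fall in a pattern-first guess order? (added example)"""
import itertools
import string

# Constructed stand-in for a leaked-password wordlist; real lists hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "asdfasdf", "letmein", "iloveyou"]
# Constructed keyboard walks; a real run would take these from a walk generator.
KEYBOARD_WALKS = ["asdf", "qwer", "zxcv", "1234", "asdfgh", "qwerty"]
MAX_LEN = 20  # assumed cap on guess length


def candidates():
    """Yield guesses in an assumed attacker order: cheap, high-yield phases first."""
    # Phase 1: wordlist as-is, then a few common manglings of each entry.
    for w in WORDLIST:
        yield w
    for w in WORDLIST:
        yield w.capitalize()
        yield w.upper()
        for suffix in "1!":
            yield w + suffix
    # Phase 2: one character repeated to every length up to MAX_LEN.
    # AAAAAAAAAAAAAAAA lands here; its length never enters into the cost.
    for ch in string.ascii_letters + string.digits:
        for n in range(1, MAX_LEN + 1):
            yield ch * n
    # Phase 3: keyboard walks repeated while they still fit (asdfasdfasdf lives here).
    for walk in KEYBOARD_WALKS:
        for reps in range(1, MAX_LEN // len(walk) + 1):
            yield walk * reps
    # Phase 4: exhaustive per-class masks, shortest length first, then classes in
    # an assumed order of expected yield. Only now does cost grow with length.
    classes = [
        string.ascii_lowercase,
        string.ascii_lowercase + string.digits,
        string.ascii_letters + string.digits,
    ]
    for n in range(1, MAX_LEN + 1):
        for alphabet in classes:
            for tup in itertools.product(alphabet, repeat=n):
                yield "".join(tup)


def rank(password, limit=1_000_000):
    """1-based position of `password` in the guess order, or None if not reached within `limit`."""
    for i, guess in enumerate(candidates(), start=1):
        if guess == password:
            return i
        if i >= limit:
            return None
    return None


def keyspace(alphabet_size, length):
    """Guesses needed to exhaust one single-class mask of the given length."""
    return alphabet_size ** length


if __name__ == "__main__":
    for pw in ["password", "AAAAAAAAAAAAAAAA", "asdfasdfasdf", "hunter2"]:
        print(f"{pw:20} rank={rank(pw)}")
    # Once the structured phases are exhausted, class choice dominates length:
    print("26^16 as a fraction of 95^16:", keyspace(26, 16) / keyspace(95, 16))
```

Running it shows the point of the thread: sixteen A's and asdfasdfasdf are found within the first couple of thousand guesses, while a seven-character lowercase word that is not in the wordlist is not reached within the first million, because the exhaustive per-class masks only start after every cheaper structural phase has been tried.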


The Kolmogorov complexity of 16-letter A's is short.

People tend to choose passwords that have less Kolmogorov complexity -- so a smart password attack would search those first.
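Kolmogorov complexity itself is uncomputable, but a guesser can use cheap upper bounds on it to order candidates. The block below is an added example, not the commenter's code: it scores a password by the shorter of two descriptions ("the literal string" or "repeat this block to length n"), uses DEFLATE output size as a second, coarser proxy, and sorts a constructed list lowest-complexity first. The 2-character charge for the repeat instruction is an assumption chosen for illustration.

```python
"""Rank passwords by a crude Kolmogorov-complexity bound (added example)."""
import zlib


def smallest_period(s):
    """Length of the shortest prefix whose repetition (possibly truncated) spells out s."""
    n = len(s)
    for p in range(1, n):
        if all(s[i] == s[i % p] for i in range(n)):
            return p
    return n  # no shorter period: the string is its own shortest description


def description_length(s):
    """Crude upper bound on Kolmogorov complexity, measured in characters.

    Two descriptions are compared: the literal string (cost len(s)) and
    'repeat this p-character block to length n' (cost p plus an assumed
    2-character charge for the repeat instruction). The smaller wins.
    """
    n = len(s)
    p = smallest_period(s)
    repeat_cost = p + 2 if p < n else n
    return min(n, repeat_cost)


def compressed_size(s):
    """Second proxy: DEFLATE output length; redundancy shows up as fewer bytes."""
    return len(zlib.compress(s.encode("utf-8"), 9))


def rank_by_complexity(passwords):
    """Lowest complexity first: the order a Kolmogorov-aware guesser would try them."""
    return sorted(passwords, key=lambda s: (description_length(s), compressed_size(s), s))


if __name__ == "__main__":
    # Constructed sample; none of these should be used as a real password.
    sample = ["Tr0ub4dor&3", "AAAAAAAAAAAAAAAA", "asdfasdfasdf", "correcthorse"]
    for pw in rank_by_complexity(sample):
        print(f"{pw:20} period={smallest_period(pw):2} "
              f"desc={description_length(pw):2} deflate={compressed_size(pw)}")
```

Sixteen A's score 3 (one character plus the repeat charge) and asdfasdfasdf scores 6, while the two strings with no internal period score their full length, so the long all-A password sorts to the very front despite being the longest string in the sample.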



