• yetAnotherUser@discuss.tchncs.de · 2 upvotes · 6 days ago

          That’s not a great password though.

          It only contains the letters b, d, e, f, g, h, j, k, n, o, r, and v. That’s barely better than using numbers only - especially considering some letters are only used once, like e, g and v.

          Even worse, nearly ALL the letters are pressed using your index finger (on a QWERTY [or derivative] layout) when touch typing. Only d, e, o and k aren’t. The letter distribution is therefore clustered in the center of the keyboard. I assume they typed using a phone keyboard with their thumbs aimed for the center. You can tell because there is a “left-right” pattern in the letter order.

          I will be using “L” for “to the left of previous letter”, “R” for “to the right of previous letter”, “N” for “roughly same position as previous letter” (roughly same := 0 horizontal distance between letters. For example, neighboring letters are always roughly the same) and “S” for “starting letter” to illustrate it. The resulting “derivative” (because this measures the change in direction) for the password is:

          SLRLRLRLRRLRLRLNRLNNRLNRLRLRLRLLRNLN

          For a truly random 36 digit password generated by my password manager (using only lower letters), you get:

          Password: hohjesedinsaeubuudqgdjhzvmgapepeuusc

          “Left-right derivative”: SRLNLNNNRLLNRRLRNLRRLLRLRLRNLR

          An “RL” pattern is somewhat expected, even for a truly random password, because you expect the next letter of a password to be on the opposite side (as there are more letters there). However, this pattern should not hold for long and deviations should be common. This is not the case with the user-made password though, where the pattern is hardly interrupted at all.

          The sole positive aspect is the length of the password which makes cracking it much harder.

          Tl;dr: Don’t use it as a password.
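The “left-right derivative” described in the comment above, as an added example that is not part of the original post or the commenter’s own tooling. It assumes a simplified US QWERTY column model (rows treated as unstaggered, so vertically adjacent keys such as e and d count as “roughly the same position”), adds an alternation ratio to quantify how strictly the L/R pattern holds, and reports the distinct-letter count with the search-space reduction it implies. The keysmash input is constructed from the letter set the comment names, not the commenter’s actual string.

```python
import math

# Horizontal column of each lowercase letter on a US QWERTY layout.
# Assumption (simplification): no row stagger, so vertically adjacent keys
# such as 'e' and 'd' share a column and count as "roughly the same position".
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
COLUMN = {ch: col for row in _ROWS for col, ch in enumerate(row)}

def lr_derivative(password: str) -> str:
    """Encode each key as S (start), L, R or N relative to the previous key.
    Characters not on the three letter rows are skipped."""
    out, prev = [], None
    for ch in password.lower():
        col = COLUMN.get(ch)
        if col is None:
            continue
        if prev is None:
            out.append("S")
        else:
            out.append("N" if col == prev else ("L" if col < prev else "R"))
        prev = col
    return "".join(out)

def alternation_ratio(derivative: str) -> float:
    """Fraction of consecutive L/R moves that flip direction: 1.0 means the
    thumbs bounced strictly left-right the whole time; random text scores lower."""
    moves = [c for c in derivative if c in "LR"]
    if len(moves) < 2:
        return 0.0
    return sum(a != b for a, b in zip(moves, moves[1:])) / (len(moves) - 1)

def distinct_letters(password: str) -> int:
    return len({ch for ch in password.lower() if ch in COLUMN})

def search_space_bits(password: str) -> tuple[float, float]:
    """log2(guesses) for a guesser who knows the length and (restricted) the
    exact set of letters used, versus (full) all 26 lowercase letters."""
    n = len(password)
    return n * math.log2(max(1, distinct_letters(password))), n * math.log2(26)

# Constructed keysmash using the letter set named in the comment (not the
# commenter's real string) and the random password quoted in the comment.
KEYSMASH = "gjfhgkfjdhgjfhgkfhdj"
RANDOM = "hohjesedinsaeubuudqgdjhzvmgapepeuusc"

if __name__ == "__main__":
    for label, pw in (("keysmash", KEYSMASH), ("random", RANDOM)):
        d = lr_derivative(pw)
        print(f"{label}: {d} alternation={alternation_ratio(d):.2f} letters={distinct_letters(pw)} bits={search_space_bits(pw)}")
```

The constructed keysmash scores a perfect 1.0 alternation with only 6 distinct letters, while the quoted random password breaks the pattern regularly and spreads over 18 letters; the bits pair shows how much smaller the search space becomes once the letter set is known.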

          • apotheotic (she/her)@beehaw.org · 2 upvotes · 6 days ago

            Honestly the variety of letters doesn’t matter much because your attacker isn’t going to be able to thin their dictionary unless they have pre-existing knowledge of which letters are in your password, right?

            The alternating pattern and being clustered on the index finger is valid though and something someone could easily use to initially narrow their search.

            For clarity - I use much more secure password schemes than a random lowercase keysmash and wouldn’t actually use this, but thanks for the writeup!

            • yetAnotherUser@discuss.tchncs.de · 2 upvotes · 6 days ago

              I think you could thin your dictionary if you know there are only so many different letters being used. You could ignore all passwords with more than N different letters.

              To be fair, once you start worrying about any of this with a password that long, you are probably attempting to protect yourself from a state entity. No one will ever spend this amount of (computational) effort on you unless you have a large target on your back.

              Don’t worry though, I wasn’t suggesting you’d use this password. But once you spend 30 minutes analyzing some random keysmash as if it were used as a password, you basically have to comment about it. Something something sunken costs.

              • apotheotic (she/her)@beehaw.org · 3 upvotes · 5 days ago

                Sure! But how would you know that there are only n letters being used? I guess you could make your search start from all passwords with only 1 letter for the entire length of the password, then 2, then 3, etc. if you think it’s likely that they haven’t used a strong password.

                You mean you aren’t being targeted by the state for your posts in femcel memes? You need to femcel harder! /j