• SayCyberOnceMore@feddit.uk · 11 up · 2 days ago

    Accounts are rarely brute forced these days.

    It’s almost always a leaked, unsalted hash table.

    Ñōt göñńå hêlp mùçh

  • endless_nameless@lemmy.world · 7 up · 2 days ago

    It would marginally decrease the chance of your password being brute forced, which is likely the last way your password would ever get hacked, and most services have rate limiting to make this impossible or overwhelmingly unlikely anyway. So I’m gonna say no, not even slightly.

  • 4am@lemmy.zip · 30 up, 1 down · 3 days ago

    Use a password manager. Use the longest possible password the site will allow. Create a passkey and store it in the password manager if the site supports passkeys. Enable 2FA.

    It’s not about which characters you use, it’s about how long of a password you use. “correct horse battery staple” and all that.

        • calcopiritus@lemmy.world · 6 up · 2 days ago

          Dictionary attacks usually contain a dictionary of common passwords. To use a dictionary for this, you’d have to use a word dictionary instead of a password one. And then you’re back to combinatorics.

          4 words, where each word is in the dictionary: N^4. However the N here is way bigger than the amount of ASCII characters. Especially if each of the words may be of a different language. If N is larger than 16384, then it has more combinations than a random 8 ASCII character password. 16384 = sqrt(sqrt(128^8)). Quick Google search says English has more than 1 million words.

          Therefore even if you know that the user generated their password using this method and used a dictionary attack tailored for this method, it would still be harder to break than a random 8-character password.

        • luciferofastora@feddit.org · 2 up · 2 days ago

          Even if you just tried word combinations of the 1000 most common English words (which for the record, none of those four belong to), you’d have a trillion possible combinations. If you try all the one-, two- and three-word-combinations first because you don’t know how many words it’s gonna be, you’re about a billion guesses in before you even get to the actual solution space. If I mix in words from other languages, or less common words, the combinatorics get even worse, even if you knew what to try in the first place.

          According to a word list generated from OpenSubtitles in 2018, staple would be #18878, so you’d have to use something on the size order of the top 20k, which would be an upper boundary of 160 quadrillion, not counting trying less than four words. I don’t know what the best order for trying the words would be or how to calculate the rank of that combination within that order, but I’m pretty sure that “a fucking long time” is the most apt descriptor of how long it’d take.

          By comparison, the 44 bit entropy the comic mentions is “just” 17 Trillion combinations for an upper boundary, or 2048^4. I’d venture a guess and say that that’s far below the lower boundary for the other option.

    • Captain_Faraday@programming.dev · 2 up · 2 days ago

      Second the PWM, but use 2FA or passkeys with a set of duplicate Yubikeys instead. Even with just 2FA TOTP codes, they are stored on the physical key. I have 4 of them in different places all duplicated. I sleep soundly at night lol

  • Mika@piefed.ca · 33 up · 3 days ago

    Greatly decreases your chances to enter it from different devices

    • CerebralHawks@lemmy.dbzer0.com · 5 up, 2 down · 3 days ago

      Know the alt code on Windows. On a Mac it’s just like a phone, hold the letter and hit the number that corresponds with the accent you want. Look up how to do it on Linux. Not such an impediment.

        • CerebralHawks@lemmy.dbzer0.com · 2 up · 2 days ago

          True — that would be a limitation of using a physical keyboard to input the password on someone else’s Windows computer. In many ways, you can use the on-screen keyboard. If you’re logging into Windows, it might be a problem. However, if you’re on their Windows machine, you could just use charmap.exe.

          I forgot game consoles. Xbox and Switch have access to accents as well. I imagine PlayStation does as well, but my last PlayStation was a PS3 (still own it).

      • furry toaster@lemmy.blahaj.zone · 4 up, 1 down · 3 days ago

        it is all fine and good until your bios decides that it wants to change how to handle keyboard layouts in the password input prompt or grub decides your keyboard is a US ANSI keyboard for no reason

  • daannii@lemmy.world · 7 up, 1 down · edited · 2 days ago

    The correct spelling of my name has an accent letter. It's been working pretty effectively for keeping people from finding me on social media.

    My mom gave me this spelling cause it was “French” and fancy.

    No I’m not French and have no evidence that anyone in my family has French ancestry.

    Anywho. Yes. Accents are a great way to hide yourself on social media as well as add an extra layer to password security

    I also have my social media location as another country.

    • Björn@swg-empire.de · 1 up · 2 days ago

      That’s all fine and dandy until your app decides to default to ISO-8859-1.

      Happened at work. Customers could log in via web or use an email client. On the website we used UTF-8. But depending on operating system settings the email client would use UTF-8 or windows-1252 or iso-8859-15 or for our international customers some even more obscure (to us) ones.

      • harc@szmer.info · 3 up · 2 days ago

        As a native of a language that falls into two different Windows charsets, the ISO and UTF, I support the death penalty for anyone still not using UTF-8 for everything and everywhere.
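The failure Björn describes, as an added example that is not part of the original thread: the same typed password becomes different bytes under UTF-8, windows-1252 and ISO-8859-15 (and under decomposed Unicode input), so hashing the raw bytes gives a different hash per client, while decoding with the declared charset and normalizing to NFC before the KDF gives one. The sample password, salt, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

PASSWORD = "Ñandú€9"            # constructed sample, not from the thread
SALT = b"constructed-salt"      # fixed only so the demo is repeatable
ITERATIONS = 100_000            # demo value; tune for production

def derive(pw_bytes: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw_bytes, SALT, ITERATIONS)

def client_variants() -> dict:
    """Bytes the same typed password becomes on differently configured clients."""
    nfc = unicodedata.normalize("NFC", PASSWORD)
    nfd = unicodedata.normalize("NFD", PASSWORD)   # decomposed: N + combining tilde
    return {
        "utf-8/NFC": (nfc.encode("utf-8"), "utf-8"),
        "utf-8/NFD": (nfd.encode("utf-8"), "utf-8"),
        "windows-1252": (nfc.encode("cp1252"), "cp1252"),
        "iso-8859-15": (nfc.encode("iso-8859-15"), "iso-8859-15"),
    }

def canonical_bytes(raw: bytes, declared_charset: str) -> bytes:
    """Decode with the charset the client declared, normalize, re-encode as UTF-8."""
    text = raw.decode(declared_charset, errors="strict")
    return unicodedata.normalize("NFC", text).encode("utf-8")

def naive_digests() -> set:
    # Hashing whatever bytes arrive: one stored hash cannot match all clients.
    return {derive(raw) for raw, _ in client_variants().values()}

def canonical_digests() -> set:
    return {derive(canonical_bytes(raw, cs)) for raw, cs in client_variants().values()}

def verify(raw: bytes, declared_charset: str, stored: bytes) -> bool:
    try:
        candidate = derive(canonical_bytes(raw, declared_charset))
    except (UnicodeDecodeError, LookupError):
        return False                      # undecodable or unknown charset: reject
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print("distinct hashes, raw bytes:     ", len(naive_digests()))
    print("distinct hashes, canonicalized: ", len(canonical_digests()))
```

A client that declares the wrong charset still fails to log in; canonicalization only helps when the declared charset matches the bytes sent.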

  • Randomgal@lemmy.ca · 5 up · 3 days ago

    No. No human is trying trillions of combinations to brute force an attack. A machine does it, the machine will try all symbols and letters.

    • furry toaster@lemmy.blahaj.zone · 9 up, 4 down · 3 days ago

      any brute force attack will use a dictionary based on known passwords and the usage frequency, if people are unlikely to use “accented letters” in their passwords it increases the time taken to bruteforce

      • Barbarian@sh.itjust.works · 8 up, 2 down · edited · 3 days ago

        Dunno why people are down voting you. Password lists have been around since forever, and anybody trying to brute force will start with one. Why cycle through “A”, “AA”, “AAA”, “AAAA”, etc first when you’re far more likely to score a hit faster with a list?

  • calcopiritus@lemmy.world · 3 up · 3 days ago

    Text: use an accented letter

    Image: shows a different, unique letter.

    As a Spaniard I feel this is rage bait. Like calling Q an accented O.

    • luciferofastora@feddit.org · 2 up · 2 days ago

      For people who don’t natively speak languages other than English, letters you’d get by long-pressing on a mobile keyboard or would need other modifiers or methods to type on a computer keyboard will seem like accented letters at best, special characters at worst.

      As a German, to whom äöü are separate letters from aou, I feel your pain, but I’m guessing you can see where people are coming from.

      • calcopiritus@lemmy.world · 2 up · 2 days ago

        Don’t worry, it’s just a meme. I’m choosing to die on this stupid hill for the sake of it.

        While I’m at it, in Spanish we don’t have äö, but we do have ü, and in our case, it is literally just a ü with 2 dots, not a different letter. Same thing for áéíóú.

        • luciferofastora@feddit.org · 1 up · 2 days ago

          As in, two dots to mark that it’s pronounced as a separate vowel rather than merging with the previous one? Idk what the proper term is

          • calcopiritus@lemmy.world · 2 up · 2 days ago

            It’s pronounced the same as a regular u. It is the same letter.

            They are weird rules, but in Spanish we have these rules:

            If a word has a “Q”, the next letter must always be a silent u. That is, you write a “U” but don’t pronounce it. And after that “U”, always comes a vowel.

            Similarly, if after a “G” comes a “E” or “I”, it is pronounced differently depending on if there is a silent “U” after the “G”.

            However, sometimes we want a non silent U after a Q or a G. In that case, we write “ü”.

            So u and ü are literally the same letter in Spanish. We call the 2 dots “diéresis”, maybe it’s similar in German.

            • luciferofastora@feddit.org · 1 up · 2 days ago

              However, sometimes we want a non silent U after a Q or a G. In that case, we write “ü”.

              Then it’s a similar concept: the letter combination qu is pronounced differently than q-u separately, and the diéresis indicates that they should be pronounced separately.

              In German, Diärese refers to the separate pronunciation of vowels, so the concept rather than the indicator. The indicator is called Trema, but it’s rarely used in German itself anymore. You just have to learn how things are pronounced, because of course we have to make things difficult. Can’t have learning German be easy, can we?

    • srestegosaurio@lemmy.dbzer0.com · 1 up · 2 days ago

      Ñ is not a letter, and even though at some point recently it was part of the alphabet its standing has always been flaky. It is technically just a spicy n with an accent.


      In fact, the virgulilla (~) is a type of tilde. Although now that I think about it, I don’t know whether the RAE has a seat for the Ñ… I’d be disappointed if it didn’t.

      • calcopiritus@lemmy.world · 2 up · edited · 2 days ago

        RAE about ñ:

        1. Fifteenth letter of the Spanish alphabet. Its name is feminine: la eñe (pl. eñes). It represents the palatal nasal consonant phoneme /ñ/.

        2. This letter arose from the need to represent a new phoneme that did not exist in Latin. Each of the Romance languages settled on a different spelling to represent it, such as gn in Italian and French, ny in Catalan or nh in Portuguese. Medieval Castilian chose the digraph nn, which was usually written in abbreviated form as a single n with a more or less wavy little line above it; this is how the ñ arose, also adopted by Galician and Basque. That wavy little line is called a tilde, a name also given to the written accent mark (→ tilde1)

        EDIT: it is true that Spanish is not the only language so it shouldn’t be the one to decide if it is a letter or not. Since I only know 2 languages that used it, I checked the other one: Basque.

        According to euskaltzaindia:

        letter ñ (eñe)

        Some people think that the palatalized sound [ñ] is always a result of the pair <in>, and that there is no letter ñ in Basque. That is not so. Consider these examples: the words ñabardura, ñaka, ñañan egin, ñaño, ñimiño…; those formed with the suffix -ño: andereño, haurño, xoriño, gazteño, maiteño…; loanwords: piñoi, txanpiñoi, erresiñol, giñol…; some place names: Abadiño (abadiñar), Oñati (oñatiar), Armiñon (armiñondar), Iruñea, Urdiñarbe (urdiñarbetar)…; some given names: Eñaut, Beñat, Iñaki, Garbiñe, Eguzkiñe, Zuriñe… [EH; rule 17] (→ letter; → spelling and pronunciation of palatalized consonants)

        • srestegosaurio@lemmy.dbzer0.com · 1 up · 1 day ago

          Definitely wasn’t my day…

          Thanks for the correction, it slipped my mind.

          And yeah, the RAE is not the ultimate authority on… really anything.

          Appreciated the info on Basque too!

  • CerebralHawks@lemmy.dbzer0.com · 5 up, 2 down · 3 days ago

    My tip: mix languages. Defeats dictionary attacks. Hello28Adios@ for example. English word. Number. Spanish word. Symbol.

    Next level is to still use a capital letter but not the first letter. Or the last. So then you have heLlo23aDios@ — much much much more secure.

  • daannii@lemmy.world · 1 up · edited · 2 days ago

    Fyi. I keep all my user names and passwords in an address book. A physical one.

    In my house. That is locked. In a drawer. Not sitting on the computer or near it.

    Someone would literally have to break in physically, find the address book, and then flip through it to even realize what it was.

    I also have codes for some user accounts. So instead of writing them out I give myself a hint as to which one I used. I generally use a variation of 3 ones. With different slight changes.

    For my bank account access and the email account associated with it I only have hints. Not an actual user or email. So it can’t be bypassed with a password reset.

    These are both unique though and neither are the same as each other nor anything similar to all the other user name variants I use for other accounts.

  • javasux@lemmy.world · 1 up · 3 days ago

    Well, you also won’t be able to log in from any computer with a US keyboard layout, so…