So is a long password of repeating characters good or not?

The problem is that we don’t know what approach hackers are using to break your password. So, to be safe, the best password is both long and complex.

In a recent newsletter, you answered someone’s question about passwords. I didn’t understand your answer. Could you clarify with an outright, direct, plain, clear answer? The person was asking about passwords, an idea he had, and would it just be safer to use repeating letters as passwords? I couldn’t understand if you were saying it was good and safer as it was harder to hack with hacking software or just the opposite. I don’t understand the explanation about how hacking software works and I don’t need to. Just the answer to that question about a series of same letters would be sufficient enough for me to know what would be good to do or not to do.

As direct, plain, and clear as I can be, the answer is no, you should not use a password that is a single repeating character.

In my defense, the answer really isn’t that simple or that easy. It actually does require a little bit of thought. The problem is that it’s a very complex topic. And there aren’t always simple yes-or-no answers.

Password examples

So let’s say you’ve got a password of 16 repetitions of the letter x. That kind of password is great at foiling certain types of hacking attacks; for instance, brute-force attacks that simply try every possible combination of letters and numbers. That’s because the password is long, and the number of combinations grows with every character added. So “long” is good; longer is always better than shorter.

Now, those 16 repetitions of the letter x are a bad password if you’re trying to foil other types of hacking attacks, such as those that start by trying common patterns. Because a single repeated character is such a simple and potentially common pattern, it could be cracked very quickly.

The problem is that we don’t know which approach hackers are using, and they may use something else entirely. So the point I was trying to make, and I suspect didn’t make clearly, was simply this: the best password is both long and complex.

Complexity doesn’t have to mean random letters. If your password is long enough, it can be complex simply by stringing together random words that are easy for you to remember but result in a long password.
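To make the two attack models described above concrete, here is an added Python example (not code from the article or from Ask Leo!) that scores a password both ways: the brute-force search space that rewards length, and a handful of cheap pattern checks standing in for the attacker who tries common patterns first. The password’s effective strength is the smaller of the two. The common-word list, the guess budgets per pattern, the 64-character length limit and the 60-bit threshold are constructed assumptions, not figures from the article.

```python
import math
import re

# Constructed stand-in for the wordlists a pattern-first attacker tries before
# any brute force; real lists hold millions of entries (assumption).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon"}

PRINTABLE = 95   # printable ASCII characters an attacker would enumerate
MAX_LEN = 64     # assumed longest length a pattern attacker bothers with


def brute_force_bits(password):
    """Search space for an attacker trying every combination, in bits:
    length * log2(alphabet). This is what 'long' buys you."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pattern_findings(password):
    """Cheap checks modelling an attacker who starts with common patterns.
    Each finding is a (category, detail) pair."""
    findings = []
    n = len(password)
    if n and len(set(password)) == 1:
        findings.append(("single repeated character", password[0]))
    else:
        # e.g. "abababab" is the unit "ab" repeated four times
        for unit_len in range(1, n // 2 + 1):
            unit = password[:unit_len]
            if n % unit_len == 0 and unit * (n // unit_len) == password:
                findings.append(("repeated unit", unit))
                break
    if n >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(password, password[1:])):
        findings.append(("ascending sequence", password))
    lowered = password.lower()
    findings.extend(("contains common word", w) for w in sorted(COMMON_WORDS) if w in lowered)
    return findings


def pattern_budget_bits(category, detail):
    """Assumed number of guesses (in bits) a pattern attacker needs once the
    pattern is on their list. Constructed estimates, not measured figures."""
    if category == "single repeated character":
        return math.log2(PRINTABLE * MAX_LEN)              # every char at every length
    if category == "repeated unit":
        return math.log2(PRINTABLE ** len(detail) * MAX_LEN)
    if category == "ascending sequence":
        return math.log2(PRINTABLE * MAX_LEN)              # start char and length
    return math.log2(1_000_000 * 1_000)                    # wordlist x suffix/case variants


def assess(password):
    """Effective strength is the smaller of the two attack models: a
    long-but-patterned password loses to the pattern attacker, a
    short-but-random one loses to brute force, and only long AND complex
    survives both (the article's point)."""
    bf = brute_force_bits(password)
    findings = pattern_findings(password)
    effective = min([bf] + [pattern_budget_bits(cat, detail) for cat, detail in findings])
    return {
        "brute_force_bits": round(bf, 1),
        "findings": findings,
        "effective_bits": round(effective, 1),
        "verdict": "weak" if effective < 60 else "strong",  # 60-bit line is an assumption
    }


if __name__ == "__main__":
    for pw in ["xxxxxxxxxxxxxxxx", "Password1", "kettle-violet-marble-trumpet"]:
        print(pw, assess(pw))
```

Sixteen x’s score about 75 bits against brute force but only about 12.6 bits against an attacker who tries every repeated character at every length, so they are rated weak. The four random words (a constructed passphrase) score roughly 165 bits and trip none of the pattern checks, which is the long-and-complex combination the article recommends.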

There are 7 comments:

  1. Mark Mann

    I would think (I’m no expert) that no matter what password you have, it depends on how the hacker goes about doing his thing whether or not it is easy. Using a date of birth or loved one’s name might be easy for someone who knows you, but harder for a stranger. Would any hacker, for example, expect a 3 letter/number password? In most cases the minimum is 4 characters, so can the hackers tell how many characters they should be trying with? Some websites insist on having at least one number or letter in an eight-character password, for example. This already limits the number of searches a hacker would have to do, as he can rule out all the same-character combinations and all the combinations having all letters or all numbers. Unless you have a concerted effort to get the password by a professional hacker, I would think that any password can be hard to crack for someone who doesn’t know it. Of course the hackers reading this are probably laughing at me now, but if you can tell me why I’m wrong I’d appreciate it.

    • Mark Mann

      OK, so I read the Haystack article and my question has been pretty much answered, so I will be making a change or two to my passwords. Glad to say I was partly (fractionally) right in that the hacker has no idea how long the password is. Can they really search at a trillion guesses a second? How does the website or whatever confirm that fast that they have the correct password? Wouldn’t it fly right by before getting the confirmation? And don’t the websites usually block any access after 3 failed attempts at entering a password?

      • Mark Mann

        Another thought. Won’t hackers be going all out to hack the GRC Password Haystack calculator? Millions of people are probably checking their password there, so it would be a goldmine for password collectors.

        • Leo

          Actually any good random password generator like that won’t give the hackers any information. The password isn’t “calculated” – you’re simply given a random string to use as your password. It’s SO random that there’s no way to know what you got, or to use the generator in any way that would let them figure it out.

      • Leo

        The three trillion attempts per second is an example of an off-line attack. This is what happens when a hacker actually sneaks in and steals the database of user accounts and encrypted passwords. (Most large-scale hacks you hear about are exactly this, these days.) They then hack the encrypted passwords and, if successful, come back to the original site and log in.
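Leo’s reply above describes the offline attack: the attacker steals the table of account names and hashed passwords and runs guesses against it on their own hardware, where no login lockout applies. The following Python is an added example, not code from the article or from Ask Leo!, showing why the way a site stores passwords decides how much that attack costs. With an unsalted fast hash, one SHA-256 of a guess is checked against every stolen account at once; with a random per-user salt plus scrypt (a memory-hard key-derivation function) each account demands its own slow computation. The user table, the guess list and the scrypt work factor are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed guess list, standing in for the large wordlists used offline.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "xxxxxxxxxxxxxxxx"]

# Assumed scrypt work factor; 128 * N * r bytes = 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def fast_hash(password):
    """Weak storage scheme: one unsalted SHA-256, identical for every user
    who picked the same password and cheap to compute in bulk."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def offline_recover(leaked, candidates):
    """Model of the offline attack against an unsalted fast hash: each
    candidate is hashed once and compared with every stolen digest, so the
    attacker's cost does not grow with the number of accounts."""
    users_by_digest = {}
    for user, digest in leaked.items():
        users_by_digest.setdefault(digest, []).append(user)
    recovered = {}
    for guess in candidates:
        for user in users_by_digest.get(fast_hash(guess), []):
            recovered[user] = guess
    return recovered


def slow_hash(password, salt=None):
    """Defender's scheme: random per-user salt plus memory-hard scrypt.
    Returns (salt, key); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_slow(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_hash(password, salt)
    return hmac.compare_digest(candidate, key)


def demo_fast_scheme():
    """Constructed 'stolen' table: two users share a common password, one
    uses a long passphrase of random words as the article recommends."""
    leaked = {
        "alice": fast_hash("letmein"),
        "bob": fast_hash("letmein"),
        "carol": fast_hash("kettle-violet-marble-trumpet"),
    }
    return offline_recover(leaked, CANDIDATES)


def demo_slow_scheme():
    """Same password stored twice with the slow scheme: the salts make the
    stored keys differ, so one guess can no longer test two accounts."""
    salt_a, key_a = slow_hash("letmein")
    salt_b, key_b = slow_hash("letmein")
    return {
        "stored_values_differ": key_a != key_b,
        "correct_password_verifies": verify_slow("letmein", salt_a, key_a),
        "wrong_password_rejected": not verify_slow("letmeout", salt_a, key_a),
    }


if __name__ == "__main__":
    print("fast, unsalted:", demo_fast_scheme())
    print("slow, salted:", demo_slow_scheme())
```

Against the fast scheme the five-word guess list recovers both accounts that chose “letmein” with a single hash computation, while the passphrase stays unrecovered because it is on no list. The slow scheme does not make a weak password strong, but it removes the one-hash-tests-everyone shortcut and makes every guess cost a deliberate amount of time and memory, which is the mitigation sites can apply on their side; the long, complex password remains the user’s side of it.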
