As direct, plain, and clear as I can be, the answer is no, you should not use a password that is a single repeating character.
In my defense, the answer really isn’t that simple or that easy. It actually does require a little bit of thought. The problem is that it’s a very complex topic. And there aren’t always simple yes-or-no answers.
Password examples
So let’s say you’ve got a password of 16 repetitions of the letter x. That kind of password is great at foiling certain types of attacks; for instance, those that simply try every possible combination of letters and numbers. That’s because the password is long. So “long” is good; longer is always better than shorter.
Those same 16 repetitions of the letter x are a bad password if you’re trying to foil other types of attacks, such as those that start by trying common patterns. Because a single repeated character is such a simple and potentially common pattern, it could be cracked very quickly.
The problem is that we don’t know which approach an attacker will use, or whether they’ll use something else entirely. So the point I was trying to make, and I suspect didn’t make clearly, was simply this: the best password is both long and complex.
Complexity doesn’t have to mean random letters. If your password is long enough, it can be complex simply by selecting random words that are easy for you to remember but together make a long password.
Steve Gibson at Gibson Research has an interesting page that does a good job of explaining the difference between password complexity and length: https://www.grc.com/haystack.htm
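To make the “it depends on the attacker’s approach” point concrete, here is an added illustration (my own example code, not Ask Leo!’s or GRC’s) that scores the same password under three attacker models: exhaustive brute force over the character set, a pattern-first attacker who enumerates single-repeating-character strings, and a word-list attacker who knows a passphrase was built from a list of words. The guessing rate of one trillion per second, the 94-character printable set, the 64-character cap on the pattern attacker and the 2048-word list are all assumed values chosen for the example.

```python
"""Compare how long a password survives under different attacker models.

Added example; the constants below are assumptions for illustration:
  * an offline attacker testing 10**12 guesses per second;
  * a pattern-first attacker who tries every 'c' * k for printable c, k <= 64;
  * a word-list attacker who knows a passphrase was drawn from a 2048-word list.
"""
import string

GUESSES_PER_SECOND = 10 ** 12   # assumed offline cracking rate
PRINTABLE = 94                  # assumed: letters, digits and punctuation (no space)
MAX_REPEAT_LENGTH = 64          # assumed longest repeat the pattern attacker tries
WORDLIST_SIZE = 2048            # assumed size of the attacker's word list


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 symbols
    if " " in password:
        size += 1
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an exhaustive search over every length up to len(password)."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def repeating_char_guesses(password: str):
    """Guesses for an attacker who tries length 1 for all printable characters, then
    length 2, and so on. Returns None when the password is not a single repeated character."""
    if not password or len(set(password)) != 1 or len(password) > MAX_REPEAT_LENGTH:
        return None
    return len(password) * PRINTABLE      # worst case: found at the end of its length bucket


def wordlist_guesses(password: str):
    """Guesses for an attacker who knows the password is k lowercase words from a known list.
    Returns None unless the password is two or more lowercase words separated by single spaces."""
    words = password.split(" ")
    if len(words) < 2 or not all(w.isalpha() and w.islower() for w in words):
        return None
    return WORDLIST_SIZE ** len(words)


def weakest_model(password: str):
    """Return (model_name, guesses, seconds) for the cheapest attack that applies."""
    models = {
        "brute_force": brute_force_guesses(password),
        "repeating_char": repeating_char_guesses(password),
        "wordlist": wordlist_guesses(password),
    }
    name, guesses = min(
        ((k, v) for k, v in models.items() if v is not None), key=lambda kv: kv[1]
    )
    return name, guesses, guesses / GUESSES_PER_SECOND


if __name__ == "__main__":
    # Constructed sample passwords: the article's 16 x's, a mixed short password,
    # and a four-word passphrase in the style of the linked xkcd comic.
    for pw in ["x" * 16, "Tr0ub4dor&3", "correct horse battery staple"]:
        name, guesses, seconds = weakest_model(pw)
        print(f"{pw!r:32} weakest={name:15} guesses={guesses:.3e} seconds={seconds:.3e}")
```

Running the block shows the article’s point: the 16 x’s survive roughly 4.5e22 brute-force guesses but fall to the pattern attacker in about 1,500, while the four-word passphrase is immune to single-character patterns and needs 2^44 guesses from a word-list attacker, which at the assumed rate is seconds, not years. Adding words (six rather than four) or mixing in characters outside the list’s alphabet is what pushes the cheapest applicable model back out of reach.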
http://xkcd.com/936/
It’s certainly a good start for most people for teaching them how to generate a password.
I would think (I’m no expert) that no matter what password you have, it depends on how the hacker goes about doing his thing whether or not it is easy. Using a date of birth or loved one’s name might be easy for someone who knows you, but harder for a stranger. Would any hacker, for example, expect a 3 letter/number password? In most cases the minimum is 4 characters, so can the hackers tell how many characters they should be trying with? Some websites insist on having at least one number or letter in an eight-character password, for example. This already limits the number of searches a hacker would have to do, as he can rule out all the same-character combinations and all the combinations having all letters or all numbers. Unless you have a concerted effort to get the password by a professional hacker, I would think that any password can be hard to crack for someone who doesn’t know it. Of course the hackers reading this are probably laughing at me now, but if you can tell me why I’m wrong I’d appreciate it.
OK, so I read the Haystack article and my question has been pretty much answered, so I will be making a change or two to my passwords. Glad to say I was partly (fractionally) right in that the hacker has no idea how long the password is. Can they really search at a trillion guesses a second? How does the website or whatever confirm that fast that they have the correct password? Wouldn’t it fly right by before getting the confirmation? And don’t the websites usually block any access after 3 failed attempts at entering a password?
Another thought. Won’t hackers be going all out to hack the GRC Password Haystack calculator? Millions of people are probably checking their password there, so it would be a goldmine for password collectors.
Actually any good random password generator like that won’t give the hackers any information. The password isn’t “calculated” – you’re simply given a random string to use as your password. It’s SO random that there’s no way to know what you got, or to use the generator in any way that would let them figure it out.
The three trillion attempts per second is an example of an off-line attack. This is what happens when a hacker actually sneaks in and steals the database of user accounts and encrypted passwords. (Most large-scale hacks you hear about these days are exactly this.) They then crack the encrypted passwords and, if successful, come back to the original site and log in.
Oops!
y..password,” then you’re safe: go ahead and change the passphrase, entering the complete version this time.
[ Hey, Leo, how about adding “Edit Post” links so we can correct our mistakes?! ]