Microsoft Word has many hidden symbols and foreign language letters that can
be accessed by using the Alt key and three or four keypad numbers. Can these be
used to create a more difficult to crack password?
In this excerpt from Answercast #97 I look at the added safety that may come from using bizarre and exotic characters in a password.
Exotic characters for strong passwords
Well, the short answer is yes, but the real answer is no. And let me explain why.
First let’s talk about what those characters are. You and I are used to a character set that consists of 26 letters, upper and lowercase, ten digits and then a few special characters. Usually it’s less than 128 different characters.
In reality, there are thousands and thousands of different characters. Especially when you start including languages that don’t even use the same alphabet we use. Ultimately, computers are capable of representing these. Many programs are capable of using different characters from different languages that require these kinds of obscure keystrokes, or even different keyboards.
Computer character sets
And by the way, it’s not a “Word thing”; it’s a Windows thing. It’s a computer thing. This isn’t restricted to Word at all.
What it really boils down to is: what software actually supports these large character sets? Word happens to be one of them.
Can you use them in passwords?
The same issue applies to the places you might need to use a password.
You will find, I think, that most online resources want your password to be letters, numbers and a few special characters. Anything outside of that range, they’re just not going to accept.
Yes, it might make for a stronger password but the fact is that most of the internet is based on those 26 letters, ten numbers, upper and lowercase and a few special characters and that’s it; that’s all they’ll support.
Make a stronger password
As it turns out, there’s a better way to make your password stronger.
That is to not use different characters, but to use more of the characters you already have available to you. By that I mean, simply, that a longer password is almost always better than a more complex password. With “enough” being longer enough.
I’ve got an article that compares the two; compares what it means to have a longer password.
I strongly recommend that. Instead of investigating these alternative characters, you simply make your password longer.
Support for exotic characters
Now, if you are in a circumstance where you know the software that is using these passwords does support these bizarre characters from different character sets – then by all means go ahead and use them. They’ll make things more secure if you can remember them, and if you can remember to type them.
Also, you will always need to be at a computer that knows how to enter those characters. That’s another thing too. If you ever try to access one of these things via say, a smartphone or a tablet or something like that, you may not have the ability to type the characters that you were able to type on your PC.
But assuming that everything is correct and it supports these characters then sure; it adds more characters to the mix and it’s unlikely to be a character that a hacker is going to try in a brute force attack.
Ultimately I think, for most people, in almost every case, it’s much better to simply make a longer password with more characters than it is to try and get fancy with these kinds of techniques.
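The length-versus-character-set comparison above, worked through as an added example (not from the original article or podcast). It assumes every character is chosen at random, and the pool sizes are assumptions: 95 printable ASCII characters for the usual set, 256 for a single-byte code page, and 65,536 as a generous upper bound for exotic characters.

```python
import math
import string

# Assumption: the "usual" set the article describes (letters, digits, specials, space).
ASCII_POOL = string.ascii_letters + string.digits + string.punctuation + " "

def rejected_chars(password):
    """Characters a site that only accepts printable ASCII would refuse."""
    return sorted({c for c in password if c not in ASCII_POOL})

def brute_force_bits(pool_size, length):
    """log2 of the number of candidates an exhaustive search has to cover."""
    return length * math.log2(pool_size)

def ascii_length_to_match(pool_size, length):
    """Shortest ASCII-only length whose search space is at least as large.

    Uses exact integer arithmetic so boundary cases are not lost to rounding.
    """
    target = pool_size ** length
    n = 0
    while len(ASCII_POOL) ** n < target:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed sample password containing two non-ASCII letters.
    print("refused by ASCII-only sites:", rejected_chars("Grüße!2024"))
    # Assumed pools: 256 = single-byte code page, 65536 = generous upper bound.
    for pool in (len(ASCII_POOL), 256, 65536):
        bits = brute_force_bits(pool, 8)
        need = ascii_length_to_match(pool, 8)
        print(f"8 chars from {pool:>5}: {bits:5.1f} bits, matched by {need} ASCII chars")
```

Under these assumptions, an 8-character password drawn from 256 symbols is matched by 10 ordinary characters, and one drawn from 65,536 symbols by 20.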
(Transcript lightly edited for readability.)
I’ve recently been to a site that does not even accept shift characters, so unless it is on the keyboard or num-pad you are out of luck. Also, I’ve hit the ‘too long’ error message a few times over the past 12 months – some sites simply are not keeping ‘up with the times’ with regards to security.
I use Google Chrome and it has “Do you want Google Chrome to remember your password?” I have one tower computer, I’m the only one who uses it, and I have remote access turned off. Is it safe to let it remember my password?
Many experts are now recommending that you use a password phrase rather than a series of semi-random characters. For one thing, a phrase can be long, but still be easily remembered and easy to enter. Compare
p1%&crz@k9*
to the phrase
Open the pod bay doors, Hal.
The phrase contains upper and lower case letters, spaces AND punctuation, yet is easy to remember. Also, being a longer password, it is more difficult to crack.
“I’m sorry, Dave. I’m afraid I can’t do that.” :)
The problem with that passphrase is that popular phrases are often included in rainbow tables and dictionary attacks.
Open&the pod bay doors, Hal@ would be literally millions of times more secure
to Glen:
I have had friends lose access to accounts, simply because they let their computer remember the passwords.
The scenario goes something like this:
They tick the box, that says “remember my password”.
They subsequently forget what the password is, because they don’t need to type it any more.
Something happens to the computer, or the software (something as simple as an update, or a crash) and it “forgets” what the password is.
Typing in the password is tedious, but it makes you remember it. And if anything happens to the machine, or you need to access online services from somewhere else, you know the password.
Yes, I’ve heard ALL the arguments about using “stronger” passwords, and some of them do have merit. But over the years, the LIKELIHOOD of yours being found out is unlikely based on one simple rule. Do not SHARE your password with another person. Simple. I’ve been using the same password on multiple sites for years and have yet to encounter a single incident of problems. What I do run into, often, is that I’m supposed to choose my “own” password, and then the site demands so many parameters that it slides into the abyss of absurdity. It MUST contain at least one letter, one digit, one cap, one “special” character and none in certain sequences, until it’s really somebody else’s password rather than mine. And every site is different in its requirements. Plus, it continually changes as new sites are added. Let me use my own password and I’ll suffer the consequences for MY choice. I shouldn’t suffer the consequences because YOUR site chooses to keep changing the parameters.
@Glen,
Here’s a good article from Leo on letting your browser remember passwords:
Is it safe to let my browser remember passwords?
“In this excerpt from Answercast #97 I look at the added safety that may come from using bazaar and exotic characters in a password.”
Or even bizarre characters. ;)
@198kHz
Good catch. I fixed it.
@Reverend Jim
“Open the pod bay doors, Hal.” is a known phrase that might be programmed into a dictionary attack bot. I’d recommend something more of a nonsense nature that only makes sense to you.