noscript.com For all your anti Hacker and anti Malware needs.

What's the security level of a password that isn't a dictionary phrase, but is really common? i.e. something like TANSTAAFL, where everyone knows it, but a computer thinks it isn't a real word.

What about if it's a phrase like that that's restricted to a subset of the population?

Good question - some of the others may be better equipped - but here's my 2 cents.

That ^^ chunk of letters isn't common - not an acronym I know of, and it's not a real word. The script doing the hacking/attack has a database attached of things to try - the number combos (example, a 4 digit pin code = 10000 possible combos) or the dictionary attack would have a commonly used set of words/acronyms.

It is known that the longer the password, the harder it is to break. TANSTAAFL wouldn't be something I'd have as a password - because it's all letters.

As most websites and companies now require -use numbers in combination with letters.

A brute force attack would kind of be like this: A a AA aa AAA aaa AAAA aaaa AAAa...etc. but wouldnt necessarily add numbers.


And, MOST of the time NOW - hacking is done for money. It used to be a common status achievement "Hey look at me, I have skillz cuz I is B L337 -I h4ck3d a Website". Nowadays it's more geared towards identity theft and fraud and money - why waste time on a hackjob if it doesn't pay?

The subculture aspect would be useful if a person was doing a malicious personal attack on the machine, having a knowledge of possible combos to use on the passwords.

That's my opinion. The letter combo is good for starters, throw numbers and case changes in the middle and you've got something that's pretty damn good.

Cutenoob

I wouldn't have used TANSTAAFL (which is apparently restricted to the SF subculture) on its own, but I'm always uncomfortable using dictionary words as a basis for passwords. For obvious reasons I'm not going to post them here, but some of the pass phrases I use already have numbers in them before I decide to 133t them into more secure passwords. I just got worried, because they were fairly straightforward.

Although I had IT approve of c0mput3r at one point... says a lot about other people's passwords.