Is there any study on whether generating hard passwords work

[Don]

I like to read about security stuff and a common thing I see recommended over and over again is create super hard passwords that are really easy to remember, like say take a phrase: "Prince of Tennis is a crazy manga about people playing tennis." Take first letter of each thing you get POTIACMAPPT, apply some leet-speak transofmratino and you might get P0T!4CM4PPT which is clearly a pretty strong password. But really, can you actually remember this? I'll probably forget what this phrase is tomorrow, and sure I just made one up on the spot but I don't think there are that easily memorable quotes out there (and if so you'd think people can just make a dictionary attack on quotes). But even if you never forget a quote, are you always going to remember that you changed an A to a 4, or an I to a ! instead of 1? There's no doubt a password like POT!4CM4PPT is strong but I'm not sure how anyone without exceptional memory can memorize such a password.

And of course if you follow the standard good advise of using a variety of passwords then you got to remember a phrase for every password as well as what transformation you applied each time. I'm seeing a lot of realistic studies that suggests just writing your password down in a place you can physically access is probably a better way because you're never going to remember all these passwords to begin with and if the password is written on something you carry around, it's not that different from a token. Sure you can't revoke it if someone stole the sheet of paper with the password on it but you'd still realize that you better not use those old passwords anymore.

[Lox]

I use the "make up a phrase and then take the first letter of each word to make your password" scheme and it works really well and it's easy to remember after you use the passwords a few times. I probably have about 10 different passwords memorized like that and the ones that I don't remember yet are inside of a password database that also has a password that I memorized.

Yeah, someone could starting building a dictionary of common phrases that could generate passwords, but that would a) have way too many possibilities to be effective and b) still wouldn't be a risk for me because my phrases only make sense to me and aren't common.

I have a pretty good memory and I have had zero issues with this technique because the repetition of using the phrases eventually causes the phrases to stay in my head.

[Don]

The real problem I have with phrases is that leetspeak transformation is rarely uniform, but is often needed due to different complexity requirements. For example a password like POTIACMAPPT is probably secure enough by itself since it's not a word in any language, and its length is beyond what most brute force attack would do and I'm sure I can remember that phrase if I use it on a regular basis. However you might run into a site that requires lower case letters, and then one that requires a number and another that requires special characters, so maybe you end up with P0T!4CMAPPT but then at some point you could forget that you changed a capital O to 0 instead of lowercase o, especially if you're constantly doing this and putting variations in it.

Of course, if you're not doing any fancy leetspeak transformation then this method works pretty well, though I've seen studies that suggest a password like Awesome!!!!!! is actually pretty safe too because that easily exceeds the length for most dictionary attack length despite the fact that it is a dictionary word.

[Flip]

Im in the habit of using a date ill never forget and then adding AZ! to the end just so it meets whatever insane requirements the particular site makes me conform to. Probably not the strongest, but i really dont give a shit.

[Don]

Im in the habit of using a date ill never forget and then adding AZ! to the end just so it meets whatever insane requirements the particular site makes me conform to. Probably not the strongest, but i really dont give a shit.

But what happens if the site asks you to change your password 2 months later? Do you do 12345AZ! to 23456AZ! or change the ending, or something else? The biggest problem I have is stuff that requires you to change your password constantly (usually right after I finally memorized it), or unusual complexity requirements. Studies suggest something like 'Awesome!!!!!' is actually pretty secure, but I've seen sites where your password is limited to 8 letters. In that case your password becomes 'Awesome!' which is probably very unsecure so you'd have to think of a new one.

[Shrinweck]

I have three different multi-digit numbers I use that I won't forget and a couple jumbled words with random capitals that I throw in as well. If it isn't something I access on a weekly basis then I forget fairly often which particular combination I used for a particular site, but I've gotten pretty good at using certain combinations for certain things lately (games get a jumbled word that I used to spell correctly as a password since I was 8, while more secure things like my bank get jumbled letters that don't spell anything meaningful in the first place). As long as it gives me ~5 tries I almost never get locked out. This works for me since I can either switch the word or the numbers and the algorithm sites sometimes use to make sure you don't use a variation of the same password can't keep up. I'm glad sites don't make you throw in punctuation on a regular basis yet, that stuff screws me up. My dad randomizes punctuation with something like eight to twelve characters which I don't even fucking begin to imagine how he remembers.

xkcd did an interesting comic on this recently where the joke is four completely random words strung together is a stronger password than 1337-ifying some random word.

[Flip]

I also have a word i'll never forget that i'll tack 12! to the end of it. Swapping between those two hasnt been a problem, I havent seen an environment that makes you change your password every 6 months (and not being able to repeat the last 3 used passwords) in a long time. I think that 'switching your password often is safer' mantra that IT used to follow has been debunked.

[Lox]

I convert my passwords using a common sense system that I like. For example, I just make sure that my sentences always have both numbers and various capitalization and usually special characters. I make sure that certain words always get replaced with numbers and that I use proper punctuation and capitalization. I could make a sentence like "If I go 2 Walmart 2 buy something, then I always make sure 2 get a hot dog!" That'd become "IIg2W2bs,tIams2gahd!". It meets the requirements of any possible password and I can remember that because I like hot dogs.

[Don]

There are some sites that actually enforce less complex password which really messes me up. You can come up with say a 12 letter password that has number, upper case, lower case, and special symbol and commit to memory with whatever method works for you, but then if you hit a site where password is only max 8 letter what happens there? I guess you can truncate it but then maybe you mess up some other complexity requirement if your number is say at the end of the password but the site requires a number.

Of course constantly changing password is painful too, even if you're just tacking on a number at the end of the password, since after a while you might forget if you're now on 'password8' or 'password9', especially if the site has a long history and you've exhausted the numbres 0-9 but still can't repeat it.

[SineSwiper]

The Dude Speaks:


The Dude Has Spoken! You All Little Script Kiddies Can Go Back To Your Mom's Basement And Let Me Generate Long Passwords With No Special Characters!

[Oracle]

And then there is the fact that brute-forcing a password on a front end of a website or a corporate login won't work, because it will ~99% of the time flag suspicious activity/lock the account. Therefore you would THEN need to actually compromise the system storing all of the password hashes, which you will probably have to throw a rainbow table at to get anywhere on cracking the hashes.

Secure your authentication infrastructure.

[Don]

Except that password has no number/caps/punctuation so is most likely going to fail as a valid password. It's probably too long too, since most sites limit the length of the password too.

And I agree it is pretty silly. It's hard for me to imagine anyone cracking password would attempt to put 4 random 7 letter words together first over just even brute forcing the first 8 letters. If there are a million 7 letter words that's a 1 trillion trillion, whereas 1 trillion is probably more than enough to brute force most 8 letter or less combinations out there. Again, I recall study show a password like Awesome!!!!!! is pretty secure just because no sane password cracking system starts out by trying to figure out a 12 letter combination password, and that's obviously a very trivial example.