HACKER Q&A
📣 _justinfunk

Which password is more secure?


If I ask my password manager to generate a 20 character password with lowercase, uppercase, symbols, and numbers... it gives me a password like:

`nNqP4nnvMs!HCL@*z3cm`

In real world use-cases, is that a more secure password than:

`aaaaaaaaaaaaaaaaaaaa`

Theoretically speaking, does it have a lower entropy than the first password? How does the entropy calculation know that the 20 'a' characters weren't randomly generated from the same set of characters that generated the first password?


  👤 PaulHoule Accepted Answer ✓
It depends on the threat.

If you randomly generated passwords like the first one you will get passwords like 'a'20 unless the system has a filter to prevent that. (My quasi-random passwords sometimes fail arbitrary tests because they might be lacking a number or having a \ or " character that isn't allowed or something...)

Practically the 'a' 20 password is only going to be a problem if a password cracker tries it. Really I don't know what the state of the art for cracking is today.

Back in the 1990s, before shadow passwords were widespread, I used to try decrypting unix passwords all the time and used a few different lists. The two things that worked were the empty string and password same as the user name. I used the "Phrack 200" and another list of 8000 and don't think I ever got a hit.


👤 pwg
#2 is less secure, not because of entropy per se, but because it will already be present in existing password test files and/or is trivial to create and test (i.e., JohnTheRipper's ability to generate test candidates based upon patterns).

👤 landa
The second password can be compressed almost to nothing, whereas the first password can't be compressed at all. This to me says that the first password is a lot more secure.

https://en.wikipedia.org/wiki/Kolmogorov_complexity


👤 Tomte
The entropy is calculated with knowledge of the process that generated the password.
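Tomte's point, as a worked example added here (not code from any poster): the entropy figure only sees the generating process, so both passwords score the same, while a compressibility measure and a cracker's pattern rule see the output itself. The 94-character alphabet and the repeated-character candidate rule are assumptions about the generator and the attacker.

```python
import math
import string
import zlib
from typing import Iterator, Optional

# Assumed generator alphabet: lowercase, uppercase, digits, symbols (94 chars).
CHARSET = string.ascii_letters + string.digits + string.punctuation

def generator_entropy_bits(password: str, charset: str = CHARSET) -> float:
    """Entropy of the *process*: each character drawn uniformly from charset.
    Depends only on length and alphabet size, never on which string came out."""
    return len(password) * math.log2(len(charset))

def compressed_length(password: str) -> int:
    """Crude Kolmogorov-style measure: bytes zlib needs to describe the string."""
    return len(zlib.compress(password.encode(), 9))

def repeated_char_candidates(max_len: int, charset: str = CHARSET) -> Iterator[str]:
    """Pattern rule a cracker tries early: one character repeated 1..max_len times."""
    for ch in charset:
        for n in range(1, max_len + 1):
            yield ch * n

def guesses_to_crack(password: str, max_len: int = 20) -> Optional[int]:
    """Candidates tried before the pattern rule hits, or None if it never does."""
    for i, cand in enumerate(repeated_char_candidates(max_len), start=1):
        if cand == password:
            return i
    return None

if __name__ == "__main__":
    random_pw = "nNqP4nnvMs!HCL@*z3cm"   # from the question
    repeated_pw = "a" * 20              # from the question
    for pw in (random_pw, repeated_pw):
        print(pw, f"{generator_entropy_bits(pw):.1f} bits (process)",
              compressed_length(pw), "bytes compressed",
              guesses_to_crack(pw), "guesses under the repeat rule")
```

Both strings report the same 131.1 bits because the formula is about the generator, but the repeated one falls to the pattern rule after 20 guesses while the random one survives all 1880.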

👤 Slow_Hand
I have a question about brute-force password cracking or any method that involves rapidly testing a hundred or more possible passwords:

What prevents someone from securing the system by putting a limit on the number of login attempts before the application requires a cool down time before it will allow additional attempts?

I can't be the first person to have thought of this, so would someone please explain why this is not a viable security strategy?


👤 arh68
In theory, they could be seen as equivalent. In practice, they're not. Your "2,154" speaks to that.

👤 eimrine
If this is a password for an online service with captchas after each wrong try, #2 is strong enough.

👤 joshxyz
Definitely the one with 2fa.