
To me, there's an irony in that "Zaphod Beeblebrox's kite harasses Tuscon." is not only _more_ memorable on its own, but is probably a _better_ password than "ZBw3hHg1tFWdhdt?Hoh2hXcrZmn"

Stop using passwords, just use a "pass sentence."

My last few passwords at my previous employer:

"Tim, bring me chicken #15" "Mary, stop looking at me!" "Nothing you can do about 2!" "The coffee here is gross."

Seriously.



There's absolutely no way a five word password is better than 32 random characters. Two plain old random words, the entropy of that is less than 16 bits each, but we'll round up. One of the biggest cities in the US is probably even less useful, but let's credit it for 16 bits. And let's rate Zaphod Beeblebrox as one-in-a-million for entropy purposes.

That's 68 bits. It's somewhere between 11 and 12 random alphanumeric characters. It's unimaginably weaker than 32 random characters.

A random word is generally worth about 2 to 2.5 random characters. Sometimes that's easier to remember, sometimes it isn't.

And your example passwords are not that strong. A simple algorithm picking words just by rarity could hit "The coffee here is gross." within about 2^50 iterations, and a single consumer GPU can test about 2^48 - 2^52 hashes per day. "the", "here", and "is" are way too common. You only have two moderately random words.


> There's absolutely no way a five word password is better than 32 random characters.

That assumes the attacker knows it's a five word password, and that there are no misspellings, and that these are specifically English dictionary words in dictionary form, how you're capitalizing it, and whether or not you snuck a number or an exclamation mark in the middle. Might as well know your password at this point..

raivoissaankoha NOKANMURIT vejatti 42 cerviidoo fjelleil??

:--)

Not a single dictionary form, and not a single word spelled "correctly", but this sort of phrase is really easy for me to memorize. If you had dictionaries for all four languages involved, you still probably wouldn't get very close unless you also know to inflect these words like spoken/slangish Finnish sans umlauts. Say what, fellow Finns?


Guessing that it's English words is no harder than guessing that it's random uppercase/lowercase/numbers. So that part cancels out. Realistically you'd try all simple patterns in order of complexity. This makes cracking slower than knowing the pattern up front, but the password is already getting exponentially harder to crack every time it gets longer. The small factor of trying different simple patterns pales in comparison.

The attacker doesn't need to know how many words. They would try 1, then 2, then 3, etc.

Capitalization and tiny modifications are only worth a few bits. They can't get you anywhere near the quality of 32 random alphanumerics.

Your password example is a lot stronger. But even then I don't know if it's better than a full 32 random characters. That would mean every two characters in your password have more randomness than a completely random character with no patterns. That might be true.


> The small factor of trying different simple patterns pales in comparison.

I'm not sure I agree with that. There's an infinite number of simple patterns that one could construct, and guessing the right one from the space of all possible patterns could alone exhaust any bruteforce capability. The characters of a random password could be taken as constants that define a simple pattern according to some rule, so you can have as much entropy in the space of such patterns as you have in a randomly generated alphanumeric password; in a manner of speaking, the pattern is part of a password and by itself contributes to entropy (as long as we're talking about patterns with long enough outputs that different patterns don't have much overlap in what they spit out).

If the attacker doesn't have a huge library of simple patterns, then making an unbreachable password is very simple: just make up a new pattern, they probably won't guess it.

(Dang, now I'm tempted to make a game out of this: write a pattern generator, post a set of parameters in the public along with the md5 of the resulting pattern, and award some monies to the first person to figure it out.)

> The attacker doesn't need to know how many words. They would try 1, then 2, then 3, etc.

Sure. At what point would they exhaust their bruteforce capability or decide that they've probably got the wrong pattern and go for another one?

I hope the next pattern they choose isn't one to four random English dictionary words followed by the number of letters in the resulting phrase, expressed in binary using X for 1 and Y for 0!

> Capitalization and tiny modifications are only worth a few bits.

Five times a few bits quickly adds up though.

> Your password example is a lot stronger. But even then I don't know if it's better than a full 32 random characters. That would mean every two characters in your password have more randomness than a completely random character with no patterns. That might be true.

It's pretty hard to say since I made it up on the spot instead of randomly generating it after specifying a pattern, yeah.

But if you had just five words in different languages and you had to guess the language for each, that is quite a bit of entropy. Not enough to prevent any sort of brute force attack, but we're talking a few dozen bits at least. A quick google search shows that there are around 4000 human languages with at least 1000 speakers (https://www.infoplease.com/askeds/how-many-spoken-languages), that'd be 12 bits per word. You could guess it's got to be one of the most common 100 languages and you'd miss three languages that I used (Norwegian, Finnish, Esperanto), according to this list of top languages by native speakers: https://en.wikipedia.org/wiki/List_of_languages_by_number_of....

Of course not all words are unique across all languages, so a dictionary attack against my pattern could pick the wrong language for some word and still score the right dictionary entry.

Inflection, in the case of Finnish, proves interesting because there are ways to stack different endings and thus you can have hundreds or thousands of variations of a word, by the book. Slang and regional dialects only add to it.


> At what point would they exhaust their bruteforce capability or decide that they've probably got the wrong pattern and go for another one?

Go in increasing order of difficulty. Or estimated rarity based off of password dumps.

Something like: One character, two characters, one word, one word plus a character, one character plus a word, one modified word, three characters, etc.

"word" being a list of most common words in the United States, or something. Like you said, using many languages screws up dictionary attacks. But most passwords don't do that.

> I hope the next pattern they choose isn't one to four random English dictionary words followed by the number of letters in the resulting phrase, expressed in binary using X for 1 and Y for 0!

That would just be "four words plus five random characters".


> That would just be "four words plus five random characters".

Aye.. if you were going to pick the simplest (most bruteforceable) pattern first, you wouldn't want five random characters now, would you? I thought that's the whole point of this exercise :-) Of course I could decide to repeat that bit pattern four times and that adds no entropy if the pattern is assumed to be fixed, but then we get back to having the attacker try to guess the right pattern.

Very often in these discussions people don't consider the pattern space at all as part of entropy and they only look at the entropy within the alphabet/words/variations after the pattern is fixed. I'm not sure that's right.


The pattern entropy matters, but it's much smaller than the entropy from the actual words and characters.

Don't try to outsmart the person cracking the password. Assume whatever clever scheme you come up with is relatively common. If only 0.05% of passwords use it, that's still less entropy than adding two more characters. And it's a lot safer to underestimate than overestimate.


> a single consumer GPU can test about 2^48 - 2^52 hashes per day

Surely that depends on the hashing function. Moreover, these passwords are usually used for authentication rather than encryption, making the speed of the GPU irrelevant.

Even for encryption, you should probably store a strong key on a hardware TPM and only use the weaker key to authenticate towards the TPM.


It matters for authentication. Databases are regularly leaked with password hashes in them.

You can use a bad password if the hash is good enough, or if you assume the hash can never be leaked. But you can't usually assume the hash will be good. It's safer to store a high quality password than to memorize a low quality password.


I like to also purposefully misspell words, or use some kind of alternative representation of letters, like use 'keeb0rd' instead of 'keyboard'.


Such common variations are accounted for by dictionary attackers.


Realistically, which of my passwords are accessible by such? The vast majority of my passwords are on the web. I don't think any web server is capable of receiving that many password requests to brute force the creds there.

Otherwise to get access to my PC? Let's just say that if that ever happens, having a more randomized password (and one that I can actually use) that takes a bit longer to crack won't make much of a difference, considering they already have my PC.


If you're only worried about people trying to log in via the web, you can get away with a really bad password and you don't need any fancy tricks.

If they get the drive from your PC, the difference between a medium password and a good password is not "takes a bit longer to crack". A better password is impossible to crack using current or near-future technology. The difference between 12 and 20 characters is that it takes ten million billion times longer to crack.

(Assuming you encrypt your data. If you don't then all your effort on making a half-secure password is wasted from the start.)

If you want real convenience for logging in to your PC, without compromising your security, then use a PIN that unlocks a key stored in the TPM.


I ran a few tests with zxcvbn using five words (only nouns and verbs) and it estimates the complexity at roughly the same as that of a 32 random alphanumeric character password with capitals. Is zxcvbn wrong?


It is correct if I don't know anything about you. Once I know you use a sentence, I would use a dictionary to attack your password.


Even knowing nothing, any sane password cracker would attempt five letter sentences long long before they even reached 30 character alphanumerics. And 30 characters is itself more than a thousand times easier to crack than 32.



