Yep, most of our
supposedly easy-to-remember-hard-to-crack strategies fall pretty quickly when
we're informed that there must be a symbol - but not that one, that one, that
one, or that one - and there must be a capital letter and there must be a
number, oh and sorry your password is now too long. So now we need to remember
our standard phrase AND the fact that for THIS website we couldn't use that
symbol so we had to put in another and we had to stop after 6, 8 or 10
characters which meant we had to move the number to the front...
Passwords should
never be stored as plain-text, but as a big long hash. So
'ThisIsMyPasswordForNatWest' becomes 'a64b8d3190050e4600ed3352cb05e5fb9a54c6dc'
under a hashing system called SHA1 for instance, and you can't take that hash
and reverse it and get the password. A per-account string of random characters
should be added to the user's password too - this alone makes it virtually
impossible to crack a password. So long as no website stores your password as
plain-text then you're in the clear.
The problem is
that you can't trust websites to not store passwords as plain-text, and you
have no idea if a website is there just to suck up people's passwords and
password strategies. Or even if a company has a website and just one developer
decides to make copies of submitted passwords or figure out people's password
strategies.
Password
strategies also rely on not being popular too - if enough people use the same
prefix/suffix, or used the same 'Nellie, the elephant packed her trunk' passphrase
but substitute a single word, then it just becomes another strategy that a
hacker can add to their brute-force attack.
The Key is: Do
not trust websites to store your passwords as hashes. Passwords should never be
stored as plain-text, but as a big long hash.
Assuming it is
constructed with alphanumeric characters accessible directly from the keyboard,
your 15-character string has about 15^98 possibilities. There are around 400K
words in the Portuguese language alone (I don’t know the number for the English
Language). A properly constructed 4-word passphrase has a minimum 4^400K
possibilities, and the points about sophisticated dictionary attacks and common
phrases and other things one's read on Wikipedia (aka the internet's largest
honeypot for armchair know-it-alls) count for nothing if the passphrase itself
doesn't follow language syntax. Even if you knew the exact number of words and
characters in the passphrase, it would still be quicker on average to
alphanumeric brute force than it would to use a dictionary attack. I'll grant
you that in the real-world people don't choose good passphrases. They choose
easy to remember stuff that makes a logical statement or sentence, or some
Shakespearean guff or a line from their favourite movie or song. In that sense
your logic sort of works, i.e., if we're going to recommend any
"system" to the masses, then yours might be the better one to
recommend. (Even that is debatable, as the weak link is still the fact that you
have people choosing for themselves. Even you with your vast knowledge went
straight for some well-known footballing dirge as an example.) However, don't
try to tell those of us who know better that the mere existence of obvious
exceptions and shortcuts to cracking poorly chosen or common phrases makes a
dictionary-based passphrase less secure than 15 characters chosen from a
"dictionary" of 98.
Another piece of
advice: Serious hackers don't attack login pages (which usually have some sort
of login rate limiting in place), instead they use some sort of social
engineering attack to get inside the company’s network and get hold of the user
database. The passwords in these databases are stored in encrypted form, but
now they can test passwords using their own hardware and without any rate
limiting. Using cheap graphics cards and rainbow tables to attack the most
common hashing algorithms, they can test billions of password combinations a
second. It's only relevant to attacks where the attackers have direct access to
the user/password database and the passwords have been safely stored. That
said, there have been cases where a site has not been secured against brute
forcing.
Corollary of
this is, of course, that an attacker brute-forcing your password is often not a
problem unless it is used elsewhere (or permits privilege escalation) because
the ability to brute-force the password requires the attacker to have already
breached the website that password is for.
Bottom-Line:
password reuse is a bigger problem than individual password security. Use a
password manager and you fix both.
