Slightly off topic but since all the computer experts seem to be here I'll ask. Just how random are randomly generated passwords?
For example, we had forgotten a password from a major department store rewards program. We requested a password to log in so we could reset a new one. It gave us about a 10 digit sequence of numbers and letters, some cap, some lower case. It also happened to be the exact same password a company gave us for a router login when we were updating our network just 3 weeks earlier.
How can that happen?
I would have bought a lottery ticket.
That is an incredible coincidence, especially considering the passwords were from two different companies, and for two different products.
And this is where I don't understand how more complex passwords are "stronger".
Ignoring simple words from the dictionary, how is mY48r&eThrO2%* any more secure than 11111111111111?
I understand that the first is harder to guess, and more secure from a brute force attack, but I intentionally made the 2nd one ludicrously simple to show the point... I could have used any 14-character term.
Yes, the first contains random upper case and lower case, numbers, and three special characters.... but from a hacker's viewpoint, he has a blank.
He doesn't know whether my password has 3 characters or 23 (other than network policy dictating a minimum of 8).
He doesn't know if my password is alpha, numeric, alphanumeric, has special characters, or has upper case (other than network policy dictating that the password contain one or more of each).
It's all ones and zeros.
What is the difference in attempting to guess or hack:
mY48r&eThrO2%*
my48r&ethro2%*
my48r5ethro252
myhbrsethroszs
mybrothersnose
I get it, if the hacker knows the password is 14 lower case letters, he can limit his search to 14 character combinations comprised of lower case letters and make quick work of it... but he doesn't know that.
I read a network security article a couple of years ago that touched on this. It said that complex passwords only make passwords difficult to remember, which leads to poor security tactics such as using the same password for multiple accounts, or storing passwords in an online "wallet" or, even worse, a plain text file. It suggested that the best passwords are nonsense phrases such as H*rse42W*n1D*ggie. All special characters substitute for the same vowel, each word is capitalized, and the entire password forms a rather silly sentence, making it easy to remember, yet just as hard to hack as J*dtk42G%g1D&ttob... which I defy anyone to remember.