## Clarification, rationale or citation for this section

I have a question regarding this section: "moving from never changing one's password to changing the password on every authenticate attempt (pass or fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack - one gains much more security just increasing the password length by one character than changing the password on every use."

It appears wrong to me, expected guessing time would actually be infinite for the second approach. Can someone clarify, or provide a rationale or citation for this section? --Bananarama9000 (talk) 12:15, 27 March 2015 (UTC)

Maximum guessing time would be infinite for the second approach, but not expected guessing time.
Consider a two character 0-9 password. It has possible values ranging from 00 to 99 -- so there is a 1% chance of getting it on the first guess, a 50% chance of getting it by the 50th guess, and a 100% chance of getting it by the 100th guess. More importantly, if you have guessed wrong 50 times your odds of getting it on the next guess are 2%, if you have guessed wrong 90 times your odds of getting it on the next guess are 10%, and if you have guessed wrong 99 times your odds of getting it on the next guess are 100%.
Now consider the case where it changes after every guess. Now each guess has a 1% chance of being right no matter how many bad guesses you have made already. And there is tiny chance that you might be really unlucky and guess wrong a million or even a billion times in a row. So it's stronger, but not by much.
I didn't calculate it out to see if it is exactly twice as strong, but that seems about right. However, even if I did, that would be WP:OR (see WP:CALC). We really need a citation to a reliable source backing up that particular claim. --Guy Macon (talk) 15:04, 28 February 2016 (UTC)
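The calculation the reply leaves open can be carried through directly. The following is an added example, not part of the talk page thread: it computes the expected number of guesses for a fixed password searched without repeats versus a password re-drawn after every attempt, the per-guess odds quoted above for the two-digit case, and the effect of adding one more character. The keyspace sizes, trial counts and seed are chosen for the illustration and are not from the thread.

```python
import random


def expected_guesses_fixed(n):
    """Expected guesses when the password is fixed and the attacker never
    repeats a guess: the secret sits at a uniformly random position in the
    attacker's list of n candidates, so the mean position is (n + 1) / 2."""
    return (n + 1) / 2


def expected_guesses_changing(n):
    """Expected guesses when the password is re-drawn after every attempt:
    each guess succeeds independently with probability 1/n (geometric
    distribution), so the mean is n."""
    return n


def prob_found_within(k, n, changing):
    """Probability that the attacker has succeeded within the first k guesses.
    For the changing password this never reaches 1: there is always a
    (1 - 1/n)^k chance of k failures in a row."""
    if changing:
        return 1 - (1 - 1 / n) ** k
    return min(k, n) / n


def prob_next_guess(failed, n, changing):
    """Chance that the next guess succeeds after `failed` wrong guesses."""
    if changing:
        return 1 / n                    # memoryless: past failures tell nothing
    return 1 / (n - failed) if failed < n else 1.0


def ratio_changing_vs_fixed(n):
    """How much harder (in expected guesses) the changing password is; this
    approaches 2 from above as n grows."""
    return expected_guesses_changing(n) / expected_guesses_fixed(n)


def ratio_one_more_char(n, alphabet_size):
    """How much harder a fixed password becomes when one character is appended."""
    return expected_guesses_fixed(n * alphabet_size) / expected_guesses_fixed(n)


def simulate_mean_guesses(n, changing, trials=20000, seed=1):
    """Monte Carlo check of the closed forms above (seeded, so reproducible)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        if changing:
            guesses = 0
            while True:                 # each attempt is a fresh 1/n chance
                guesses += 1
                if rng.randrange(n) == 0:
                    break
        else:
            guesses = rng.randrange(n) + 1   # secret's position in attacker's order
        total += guesses
    return total / trials


if __name__ == "__main__":
    n = 100  # two decimal digits, 00..99
    print("fixed:    expected", expected_guesses_fixed(n), "simulated", simulate_mean_guesses(n, False))
    print("changing: expected", expected_guesses_changing(n), "simulated", simulate_mean_guesses(n, True))
    print("changing / fixed:", round(ratio_changing_vs_fixed(n), 3))
    print("one more digit:  ", round(ratio_one_more_char(n, 10), 3))
    for failed in (50, 90, 99):
        print(f"after {failed} failures, next-guess odds: fixed {prob_next_guess(failed, n, False):.0%}, "
              f"changing {prob_next_guess(failed, n, True):.0%}")
```

With n = 100 the changing password costs about 1.98 times as many expected guesses as the fixed one, while appending a single digit multiplies the fixed password's cost by roughly 9.9; the same shape holds for any alphabet, which is the point the article sentence makes.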

Hello fellow Wikipedians,

I have just added archive links to one external link on Password strength. Please take a moment to review my edit. If necessary, add `{{cbignore}}` after the link to keep me from modifying it. Alternatively, you can add `{{nobots|deny=InternetArchiveBot}}` to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

An editor has reviewed this edit and fixed any errors that were found.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set `|needhelp=<your help request>` on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers.—cyberbot II Talk to my owner:Online 06:31, 15 January 2016 (UTC)

Checked. --Guy Macon (talk) 15:10, 28 February 2016 (UTC)

In my opinion, this would not be a good addition for two reasons:
[1] Although I personally really like grc.com and use some of the tools there regularly, there are a boatload of websites that calculate password complexity (and by an amazing coincidence also just happen to also have some commercial product for sale). If we allow a link to one, it wouldn't be fair to exclude the others, and the article could very well end up being 90% external links, at which point they all would be removed per WP:LINKFARM.
[2] Like all such websites, grc.com relies upon an easy-to-put-on-a-webpage mathematical method, whereas real attackers use more sophisticated methods. For example, grc.com claims that...
```
D0g.....................
```
...is stronger than...
```
PrXyc.N(n4k77#L!eVdAfp9
```
...which in the real world is completely untrue. No rational attacker is going to attempt a brute-force exhaustive search of all 23 or 24 character passwords before trying a dictionary attack. I just checked, and my password-cracking dictionary already contains both "D0g" and "....................." (along with "P1g", "........", "\\\\\\\\\\\\", etc.) and would find "D0g....................." in seconds. My dictionary also contains all variants of "<-><-><-><->" "[*][*][*][*]" (as well as "*.**.**.**.*", "~@~~@~~@~~@~", etc.) up to 64 characters. It had "^-^" through "^-^^-^^-^^-^" but would have missed longer repetitions of "^-^". I just added those.
The password padding idea, while clever, results in a password that can be found in a few minutes by anyone running a dictionary attack with a large dictionary on a cluster of fast PCs. --Guy Macon (talk) 14:42, 28 February 2016 (UTC)
Interesting. Let's invent a hard-to-guess password now, like this:
kwxt02158PTMwmtu5574PTKmaoZ400
kwxt......02158P#########TMwmtu557....................4PTKmaoZ400
The second password with the padding is obviously more secure. I used full stops (periods) and hash signs (aka number signs). These passwords and others like them are too hard for most people to memorise. The grc page suggests that padding allows passwords to be easy-to-remember AND longer, given that longer passwords are more secure. I think the article should include a link to that page and mention its suggested padding method, but within the article and not as an external link to avoid `WP:LINKFARM`. I have seen links to the grc.com website on other Wikipedia articles, so it should be okay.
By the way, I can't help wondering how hard it can be to crack passwords of more than 20 characters? If the padding allows users to extend their passwords beyond 20 characters, this alone is more secure and better than using weak passwords and makes it harder for dictionary attacks to succeed in a reasonable time? MetalFusion81 (talk) 00:48, 29 February 2016 (UTC)
If your 20 character password is something like 8!Hiplg#+X+f$4M+n^QH (20 characters) then the grc.com page gets it right; 11.5 thousand trillion centuries to guess assuming one hundred trillion guesses per second.
In fact, 8!H+4plg#Xi+ (12 characters) will take 1.4 hundred million centuries to guess.
If you stick with a-z, qjbrsmbkmwdjwsnzquxs (20 characters) would still take 66 thousand centuries.
Alas, qjbjwrnbksdmsmwz (16 characters) would take 14.4 years and qjbmbkrnsdjw (12 characters) would take 16.5 minutes, so length matters.
In fact, length matters a lot more than including numbers, capital letters or punctuation marks does, because adding one character makes the number of guesses the attacker has to make 26 times larger and adding 4 characters makes the number of guesses the attacker has to make 456,976 times larger.
On the other hand, a long password like SecretPasswordSecretPasswordSecretPassword would be quickly cracked on an ordinary PC using a modern password-guessing program. Those 42 characters are useless against a password guessing program that [A] has "SecretPassword" in its dictionary (which it will) and [B] tries all dictionary words repeated twice and three times (which it will).
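The two points made in this exchange, that length dominates the brute-force keyspace and that a pattern-aware dictionary attack defeats padded or repeated words regardless of length, can be checked with a small script. This is an added example and not part of the thread: it computes keyspace sizes and exhaustive-search times at the hundred-trillion-guesses-per-second rate the post assumes, and implements a simple policy check of the kind a password validator might use to reject dictionary words repeated or padded with a short pattern. The word list is a constructed toy; real cracking dictionaries contain millions of entries and many more transformation rules than shown here.

```python
# Constructed toy word list for the example; real dictionaries are far larger.
WORDLIST = {"secretpassword", "password", "secret", "d0g", "dog", "p1g", "pig"}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def time_to_exhaust(alphabet_size, length, guesses_per_second=1e14):
    """Seconds to brute-force the whole keyspace at the given rate (the post
    assumes one hundred trillion guesses per second)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_time(seconds):
    """Render seconds in the largest sensible unit, up to centuries."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    if seconds < 100 * year:
        return f"{seconds / year:.1f} years"
    return f"{seconds / (100 * year):,.0f} centuries"


def repetition(s):
    """If s is a shorter unit repeated two or more times, return (unit, count)."""
    for unit_len in range(1, len(s) // 2 + 1):
        if len(s) % unit_len == 0:
            count = len(s) // unit_len
            if s[:unit_len] * count == s:
                return s[:unit_len], count
    return None


def strip_run(s, from_tail=True, max_unit=4):
    """Strip a run of at least two copies of a short unit from one end of s
    (the 'padding' idea: 'd0g....' -> 'd0g')."""
    for unit_len in range(1, max_unit + 1):
        if len(s) <= unit_len:
            break
        unit = s[-unit_len:] if from_tail else s[:unit_len]
        core, stripped = s, 0
        while len(core) > unit_len and (core.endswith(unit) if from_tail else core.startswith(unit)):
            core = core[:-unit_len] if from_tail else core[unit_len:]
            stripped += 1
        if stripped >= 2:
            return core
    return s


def dictionary_pattern(password, wordlist=WORDLIST):
    """Describe why a pattern-aware dictionary attack would find this
    password quickly, or return None if no such pattern is detected."""
    lower = password.lower()
    if lower in wordlist:
        return "dictionary word"
    rep = repetition(lower)
    if rep:
        unit, count = rep
        if unit in wordlist:
            return f"dictionary word '{unit}' repeated {count} times"
        if len(unit) <= 4:
            return f"short pattern '{unit}' repeated {count} times"
    core = strip_run(strip_run(lower, from_tail=True), from_tail=False)
    if core != lower and core in wordlist:
        return f"dictionary word '{core}' with repeated padding"
    return None


if __name__ == "__main__":
    for length in (12, 16, 20):
        print(f"a-z, {length} chars: {human_time(time_to_exhaust(26, length))}")
    print("adding 4 lowercase chars multiplies guesses by", keyspace(26, 4))
    for pw in ("SecretPasswordSecretPasswordSecretPassword", "D0g.....................",
               "^-^^-^^-^^-^", "PrXyc.N(n4k77#L!eVdAfp9"):
        print(f"{pw!r}: {dictionary_pattern(pw) or 'no simple pattern found'}")
```

The brute-force figures land in the same units as the post (minutes for 12 lowercase letters, years for 16, tens of thousands of centuries for 20), while the 42-character repeated phrase and the padded "D0g" are both flagged immediately; the 23-character random string is the only one the pattern check cannot reduce.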