> Note the part where the example says "squash:club", not "n!mGgl342r0nin"
Sure, the example I gave was more complex, but I was specifically referring to the "We recommend choosing a word or phrase that means something to you, and then adding one or two numbers or symbols, like '!' or '+'." being terrible advice.
It's not great advice, but they are on the right track.
> Password guessing and cracking is part of my job
Same here.
> GP is right: the advice is absolutely terrible.
It was just worded badly.
> Maybe it's just leetspeak for something a million fans know, in which case it would be in my dictionary by virtue of downloading Wikipedia and other cracked password lists and the leetspeakify rules will find it in a matter of hours or days for a typical leaked hash (this looks like a domain admin password we might find on a workstation they logged into).
Sure, there are tons of domain-specific dictionaries, but that's really more useful for people who are targeting an individual and know something about them, or are just going to go through every dictionary they can. Most attackers are not doing that.
And besides, it's not about ensuring the password can never be cracked; that's not a great goal considering the compromise it would take - the goal is to delay brute-forcing enough so that you can change passwords after you have an alert that a site has been breached.
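To make the disagreement above concrete from the defender's side, here is an added example (not code from either commenter) of the check a password policy can apply to catch exactly the "word plus a symbol or two" pattern the quoted advice produces, together with a rough estimate of how little that pattern expands the search space. The dictionary, the leet map, the suffix/prefix limits and the guess rates are all constructed assumptions for illustration; a real checker would load large wordlists and measure its own hash rates.

```python
import re

# Constructed sample dictionary, standing in for the large wordlists a
# defender's strength checker would load (common words plus leaked passwords).
SAMPLE_DICTIONARY = {"squash", "club", "password", "dragon", "welcome", "summer"}

# Reverse leetspeak map (assumed, common substitutions): undoes what a
# "leetspeakify" rule produces so the base word can be looked up.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Up to six trailing digits/symbols ("!", "+", a year, "123") are treated as a
# bolt-on suffix, and up to two leading non-letters as a bolt-on prefix.
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*+=?._-]{1,6}$")
PREFIX_RE = re.compile(r"^[^a-z]{1,2}")


def normalize(password: str):
    """Return (stripped, de-leeted) forms of the password's core."""
    core = SUFFIX_RE.sub("", password.lower())
    core = PREFIX_RE.sub("", core)
    deleeted = "".join(LEET_MAP.get(ch, ch) for ch in core)
    return core, deleeted


def is_mangled_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY,
                               max_parts: int = 2) -> bool:
    """True if the password is one or two dictionary words with bolt-on
    symbols/digits or leet substitutions, i.e. the pattern the quoted advice
    produces. Longer multi-word passphrases are deliberately out of scope
    (max_parts); they need a different policy than this check."""
    for candidate in normalize(password):
        parts = [p for p in re.split(r"[^a-z]+", candidate) if p]
        if 0 < len(parts) <= max_parts and all(p in dictionary for p in parts):
            return True
    return False


def mangled_candidates(dictionary_size: int, suffix_alphabet: int = 42,
                       max_suffix: int = 2, leet_variants: int = 8) -> int:
    """Upper bound on guesses needed to exhaust 'word + up to max_suffix
    trailing characters, with leet variants'. Defaults are assumptions:
    42 = ten digits plus the 32 ASCII punctuation characters, and 8 leet
    variants per word."""
    suffixes = sum(suffix_alphabet ** k for k in range(max_suffix + 1))
    return dictionary_size * leet_variants * suffixes


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """How long the whole mangled space takes at a given guess rate; this is
    the 'delay' the comment above says the defender is really buying."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for pw in ["squash:club", "Dragon2024!", "P@ssw0rd!", "n!mGgl342r0nin"]:
        print(f"{pw!r:20} mangled dictionary word: {is_mangled_dictionary_word(pw)}")
    space = mangled_candidates(1_000_000)
    # Guess rates below are illustrative assumptions, not measurements.
    for label, rate in [("fast unsalted hash", 1e9), ("slow KDF", 1e4)]:
        secs = seconds_to_exhaust(space, rate)
        print(f"{space:,} candidates at {rate:.0e}/s: {secs:,.0f} s ({label})")
```

The two numbers the script prints are the point of the argument: a million-word list with eight leet variants and up to two trailing characters is only about 1.4e10 candidates, which is seconds of work against a fast unsalted hash but weeks against a slow KDF. The strength check rejects "Dragon2024!" and "P@ssw0rd!" for the same reason a cracker's rules find them cheaply, while "n!mGgl342r0nin" passes because no dictionary word survives normalisation.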