665 comments

[ 1.3 ms ] story [ 285 ms ] thread
> Did he really use uppercase letters or even special chars?

Why would he not? I'm obviously missing something here.

In the early days of unix, people didn't take passwords that seriously and often shared them.
I would have borrowed "/.,/.," a long time ago had I heard about it sooner. That is just way too convenient.
My first password ever was qazwsx and I used it until I learned that it's included in "known" password text files and thus instantly crackable.

However, I wonder how safe it is to take an "easy" password like /.,/.,/., and then add a bunch of exclamation points to the end, so that it's both long and not part of a dictionary.

I'm sure password crackers are advanced enough to first try taking common passwords and then adding human modifications to make them more secure.

But something like MyDogRules###########! seems like it could be very secure, actually.

best practices have changed from using a complex password with lots of upper/lower and symbols to use something longer but easier to remember. More strength from misspellings and a few symbols

My Fav0riT Pas%werd

is actually pretty solid compared to

df22@$Fasdf

because the latter is more crackable

I really like the logic behind this one: https://www.xkcd.com/936/

It also doesn't require any special characters and its quite easy to remember.

The only knock on this strategy is that the more people adopt it the less effective it becomes (crackers will just start trying combinations of common words). The up-side is there are more 4-word combinations in English using only the 10,000 most common words than in any 8-character password, so even if crackers targeted the strategy specifically it's more costly to crack.
Misspelling and using a few character replacements makes a dictionary attack much more difficult. You don't have to make it too hard on yourself, just a few changes to make a really secure password.
I remember reading a blog post about how something like "aaaaaaaaaaaaaaaaaaaa…" with sufficient 'a's was actually perfectly secure since it wasn't included in any of the common cracklists or hash leaks. I think the number of 'a's was somewhere in the 30s. Obviously bruteforcing it would take absurdly long, too.*

The problem is, after I've committed a long passphrase into muscle memory, it probably takes me less time to type a 40-character phrase than count 40 individual keypresses of a button hoping I don't miscount.

* Assuming nobody is stupid enough to make a depth-first password cracking program. "I'm down to a billion 'a's now. I should be ready to try a 'b' any minute now!"

This article from 2013 shows some impressive password-generating techniques that cracked secure-looking passwords like momof3g8kids. It doesn't specifically give an example like MyDogRules###########!, but it seems reasonable they could get it by similar methods of concatenating multiple password fragments.

[0]https://arstechnica.com/information-technology/2013/05/how-c... (OK, the passwords were hashed only with MD5)

So I guess what they're saying is if they just use older password technology and they get hacked, you're screwed.
My brother used to use asdfghjkl;' as a password so he could just drag his finger across the keyboard from the a key to the enter key. The original swipe to unlock!
You often had to share your password in the real world. I've worked on systems where you were only allowed to login at one terminal at a time. If you are back and forth from your desk to the lab it is nice to know another password when you forget to logout in one location.
I guess, to enter the Unix password you need physical access to a machine. If they have access to a machine and can crack a lowercase password, a harder password will not necessarily save you. So at least you can make it easier for you to type.
In fact, the system where the password originates from (3BSD) was released in 1979 and had commands like net(1) for "execute a command on a remote machine" - given a password was provided. Since quite the early days Unix has been designated as a multi-user time-sharing OS for large expensive computers.
The early days of mainframes had some groups of individuals who advocated for no passwords or just your username again as a password: https://www.oreilly.com/openbook/freedom/ch07.html
In the future, there won't be any need for passwords.
In the future there will be no identity theft because we all will have one identity. Resistance is futile...
you're confusing mainframes with UNIX microcomputers, and 1983 wasn't early.

Also, I rememebr when FSF hosted UNIX machines at MIT that you could telnet into without a password. It was a total mess.

Cliff Stoll's The Cuckoo's Egg grapples with this a bit. The fine line between open systems that anyone can use, and closed systems that protect your privacy and data.

It's obviously a settled question these days, but back in the 70s and 80s, this was a bit of a hot topic.

I disagree. I don't think this is at all settled, and in fact is a bit topic right now. The debate has just moved on past personal passwords.

For example, chat systems. Do you want an open one where anyone can get on with a minimum of fuss and participate? Or do you want an open one, with controls to manage spam and harassment so that people are able to be open while using it?

(I work at Mozilla, where we are moving off of IRC because, while it encourages participation from any rando who comes by, it is inaccessible to a number of people because they will be attacked if they log in. Many have moved over to Slack, which is very much closed (but open). Not to mention the channels that have been abandoned because they are overrun with spam, which makes them inaccessible or at least useless to everyone. As someone who does not get harassed, I don't really like either of those points on the spectrum even though IRC works great for me if I don't think about the people who are no longer there.)

Why not make an anti-spam/harassment ITC bot, and Take Back The Web from Slack?

It's really hard for me to understand what Mozilla's mission is these days.

(comment deleted)
Typing on a teletype is painful at the best of times. One reason why common Unix commands are so short.

Edit: Yes I have used a teletype, connected to an Elliott computer, I believe it was a 903 or at least it looked very much like this: http://www.computinghistory.org.uk/det/32480/Elliott-903

Stupid question but how do you actually type on that thing? I don't see anything resembling a keyboard.
I'm shocked at how well the old hashing stood up; sure, it's totally crackable today, but a well-picked password still took 4+ days to crack on modern hardware, which is remarkable. (Granted, it doesn't sound like they did anything fancy like throwing a hundred cloud instances at it or something; I'm not saying you should use DES today:) )
30 years ago I cracked everyone’s Unix password on an old Sun computer.

It didn’t take long because everyone had a password that was in the dictionary.

Needless to say, people were not happy with the messenger.

No good deed goes unpunished.
More specifically, pointing out someone else's stupidity is rarely welcome.
Many, many years ago when I was in college at the University of Rochester, I found a paper in the computing lab with the root passwords for about twelve machines at Stanford. I emailed them and told them I'd destroyed it but that they should be much more careful. I got yelled at.
Just curious, did you get yelled at because you destroyed the only copy of their password memory aid? ;)
If they were keeping their only copy at an unrelated University thousands of miles away, they had more problems than I thought ;)

I'm actually not sure anymore what the details of their return email was, as it was over 25 years ago. But it was basically, "We will report you to law enforcement if you contact us again."

They must've been really embarrassed to send that kind of response.
I had both experiences in high school. One situation -> bad result. The other I was made a quasi IT fixer - they put me to work (Novel Netware and other stuff). I would be called out of class to fix things. Since I was naturally super interested in how everything worked together and all the features and the librarians or VP or teachers were not it worked out. At the time I took it reasonably seriously.

In hindsight some teacher must have spoken up for me to come up with the solution when they were trying to come up with an appropriate response.

Novell Netware - blast from the past.

I had to go apologise to IT (who could barely keep a straight face) at college for sending a message from 'God' saying "I saw what you did last night and it disgusted me".

I thought it was going to just the lab but since I was poking around in something I really didn't understand I manage to send it out site wide.

Fortunately they saw the funny side.

I sent more than one message from God by telnet to <mail server> 25. Good times!

Around the same time, someone at my school made a much, much worse semi-accidental prank. Semi-accidental because he didn't think it would work. See, the campus list serve was setup to only allow certain senders to send messages. Makes sense, only a few top administrators should be able to do that. This person theorized that a simple <smtp: from> hack, using an authorized person's email, might circumvent the restriction. He was right! Unfortunately, rather than "test 1 2 3" or something, he sent a message, from the president, that all classes had been cancelled. Had he stopped there, maybe it would have been chalked up to a prank. But he went further: The president would be using this free time to, um, entertain amorous visitors at their leisure. So, yeah, expelled. His excuse, when interviewed by the student newspaper, was "I didn't think it would work."

I send unauthenticated email on port 25, every semester, in front of my students, as part of a discussion on internet application protocols. I can't use "God", because the addresses are validated, but I do send "from" the school's IT director. I even give them the commands to do it themselves (along with a strict talking to about how it's not truly anonymous because their network access is authenticated).

I've been able to do it at every university I've studied or worked at.

That's funny - I was going to post that I was first exposed to this thirty years ago when my password was cracked on an old Sun computer! I didn't complain, it was a wake up call. (You weren't at OUCS were you?)
I remember in middle school using "arena" as a password.

"No one will ever guess this!"

At my middle school the default password for all accounts was "linux". The school was Windows (Win2k) only ;) it was around 2006/2007) I had access to a dozent Teacher accounts from oder ones who never used a Computer.

Actually that was the first time that i heard the word Linux and learned the meaning just few years later.

Ah, I remember doing that. Not quite 30 years ago, but jeez, getting close. Funny, it helped me remember some of the professor's wives names, and for some reason I can remember the husband-hunting Italian lady's password (amici) while I've forgotten both her name, her thesis project and everything else about her.

It was actually decently well received by the department head; he sent out a memo to the staff to not use their wives names for emails and looked like an early computer security innovator in the physics department.

I got myself and my best friend in high school fired from a fairly good gig because I cracked some dumb passwords and a CEO took it the wrong way. I still don't think he fully forgave me for it.
30 years ago you could just sniff the passwords on the local subnet because everyone was using telnet and ftp in the clear.
20 years ago you could also sniff passwords for all Windows users in the same subnet as you. Windows used the NTLM scheme which was known to be weak even back then. An AMD K6 running overnight cracked almost all of them at my university's lab, including the Active Directory domain admin.
An NT hash can be used as a credential all by itself, no need to crack those ;)
This must have been a popular pastime in the 90s as I did the same thing for my university's security on their new, centralized student accounts server. This effort was further aided by there being a predictable salt used for the password hashes that indicated which passwords were still set to the (again, predictable) default pattern. They were kind not to kick me out and not fire me as I was both a student and part time employee in their networking services department.
Inherited a system at current (for a few more weeks) employer (recently written so no excuse) that had used a weak hash for the password, I pointed out to my boss how bad it was and that it shouldn't have happened, he didn't pay a great deal of attention.

So I threw the OpenMP variant of John the Ripper at it (I'd just built a 8C/16T Ryzen machine and was curious) it broke ~80% of the passwords in under an hour and all of them over an afternoon of not been in use.

Went to see the boss and gave him the list of passwords including his (which was one of the weaker ones) - he gave me the time to fix it and some other glaring security issues.

The more things change the more they stay the same.

I know enough about security to know that I really don't know about security.

Reminds me of a security issue we had on our linux servers at a former employer. Short of it is, one could run any command as another non-root user without having sudo access or knowing the user's password. rsh access was inadvertently left wide open on thousands of servers.

A coworker and I stumbled into this one morning when I was helping him figure out how to remotely invoke a linux command from a windows gui. I don't recall why we were using rsh as we'd normally ssh into our servers. As we sat there trying to figure out how to enter the password, we decided to just try and run the command w/o a password. We were shocked when it just worked - we were never prompted for a password. When I reported this to my director, he asked me how bad it was. I was like, watch this: I sent an email as the CEO to him saying "you're fired.". He immediately went to our infrastructure team to get it fixed. Fun times...

Had I done this to any of my bosses I'd have been fired
> I know enough about security to know that I really don't know about security.

I'm not sure anyone ever gets past this point. There's way too much for any person to know and not enough hours in a day or days in a year or years in a lifetime to master everything. Even when it comes to computers in general at some level it just becomes magic to me. I might be able to point to a chip and say "that's the sound chip" or "that's a math co-processor", and even write software for it, but I have no idea what goes on inside and I wouldn't know where to even start trying to build one from scratch.

That’s my feeling as well, I try to follow best practices at the level I work at and hope everyone on the levels below me did the same.
You can't really blame them... it was called a pass "word".
25 years ago I didn't need to crack anyone's unix passwords- they were all broadcasting them in cleartext every few minutes because they were using eudora or some other mail client, and I had converted an old sun workstation I found into a packet sniffer.
Would this suggest that 3DES with a sufficiently long password is still safe for now?
Doubt it. It took 4 days for just one top of the line GPU. Any dedicated attacker will have farms to parallelize it even further. It’s not exactly linear, but with just 4 GPUs (~$4000; well within the reach of any dedicated attacker), that’s one day. Not to mention the fact that GPUs have still been roughly following Moore’s Law in terms of performance.

It’s probably safe from the casual attacker who just downloads a password list and runs a one word dictionary attack, but for a dedicated attacker, let alone a nation state, it’s not secure.

TL;DR: Just use AES. Even an ASIC isn’t powerful enough for that. Searching the entire key space would take more energy than the universe has. Compare that to DES that can have its entire key space searched in a few days.[0]

Edit: you said triple DES, not single. My point still stands. DES, even 3DES, is not secure. If I can crack a DES password in 4 days, I can crack a 3DES password in 12. AES with a strong password is virtually uncrackable.

[0]: https://en.wikipedia.org/wiki/EFF_DES_cracker

3DES is a little more secure than plain DES (but still worse than AES)
> If I can crack a DES password in 4 days, I can crack a 3DES password in 12

It's multiplicative, not additive. 3DES is about 2^56 times as difficult to crack as DES. (Not 2^112 times because there is an attack that effectively limits it to twice the effective bits of DES, rather than the three times you might expect at first).

It's more complicated than this, because there are known attacks against 3DES. It's at most 2^28 times more complex, AFAIK, but there are probably better attacks than the few I know.
Are any of these attacks relevant to password cracking?
> there is an attack that effectively limits it to twice the effective bits of DES

* Meet-in-the-Middle attack.

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

This attack is surprisingly simple, if you encrypt the message twice by

    ciphertext = encrypt(encrypt(message, key1), key2)
Then,

    decrypt(ciphertext, key2) == encrypt(message, key1)
An important security property all symmetric ciphers should offer is immunity to chosen-plaintext attack, if the attacker controls "message", it shouldn't make the cipher more easy to crack.

But in this case, the attacker can obtain all the 2^56 possible encryption of message by enumerating key1, put it in a lookup table (assume the table-lookup time is O(1)) , then we can try all possible decryption of ciphertext by enumerating key2. Then compare it with the lookup-table for a match, bingo!

If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.

To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.

The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers.

> It's multiplicative, not additive. 3DES is about 2^56 times as difficult to crack as DES. (Not 2^112 times because there is an attack that effectively limits it to twice the effective bits of DES, rather than the three times you might expect at first).

If you’re using 3 different keys, yes, that makes sense. But if you’re just keystretching one key, wouldn’t it just take 3 times as long because you encrypt, decrypt, encrypt (3 processes)?

This is mostly irrelevant in the context of password hashing however. We're simply feeding passwords into a blackbox at X/s until we get a match. 3DES runs at approximately X/3 compared to DES. If it takes 4 days to feed a bajillion passwords into DES, it takes 12 days to feed the same number into 3DES.
It might be relevant, because the original asker said "with a sufficiently long password". (Implicitly: with a password longer than 8 characters that the original DES scheme would allow.)
This suggests you don't understand how DES-based crypt() worked, so let's take both angles here:

1. Would it be safe to build a password hash like crypt() based on 3DES today?

Maybe, kind of, it depends, don't do this. "Based on" is key here. You'd have to come up with some way to try to use 3DES in this fashion, just as the developers of Unix crypt() used DES. Basically you're trying to build a cryptographic hash out of a primitive that's not really intended for that purpose, you also need to add more salt than the Unix team did back then, and then you need it to run very slowly, preferably on everybody's hardware not just the generic (likely x86-64) general purpose CPU you're using. Lots of people already built _good_ ways to do password hashing in the 21st century, and if none of those are available somehow you should just use PBKDF2 with SHA256 and a nice big iteration count and that'll be tolerable.

2. Oh, I didn't realise, I just meant is 3DES fine for encryption?

You should not do this. The main thing wrong with DES is the key size is too small, which 3DES fixes (effective key size with full 3DES is 112 bits, which is very short today but probably not the biggest hole in whatever security system you're building). But the next biggest thing wrong with it is that it's a block cipher with a small block size, 64-bits. 64-bits is small enough that bad guys may be able to collide your blocks and set fire to everything. To avoid this: Don't use 64-bit block ciphers, go get a real cipher like AES that uses 128-bit blocks. Done. Why are you still here? Could it be secure if you can defuse the collision risk (e.g. you only encipher very small amounts of data)? Sure, but now you're defining the problem to make the choice of primitive look safe, which is always a terrible idea.

Thanks for the great answer. I am not familiar with DES but the reason I wondered about this is because I saw that some VPN hardware devices still has 3DES as an option and even as the default encryption algorithm. I was really baffled by this because I had assumed that 3DES has completely fallen out of favor. So I guess the company isn't choosing sensible defaults. But at the time, I thought maybe they knew something I didn't (although I still switched the algorithm to AES since there's no reason not to).
> I'm shocked at how well the old hashing stood up; sure, it's totally crackable today, but a well-picked password still took 4+ days to crack on modern hardware, which is remarkable

It's not because the hash is strong, but the password itself is strong (if the attackers don't know additional information about chess). The sole purpose of using a strong <del>hash or a</del> KDF on password is making low-entropy passphrase harder to crack by increasing the cost of every round, especially for cryptographic purposes. But if the passphrase is already strong (6 random words from the Diceware wordlist), you can use MD5, and I won't be surprised if it takes one year to crack. Having 10 random words is guaranteed to be uncrackable under all circumstances, because it's literally a 128-bit key.

If your password has 80-bit of entropy, it makes even listing all possible passwords (without any hashing or encryption) a difficult job. Symmetric encryption works in a similar way, it's secure not because of the computational resources it takes, but the number of possible keys it has.

What is the moral of the story? Consider to use a password manager!

> But if the passphrase is already strong (6 random words from the Diceware wordlist), you can use MD5...

Is this actually true? Note that you don't need the actual password, just a hash collision.

MD5 is vulnerable to collision attacks, which allows the attacker to control both messages, m and m', and find a case where h(m) == h(m').

But if a hash, h(m), is given, finding m' where h(m) == h(m') is much more difficult, it's known as a second-preimage attack. "Image" basically means "output", "preimage" means "input", "second-preimage attack" means "find another input that has the same output already given here".

Wikipedia says a preimage attack against full MD5 still requires 2^123.4 steps (2009), only a theoretical possibility. Second-preimage should be much harder.

I don't know if there are improvements, but it's still extremely difficult. Well, of course it's not to say that you should use MD5.

A second-preimage attack is where you want to find m' where h(m) == h(m')... and you know m already. This is not very useful for password hashing; it would give you a second password that would also work to log into the account, but what's the point of that if you already know the first password? The relevant attack for password hashing is a regular preimage attack, where you don't know m (and it would be acceptable to find either m itself or any other string that hashes to the same value).
You don't need to know m, just h(m) which is commonly found in database breaches
That's just a "pre-image attack". A "second pre-image attack" is a different scenario, not relevant to password-hashing for the reasons grandparent described, where you already know a pre-image, and must find a different one.
It doesn't seem like it should be obviously true to me. If the hash algorithm was rot13 it would be pretty easy to determine the password from the hash regardless of the strength of the password
Yep, you need both the input and hash to be strong.

A weak hash reveals information about its input, narrowing the search space. In the example case of md5 or rot13, you can use this to compute collisions for a given hash.

Also, a hash that is lightning-quick to compute is faster to brute force. That's why bcrypt has a tunable "cost" factor - to make the hashing take longer and make guessing the password slower.

I used ambiguous language, "strong hash".

I should've used "strong KDF" rather than "strong hash", a hash can be strong for other purposes, but makes a poor KDF for hashing passwords, such as single-round SHA-256.

In the ideal world, if your password is a random word with 128-bit entropy, no strong KDF is needed, there's no need for PBKDF2, bcrypt, or Argon2, a single round of SHA-256 is sufficient.

> In the example case of md5 or rot13

MD5 still has strong preimage/second-preimage resistance, unlike ROT-13.

But nobody uses random 128-bit strings as passwords, here's how key stretching and cost-factor comes to play.

Can ROT-13 really be called a hash though? It's literally an ancient chipher.
By the plain* meaning of "hash", it can't, it's a symmetric cipher.

* Where "plain" excludes a technical or mathematical definition that might include e.g. troll_hash(x) { return 9; }

All ciphers are also hashes.

Using chaining, encipherment of the last block is also a hash of the whole input.

Secure hashes are optimized for different characteristics than typical ciphers, but with enough headroom and time each can fill in for the other.

Of course some are not very good, for either use.

You could argue that ROT13 accidentally has second-preimage resistance because given m, you won't be able to find n≠m where ROT13(n)=ROT13(m). :-)
Some quick (and uninformed) mental maths makes this ~22 random alphanumeric characters:

26 (a-z) + 26 (A-Z) + 10 (0-9) = 62 characters This which can be represented with (just under) 6 bits of information. (2^6 = 64). And 128/6 < 132/6 = 22.

I'd guess quite a few people who use password managers use password this length...

Rot13 is not a hashing algorithm. A hashing algorithm is a one-way function where many entities in the input domain map to the same entity in the output codomain. This means if you have the hash you can't determine the input with out making a guess.

Rot13 is a function with a one to one mapping between the domain and codomain. If you have the output you can apply a function to get the input.

But you don't care about finding the original password. You only care about finding a string that after applying the hash function, gives the same out.

That's why you can have a hash function like h(x) = 0, whose value gives you no information about x, and still not being able to use it.

Not sure why the downvotes. Comradesmith's assessment of rot13 is absolutely correct. Clearly rot13 is more like PGP, in that you can recover the plain text from cypher text.
Really it's because of a mixture of the two. The traditional DES-based crypt is basically a really early KDF - it was intentionally designed to be slow in order to thwart brute-forcing attacks. (Of course, since it was based on the speed of late-70s computers and had a limited password length, it's pretty feasable to brute force with modern hardware.)

MD5 wouldn't be invented for another decade or two...

And "Good news — no pwnage found!" On Troy Hunt's https://haveibeenpwned.com/Passwords

Which shows that it is fairly strongly "unique", since no-one else has used it and been pwned (or he hasn't reused it and been pwned).

I hope this site is not fishing for passwords ...
If you have JavaScript enabled, the cleartext password is hashed in the browser and the hash is truncated, and a list based on the truncated hash is retrieved to be checked against - the only information leaked is that you searched for one password amongst many. Read Troy's articles about how fishing is protected against - I have written the above from memory.

You can download all the hash files if you wish to run purely locally.

Also the site hosting Troy's list is Cloudflare. Cloudflare act as a https proxy for a large number of sites, so they already have access to a large number of passwords.

Its quite truthworthy. Its run by Troy Hunt (known security researcher) and : "When you search Pwned Passwords The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was." from https://haveibeenpwned.com/Privacy
My only concern with the site is some privacy implications. I entered a friend's email just to check for him and it wasn't validated at all, and I found out a few sites he had accounts with. Nothing too concerning was revealed, but privacy for its own sake is a valid goal IMO.
Are you gonna fire Troy?
Yes, of course.

Actually, I don't understand your comment.

I'm just alluding to the people that got fired and expelled for involving themselves with "passwords" in the comments above.
As far as I know hibp specifically hides sensitive breaches (such as the Ashley Madison one) to non-verified access. Also, he basically only shows public data; your privacy was already gone back when the original company failed to secure their servers.
Understood, it's a small complaint, the data is already out there on the web and it's not his fault. But there is value in aggregation or the site wouldn't exist. It makes it easier to just put a few emails in there and see what shows up for fun or malice.

It's great that sensitive breaches are apparently hidden but I'd be wary of judging for other people what is sensitive. Some like Ashley Madison are obvious, others less so.

Yes - the 4 days is cool... you’d hope if some where had been hacked with your pass you would be notified within that timeframe
>Since the DES-based crypt(3) algorithm used for these hashes is well known to be weak (and limited to at most 8 letters)

>ZghOT0eRm4U9s:p/q2-q4!

How is that 8 letters?

The part before : is the hash, the part after is the cracked 8 character password.
still 13 characters...

edit: LOL, I guess I'm a little dumb today

(comment deleted)
"p/q2-q4!" is the password, "ZghOT0eRm4U9s" is the password's hash. "p/q2-q4!" is 8 characters.
Very easy to type as well
The password is p/q2-q4! which is 8 characters.
p/q2-q4!

That is the password. 8 characters.

(comment deleted)
(comment deleted)
(comment deleted)
(comment deleted)
Honestly, that confused me too. I really thought the whole password was that long.
Same here, thought it strange they could brute-force such a long password! Even with MD5.
Lol I‘m familiar with chess notation but was so confused by this that I was googling to see what chess move uses a “Z” :(
Ditto. I was like, I get the pawn moving from Queen 2 to Queen 4, but what’s that stuff before the colon?
A slight nitpick with the article - `p/q2-q4` (more commonly written as "1. d4" in modern times) is not the Closed Game, it's just the first move of it. There are many, many other lines after 1. d4 besides just 1. ..d5, most of them quite open!
It is the beginning of the closed game, which is what the article says.

Seems like a vacuous nitpick.

Uh, okay, technically true, touché.

But it's "the beginning" of roughly 50% of all chess games ever played. It seems very strange to call out one particular line it _might_ end up being the beginning of.

It's also "the beginning" of game 2 of the 1929 Bogoljubov-Alekhine world championship match, among millions of others, after all.

Using one potential endpoint as the point of reference to anchor to is a classically human thing to do. It doesn’t particularly matter that they chose Closed or Bogol-Alek. It just matters that they conveyed their thought to others with enough accuracy to get the point across.

Asking the question “why did they think of Closed first and not, for example, Bogol-Alek?” is to ask why someone sees a porcupine in a Rorschach blot. Everyone’s mind has different memory anchors, and they are not produced reliably or with regard for logic and reason.

It still worked, though :)

Pedantry might as well be correct: calling q2-q4 "the beginning of a closed game" hides the fact that it's also the beginning of many other validated openings: https://en.wikibooks.org/wiki/Chess_Opening_Theory/1._d4

Advancing the queen's pawn 2 squares is a very common first move in chess at all levels. It's disingenuous to call this the beginning of any one of the specific possible openings in the above list.

And calling "It was the best of times" the beginning of a famous Dickens quote hides the fact that it's also the beginning of many other valid English sentences, I suppose.

There is nothing incorrect about the article's statement.

Context is everything, and I think your example only highlights how unhelpful it is to specify that q2-q4 is the beginning of the closed game.

I think most English speakers would agree that Dickens' A Tale of Two Cities is a notable outlier of what is expected after "It was the best of times." That's the exact work of literature that popularized the phrase.

By contrast, mention q2-q4 to any "chess speaker" and they won't be specifically prompted to think of the closed game at all.

Yeah that's bullshit. If you tell a chess player 1.d4 then d5 is going to be one of the first things that comes to mind. Even if they prefer a different response, like Nf6, d5 is certainly going to be prompted.
Not if you play chess. 1. d4 is played probably more than half the time in professional games. It can lead to lots of different openings, closed and open (but not at the same time).
Really? I though 1. e4 was more common. TIL!
e4 is more common. d4 is second.
> (but not at the same time)

Nice reference.

Is it? I mean, I'm not a chess expert, but can we actually call a chess game open or closed from only the first move?
1.d4 d5 is called the Closed Game. It's the name of the opening, just like the Ruy Lopez or the Benko Gambit.
oh, today i learned there are opening moves called the "Open Game" and the "Closed Game" and there are also "open" and "closed" games in chess.
I am not a strong player, so I could be wrong, but my understanding is that 1. d4 d5 games tend to be more closed than 1. e4 e5 games, because it's less easy for the center pawns to get taken (because they are defended by the queens).

If any stronger player wants to comment, I'd be interested to know whether this is indeed the main reason 1. d4 d5 games tend to lead to more closed positions.

Closed game is 1. d4 d5. There are quite a few opening lines that start with 1. d4, but do not continue into the closed game.
Which does not change the fact that 1. d4 is the beginning of the closed game.
Yes, and the history of American football starts at Big Bang :)
(comment deleted)
Ken Thompson is a top poster. Busted.
He’s probably a bit peeved he has to use a new password. ;)
Offtopic. Many teams use mailing lists. That UX always scared me. Is anybody know good tutorials on how to getting started to use this kind of interfaces?
Each reply has its own page, just click next/prev to follow the thread (or jump using the tree at the bottom)
I'd recommend finding a mailing list conversation about a topic you know and then hitting all the buttons (there are only a few). you should be able to figure out the links from context
A decent email client will display these as a foldable hierarchy, sort of like HN or Reddit's posting interface, just with the body of the posts hidden. With that and full text search it's not so hard. It's the web interfaces that are a bit bulky.
A lot of them will use an algorithm similar to this one https://www.jwz.org/doc/threading.html
(comment deleted)
Great read! Just noting that the website redirects you to an obscene (but funny) image if this site is the Referer. Disable Referer before clicking or copy the link into the toolbar manually.
Somebody got very salty at the brogrammers over here...
Haha, I completely forgot about that, sorry.
Incidentally, forgetting I had inverted colors for nighttime reading, to me the image looked like a fuzzy peach colored microphone or something similar. Took me a while to figure out how it was obscene! :)
This is a common refrain, mailing lists do need a lot of instructions at the bottom to make sense — email wasn't made for groups. It's like 'group' SMS, your phone might provide you with a single chat window with all your friends, but what it really is doing is just sending a separate SMS to every one of the recipients.

So you need the 'the manual' attached to every message to make sure people get it right. Looks downright scary sometimes though, especially the prospect of getting swiped at by UNIX greybeards if you do it wrong.

Incidentally, I'm working on a modern version of this whole page in a Reddit-like interface. (https://aether.app) It doesn't solve all of the pains of listserv, but it does help with most, including this one you mentioned.

> email wasn't made for groups

I've always wondered why people didn't use newsgroups instead of mailing lists.

It's likely a combination of bad UX, complex set-up, flaky delivery and having no great interface to manage the groups, memberships, unsubscribes. At least that's the parts we're trying to fix.
"Any sufficiently complicated group communication system contains an ad-hoc, informally-specified, bug-ridden, slow implementation of half of Usenet."
I wish. Over Microsoft Teams, I would take that any day of the week.
uhh... including Usenet?

hmm.. Looks like the Morris Corollary won't work on this version.

Google Groups (kinda) solves this problem. On the viewing side, the app is pretty decent, and then you can still receive / reply through email if desired.

A good example group - https://groups.google.com/forum/#!forum/tiddlywikidev

I wish Apache projects would move more towards something like this.

Google groups is freaking awful!

It actually was decent in the beginning but with each change google broke more features and made the UI far less usable. Not to mention, you force anyone you want in your group to create a google account.

> It's like 'group' SMS, your phone might provide you with a single chat window with all your friends, but what it really is doing is just sending a separate SMS to every one of the recipients.

Most modern phones use MMS Group messaging for groups larger than two. It's more efficient and flexible than SMS.

> Incidentally, I'm working on a modern version of this whole page in a Reddit-like interface. (https://aether.app) It doesn't solve all of the pains of listserv, but it does help with most, including this one you mentioned.

> Try for free for 14 days

No.

You can use Google Groups as either a mailing list or via the web. It's pretty handy and easy to administer if you don't mind outsourcing that to Google.
For the most part, you wouldn't use the web interface, which exists mostly for archival/search-engine purposes. You use a plain email program, and get used to hitting "reply all" instead of "reply" (this will have it be "To:" the person you're replying to, and will "Cc:" the mailing list address), you send a regular email to the mailing list address when you want to start a new thread. A halfway decent email program will thread the replies, like HN does.
The interface is email. You know how to use your email client, right?
As an internet old-timer, I initially thought this was a joke, but then realized that it's entirely reasonable for a whole "generation" of internet users to grow up without using mailing lists, and that indeed they may seem scary at first!
I was able to log into his facebook and twitter accounts using that same password!

Edit: Ha ha, this is a bad joke!

Uh oh. No 2FA? Definitely send him an email about that.
not a bad joke at all actually, but HN is just too far all up their own asses
I'm disappointed that it followed a pattern like that, since that's supposed to make it easier to brute-force guess.
It seems likely that someone will write an archaic chess notation pattern engine into the crackers now that this has been discovered and shared widely.
I agree, but didn't seem to help in this case though :-)
Yes, any sort of logic is weaker than random characters. But this was a long long time ago, hence the weak passwords. Computers couldn't crack things that fast. Today, recommendations are still based on what we expect computers will be able to crack in the foreseeable future.

I remember a teacher used the password "music". We had every user's password in plaintext. This was useful when installing a new Windows domain controller and setting all the passwords (about 30 employees in the school) instead or copying hashes or letting them set their own passwords. In hindsight, I find it batshit crazy that some stupid intern (me) walked around the school with a sheet of paper with literally everyone's password on it, logging into people's systems where necessary or potentially forgetting the sheet somewhere. I'm not saying this never happens anywhere in the world anymore, but I do think security mindset changed in the last decades.

On the other hand, being admin on a system is not that different. Sure, you don't have users' passwords, but you can still do arbitrary stuff in their name. Very large organizations will have some sort of system that logs this stuff and that you can't tamper with, but in a lot of places you could easily cover your tracks.
I would argue that having passwords made up by users and having access to a user's work account is a little different. In the former case, I see what kind of password they use and can guess that they reuse the password (or a variant) elsewhere. I can also take knowledge if I get fired, but my admin permissions are revoked.
circa 1995:

Teacher had password written on the BACK of the clipboard they carried around everywhere.

Said teacher's password was 'qwerty'.

(Yes, it worked)

Wow, I didn't expect the thread to go this far
Seems hard to remember. Could it be a collision?
It's a chess move
And an extremely common one.
oh! I thought the whole thing was the password, apparently the first part is the hash
It's a chess opening, in an older notation. But for someone into chess in the 70s, it wouldn't be hard to remember.
(comment deleted)
So he moved on from chess to Go?
I laughed here. Thank you kind human!
i deduced my dad's password when I was a middle-schooler. The uni micro had a teletype and although it did not echo password characters, if you mistyped your password, it would print the mistyped password, and knowing a bit about my dad, I could figure out what the correct password was. I logged in and sent himself an email reminding him to use a better password.
That's just a bad system design, not your dad's fault really:

"You're password 'huntet2' is invalid"

unless the password is just random characters, anyone can guess how it was mistyped.

Hell, even if it was just random characters, one could just assume that it's one character-off from the real password, and try shifting each character around.

Even better if you can find it mistyped two different ways.
To be precise, in the case of a patterned password (i.e., dictionary word or something a human can recognize), it leaks all but about 2-3 bits, assuming the human can work out the most likely mistake as in your example, and we assume it's a simple error like a nearby key or simple character flip.

If it's a random password, it may still leave 2-3 bits per character as it becomes much harder to know where the error is (e.g., if "j9^vl4JO" is wrong, what is the correct password?), but if you have your hands on two independent errors, which is reasonably likely, that pretty much collapses to 1-2 bits tops even in the random case (e.g., if you also have "k9^vl4JP" that pretty much nails it down to either the first and last being "j P" or "k O").

It is a truly terrible idea!

>e.g., if "j9^vl4JO" is wrong, what is the correct password?

Shouldn't that remain utterly trivial to brute though? If we're assuming all the standard face keys+shifted, I think that's 94 characters. If it's fully unknown then search space is 94^8 or about 6E15, not good but if it's an adaptive hash sizable. But if it's only a one character error, wouldn't you just brute through each of the 8 one by one with only 94 each? That'd reduce it to just 752 possibilities at worst which is so low someone determined could even do it by hand, even ignoring any obvious psychology like the likelihood that the special character isn't the mistake and probably the only special character too.

Certainly not quibbling that it's an awful idea. I don't even like "password hints" so many systems still seem to have, they should be random!

Yes. I'm just demonstrating with an example that a less structured password is less damaged. It is still something I'd consider "burned" in real life, though.
You don't think the special character could be a mistake?

Seems plausible the correct password might be j(6vl4JO...

>You don't think the special character could be a mistake?

Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.

Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway, hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to try to be clever with passwords rather then just generating something fully randomized.

My dad's fault was to bring the printout home and leave it in a public location.
>if you mistyped your password, it would print the mistyped password,

That's incredibly useful. Stand next to someone, casually chatting, while they enter their password. Just before they hit [ENTER], stab a key -- say, a 'z'. Boom, it prints their password with an extra 'z' at the end.

Sure, they'd be aware of it and likely change their password. But still. A more common use case would be to hang around and wait for them to inevitably typo the password. If you see that enough, you'll get a really good idea about what it's supposed to be, or at least give you enough of the password to make figuring out the missing part trivial.

I've never done anything malicious with the knowledge, but I've totally learned people's passwords just by watching their fingers type. I make an effort to have passwords that would be difficult for a human to nail down while watching them typed quickly in real time. The ubiquity of cameras has me reconsidering input and/or authentication mechanisms, though.
One good thing about using dvorak I guess
Especially with blank caps; securing keys through obscuring keys.
At one point I considered learning Dvorak and then having a password that was using the Dvorak key layout but on a Qwerty keyboard.

But I only made it maybe a month into my Dvorak-learning efforts. Just not enough benefit for the added hassle.

Our high school's library computer (in the 90s) logged failed log-ins in a file readable by anyone. Just the username, not the attempted passwords, but the return key on that computer was not reliable and a very common error was that the return key didn't register leading to "usernamepassword" being in the log.
I watched a variation on this in a lecture hall, when the head of school attempted to log into the system and types UsernamePassword into the username field with a big projector running.
I remember guessing the admin password of the router back in high school so I could port forward a Minecraft server
It makes me happy to read this. I cracked the admin pass at my school for a really trivial reason, I think I wanted to adjust the audio panning. By default it was set 80% left to compensate for the school's cheap headsets.

Possibly, I also wanted to disable the spyware / remote access they had on all the computers. There no experience quite like having your control of the mouse cursor taken away by an invisible, omnipotent sysadmin. Hilariously, they wouldn't even run a logout command remotely, but actually go to the start menu to do it, I think to make a point.

Interestingly enough, this password does not show up on haveibeenpwnd!
That's actually pretty surprising.
should be there in a couple of hours though
Probably a dearth of chess passwords in their database. Try haveibeenpawnd.
That cracked me up
I don't understand. Please help.
haveibeenpawnd -> pawn, as in chess pawn.
The poster was making a pun, replacing pwnd with pawnd, with pawn as the chess piece.
what’s even cooler, he removed the chess punctuation!
(comment deleted)
It has pawn in it.
I used to dabble in Chess when I was younger so I feel extra dumb now. Thanks!
Wow, you deserve the comment of the day.
That's what you get for a game where king white hat tries to capture king black hat by keeping him in check.
disappointed he didn't use algebraic notation. Could have been: e4e5f4ef
Wouldn't that be easier to crack, since it doesn't have any special characters?
And it would be easier to crack this way.
Algebraic notation wasn't in common use in the US until the 80s. 3BSD was released in 1979.
Thompson is a person of class, hence opening with the queen's pawn. The Kings Gambit accepted is too brutish.
If you can find a good link about why algebraic notation is better, it would make an excellent HN post of its own today.
But then he would have a more easily crackable password
I use a diceware[0] passphrase for my Keepass database. I was inspired heavily by XKCD comic 936[1]. My only issue with password managers is that they are a single point of failure and are juicy targets for hackers, so I usually vet them and audit them thoroughly before I use them. I am one of those rare people that actually looks at the source code of password managers to look for flaws in the implementation (I sometimes spot flaws and duly report them to the maintainers).

One caveat to diceware I never liked is how it wears out the keyboard over time as you have to type the same passphrase each time to open the vault (You would be surprised how many times I need to do this each day). I sometimes have to lock my database to avoid evil maid attacks when in a hotel for example. Of course I go through about three keyboards a year because of this, but I don't mind the cost if it gives me a crispy fresh keyboard each time. And did I mention I don't own merely one encrypted database, but many depending on different contexts and different devices?

[0] https://en.wikipedia.org/wiki/Diceware

[1] https://www.xkcd.com/936/

Your switches/keycaps must be kind of crappy if there's that much wear on them from typing the same thing often
So you're saying that if I get access to your current keyboard or any of your former ones, I can get all of the keys used in typing your master password just by looking at the wear pattern? Hey, thanks for the tip!
I guess you could switch keycaps at a much lower cost, depending on your keyboard model. If those are blank, randomly shuffling them around might be enough as well (if you can do without the new keyboard, and don't think that an attacker would look at the keyswitches wear.

This is also something I see quite often on mobile phones with a pin/pattern unlock: you can often infer the pin from the wear pattern, or the grease marks on the screen if the phone was used recently.

My keycap wear pattern more or less mirrors the letter frequency in the languages I write.

This bothers me because I prefer to use slightly embarrassing passphrases. I do that because it creates a secondary incentive not to disclose them.
Does that mean that it is embarrassing and can be tied to you or that it is just embarrassing to say? If the first, then wouldn't you risk being pwned and having that used against you?
I’m guessing the latter. Not saying my password is 8o0b7fOr2060+9
I worked with someone who had to share a password to solve a major outage. (Yes, I know...)

It was a rude comment about a colleague.

Want better password hygiene in the workplace? Encourage rude passwords!
Password rule N+1: "A password must contain at least one word from our list of banned URLs."

At a former job I could not go to one of global corp Tata sites, because tata.

Good luck finding out where Penistone or Scunthorpe are...
Oh no not that embarrassing. I don't record private secrets into my passwords. They're more like "I never told Cindy I loved her." with Cindy being a now-dead cat. My embarrassment threshold is low :-)
I would avoid doing that, invariably they end up in dumps with your name and email next to them.

One of the more interesting things about reused "unique" passwords is they can serve as a fingerprint to link accounts you may not otherwise be able to attribute to the same account/individual.

You missed the "slightly" part of the embarrassing. You can find other more embarrassing things I wrote when you search for my email-address. Re-use of slightly embarrassing passwords is not worse than re-use of any other unique password.

Also https://www.xkcd.com/137/

It's probably actually easier to learn vulgar passwords. Well vulgar anything really, it's a memorization trick we were taught in school to find a way to relate boring things to sex. Probably anything that has strong emotional valence works.
Yup, Moonwalking with Einstein explains this phenomenon well. I know I'll never forget 'Sex On Hard Concrete Always Hurts The Orgasmic Areas', which my Maths teacher passed on ~30 years ago.
we always preferred the "Some Old Hippy Caught At Home Tripping On Acid"

I won't repeat the one we were told to remember Resistor color codes.

In college my roommate and I made our wifi password something like a fart joke. Perfectly fine to tell to our close friends, but kinda embarrassing.

One day, at the end of the semester, our female neighbor knocked on our door and asked if she could use our wifi since she was moving out the next day and had already canceled her Internet.

I would have been happy to share with her, but I couldn't bring myself to tell her the password. Instead I just said my roommate was "really weird about sharing our wifi" and apologized.

I don't think that incident ever actually made me change the password though.

(comment deleted)
the most amusing thing is the exclamation mark on such a banal opening move.
It's been decades. That means "Check!" right?
Nope, it means "good move". Check is +
(comment deleted)
Exclam! Generally a good move, perhaps even unexpectedly so. Double exclam, !!, being a brilliant move, especially one with flair like a sacrifice. Triple exclam is reserved for the games of Emory Tate. ;)
Emory Tate must have been extraordinary..?
It's similar to English actually. It's commentary, rather than semantics.

! is good move.

? is dubious move.

If you want to carried away double/triple those.

At least in modern usage, giving the exclam to signal "I prefer this opening move" isn't uncommon, so it's not a stretch to think that it was done in the seventies too. Also it rounds the whole thing out nicely to eight characters.
"Now I need to change my password on all websites that I use >:/"
>Did he really use uppercase letters or even special chars? (A 7-bit exhaustive search would still take over 2 years on a modern GPU.)

>took 4+ days on an AMD Radeon Vega64

I don't understand. The author first claims that it would take 2 years on a modern GPU to brute force a 7 bit password with special characters but then he is helped by Nigel Williams that cracked it on 4 days on an AMD Radeon Vega64

Did Nigel Williams used a better technique? Is AMD Radeon Vega64 much faster than a "modern GPU"? Did the author overstimated the difficulty?

> (those familiar know the hash-rate fluctuates and slows down towards the end)

Could someone explain this to me, why does it slow down towards the end?

I'm curious too, could it be due to the way the search space is explored in parallel?
I don't know for sure, but these Radeon GPUs are power hungry and hot. It could be just that after multiple days the entire computer is heat soaked and goes through more thermal throttling than even the "steady state" GPU tests that most gamers do (a few hours).

It might also be cruft building up over time with small memory leaks or imperfect memory management.

This is what I thought too, the heat simply becomes overwhelming and the unit has to underclock to prevent melting.
I think the "towards the end" part is the misleading one. The software has no idea where the end is or it would just jump there. Since the run took 4 days slowing down due to throttling would happen pretty fast as the card reaches a thermal equilibrium. Certainly wouldn't take days to do it.

It's more likely the explanation above of something (not heat) accumulating over time and slowing down the processing.

(comment deleted)
For some context of how hashcat works with GPUs:

https://hashcat.net/wiki/doku.php?id=frequently_asked_questi...

Then:

https://hashcat.net/wiki/doku.php?id=frequently_asked_questi...

It isn’t running a single thread at 100% GPU use until the end, it has to partition up the search space and balance how it creates possible passwords on the CPU, on the GPU, and based on the kind of attack patterns you asked for - and when it’s getting to the end of the search space, some of the search space partitions are done and the remaining ones aren’t enough to load the GPU fully, so hash throughout drops.

I suspect it's because the farther down the rule list you go, the more complicated the rules get.

Password cracking often uses rule lists to modify known passwords lists in some way (adding 123 to the end, for example). These get more complicated towards the end so they take more operations.

He would have had to expend quite some calories to type that out every time on an ancient keyboard with chunky keys and massive travel.
Uphill! Both ways!

How many fewer calories do I burn when typing on a low-travel keyboard rather than an old mainframe keyboard?

Probably not very many. According to XKCD What If? [1] a modern keyboard takes around 2 millijoules to press a key. Typing a full novel would take a few kilojoules. Even if an old mainframe keyboard took 10x more power to press the keys you would save less than a AA battery worth of energy over writing a full novel.

[1] https://what-if.xkcd.com/102/

Using some conversions from an internet site, one AA battery is 1.3e4 Joules and a human requires 8.4e6 Joules per day, so about 133 seconds of energy saved per 6 months of novel, or two lost seconds of calorie burning exercise every three days.

(Lots of sketchy napkin math here)

I can just say that attempting to even begin learning to play bass guitar had me exercising the fingers for two–three hours before they stopped feeling like wooden sticks on the strings. Almost every day. I.e. mashing the keyboard is no workout at all.

This means, however, that a typewriter would likely noticeably exhaust a modern keyboard jockey, though not in eight characters (hopefully). But dunno about teletypes.

I don’t understand why the author thought it would take years to find this password, as opposed to something closer to the four days it actually took.
They said an exhaustive 7-bit search would take that long.

Edit: That would be 128^8 =~ 72 quadrillion DES hashes.

Which works out to 2.2 years at the rate that the actual password was cracked (1GH/s).
That's the probabilistic aspect of password cracking :-). In addition, I'm not sure if it's 2 years with 2014 GPUs (when he did the initial cracking), or today's GPUs.
I had a password for an old school system (which I wrote) that was "any 21 characters where the 21st character is a 'z'". People would watch me type it (mashing 20 keys then the 'z') and be amazed I could remember a password that long.
Such a funny idea. I’d would have loved to see people’s faces when you typed it in.
You password is "the21stcharacterisa'z"
Hey that's actually a neat idea! You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters.

So people could type in different gobbledegook each time between the characters that matter.

To further defeat keyloggers, shoulder snoopers etc., let each valid character be an option from a set of two or more characters.

So, if my password is: Any 8 characters, but 2nd character must be A/B/C/x/y/z, and the 6th must be !/@/# then I could type:

    9A4jc@23

    #C(@$!as

    oxo!c#-1
or any other valid combinations to get in.

How more secure would something like that* generally be compared to static passwords?

* (Of course this is a simplified example for illustration. In practice you'd use more characters/options.)

> How more secure would something like that generally be compared to static passwords?

It's not secure at all. If someone knows the rules of the system, the entropy on that is tiny, because it's basically a 2 letter password with only 6/3 options.

The only security would be from the obscurity of the attacker not knowing the password rules.

> because it's basically a 2 letter password with only 6/3 options.

That was obviously an oversimplified example to explain the rules.

In practice you could make it as obscure as you want, while keeping it easy for you to remember.

Like the sentences I just typed here. No limit on the number of characters. I could enter different long sentences each time, as long as the characters at specific positions match certain sets.

There is no way that "use a (proper) subset of the characters for bits of entropy" is going to beat "use all the characters for bits of entropy". Almost by definition, the second is going to have more entropy.

You're not getting anywhere, because people trying to guess your password don't have to guess your scheme. All you're doing is making it easier for them. There is no sense in which you are making it harder.

In the optimum case, you'd require them to get the right characters in the slots you're counting, but to not use the wrong characters in the slots you're not counting, thus demonstrating that they actually know the scheme in question and aren't just getting lucky. There would be exactly one character you'd accept in the slot you're counting, and there would be exactly one character they could use to indicate they understand your pattern in the slots you're not counting. This maximizes the chance they have proved to be in possession of your password, rather than just getting lucky because you didn't count their misses. This is, of course, simply using a password normally.

That's just the same thing as a password, though. Even a short password is still just ensuring that specific characters are in specific positions. The only situation where this would be useful is against people with physical or viewable access to the password being typed.
And they would almost certainly know the password rules, because anyone making an account would have to be told the rules in order to understand what was happening.
Unless the rules were unique and hidden for each user!

    User1: 1,3,7,10,12,15
    User2: 2,3,5,8,10,13
I think we’re on to something big.
It's complicated enough for people to remember 8 character long passwords, good luck with an additional level of complexity.
Each user could provide their own rules.
If I had a key logger on your system, I'd just try;

    9A4jc@23
Bam. Access granted.
If you had a keylogger, it wouldn't really matter how good your authentication scheme is…
Keyloggers aren’t very useful when authentication uses TOTPs from a hardware token.
TOTPs from a hardware tokens aren't very useful if system doesn't support TOTP as an auth backend.
But if each of those is a valid password, how does it defeat keyloggers or shoulder snoopers in any way? They just have to type in the same password.

Now, if the rules were totally secret, you could make it such that each time you used a password, it was no longer valid. That would defeat the keylogger, while still allowing you to remember your 3 special characters. But of course you can't ever assume your rules are secret (security by obscurity and all that).

> You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters

A bank I use does something like this. On account creation you give it a long key string and on subsequent log-in it asks for three different characters (e.g. the 4th, 3rd and 9th characters) from the string.

(comment deleted)
I discovered that's the way my banking app actually worked until only a few updates ago. The password was originally limited to 8 characters (why this was the case for an online bank password is beyond me) but the app would allow you to enter more characters into the password input. It only accepted the first 8 characters though so anything you entered after those was ignored. I discoveres this when I mistyped my password adding an extra.character at the end and hitting submit without thinking and was amazed and kind of worried to find it still worked.
When I was living in Puerto Rico for work, the local credit union I was using had this same problem. Although the tooltip and messaging on the page said 8-16 chars, only the first 8 were used, and from my testing it had to be case insensitive.

I promptly updated my direct deposit with my employer and used my more secure off-island bank as the destination for the majority of my pay, and had only the minimum required to avoid fees and act as spending money put in that acct.

This was the case for Vanguard for a long time... also, it wasn't case sensitive. I'm not sure when it changed, but I think it was in the last couple years.
I’ve had the goddamn Citibank _require_ that I use a password 6 or 7 characters long on one of their systems. This year (2019).
What system is this? I had used a 20+ character password on their website using my password manager to enter it every time. One day they said the password was wrong, which was unlikely since the password manager was entering it. I ended up doing a password reset and set it to something shorter like 15 characters, and then it worked. I don't know if they truncate or not, but they've definitely allowed much longer passwords than 6 or 7 characters. I've hit this issue with their website more than once so I know they've fixed it and re-broken it a few times in the past.
I think it was the one for showing you the pin of a corporate credit card.
Another bank I had around 3 years ago used only the 5 first characters, and these 5 first had to be numbers.

I guess anyone can just hack a password in like 1 second on a phone or something?

It's more fun when they limit you to X characters (no special characters!) while choosing the password but let you input any number of characters when logging in, and failing you when you typed too many.
You can "impress" people this way still, just by surreptitiously typing Ctrl-u to clear what you've typed so far.
I'm guilty of that. I tend to mistype my passwords a lot, since I try to keep them pretty complicated, but since I usually realize quickly enough to imperceptibly hit Ctrl-U and retype in a smooth motion, I just let onlookers believe that my password is very, very long.
How did they crack it in 4 days if ”a 7-bit exhaustive search would still take over 2 years on a modern GPU”? Is that overstating it?
They got lucky/narrowed the search space. Just because it will take me 2 years to evaluate all the possibilities, doesn't mean I won't immediately hit aaaaaaaa
Specifically, we can conjecture they narrowed the search space to "lowercase+numbers+a few symbols", excluding uppercase letters.
I guess that cracking this specific password could be said to have been parallelized over multiple individuals over the years, and it wouldn't surprise me if it had burnt multiple years of processor time. In the end, someone had to get lucky when picking their search space/exploration parameters :-)
(comment deleted)