Ask HN: How secure would this password be, practically speaking?

7 points by andrewstuart2 ↗ HN
So I currently have a rule for myself that I don't let any new passwords be shorter than my previous password. As you may guess, my passwords are getting quite long after a few years of having to change every N days. This got me thinking.

I know it's low entropy, but as a guess on how most modern brute force attacks work, I was wondering how secure something like this would be, both conceptually and practically:

1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaaaaaa

4 comments

[ 3.2 ms ] story [ 22.8 ms ] thread
I would say fairly secure based on length

Here is the reason:

1. It is 101 characters. If I was brute force attacking I'd imagine I'd target passwords <32 characters. Probably more like 8-16.

2. It has [a-zA-Z0-9]. This isn't bad, but isn't optimal. Add some symbols or non ASCII characters to really screw up brute force attacks.

3. If for some reason this is the password on a system that is not hashing but encrypting and using a cipher in ECB then it is definitely not secure.

Honestly if this was a password on a giant list I'd skip it and move on to easier targets.

Not at all. I always use a password cracker that starts with a dictionary attack based on every word posted on HN. 1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaaaaaa will now be one of the fist passwords to go.