Is it mingebiscuit?
No, but they're good live.
The reason "HORSE" is less secure than "HOR5E" is because you can complete the rest of the word from the starting few letters, because the word's architecture is set by the English language layout.
Except that crackers are well versed in the notion of letter substitution. It's trivial to include 0 (zero) alongside o and O in a dictionary attack.
3) It's not like in the films where you can brute force a password any longer. Pretty much all systems will not allow repeated and rapid password entries without flagging an attack attempt, so even, say, 100 possible combinations of password are pretty secure in reality.
Where this falls down is when you're not actually attacking live accounts. In the two cases mentioned previously, the user database was compromised meaning that the hackers had an offline copy of usernames and password hashes. Any login delays or automatic lockouts are immediately moot.
Now, the passwords were encrypted (hashed), but using MD5. MD5's flaw here is that it's cryptographically fast - it's easy to compute MD5 hashes. With a modest PC you can brute-force a six-character password in as many seconds, an eight-character password in a couple of hours. How many folk have passwords longer than eight characters? Statistically few, I'd wager.
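An added illustration of the two points above (it is not code from the thread and uses only the Python standard library): an unsalted MD5 table exposes identical passwords without any cracking at all and can be hashed millions of times a second, whereas a per-user salt plus a deliberately slow, memory-hard function (scrypt here) gives each user a different record and makes every guess expensive. The user list is constructed for the example.

```python
"""Added example: unsalted MD5 as a password store versus salted scrypt."""
import hashlib
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample users. Two of them share a password on purpose: with
# unsalted MD5 that fact is visible in the leaked table before any cracking.
USERS = {"alice": "HORSE", "bob": "HORSE", "carol": "correcthorsebatterystaple"}


def md5_digest(password: str) -> str:
    """Unsalted MD5, one fast round: the scheme the compromised sites used."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash; a fresh 16-byte salt is drawn per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, dk


def verify_scrypt(password: str, salt: bytes, dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = scrypt_record(password, salt)
    return secrets.compare_digest(candidate, dk)


def md5_table(users: Dict[str, str]) -> Dict[str, str]:
    return {user: md5_digest(pw) for user, pw in users.items()}


def scrypt_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: scrypt_record(pw) for user, pw in users.items()}


def has_duplicate_hashes(table: Dict[str, str]) -> bool:
    """True when two users share a hash, i.e. a shared password is visible for free."""
    return len(set(table.values())) < len(table)


def throughput(fn: Callable[[str], object], seconds: float = 0.3) -> float:
    """Rough guesses per second for fn on this machine; only the ratio matters."""
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn("HORSE")
        count += 1
    return count / seconds


if __name__ == "__main__":
    leaked = md5_table(USERS)
    print("duplicate MD5 hashes in leak:", has_duplicate_hashes(leaked))
    fixed_salt = b"\x00" * 16  # fixed only to time the function itself
    fast = throughput(md5_digest)
    slow = throughput(lambda pw: scrypt_record(pw, fixed_salt))
    print(f"MD5 ~{fast:,.0f}/s, scrypt ~{slow:,.0f}/s, ratio ~{fast / slow:,.0f}x")
```

The scrypt parameters (n=2**14, r=8, p=1) are a modest baseline; the point is that an offline attacker pays the same cost per guess as the server does per login, which is exactly what fast MD5 fails to impose.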
Pffff! You can decrypt MD5 online, no need for a PC.
maxtorque: I think at least some of the analysis is also based on how hard it is to get to your password if a hacker gets hold of the hashed/encrypted version of it.
In the good ol' days of NT passwords that Cougar mentioned you'd have [url=https://en.wikipedia.org/wiki/L0phtCrack]L0phtCrack[/url] banging away trying dictionary and rainbow table attacks.
Something like "HORSE" would be found almost instantly as it is a simple dictionary word, "HOR5E" would be found seconds later as it is a standard letter substitution.
Edit: as Cougar has explained while I was typing...
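An added example of the defensive side of the substitution point made above (it is not code from the thread): a password-policy check that folds common letter-for-symbol swaps back to letters before the dictionary lookup, so "HOR5E" and "H0R5E!" are rejected for the same reason as "HORSE". The substitution map and the small word list are constructed for the example; a real deployment would load a large wordlist.

```python
"""Added example: reject passwords that are dictionary words under simple substitutions."""
from typing import List, Optional, Set

# Constructed map of common swaps, folded back to letters before the check.
# Ambiguous symbols list every plausible letter so each reading is tried.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "2": "z", "3": "e", "4": "a", "5": "s", "6": "g",
    "7": "t", "8": "b", "9": "g", "@": "a", "$": "s", "!": "i", "|": "l",
}

# Constructed word list; a real policy would use a full dictionary.
WORDLIST: Set[str] = {"horse", "password", "battery", "staple", "correct", "qwerty", "letmein"}

MAX_READINGS = 4096  # bound the expansion for passwords full of ambiguous symbols


def strip_decorations(password: str) -> str:
    """Drop trailing digits and punctuation ('horse1', 'horse!') that add little."""
    return password.rstrip("0123456789!?.,-_")


def candidate_readings(password: str) -> List[str]:
    """Every plain-letter reading of the password after undoing substitutions."""
    readings = [""]
    for ch in password.lower():
        options = SUBSTITUTIONS.get(ch, ch)
        if len(readings) * len(options) > MAX_READINGS:
            options = options[0]  # keep the most common reading only
        readings = [r + o for r in readings for o in options]
    return readings


def policy_reject_reason(password: str, wordlist: Set[str] = WORDLIST) -> Optional[str]:
    """Return why the password is rejected, or None if it passes this check."""
    core = strip_decorations(password)
    for reading in candidate_readings(core):
        if reading in wordlist:
            return f"{password!r} is the dictionary word {reading!r} with simple substitutions"
    return None


if __name__ == "__main__":
    for pw in ["HORSE", "HOR5E", "H0R5E!", "PA$$W0RD", "correcthorsebatterystaple"]:
        print(pw, "->", policy_reject_reason(pw) or "passes this check")
```

This only tests whole single words; a fuller checker would also look for concatenated words and keyboard patterns, but the single-word case is enough to show that substitutions do not move a password out of the dictionary.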
[quote]Pffff! You can decrypt MD5 online, no need for a PC.[/quote]
You can decrypt many MD5 hashes simply by Googling the hash.
[quote]In the good ol' days of NT passwords that Cougar mentioned you'd have L0phtCrack banging away trying dictionary and rainbow table attacks.[/quote]
Indeed (that's what I was referring to earlier when I was talking about password audits).
This is doubly easy because of the way NT stored passwords. Essentially, passwords were encrypted in six-character chunks. So our correcthorsebatterystaple would be held as CORREC THORSE BATTER YSTAPL E. And as discussed, you can brute-force six-character passwords with a broken biscuit.
Looking forward to Pissgibbon getting so popular my very corporate employer is forced to add it to the list of easily guessed passwords we aren't meant to use.
I wasn't sure whether to post this here or on the "women in tech" thread, but this seems to be a little less "men are good with computers because they have a penis." So, in the context of your password on a Post-It in a desk drawer being fine, have a read of this.
https://twitter.com/HydeNS33k/status/895318837758877696
Like that Cougar.
[s]Cheating[/s] Watching her tweet feed and still she got in. 😀
I've visited plenty of similar client sites: biometric fingerprint scanners and RFID tags? Just wait for someone to hold the door open for you.
