Concatenated passwords

Mr. Pedantic

Diamond Member
Feb 14, 2010
5,027
0
76
So if I have a password, abcd1234, for a website, and a second password, efgh5678, for a second website, how secure would the concatenated password, abcd1234efgh5678, be? If someone is attempting an account hack on someone, is it common practice to add combinations of already-known passwords to the password dictionary?
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
So if I have a password, abcd1234, for a website, and a second password, efgh5678, for a second website, how secure would the concatenated password, abcd1234efgh5678, be? If someone is attempting an account hack on someone, is it common practice to add combinations of already-known passwords to the password dictionary?
The simple fact that the thought crossed your mind should be enough to persuade you that you're not the first person to consider the possibility of concatenating two commonly used passwords.

Whether or not it's common practice to add a test for that in a cracking program depends on the software, I guess.
 

mikeymikec

Lifer
May 19, 2011
19,396
12,899
136
It depends on what type of threat you're protecting against.

E.g. MooseSquirrelAardvark4965

Is a pretty secure password in terms of the chances of it getting brute-forced (assuming that the server this password is stored on is set up according to best practices for password storage and hasn't already been compromised in one way or another).

Concatenating that with a similarly complex password is obviously even better from the brute-force attack end of things. However, if someone who knows you was attempting to compromise your accounts, and perhaps these words and numbers meant something to you, then this strategy might be easily guessable.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,050
194
116
I wouldn't do that either. I think that already some common passwords are being combined in various ways and used in cracking attempts, since machines have become so powerful these days...
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
The problem with the Gibson calculator is that it seriously overestimates the strength of passwords.

The issue in the OP is whether concatenated passwords are secure. The fact is that a determined adversary will try anything that gives them an advantage over a dumb brute force search.

That means using dictionaries, and algorithms that generate "common" patterns based on dictionaries. There have been many "hacks" in the past resulting in large numbers of passwords being compromised - there are whitehat hackers, password recovery companies, etc. who have obtained these databases and used statistical analysis to work out just which dictionary words are most likely, which patterns of "obfuscation" (e.g. capitals, l337spk, character substitution, reversed words, concatenation, etc.) are used most frequently, etc. You can bet that if "whitehat" researchers and commercial enterprises are doing this, the "blackhats" are also doing the same.

Now, common hacking tools might not do this, but remember that "pro" hackers write their own tools and do their own research.

I can well imagine that if a determined adversary has compromised some of your passwords, the first thing that they will try is various corruptions or combinations of those.
 

KeithP

Diamond Member
Jun 15, 2000
5,662
199
106
The problem with the Gibson calculator is that it seriously overestimates the strength of passwords.

From the website:
IMPORTANT!!! What this calculator is NOT . . .

It is NOT a “Password Strength Meter.”

Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't:

The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase.

He then goes on a bit more explaining its purpose.

-KeithP
 

Mr. Pedantic

Diamond Member
Feb 14, 2010
5,027
0
76
The problem with the Gibson calculator is that it seriously overestimates the strength of passwords.

The issue in the OP is whether concatenated passwords are secure. The fact is that a determined adversary will try anything that gives them an advantage over a dumb brute force search.

That means using dictionaries, and algorithms that generate "common" patterns based on dictionaries. There have been many "hacks" in the past resulting in large numbers of passwords being compromised - there are whitehat hackers, password recovery companies, etc. who have obtained these databases and used statistical analysis to work out just which dictionary words are most likely, which patterns of "obfuscation" (e.g. capitals, l337spk, character substitution, reversed words, concatenation, etc.) are used most frequently, etc. You can bet that if "whitehat" researchers and commercial enterprises are doing this, the "blackhats" are also doing the same.

Now, common hacking tools might not do this, but remember that "pro" hackers write their own tools and do their own research.

I can well imagine that if a determined adversary has compromised some of your passwords, the first thing that they will try is various corruptions or combinations of those.

This is the answer I was looking for. Thanks!
 

Rakehellion

Lifer
Jan 15, 2013
12,181
35
91
So if I have a password, abcd1234, for a website, and a second password, efgh5678, for a second website, how secure would the concatenated password, abcd1234efgh5678, be? If someone is attempting an account hack on someone, is it common practice to add combinations of already-known passwords to the password dictionary?

Obviously the longer password is more secure than the shorter one, but it's best to avoid dictionary words altogether if that's what you're asking.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
If you're using some kind of shortcut to memorize passwords more easily, then you're making your password weaker; that's the bottom line.

Hackers understand that users do this and they base their password cracking techniques around it to narrow the large set of all possible combinations down to some much smaller subset.

Good hackers will build dictionaries of information they think their subject is interested in, which will contain words, dates, phrases and numbers that they think are relevant to that person, including personal information. If they hack the password of a website you visit, that would almost certainly be added to the dictionary, and any brute force attacks after that would likely try combinations of these dictionary words.

You'd need a pervasive attacker who really wanted to get at your data to break it, though; it'd be relatively safe against passive or drive-by attacks. If you're just an average Joe with only personal data on the line I'd consider it safe, but I wouldn't use it for something like an admin password to protect valuable corporate assets, for example.
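As an added example from the defender's side (not code from this thread): a password-policy check that rejects a new password assembled from a user's already-known passwords, which is the combinator-plus-rules approach Mark R and PrincessFrosty describe above. It also contrasts the charset^length figure a search-space calculator reports with the number of guesses such a combinator list actually holds, the overestimate KeithP's quote points at. The sample breached passwords, the small variant rule set and all function names are constructed for illustration.

```python
import itertools
import string

# Constructed, deliberately small letter-to-leet rule set.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def variants(word):
    """Cheap rewrites of one known password: case changes, reversal, leet."""
    base = {word, word.lower(), word.upper(), word.capitalize(), word[::-1]}
    return base | {w.translate(LEET) for w in base}


def combinator_candidates(known, max_parts=2):
    """Every concatenation of up to max_parts known passwords (after variants)."""
    pool = set().union(*(variants(k) for k in known))
    candidates = set(pool)
    for n in range(2, max_parts + 1):
        for parts in itertools.product(pool, repeat=n):
            candidates.add("".join(parts))
    return candidates


def is_combination_of_known(candidate, known, max_parts=2):
    """Policy check: True if the new password is built from already-known ones."""
    return candidate in combinator_candidates(known, max_parts)


def naive_search_space(pw):
    """charset ** length, the figure a search-space calculator reports."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    charset = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return charset ** len(pw)


def combinator_list_size(known, max_parts=2):
    """Guesses a combinator list needs to cover every such concatenation."""
    return len(combinator_candidates(known, max_parts))


if __name__ == "__main__":
    known = ["abcd1234", "efgh5678"]  # constructed sample of breached passwords
    pw = "abcd1234efgh5678"
    print("rejected by policy:", is_combination_of_known(pw, known))
    print("naive search space:", naive_search_space(pw))
    print("combinator guesses:", combinator_list_size(known))
```

With the two constructed known passwords the combinator list holds 156 guesses, against the 36^16 figure a calculator would show for the same 16-character string.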