I'm currently working on a huge collection of password wordlists and noticed one trend that all wordlists share.
Wordlist creators have scripts which they use to optimize wordlists, such as removing duplicates, non-printable characters, emails, comments and similar things, because these often mean either a mistake or not a password one would normally make.
So your password should:
1. start with a hash (#) symbol, because wordlist optimization scripts optimize out comments, which means your password is less likely to be in the wordlist.
2. start or end with a space, for the same reason, because scripts optimize these away.
3. contain a number with spaces around it, especially at the beginning, because many wordlists exist which put the password count at the beginning as a measure of password frequency.
This way, if your password or hash ever gets exposed, you're less likely to be a victim of a dictionary attack.
Without providing any tips for passwords, nor having any experience with cracking or wordlists on the subject, I looked into the idea of length as a variable for password creation on a few websites that offer checking facilities for passwords.
The results follow, showing the proposed passwords at the beginning of the lines and the website responses following the dashes: ---.
The website:
https://www.security.org/how-secure-is-my-password/
provides an estimated time that a password could be cracked by software:
hello --- instantly
hellohello --- 58 minutes
hellohellohello --- 1000 years
hellohellohellohello --- 15 billion years
The website:
https://www.passwordmonster.com/
provides estimated times as well:
hello --- 0 seconds
hellohello --- 0.15 seconds
hellohellohello --- 7.87 seconds
hellohellohellohello --- 7.09 minutes
hellohellohellohellohello --- 6 hours
hellohellohellohellohellohello --- 14 days
hellohellohellohellohellohellohello --- 2 years
hellohellohellohellohellohellohellohello --- 115 years
Noteworthy is the significant difference in the estimated cracking times: for the password hellohellohello, one is estimating 1000 years and the other 7.87 seconds.
The website:
https://haveibeenpwned.com/Passwords
shows the number of times that a password has been seen before:
hello --- seen 397,599 times before
hellohello --- seen 67,482 times before
hellohellohello --- seen 3,688 times before
hellohellohellohello --- seen 392 times before
hellohellohellohello --- seen 1 time before
hellohellohellohellohello --- seen 6 times before
hellohellohellohellohellohello --- no pwnage found
hellohellohellohellohellohellohello --- seen 10 times before
hellohellohellohellohellohellohellohello --- no pwnage found
The website:
https://bitwarden.com/password-strength/
also provides estimated times for cracking passwords. In the case of the word "hello", and any number of repetitions of it, as in the above examples, it output "less than a second".
This website facility appeared sensitive to pattern, as well as length.
To test further on the bitwarden website, the following findings were output for a relatively simple sentence:
mymother --- less than a second
mymotherrides --- 2 hours
mymotherridesa --- 2 days
mymotherridesabicycle --- 44 years
mymotherridesabicyleto --- centuries
mymotherridesabicyletowork --- centuries
Checking the same sentence on https://haveibeenpwned.com/Passwords yielded the following results:
mymother --- 49,927 times seen before
mymotherrides --- no pwnage found
mymotherridesa --- no pwnage found
mymotherridesabicycle --- no pwnage
mymotherridesabicyleto --- no pwnage found
mymotherridesabicyletowork --- no pwnage found
I guess the conclusion from these findings supports length plus absence of pattern as a significant factor for "good" password creation. The question arises as to the relative simplicity of a longish unique sentence having some appeal, compared to a shorter password that has a more complex construction using a combination of the many keyboard characters available. I guess it may be a bit naive, but fun nonetheless.
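The spread between the two sites' estimates for hellohellohello (1000 years versus 7.87 seconds) comes down to whether the estimator only looks at length and character classes or also recognises a repeated unit. The following Python script is an added illustration, written for this thread and not taken from either poster or from any of the websites named above; it models both kinds of estimator side by side. The guess rate, the character-class sizes and the toy dictionary ranks are constructed assumptions, not figures from the page.

```python
import re

# Constructed assumption: 1e10 guesses/second offline, only so the guess
# counts can be compared with the "seconds vs years" figures in the thread.
GUESSES_PER_SECOND = 1e10

# Constructed toy dictionary: the value is roughly how many guesses a
# wordlist attack spends before reaching the word. Real lists are far larger.
DICTIONARY_RANK = {"hello": 1_000, "mymother": 50_000}

# (regex, alphabet size) pairs used to size the brute-force alphabet.
CHARSETS = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attack would have to cover."""
    return sum(n for pat, n in CHARSETS if re.search(pat, password))


def naive_guesses(password: str) -> float:
    """Length-only model: charset ** length. Repeating a short word
    inflates the result as much as adding random characters would."""
    return float(charset_size(password)) ** len(password)


def shortest_repeating_unit(s: str) -> tuple:
    """Return (unit, count) with the shortest unit such that unit * count == s."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return s[:size], len(s) // size
    return s, 1


def pattern_aware_guesses(password: str) -> float:
    """Pattern model: price the repeated unit (dictionary rank if known,
    else brute force over the unit alone) times the repeat count."""
    unit, count = shortest_repeating_unit(password)
    return DICTIONARY_RANK.get(unit, naive_guesses(unit)) * count


def crack_seconds(guesses: float) -> float:
    """Expected time if the attacker finds the password halfway through."""
    return guesses / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ("hello", "hellohello", "hellohellohello", "mymotherridesabicycle"):
        print(f"{pw:22s} naive={crack_seconds(naive_guesses(pw)):9.3g}s"
              f"  pattern={crack_seconds(pattern_aware_guesses(pw)):9.3g}s")
```

Under the naive model each extra "hello" multiplies the guess count by 26^5, while the pattern model only multiplies the rank of "hello" by the repeat count, which is why the same input can score as either centuries or seconds; an unrepeated sentence like mymotherridesabicycle scores high under both.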