Law Enforcement Can Break 77% of 'Three Random Word' Passwords

https://www.forbes.com/sites/daveywinder/2025/04/27/now-law-enforcement-can-hack-77-of-three-random-word-passwords/

4•speckx•9mo ago

Comments

3np•9mo ago

First time I hear of this "three words" - is this actually promoted? Canonical "correct horse battery staple" is 4. 5+ truly random should still be strong.

https://xkcd.com/936/

drweevil•9mo ago

Ditto. I use 5 to 6. Also, the problem with recommending passphrases is that I don’t see a decent explanation from those recommending them as to how they work. Yes, I get that they are public key cryptography, but the details of the actual implementations (each seems different) make them confusing. And where there is confusion there is room for exploitation.

tuatoru•9mo ago

You are right, the explanation is glossed over.

Perhaps because it is so simple: what matters for passwords is length. No other complexity metric (codeset, whatever) is even in the same race.

Personally, my passphrases are seven words or more, which gets me to over 30 characters.

3np•9mo ago

Entropy is what matters, not length. OP gets this part right.

"qwertyuiopasdfghjkl" or "aaaaaaaaaaaaaaaaaabc" are not stronger than "kmY7$®f0V".

AStonesThrow•9mo ago

For a long time I used the "KeePass" family of password managers (KeePass2, DX, XC, etc.)

Their feature set seemed calibrated for the truly paranoid cypherpunks, and I rolled with it.

Then I began taking a critical look, and the first thing I noticed was that their dev team was a bunch of nobodys with creepy aliases and mostly seemed based in the E.U., definitely not USA/5 Eyes or anything.

Okay, well, critical security component is controlled by Euro-spooks, no problem...

I never seemed to have any password manager-related problems, except...

I often opted for generation of a "five word passphrase" like the xkcd recommendation, and I would go back and type in those passphrases, and they seemed almost insultingly accurate. Like if I didn't know any better, my identity or personal attributes were carefully encoded in the passwords themselves.

I am sure I was imagining things, [over-the-top with my tinfoil hats!] but eventually I moved past needing KeePass, and into the native managers offered by Microsoft/Google. Interesting times, for sure.

tuatoru•9mo ago

Use Diceware[1]; keep your passphrases on a piece of paper where you keep your other valuable pieces of paper.

Advice I got soon after discovering the internet in 1994; still valid.

1. Not the online pseudo-diceware stuff, real dice.

alganet•9mo ago

boat cucumber wire

Of course I remember.

oulipo•9mo ago

"Trump tax dumb" easier to remember

alganet•9mo ago

You don't actually know what I am talking about, do you?

Kon-Peki•9mo ago

> confirmed that “up to 77.5% of passwords,” created this way can be “cracked using a 30% common-word dictionary subset.”

Correct me if I’m wrong, but doesn’t this mean that up to 77.5% of passwords known to be exactly three words can be cracked using a 30% common-word dictionary subset?

6510•9mo ago

Shift one or more hands by one or more characters. dhigy onr ot motr hsnfd nu onr ot motr vhstsvyrtd.

What the longevity experts don't tell you

Monzo wrongly denied refunds to fraud and scam victims

They were drawn to Korea with dreams of K-pop stardom – but then let down

Show HN: AI-Powered Merchant Intelligence

Bash parallel tasks and error handling

Let's compile Quake like it's 1997

Reverse Engineering Medium.com's Editor: How Copy, Paste, and Images Work

Go 1.22, SQLite, and Next.js: The "Boring" Back End

Laibach the Whistleblowers [video]

Slop News - HN front page right now hallucinated as 100% AI SLOP

Economists vs. Technologists on AI

Life at the Edge

RISC-V Vector Primer

Show HN: Invoxo – Invoicing with automatic EU VAT for cross-border services

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse