Confused about using a password that "would take centuries to break"

The online calculators are basing their results on a particular set of assumptions, ones that might not apply in any one case. There is no basis for trusting the calculators to provide any insight into how an attacker might choose to break the password.

For instance, if I know that you use a pattern, and what that pattern is, then I would adjust my bruteforcing to align with the pattern. There is no way for an online calculator to account for that. There are other similar factors to take into account. "Entropy" is all about ensuring as much randomness as possible. A set pattern has much-reduced randomness, regardless of the characters used.

So, yes, do ban such obvious patterns, if that meets your goal.

I do have concerns about your method of banning these passwords, though. You might be fighting the wrong battle.


Just out of curiosity, I checked this on a very well known website(on its login page) and it stated that this would take centuries to break.

Such websites cannot be taken as gospel. Many are worthless, and even for the good ones the results must be carefully interpreted. First of all, as a general rule, a strength checker can conclusively tell you that a password is weak but cannot really prove to you that a password is strong—the password that it can't find fault in could well fall to some attack that the meter doesn't model. For some extreme examples, this Ars Technica article describes successful cracking attacks on some otherwise impressively long passphrases:

Almost immediately, a flood of once-stubborn passwords revealed themselves. They included: "Am i ever gonna see your face again?" (36 characters), "in the beginning was the word" (29 characters), "from genesis to revelations" (26), "I cant remember anything" (24), "thereisnofatebutwhatwemake" (26), "givemelibertyorgivemedeath" (26), and "eastofthesunwestofthemoon" (25).

The other thing is that just because one meter told you that it judges the password strong doesn't mean that all such meters do. For example, the zxcvbn checker, which is one of the best, thinks this is breakable in 3 hours by an offline attack if the password hashing is weak:

password:              23##24$$25%%26
guesses_log10:         14
score:                 4 / 4
function runtime (ms): 3
guess times:
100 / hour:            centuries  (throttled online attack)
10  / second:          centuries  (unthrottled online attack)
10k / second:          centuries  (offline attack, slow hash, many cores)
10B / second:          3 hours    (offline attack, fast hash, many cores)

match sequence:
'23##24$$25%%26'
pattern:               bruteforce
guesses_log10:         14

It estimates 2 minutes for 1!2@3#4$5%6^, 2@3#4$5%6^7& and a!b@c#d$e%f^ with a 10B/second attack (3 years at 10k/second), so those it thinks are even worse. (Though it does score all of them 4/4. The meter is recommending that you actually accept any of these passwords, because it estimates they're reasonably likely to resist attacks if your application has implemented slow password hashing. But its analysis actually proves they're weak to a specific attack that you should mitigate.)

Note that zxcvbn models attacks based only on general knowledge of how most users pick passwords—it doesn't have any specific knowledge about how your organization's password policies or practices might allow a specialized attack to somebody who learns them. And always remember, the tool can tell you that a password is weak, but not that it is strong—zxcvbn estimates centuries to crack Am i ever gonna see your face again?, which from the Ars article we know has actually been cracked in real life.

Now, I stand confused with the list, should I mark these particular kinds of passwords as vulnerable and disallow the users going for them, even if they take a very long time to break?

Your instinct that these passwords should be banned actually turns out to have some justification, as shown by the zxcvbn results. The problem is that you're unlikely to succeed in compiling a finite list of passwords that are similarly vulnerable, nor of patterns that an attacker might successfully exploit. For example, to catch all the passwords that zxcvbn thinks are as vulnerable as the latter three, you'd need a list with 1.2 trillion entries (10B passwords/second × 2 minutes). Not practical. Even if you try to condense things down to a small list of patterns to reject, I wouldn't count on successfully outthinking your attackers.

One thing you should definitely do is use strong password hashing, with the bcrypt or Argon2 password hash functions. This is what the zxcvbn results above call "slow hash," and it likely makes your password entries much harder to break. (But again, remember a strength checker can tell you that some password is definitely unsafe, but not that it's safe.)

Things you should consider in addition:

  • Use a small list (thousands) of passwords that are known to be very common, and forbid those. Such lists can be readily found online.
  • Use Troy Hunt's 500M+ breached password list, which also has an online API. (Make sure you read the material on k-anonymity so you don't actually send passwords to the API!)
  • Use a smart strength meter library like zxcvbn, which is a much more sophisticated alternative to pattern detection like what you're contemplating.
  • Implement a second authentication factor, so that passwords are not your only line of defense.

Guessability of passwords means knowing something about the kind of passwords people might choose. We all know "Password" is guessable because it's an English word. But to know that you need to either know English, or have a concept of how English or other related languages spell words. An alien from somewhere in the vicinity of Betelgeuse that's never been exposed to English or another human language isn't going to know that "Password" is easily guessable. In other words, patterns are somewhat subjective, which (beyond a certain level) makes them terribly difficult to predict in advance.

Similarly, for some of the passwords on your list it isn't immediately apparent what the pattern is. 1!2@3#4$5%6^ looks somewhat "random" at first glance, but you'll quickly notice that on a QWERTY keyboard, it's simply 1-6, and alternating every other character with the shift key.

In addition, if someone showed you the password CPE1704TKS you also might think it's a good password. It has 10 characters of letters and numbers, there's no determinable repeatable pattern to it, and it's not a word in any human language. You'd be wrong though, and this isn't a great password because it's the password used to launch the nuclear missiles at the end of the movie Wargames.

For this reason, using calculations of "crackability" (based on length and character selection) from a random website are largely bogus. Furthermore they depend on someone obtaining the password hashes, which itself is a major security compromise. They're doubly bogus because they imply you know how quickly a hash takes. Hashing speeds vary by many orders of magnitude depending on which algorithm you've chosen. So take "crackability" scores with a grain of salt. Most attacks on passwords these days use common passwords, or reused passwords not pilfered password hashes.

Really, this comes down to simply maintaining a list of "bad passwords" that other people have found over the years that have some sort of special meaning. My guess is that's where the security guys are coming from.