Will typing my password twice make it more secure? Or typing each character twice?

Let's try skipping theory and going straight to practice.

Will typing the same word twice (or N times) substantially help?

  • John the Ripper Jumbo has a variety of "simple rules" about this

    • d duplicate: "Fred" -> "FredFred"

    • f reflect: "Fred" -> "FredderF"

  • oclHashcat's rules-based attack has simple rules just for this, too

    • d duplicate entire word: d "p@ssW0rd" -> "p@ssW0rdp@ssW0rd"

    • pN append duplicated word N times: p2 "p@ssW0rd" -> "p@ssW0rdp@ssW0rdp@ssW0rd"

    • f reflect (duplicate word reversed): f "p@ssW0rd" -> "p@ssW0rddr0Wss@p"

  • Therefore, no, this bit of cleverness is so common it's included explicitly in both common rulesets already for use by itself, or in combination with other rules.

OR type every character twice

  • John the Ripper Jumbo has an example specifically about this in the documentation

    • "XNMI: extract substring NM from memory and insert into current word at I" is the core rule

    • "<4X011X113X215" (duplicate every character in a short word) is the example in the documentation to cover exactly your case for short passwords.

  • oclHashcat's rules-based attack has simple rules just for these kinds of attacks

    • q duplicate every character: q "p@ssW0rd" -> "pp@@ssssWW00rrdd"

    • zN duplicate first character N times: z2 "p@ssW0rd" -> "ppp@ssW0rd"

    • ZN duplicate last character N times: Z2 "p@ssW0rd" -> "p@ssW0rddd"

    • XNMI insert substring of length M starting from position N of the word saved to memory at position I: lMX428 "p@ssW0rd" -> "p@ssw0rdw0"

  • Therefore, no, again, this is such a common bit of cleverness that it's called out explicitly in both major open source cracking products.

"Assume that it is already 8 or 9 characters, consisting of upper and lower case, digits and one or more special characters."

The other rules in those products very likely cover everything you're doing already, and it's also likely that whatever combination you have is already included in a ruleset applied to a reasonable cracking wordlist.

  • oclHashcat alone comes with twenty-five different .rule files, including d3ad0ne.rule with more than 35,000 rules, dive.rule with over 120,000 rules, and so on.

  • A large number of wordlists are available, some of which may include your exact password. The Openwall wordlist alone has a single 500MB file of more than 40 million words, including mangled ones.

  • And I'm personally aware of both small, very good wordlists (phpbb, et al.) and huge, comprehensive wordlists with literally billions of entries, taking up many gigabytes of space in total.

As with everyone else, you need to try randomness, or something like an entire sentence's worth of personal anecdote that does NOT use words in a top-5000 list of common English words and does use long, uncommon words (to force combinatorial attacks using much larger dictionaries).

Specifically, look for words selected at (good) random from Ubuntu's "insane" English ispell dictionary list that are not included in the standard English ispell dictionary, for example.
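To make the point of the answer above concrete, here is a small re-implementation of the rule functions it lists (`:`, `d`, `f`, `pN`, `q`, `zN`, `ZN`, `l`, `M`, `XNMI`), written for this page as an added example. It is not code from the original answer, from hashcat or from John the Ripper, and it only covers those functions (the John example rule with the `<4` length reject is not handled). Positions and counts use hashcat's encoding, where `0`-`9` and `A`-`Z` mean 0 to 35. The word list is constructed for the example. Running the doubled rule over a word list also shows what the trick costs an attacker: adding `d` next to the no-op rule `:` exactly doubles the candidate set, i.e. one more bit of work.

```python
"""Minimal re-implementation of the hashcat/John "doubling" rule functions.

Added example for this page; not the tools' own source. Supports only the
rule functions named in the answer above: : l d f pN q zN ZN M XNMI.
Positions/counts are hashcat-style: '0'-'9' and 'A'-'Z' decode to 0..35.
"""
from math import log2

# Constructed sample word list (not a real leaked list).
WORDS = ["Fred", "p@ssW0rd", "secret"]


def _pos(c: str) -> int:
    """Decode a rule position/count character ('0'-'9', 'A'-'Z') to an int."""
    return int(c, 36)  # int('A', 36) == 10 ... int('Z', 36) == 35


def apply_rule(rule: str, word: str) -> str:
    """Apply a whitespace-free rule string to `word`, function by function."""
    out = word
    memory = ""  # copy saved by 'M' and read back by 'X'
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == ":":            # no-op: emit the word unchanged
            pass
        elif fn == "l":          # lowercase all
            out = out.lower()
        elif fn == "d":          # duplicate entire word
            out = out + out
        elif fn == "f":          # reflect: word followed by its reverse
            out = out + out[::-1]
        elif fn == "p":          # pN: append the word N more times
            n = _pos(rule[i + 1]); i += 1
            out = out * (n + 1)
        elif fn == "q":          # duplicate every character
            out = "".join(ch * 2 for ch in out)
        elif fn == "z":          # zN: duplicate first character N times
            n = _pos(rule[i + 1]); i += 1
            out = out[:1] * n + out
        elif fn == "Z":          # ZN: duplicate last character N times
            n = _pos(rule[i + 1]); i += 1
            out = out + out[-1:] * n
        elif fn == "M":          # memorize current word
            memory = out
        elif fn == "X":          # XNMI: insert memory[N:N+M] at position I
            n, m, at = (_pos(c) for c in rule[i + 1:i + 4]); i += 3
            out = out[:at] + memory[n:n + m] + out[at:]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
        i += 1
    return out


def candidates(words, rules):
    """Every distinct guess produced by running each rule over each word."""
    return {apply_rule(r, w) for w in words for r in rules}


def extra_bits(rules_before, rules_after, words=WORDS):
    """Bits of extra attacker work when the ruleset grows from before to after.

    log2 of the growth in the candidate set. Going from [':'] to [':', 'd']
    yields exactly 1.0: the "type it twice" trick is one bit of work.
    """
    before = len(candidates(words, rules_before))
    after = len(candidates(words, rules_after))
    return log2(after / before)


if __name__ == "__main__":
    for r in (":", "d", "f", "p2", "q", "z2", "Z2", "lMX428"):
        print(f"{r:<7} p@ssW0rd -> {apply_rule(r, 'p@ssW0rd')}")
    print("extra bits for adding 'd':", extra_bits([":"], [":", "d"]))
```

Every "doubled" form of a base word is a single rule away from that word, so an attacker who already runs a ruleset pays almost nothing to cover the trick, while the user pays double the typing.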


Security.StackExchange is full of questions proposing "home-brew" password strategies. The short answer is always the same: doing something to differentiate your password from the standard dictionary attacks is good - as long as

  1. Very few other people on the planet are also using your strategy. If your "home-brew" strategy turns out to be common - like replacing 'a' with '@' - then it'll get included in the standard dictionary attacks and you're back to square one.

  2. You're not being personally targeted. If you are enough of a high-value target that attackers are specifically trying to break your account, then any pattern you use is a liability because once they know your pattern (say from your leaked passwords from previous leaks) then they'll build dictionaries based on your pattern.

Another trend with this type of question here on infosec, is that someone inevitably references XKCD, so here goes. Remember that computers are good at searching databases and generating lists based on patterns. By using a simple strategy like "doubling every letter", or "the initials of the chorus of my favourite song", etc, you are using a strategy that's easy for computers to guess. The best practice for coming up with a simple password strategy is always: don't. Use a password manager like LastPass to generate and remember a 32-char random password for you. If you insist on having something that you can memorize, then the next best practice is diceware.

If you want to defy all best practices and invent your own scheme, then I would recommend something emotion-based rather than something pattern-based or something that can be mined out of your personal information. For example, a password based on "websites I like" or "TV shows I watch" would be easy to guess for anybody with access to your internet activity, but "things that remind me of ______", where you pick a very different ______ for each password, could be hard to guess. (If I thought about this scheme a bit longer, I could probably argue that even this is easy enough to guess, but the point is that it's still better than something purely pattern-based.)



In general, no, doubling the password does not substantially increase (or decrease) your security. What it doubles is your typing effort. Doubling your password may decrease your security if it incites you to choose a shorter/easier base password so that your typing effort is not too cumbersome.

In broad terms, password security comes from its randomness, i.e. how much the attacker does not know. In the case of "doubling", this is one bit of information (i.e. whether you applied it or not), so, mathematically speaking, it is one extra bit of entropy. That's not much. Typing eight extra characters to gain a single bit of entropy is meagre; this is not a good bargain.

All witty tricks share the same fundamental problem: they are witty. They rely on the attacker being stupid, incompetent or archaic. This does not hold in practice, except against attackers who really are stupid, incompetent and archaic -- the gods know that there are many of them, but they are not a big problem, because they would not know what to do with your password. The attackers that you should worry about are the smart ones, who can inflict substantial damage on your digital assets in a short time; these smart attackers won't be much deterred by your password-doubling trick.

Consider reading this famous question to get some information about what makes a password "strong", in particular the entropy maths in that answer.

Tags:

Passwords