Is grouping characters for easier SmartPhone entry weak?

I thought it might simplify entering passwords on SmartPhones (so I’m not having to jump from character type entry screen to character type entry screen every few characters) if the characters were grouped by type. For example, assume you generate a password: !BzD6VVPKJYFy!ppL8mWLw&

Would it severely/significantly weaken the password if I rearranged the password so all the numbers were grouped together, followed by all the special characters, followed by all the upper case letters, followed by all the lower case letters? e.g. the above would become 68!!&BDVVPKJYFLWLzyppmw

I saw a YouTube video claiming this significantly weakens the password, but it didn’t say why.

In a word, yes. In more words, maybe but it depends.

The goal is for your password to withstand an attack. If you make it easier to remember or enter, you make it easier for your attacker to potentially brute force it. It NEEDS to be truly unpredictable if you’re making assumptions based on how people describe password entropy.

You’re better off, most probably, going for something less random, but much longer, that you could type easily. For example a pass phrase, something like: “WHEN the sun went down; the MOON came up; We danced in the moonLIGHT all NIGHT##########”

Steve Gibson actually did a really deep dive on the factors that affect the strength of a password on the most recent SN episode (#905). I believe the relevant part starts around 1:26 - 1 - LastPass Aftermath, LastPass vault de-obfuscator, LastPass iteration count folly - YouTube

Brute force becomes easier when the attacker knows the password pattern and size. Therefore it is OK, as long as the attacker has no clue that the password is ordered with a specific size.

That is why I couldn’t understand the YouTube video saying this results in a weak password. The people attempting to crack the password wouldn’t know the character types are arranged, nor how long each character type’s section is.

Thanks. I suppose that taking a randomly generated password and reorganizing it doesn’t really affect the entropy too much, and, I could always just lengthen it to a few more characters to offset any possible loss of entropy.

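To put a number on the question debated in this thread, here is an added example (not part of any post above) that measures how much grouping costs for the password in the question. It assumes the password was drawn uniformly from the 94 printable ASCII characters, and that the attacker knows the grouping order but not the length of each group; the function names are illustrative.

```python
import math
import string
from collections import Counter

# Grouping order from the question: digits, specials, upper case, lower case.
CLASSES = [
    string.digits,
    string.punctuation,      # assumption: the 32 ASCII symbols count as "special"
    string.ascii_uppercase,
    string.ascii_lowercase,
]
ALPHABET_SIZE = sum(len(chars) for chars in CLASSES)  # 94 under that assumption


def class_index(ch):
    """Return the position of ch's character class in the grouping order."""
    for i, chars in enumerate(CLASSES):
        if ch in chars:
            return i
    raise ValueError(f"character {ch!r} is outside the assumed alphabet")


def group_by_class(password):
    """Rearrange as in the question; the sort is stable, so the order
    of characters inside each class is preserved."""
    return "".join(sorted(password, key=class_index))


def class_arrangements(password):
    """Count the random passwords that collapse to the same grouped string:
    the multinomial coefficient n! / (n_digit! n_special! n_upper! n_lower!)."""
    counts = Counter(class_index(ch) for ch in password)
    total = math.factorial(len(password))
    for n in counts.values():
        total //= math.factorial(n)
    return total


def random_bits(length):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(ALPHABET_SIZE)


def bits_lost_by_grouping(password):
    """Bits of unpredictability removed once the attacker knows the scheme."""
    return math.log2(class_arrangements(password))
```

For the 23-character password in the question, 6,246,600,360 different random passwords collapse to the same grouped string, so grouping removes about 32.5 of roughly 150.8 bits, leaving about 118 bits against an attacker who knows the scheme. Against an attacker who does not know the scheme, nothing is lost, which is the distinction the replies above are circling.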