“Digital Garlic” Scares Away Hackers

Time Management for Hackers | Attackers don’t bother brute-forcing passwords that are long or passwords that contain special characters.

Every one of us — hackers included — only have 24 hours in every day. So how do criminal hackers make the best use of their time when brute-forcing passwords?

Microsoft researcher Ross Bevington analyzed the usernames and passwords hackers entered from over 25 million brute-force attacks.

Here’s the breakdown of 30 days’ worth of attacks against passwords:

  • 6% attacked passwords over 10 characters in length.
  • 7% attacked passwords which included special characters.
  • 39% attacked passwords with numbers in them.
  • 0% attacked passwords with spaces.

Hackers definitely stayed away from passwords which were longer (94% of the time), and they didn’t bother spending much time cracking passwords which contained special characters (only 7% of the time).

Probably because of the common use of numbers at the end of passwords, hackers definitely honed in on digits.

But hackers didn’t even attempt brute-forcing passwords with spaces, most likely because including spaces in passwords is still fairly uncommon.

Should we include special characters (including spaces) in our passwords?

Here we have high-quality evidence collected by Microsoft at scale. It shows decisively that password length and the inclusion of special characters act like digital garlic, keeping the vampires and werewolves at bay — keeping the bad guys away from our online accounts.

By default, right out of the box, CASTALOT® Dice allow the user to create 14-character, 4-class passwords which contain two special characters, including spaces.

The “formula” for the user’s passwords is completely up to them. If they want to make their new, modern passwords even stronger — they simply roll a few more dice.

The Era Of Memorizing Passwords In Bulk To Log In To Online Accounts?

That Era is over.

So the user either writes down and securely stores their new modern password, or they type it into their password manager just once.

Here is a link to the CASTALOT® Dice landing page: www.CastalotDice.com


4-class password is a term used by password researchers to describe a password composed of four “classes” of characters: upper case letters are one class, lower case another, numbers a third class and special characters are the fourth class of characters.

— Anthony Collette

Scroll to Top