A single word can be transformed in so many ways to create the password. With an
Question
A single word can be transformed in so many ways to create the password. With any word of length l there are l! different permutations. Appending digits and symbols to the word creates an alphanumeric password. Even the leet transformations (replacing a with @, etc.) can be applied to create passwords. The number of such transformations is enormous, but only a few are memorable and used. Leaks of password databases provide insights into the most common tricks used by the creators of the passwords. But some transformations might be tricky and not known to the attacker yet, because they might not be popular or might not be available in the leaked database. So my question is: "Can such tricky and memorable transformations be identified without depending on or analysing the breached data?"
My point is that security through obscurity is not going to help. Some human-created passwords might be secure only because the tricks are unknown. Understanding such a set of tricks will eventually lead to better strength meters and therefore a better sense of security. It will also help to identify whether humans can create secure passwords at all, and end the cat-and-mouse game between the attackers and us. Maybe it can also imply replacing the password scheme for authentication with some other scheme; I am no expert to tell, but these are my concerns.
Explanation / Answer
No; by definition, you cannot identify a trend without data.
However, anything that you or I or anybody else can come up with can also be thought of by an attacker. In general, you cannot assume that the attacker cannot or will not find out what method you are using. This is called 'security through obscurity' and is a common trap that people fall into.
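The strength-meter idea from the question, combined with the answer's point that the attacker must be assumed to know the tricks, can be sketched as follows. This is an added example, not part of the original question or answer; the wordlist, the substitution table and the cost model (dictionary rank × leet variants × case variants × suffix space) are constructed assumptions.

```python
import math
import string

# Constructed sample wordlist, ordered by popularity (rank 1 = guessed first).
WORDLIST = ["password", "dragon", "monkey", "sunshine", "letmein"]
# Leet substitutions mapped back to the letter they stand for.
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
          "0": "o", "$": "s", "5": "s", "7": "t"}
LEETABLE = set(UNLEET.values())
AFFIX = string.digits + string.punctuation  # characters commonly appended


def estimate_guesses(password, wordlist=WORDLIST):
    """Return (guesses, base_word), assuming the attacker knows every trick.

    Falls back to brute force over 94 printable characters when the
    password does not reduce to a dictionary word.
    """
    ranks = {w: i + 1 for i, w in enumerate(wordlist)}
    best = (94 ** len(password), None)
    # Try each split into "core word" + "appended digits/symbols".
    for cut in range(len(password), 0, -1):
        core, suffix = password[:cut], password[cut:]
        if any(c not in AFFIX for c in suffix):
            break  # longer suffixes would contain the same letter
        word = "".join(UNLEET.get(c, c) for c in core.lower())
        if word not in ranks:
            continue
        # Each substitutable letter doubles the variants the attacker tries.
        leet = 2 ** sum(c in LEETABLE for c in word) if core.lower() != word else 1
        case = 2 if core != core.lower() else 1
        guesses = ranks[word] * leet * case * len(AFFIX) ** len(suffix)
        best = min(best, (guesses, word), key=lambda g: g[0])
    return best


if __name__ == "__main__":
    for pw in ("p@ssw0rd1", "dragon1", "xK9#qLw2vT"):
        guesses, word = estimate_guesses(pw)
        print(f"{pw!r}: ~{math.log2(guesses):.1f} bits (base word: {word})")
```

Under this model a transformed dictionary word scores a few hundred guesses, while a naive length-and-charset meter would rate the same string at 94^9.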