To increase the number of attempts required for a brute force attack to succeed, is it best to choose passwords that are not only long, but that are also weighted towards higher valued numerical characters and towards alphabetical characters near the end of the alphabet?
Or do brute force attacks often use algorithms that don't increment (approximately) alphanumerically?
Upvotes: 2
Views: 426
Reputation: 142
Brute forcing programs often do not start at A and go to Z. John the Ripper takes the character set you give it, sorts its characters by frequency of use in passwords, and brute forces in a way that more likely passwords are tried first; it works well for passwords that are close to English. You would be better off using the most commonly used letters slightly less, and avoiding commonly used bigraphs and trigraphs like 'ed' and 'ing', but it is not worth the trouble. The point of having random passwords is that there is no password scheme an attacker can discover that makes brute forcing the password easy/easier. With your scheme, someone could start at the reverse of the alphabet and work forwards, maybe because they saw one of your passwords you used at another site. For further reading, google "jtr incremental".
Upvotes: 2
Reputation: 58601
Adding one more character to the set from which you choose your password, or to the password itself, has a much bigger impact than choosing letters at the end of the alphabet.
You wouldn't feel any more comfortable that a violent psychopath had keys to your house just because there were 20 more keys on the keyring and he didn't know which one was your house key.
Upvotes: 4
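The two answers make quantitative claims that are easy to check: skewing character choice towards 'z' and '9' lowers the per-character entropy an attacker who knows the scheme has to overcome, while adding a character of length (or a symbol to the set) raises the work factor for everyone. The script below is an added example, not code from either answer or from John the Ripper. It models the question's policy as a constructed linear bias ('a' weight 1 up to '9' weight 36), and `guess_rank` is a simplified stand-in for frequency-ordered cracking: it orders all fixed-length candidates by how likely they are under the attacker's model, so with uniform weights it reproduces the plain alphanumeric incrementing the question asks about, and with the skewed weights it reproduces an attacker who has guessed the scheme. The 3-character keyspace is used only to keep the exhaustive ranking fast.

```python
import itertools
import math

# Alphanumeric set from the question: 26 lowercase letters followed by 10 digits.
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def search_space_bits(charset_size: int, length: int) -> float:
    """Work factor in bits for an exhaustive search over all passwords of the given
    length when every character is equally likely."""
    return length * math.log2(charset_size)


def entropy_bits(weights: dict) -> float:
    """Shannon entropy in bits of one character drawn with the given relative weights;
    the effective per-character work factor against an attacker who knows the bias."""
    total = sum(weights.values())
    return -sum(w / total * math.log2(w / total) for w in weights.values() if w > 0)


def uniform_weights(charset: str) -> dict:
    """A truly random choice: every character equally likely."""
    return {c: 1 for c in charset}


def end_of_alphabet_weights(charset: str) -> dict:
    """Constructed model of the policy proposed in the question: 'a' has weight 1,
    'b' weight 2, ... '9' weight 36, so later characters are chosen more often.
    Integer weights keep the scores in guess_rank exact (no float ties)."""
    return {c: i + 1 for i, c in enumerate(charset)}


def guess_rank(password: str, charset: str, attacker_weights: dict) -> int:
    """1-based position of `password` in a fixed-length brute force whose candidates
    are tried from most to least likely under the attacker's model of how passwords
    are chosen (the same idea as frequency-ordered incremental cracking). Ties are
    broken in charset order, so uniform weights give plain alphanumeric incrementing."""
    index = {c: i for i, c in enumerate(charset)}

    def key(cand):
        score = math.prod(attacker_weights[c] for c in cand)
        return (-score, tuple(index[c] for c in cand))  # higher score is tried first

    target = key(password)
    earlier = sum(1 for cand in itertools.product(charset, repeat=len(password))
                  if key(cand) < target)
    return earlier + 1


if __name__ == "__main__":
    uniform = uniform_weights(ALNUM)
    skewed = end_of_alphabet_weights(ALNUM)

    # Per-character entropy: skewing towards 'z'/'9' drops it below log2(36) = 5.17 bits.
    print(f"uniform choice : {entropy_bits(uniform):.3f} bits/char")
    print(f"end-of-alphabet: {entropy_bits(skewed):.3f} bits/char")

    # Adding one character of length vs one symbol to the set, for an 8-character password.
    print(f"8 chars over 36 symbols: {search_space_bits(36, 8):.2f} bits")
    print(f"9 chars over 36 symbols: {search_space_bits(36, 9):.2f} bits")
    print(f"8 chars over 37 symbols: {search_space_bits(37, 8):.2f} bits")

    # A constructed 3-character end-of-alphabet password against two attackers.
    pw = "zy9"
    total = len(ALNUM) ** len(pw)
    print(f"{pw!r} vs incrementing attacker: guess #{guess_rank(pw, ALNUM, uniform)} of {total}")
    print(f"{pw!r} vs bias-aware attacker  : guess #{guess_rank(pw, ALNUM, skewed)} of {total}")
```

Against the naive incrementing attacker "zy9" is indeed found late (guess 33300 of 46656), which is the intuition behind the question; against an attacker who orders candidates by the same bias it is found within the first few percent of the keyspace, while a uniformly random password is expected halfway through under any ordering. Meanwhile the entropy drop from the bias is about a quarter of a bit per character, whereas one extra character of length adds more than five bits.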