When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".
Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.
Password123 and the same repeated 10x is worthless.
I know that Password123 is literally worthless, but are you saying that a stronger password such as YankeeDoodle123 is useless too?
Surely a password like YankeeDoodle123YankeeDoodle123YankeeDoodle123 would be very unlikely to be hacked? And three times the password would mean at least 3x the difficulty to hack, no? If hackers need to combine every password in multiples of three they must be doing 3x the work (which is already a lot in the case of YankeeDoodle123!?)
Hey. Sorry for the loss. Also, no moral lectures from me. But I'd like to chime in, if you allow, because the line above is quite a bit of a misconception.
Basically, "3 times the effort" is nothing in computing. You are aiming for an exponential increase in difficulty when setting good passwords. Here are a few more details...
Think of it as follows: imagine the attacker has a dictionary of common words, and a method to combine words from that dictionary in a reasonable* way. Now, "Yankee" is one word. "Doodle" is another word. Even "123" could be considered a word, since it's such a common string of numbers, together with "111", "789", and a few others.
Say that dictionary of words (and sort-of-words, like "123") has 10k entries in total. Probably not the exact right number, but let's assume it for a moment. Leaving capitalization of words aside (which we can in your example, because you just capitalized the first letters of a word, which only effectively doubles the size of our hypothetical dictionary), a single 3 word combination out of that 10k word dictionary represents one out of 10k^3 possible combinations.
I didn't look up the latest developments in the last 2 or 3 years, but a 2012 result I found reports an offline brute force attack (using rainbow tables) running at a speed of 350 billion passwords per second. Therefore:
A 3 word combo out of a 10k dictionary would take about 3 seconds to find. Let that sink in for a moment.
Now here's how to solve the problem, and still use, in principle, a similar method to yours, one that is easier for humans to remember than random ASCII characters:
Don't repeat the same combo. Doing so is useless, and doesn't add any substantial security. In your example, "YankeeDoodle123" can be seen as one phrase (that the attack described above could find in 3 seconds). To get from "YankeeDoodle123" to "YankeeDoodle123YankeeDoodle123YankeeDoodle123", i.e. the 3 times repetition, will take only minimal additional time (constant, or almost constant), assuming the attacker knows a) he just needs to, verbatim, repeat the phrase, and b) he can stop the repetitions after testing about 5 or so repetitions per phrase, since most humans don't enter passwords of 100 or more characters.
Here's a much safer example password, still using a dictionary based method: yankee colour doodle resulting table parsley under chair (without the spaces)
Only slightly harder to remember in my view, but a lot better. Even assuming you took the words from a smaller dictionary of only 5k words, using 8 different entries from that dictionary means the attack mentioned above would take
10^12 years to brute force it. In other words, impossible. **
Take home message: For reasonably safe passwords, use the xkcd method ***
(but don't even think of using the same words used in the comic)
* "reasonable" here means: by an algorithm that is trying to capture how we, human users, set non-random passwords.
** No guarantees on that. It assumes you picked the 8 words randomly from the dictionary, which humans are notoriously bad at. But in any case, much better than repeating a phrase inside a password.
*** I know, xkcd didn't invent it, just described it nicely imo.
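The arithmetic in the reply above, worked through as an added example (this is editor-supplied code, not something any poster in the thread wrote). It takes the reply's own modelling assumptions as inputs: a 10k-word dictionary, a 5k-word dictionary, an offline guessing rate of 350 billion per second, and an attacker who tries each phrase repeated up to 5 times. It also covers the opening post's "96 bits of entropy" target by computing how many words a standard 7776-entry Diceware list needs to reach it. The word list used for generation is a constructed stand-in; a real passphrase must come from a full Diceware list, chosen by a CSPRNG rather than by hand, as footnote ** warns.

```python
"""Entropy and worst-case crack-time estimates for dictionary-built passphrases.

Added example, not from the thread. All constants below are the modelling
assumptions quoted in the reply above, not measurements.
"""
import math
import secrets

GUESSES_PER_SECOND = 350e9          # offline rate quoted in the reply (2012 figure)
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_LIST_SIZE = 7776           # 6^5 entries in a standard Diceware list (assumption)
MAX_REPEATS_TRIED = 5               # attacker tries 1..5 verbatim repetitions per phrase


def keyspace(dictionary_size: int, words: int) -> int:
    """Ordered combinations of `words` entries drawn from a list of `dictionary_size`."""
    return dictionary_size ** words


def entropy_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy, valid only if every word is chosen uniformly at random."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try every candidate in the keyspace at `rate` guesses/s."""
    return space / rate


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(space, rate) / SECONDS_PER_YEAR


def repeated_phrase_keyspace(dictionary_size: int, words: int,
                             max_repeats: int = MAX_REPEATS_TRIED) -> int:
    """Keyspace when the attacker also tries each phrase repeated 1..max_repeats times.

    Repetition multiplies the work by a constant factor; adding another
    independent word multiplies it by the dictionary size. That is the
    difference between "3x harder" and "exponentially harder".
    """
    return keyspace(dictionary_size, words) * max_repeats


def words_needed(target_bits: float, dictionary_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(wordlist: list, words: int) -> str:
    """Pick words with the OS CSPRNG. Never pick them by hand."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def summary() -> dict:
    """The three cases discussed in the reply, plus the Diceware target from the OP."""
    three_words = keyspace(10_000, 3)
    return {
        "3 words, 10k list (bits)": entropy_bits(10_000, 3),
        "3 words, 10k list (seconds)": seconds_to_exhaust(three_words),
        "3 words repeated x1..x5 (seconds)": seconds_to_exhaust(
            repeated_phrase_keyspace(10_000, 3)),
        "8 random words, 5k list (bits)": entropy_bits(5_000, 8),
        "8 random words, 5k list (years)": years_to_exhaust(keyspace(5_000, 8)),
        "Diceware words for 96 bits": words_needed(96),
    }


if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label:40s} {value:,.2f}")
    # Constructed stand-in list; a real Diceware list has 7776 entries.
    demo_list = ["yankee", "colour", "doodle", "resulting", "table",
                 "parsley", "under", "chair", "lantern", "quartz"]
    print("CSPRNG-chosen phrase (from the tiny demo list only):",
          generate_passphrase(demo_list, 4))
```

Running it shows the shape of the argument: three words from a 10k list is about 40 bits and a few seconds; trying the repeated variants as well costs the attacker a constant 5x, still well under a minute; eight independently random words from a 5k list is about 98 bits and tens of billions of years at the same rate. Note that the entropy figures hold only for uniformly random choices; a phrase a human composes from "memorable" words is drawn from a far smaller effective dictionary.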