xkcd

by **LucasBrown** » Wed Aug 10, 2011 4:03 am UTC

Alt text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."

:shock:

changes password

by **lingomaniac88** » Wed Aug 10, 2011 4:05 am UTC

Now I won't be able to get "correct horse battery staple" out of my head.

by **glasnt** » Wed Aug 10, 2011 4:05 am UTC

What's the guess that next year, the top passwords in use will be:

123456
password
correcthorsebatterystaple
654321
...

by **KShrike** » Wed Aug 10, 2011 4:05 am UTC

What the frick? How'd he get my password!!!

by **Drooling Iguana** » Wed Aug 10, 2011 4:06 am UTC

So now I'm going to have to change all my passwords to correct horse battery staple.

I guess it's a small price to pay for security, but I'm going to miss hunter2.

by **ShuRugal** » Wed Aug 10, 2011 4:08 am UTC

Drooling Iguana wrote:So now I'm going to have to change all my passwords to correct horse battery staple.

I guess it's a small price to pay for security, but I'm going to miss hunter2.

I'm not entirely certain how sad it is that i laughed aloud at that, but i am certain that there is a non-zero degree of sad involved somewhere.

by **jpk** » Wed Aug 10, 2011 4:12 am UTC

Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because [they think?]* Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

*edited this in and out about four times... if this is a troll on his part, I give him great props for his deadpan... )

by **Jorpho** » Wed Aug 10, 2011 4:13 am UTC

Teehee, hunter2. I laugh to further intimidate those who don't get the joke. (I was going to write something along the lines of "squeamish ossifrage".)

And I am posting in the first place because this is pretty damn cool – assuming it's legit, and why wouldn't it be?

by **KShrike** » Wed Aug 10, 2011 4:14 am UTC

jpk wrote:Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because they think Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

I think he's just trolling us. To be honest, you could always include a random character somewhere to screw it up.

"correct pony ba|ttery staple"

Boom, now the algorithm won't see it.

by **Alex-J** » Wed Aug 10, 2011 4:15 am UTC

I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal). As long as your pissed off friend/boy/girlfriend can’t get into something that’s important to you by typing “password”. Honestly, how many people want to mess-up your xkcd forum account? The password is only there so someone can’t, on a complete whim, decide to be you.
(but if you like making nerdy arch-enemies, watch out)

On an unrelated note my friend has had a 42-letter password for his laptop for years. Apparently he's far ahead of the game.

by **Kaldra** » Wed Aug 10, 2011 4:21 am UTC

My employer (who shall remain nameless) has somewhat silly password requirements. Exactly 8 characters, only numbers and lowercase letters. Which (at 1000 guesses/sec) would take up to 89.4 years if it were completely random, but it rarely is. Luckily we require a PGP pass phrase to turn the computer on, but the account passwords on their own aren't terribly secure

by **cheeseheadtotherescue** » Wed Aug 10, 2011 4:22 am UTC

we're sorry, your password must be between 6 and 10 characters and may not include any of the following special characters !@#$%^&*(){}-=+\|/><,.":;'[].
.
.
.
*cries*

by **TaylorP** » Wed Aug 10, 2011 4:24 am UTC

Haha, I liked this one. My passwords are somewhere in between, in that they have at least one number and capital letter, but they're also composed out of somewhat meaningful couple of words. It's not like any of my accounts are worth the time it would take to guess the password, though.

BTW Alex-J, your forum avatar is great.

by **jpk** » Wed Aug 10, 2011 4:28 am UTC

Alex-J wrote:I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).

Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't.
And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...

by **dysprog** » Wed Aug 10, 2011 4:28 am UTC

Well the the gibberish is not that hard to remember if you use the same one for 10+ years.
Never to change it even that skeezy website emailed it back to you in plaintext, or that time you had a virus.
And use it on every website you visit, from your bank to facebook, to HotChicksEatingIceCeamInThePool.com

ummm... I'll be riiight back

<changes password.>

by **ConMan** » Wed Aug 10, 2011 4:29 am UTC

My standard disclaimer about the strength of passwords is that no matter how strong it may be algorithmically, a password is immediately weak once it's used as an example of a strong password (which I expect means I am "explaining the joke" of Drooling Iguana's post). Particularly if you have draconian password requirements on a system, and so have to demonstrate a kind of password that will fit the rules - for a big enough system, I can practically guarantee that a sizeable number of users will take that example password and use it.

by **Rephistorch** » Wed Aug 10, 2011 4:30 am UTC

Personally, I have a sucky password for things like forums (which I could care less if they got hacked), I have a moderate password for things like personal info without credit card data, and then I have a mecha-sheeva password for all things financial.

By the way using the ~2^44 is way less secure than actually using an 8 character password that is more random than a simple character appending and substitution. If you make an anagram of a phrase you like, make it upper and lower case, add numbers and symbols in random places, it's far more secure than a common english word mash-up. Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

by **Eredian** » Wed Aug 10, 2011 4:32 am UTC

I found a dictionary containing 118620 words quite easily. Assuming you use at least one unique word in there your password would be closer to log2(118620) * 4 =~ 64 bits of entropy.

To have only 28 bits of entropy with that solution your password would have to be findable by a dictionary containing only 128 words. That seems quite unlikely.

by **Briantho2010** » Wed Aug 10, 2011 4:34 am UTC

Having done some brute force password cracking this comic isn't truthful to real life from my experience. When brute forcing a password you can do various types of attacks but the larger the pool of characters for each character of a password, the higher total # of password possibilities. Example. A 5 character all lower case password provides 11,881,376 possibilities whereas a 5 character password using upper case, lower case and 0-9 produces 916,132,832 possibilities. That password would be potentially 77.10 times harder to crack using brute force methods than first example.

by **joee** » Wed Aug 10, 2011 4:34 am UTC

OP: there's a typo in your link. http, not htpp

Damn, now I want to change all my passwords.

by **Alex-J** » Wed Aug 10, 2011 4:35 am UTC

jpk wrote:
Alex-J wrote:I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).

Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't.
And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...

Most things that are important to me (ie: not my robozzle account) when asked to reset my password require you to answer one of those security questions you had to make when you created your account.

But I do see your point.

by **Unknownlight** » Wed Aug 10, 2011 4:36 am UTC

Or you can just think of one, perfect, amazing password, and use LastPass for everything else.

You can have a fifty-digit stream of random characters for your bank account password if you want.

by **Se7enLC** » Wed Aug 10, 2011 4:37 am UTC

Oh, where to start...

1). Most sites have a maximum password length, somewhere in the 10-15 character range. If you're lucky, the password will get truncated when it is set AND when you enter it, so you won't even notice that the extra bits are falling on the floor. Some sites *cough* NewEgg *cough* will truncate when you set the password but WON'T truncate when you enter it, so when you type EXTRA characters, it thinks your password is wrong. Irritating

2). A complex password with few characters is hard to remember (at first), but really fast to type when you get used to it. If you lock your screen every time you leave your desk, you're going to get pretty sick of typing a paragraph about horse batteries.

3). A lot of places will require capital, lowercase, numbers, and symbols anyway.

by **black_hat_guy** » Wed Aug 10, 2011 4:40 am UTC

I would have posted before, but I forgot my password.

by **Rashkavar** » Wed Aug 10, 2011 4:44 am UTC

So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.

by **KShrike** » Wed Aug 10, 2011 4:46 am UTC

Se7enLC wrote:Oh, where to start...

Most sites have a maximum password length, somewhere in the 10-15 character range.

Those sites piss me the hell off! Like you wouldn't believe how much they piss me the hell off!

by **Wilhelm** » Wed Aug 10, 2011 4:47 am UTC

That's it. I can't get that phrase out of my head.

Randall, put the words "correct horse battery staple" on a shirt, with the last panel (minus the words on the bottom) on the back- or gods help me, I will.

by **Graff** » Wed Aug 10, 2011 4:47 am UTC

I think the best idea along these lines is the first letter of each word in a phrase. It's easy to remember and isn't susceptible to a dictionary attack that concatenates words. Make up a simple algorithm to make it unique to the website, like placing the length of the site's name and its last character at the third position, and you're golden.

Code: Select all: phrase: Everything should be made as simple as possible, but not simpler. site: xkcd password: esb4dmasapbns

The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on. Passwords would be a lot easier to generate if every site had the same requirements - or if they just accepted anything and let the consequences be on the password owner's head.

by **Lem0n** » Wed Aug 10, 2011 4:49 am UTC

I'd say a good yet easy to remember password is something like: bbbbbhunter2cccccddddd

entropy (in the sense generally used) is not really necessary, as long as most "bruteforcers" aren't trying to do
of course, if it gets common to repeat many letters in a password, bruteforcers will start to try that, but even then it's not easy (how many letters? which ones? in which position? case sensitive?)

by **Vebyast** » Wed Aug 10, 2011 4:51 am UTC

Just use KeePass. One don't-care password for your hardware, one high-power password for your KeePass database, and then max-length random passwords everywhere else (including your TrueCrypt volumes, of course). Doesn't even matter if they limit you to 8 characters; nobody ever tries high ASCII.

by **jpk** » Wed Aug 10, 2011 4:53 am UTC

Rephistorch wrote:By the way using the ~2^44 is way less secure than actually using an 8 character password that is more random than a simple character appending and substitution.

One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, ie if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages:
1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype.
2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targetting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)

Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

by **Eternal Density** » Wed Aug 10, 2011 5:08 am UTC

brb, changing the password on my luggage.

by **Rephistorch** » Wed Aug 10, 2011 5:13 am UTC

jpk wrote:
jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.

by **Eebster the Great** » Wed Aug 10, 2011 5:15 am UTC

Rashkavar wrote:So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.

I guess the assumption is that you are choosing it from a list of around 2000 random words and the attacker has access to the same list, and first searches only for pure (unsubstituted) English words off that list. It isn't a realistic scenario, but maybe a reasonable worst-case one.

jpk wrote:One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, ie if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages:
1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype.
2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targetting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)

Most dictionary attacks now routinely include interleaving words or words and numbers. However, it still does increase the sample space considerably.

by **rapturemachine** » Wed Aug 10, 2011 5:17 am UTC

And really, how secure is Tr0ub4dor&3 when you use it for every site, like many people do? (http://xkcd.com/792/)
(#792 actually made me decide to revise my passwords to all the sites I visit at least somewhat frequently. Now, I use a different password for almost every site, and they consist of interspersed letters, numbers, and punctuation. In fact, they look a lot like troubador over there. And yes, I do remember them all

)

by **Steve the Pocket** » Wed Aug 10, 2011 5:20 am UTC

jpk wrote:(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

I think the point is that both passwords are based on simple formulae, as are the programs used to crack them, and that even if the second formula became the new common one, it would still be really tough to crack compared to the first. Trying every word in the English language once is one thing, but getting the right four in the right order would require [total number of words]^4 guesses. So if, for example, there were only 1,000 words to pick from, and it took one second to run through them all as Randall assumes, guessing any four in any order would take 1,000,000,000 seconds — over 30 years. Fun how permutations work, eh?

Rephistorch wrote:Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

Yep. That's what I've been doing since I was a kid. I even wrote an app to generate such strings automatically, with a switch to disable keyboard characters if some stupid website refuses to accept them. Also, that would actually be 68^8 on a US English keyboard.

by **cjmcjmcjmcjm** » Wed Aug 10, 2011 5:20 am UTC

I've got some good password memorization skills. Mostly, I have important passwords for things that have my debit card number and other sensitive info, an unimportant password for everything else, and an old password for things that bitch at punctuation and longer than 8-12 chars. Yeah, all my uni records are under an old password. No, I'm not sharing. No, I'm not sharing my FB password because I also use it for Twitter.

Also Correct Horse Battery Staple sounds like an indie band naem.

by **jpk** » Wed Aug 10, 2011 5:21 am UTC

Rephistorch wrote:
jpk wrote:
jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.

I figured that was what you meant, just wanted to confirm.
I've always figured the correct way to handle passwords is to give people a handful of strong generated passwords to choose from, and let them learn them. Then, don't make them change them over and over, let them actually learn them. Changing passwords for security only makes sense if you know the password has been cracked. Changing the password every three months (or whatever) is idiotic: it enforces weak passwords, and no cracker is going to spend weeks on your password, so at any given time, they're dealing with only one (weak) password, unless you happen to hit it lucky and hit the three-month change while they're actually running their brute-force attack. Moronic.

by **Aikanaro** » Wed Aug 10, 2011 5:22 am UTC

What I often do if I need a strong password that has numbers and letters, is I use the production number of something from a bit of geekdom that will stick in my head. For example:

Type-40

I'm reasonably certain that that's decently strong, and if it's not, you can just add in more details about it, such as Type-40TimeTravelCapsule

EDIT: Other possibilities, if you're me, include such things as DLN-001. 50 bonus points to anyone other than Marzipan who gets that one (-50 bonus points to Marzipan if he DOESN'T get that one).

by **Solandri** » Wed Aug 10, 2011 5:23 am UTC

Graff wrote:
Code: Select all
phrase: Everything should be made as simple as possible, but not simpler. site: xkcd password: esb4dmasapbns

The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on.

That's the method I recommend to friends and family. If the site requires odd characters, just do what you did for the number - capitalize the nth letter, and toss a # or & in next to the number and you have most cases covered.

Problem is, after explaining this to friends and family, I find they still use the simple 1-word or 1-word + number method. I'm starting to think a password generator like KeePass or the ones that come with fingerprint scanners are the only practical answer. People are not just resistant to hard-to-remember passwords, they're also resistant to hard-to-type passwords. The generators do the typing of the hard-to-type hard-to-remember for you, making it much more likely to be used.

Also keep in mind that you're supposed to use a different password for every site (or at least the important ones). My dad typed his password into a phising email, and unfortunately it was the password he used for everything including bank accounts. It took a few days to hit all the sites he could think of where he had accounts, and change every password. Having a different password for each account is still hard to do with memorized passwords. But using a generator makes it easy.

The main drawback of the generator in my experience is that if you lose access to the machine(s) with the generator installed, you're locked out of all your accounts. I keep my email as a memorized password, so worst-case I can reset the password on an account and get in that way.

Who is online