0936: "Password Strength"


User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Aug 23, 2011 9:42 pm UTC

TheGrammarBolshevik wrote:What's the advantage of this over KeePass? Easier to audit the code?
That, and the fact that in a pinch I can use it on someone else's computer if I need to. If I trust that person and re-skim through the source to verify that it's not phishing, it's equally easy to use on any machine running Firefox (since that particular implementation is, unfortunately, browser specific).

Vash wrote:The main problem is that the comparison is wrong. It is much better if your password is not a word. That is what the strictest security advice suggests.
That is the advice because 1) you can fit more entropy into fewer characters that way, and some sites limit the size of the password you can use, and 2) it is unlikely that a person allowed to choose their own words will pick something with sufficiently high entropy, because we're bad at randomness.

In any case, correcthorsebatterystaple is *not* a word. It's four of them, chosen randomly. Which means that the total entropy is four times the entropy of each individual word.

The "logic" people keep using to criticize Randall's suggestion as being vulnerable to a dictionary attack is just as ridiculous as the following:
Your password obviously should not be just a 1 or a 0, as those passwords are stupidly easy to break. Therefore, your password should not consist of a concatenated string of random choices (with replacement) from the set {0,1}.

1,000 guesses per second is also a drastic underestimate when pretty much anyone can easily buy the hardware and software to do almost 3,000,000 guesses per second.
True. But of course if you'd read even just the most recent page or so of this thread, you'd see that the estimate wasn't intended for the scenario where you have your own machine on which to brute force a password at your leisure.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

holocron
Posts: 4
Joined: Tue Aug 23, 2011 9:46 pm UTC

Re: 0936: "Password Strength"

Postby holocron » Tue Aug 23, 2011 9:49 pm UTC

I showed this comic to my advisor and he suggested we change our password generation program at the university.

Here's what I came up with :mrgreen:

Enjoy,
Vance

#!/usr/bin/env python3
# Date: 23Aug2011
# Author: Vance Morris
# Email: vance<dot>morris<at>gmail<dot>com
# This program generates a file of 100 random passwords, ready to use.
# The format for each password is <Word><Word><Word><Number><SpecChar>
# An example would be YellowElephantCounting3@
# The default output file is named passwords.txt


"""
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
"""
import os
import re
import random

DICTIONARY = "/usr/share/dict/words"
PASSFILE   = "./passwords.txt"
CHARS      = "~!@#$%^&*()_+-={}[];:<>,./?"
WORDS      = []
# Keep only all-lowercase words of 6 to 8 letters (no capitals, apostrophes, digits)
REGEX      = re.compile('[a-z]{6,8}$')
# SystemRandom draws from the OS entropy pool; the module-level random
# functions use a predictable Mersenne Twister and are not suitable for passwords.
RNG        = random.SystemRandom()

def isValid(s):
  return REGEX.match(s) is not None

def loadDictionary():
  with open(DICTIONARY, 'r') as f:
    for l in f:
      l = l.rstrip()
      if isValid(l):
        WORDS.append(l.capitalize())

def makePassword():
  # three words drawn with replacement, then one digit and one special character
  w = "".join(RNG.choice(WORDS) for x in range(3))
  num = RNG.randint(0, 9)
  char = RNG.choice(CHARS)
  return w + str(num) + char

def writeFile(s):
  with open(PASSFILE, 'a') as f:
    f.write(s + "\n")

# main
if os.path.isfile(DICTIONARY):
  loadDictionary()
  for x in range(100):
    writeFile(makePassword())
else:
  # without a word list there is nothing to draw from, so do not try to generate
  print("Dictionary file not found at " + DICTIONARY)

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Aug 23, 2011 9:56 pm UTC

I was going to say only using three words might be suboptimal, but I guess that with the 8 or so additional bits from the number-character combination at the end and the fact that /usr/share/dict/words is rather bigger than 2000 words, it probably works out to similar entropy.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

holocron
Posts: 4
Joined: Tue Aug 23, 2011 9:46 pm UTC

Re: 0936: "Password Strength"

Postby holocron » Tue Aug 23, 2011 10:16 pm UTC

I am only using words that contain a through z and are between 6 and 8 characters in length.
This gives me 27,975 words to work with.
The number of 6 character words is 7351.
The number of 7 character words is 10036.
The number of 8 character words is 10588.

Let's assume that each character is 8 bits, including the appended number and special character; this gives between 64 and 80 bits of entropy.

EDIT: Fixed that, thank you.
Last edited by holocron on Wed Aug 24, 2011 1:07 pm UTC, edited 1 time in total.

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Aug 23, 2011 11:04 pm UTC

holocron wrote:Let's assume that each character is 8 bits
That's an overestimate, even correcting the byte/bit error, because characters in English words have far fewer than 8 bits of entropy. Even completely random letters are only about 4.7, because you're choosing from just 26 instead of the full 256 ASCII set.

And with the word count, we can just figure it out directly: Your method gives 27975^3*10*27 possible passwords, or 52.4 bits of entropy. Which is still pretty good, but definitely not as high as even the lower bound of your estimate.

It is, coincidentally, quite close to the amount of entropy Randall's method would give if, like yours, it added a digit and special character to the end. The number of ways to pick 3 words with replacement from 27,975 is only slightly more than the number of ways to pick 4 from 2000. So I guess it comes down to whether you find it easier to remember 3 less common words or 4 more common ones.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

User avatar
Eebster the Great
Posts: 3463
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Aug 24, 2011 2:20 am UTC

Vash wrote:The main problem is that the comparison is wrong. It is much better if your password is not a word.

Round and round and round we go . . .

scarletmanuka
Posts: 533
Joined: Wed Oct 17, 2007 4:29 am UTC
Location: Perth, Western Australia

Re: 0936: "Password Strength"

Postby scarletmanuka » Wed Aug 24, 2011 3:40 am UTC

Anonymously Famous wrote:
gmalivuk wrote:Yeah, someone has already mentioned in this thread how easy it would be to set up a "free password generation" website and then store all the passwords to hack people's accounts at random.

I'm sure I must have read that, but with several hundred posts on this thread it's easy to forget what has been brought up.

There's also "Password Reuse".

User avatar
Vash
Posts: 488
Joined: Sat Jan 22, 2011 9:14 pm UTC
Location: The planet Gunsmoke

Re: 0936: "Password Strength"

Postby Vash » Wed Aug 24, 2011 5:43 am UTC

gmalivuk wrote:That is the advice because 1) you can fit more entropy into fewer characters that way, and some sites limit the size of the password you can use, and 2) it is unlikely that a person allowed to choose their own words will pick something with sufficiently high entropy, because we're bad at randomness.

In any case, correcthorsebatterystaple is *not* a word. It's four of them, chosen randomly. Which means that the total entropy is four times the entropy of each individual word.

The "logic" people keep using to criticize Randall's suggestion as being vulnerable to a dictionary attack is just as ridiculous as the following:
Your password obviously should not be just a 1 or a 0, as those passwords are stupidly easy to break. Therefore, your password should not consist of a concatenated string of random choices (with replacement) from the set {0,1}.


Well, that's all valid.

True. But of course if you'd read even just the most recent page or so of this thread, you'd see that the estimate wasn't intended for the scenario where you have your own machine on which to brute force a password at your leisure.


I can't read. That's why I use the internet.

Stacey
Posts: 1
Joined: Wed Aug 24, 2011 9:43 am UTC

Re: 0936: "Password Strength"

Postby Stacey » Wed Aug 24, 2011 9:48 am UTC

Best password ever: 00000001

ROFL

superluser
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby superluser » Wed Aug 24, 2011 11:21 am UTC

TheGrammarBolshevik wrote:Still, it would be foolish to get your password from a server-side program just based on the trust you give an anonymous person on the Internet.


If I were listening to that advice, I'd probably never have gotten my Mr T name. (note for the humor impaired: I do not recommend using real data to generate your Mr T name)

holocron
Posts: 4
Joined: Tue Aug 23, 2011 9:46 pm UTC

Re: 0936: "Password Strength"

Postby holocron » Wed Aug 24, 2011 1:27 pm UTC

gmalivuk wrote:
holocron wrote:And with the word count, we can just figure it out directly: Your method gives 27975^3*10*27 possible passwords, or 52.4 bits of entropy. Which is still pretty good, but definitely not as high as even the lower bound of your estimate.


Thank you for that bit of information.
With social engineering, a skilled hacker could determine the pattern and crack these passwords very quickly. Without the pattern knowledge, wouldn't the amount of entropy jump to 4.7^20 for three 6-char words or 4.7^26 for three 8-char words?

holocron
Posts: 4
Joined: Tue Aug 23, 2011 9:46 pm UTC

Re: 0936: "Password Strength"

Postby holocron » Wed Aug 24, 2011 1:39 pm UTC

cryptographer wrote:I agree with the strip that ordinary words give more entropy per unit of memorization effort. But I'd be curious what other people here think. The following 10 passwords each have exactly 64 bits of entropy, if you know the algorithm generating each one:

1. y#WK6qAFUct
2. JIb Varb cOF jiW
3. 2a01 e073 862c 2a5e
4. 10753 57459 34348 10846
5. cap ion take wow kudo irk
6. gyb beec mov bog fup geec
7. (215) 253-7163, (319) 137-9466 x537
8. Alaska amen breast crust reward hectic
9. May 2, 1885 1:21:7, August 2, 1934 18:16:14
10. 0010101000000001111000000111001110000110001011000010101001011110

So which is the easiest to memorize? Which is the hardest? For me, number 8 is the easiest, and number 10 is the hardest. I could memorize 8 in just a few minutes, by breaking them into two sentences, each of which uses 3 of the words, and visualizing a bizarre picture for each sentence. And I'd probably remember it for years. I think number 1 would take a LOT more effort, and I'd have to review it frequently or I'd forget it.

But what do all of you think?


This. I posted before reading through a good number of posts. Thanks!

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Wed Aug 24, 2011 2:09 pm UTC

holocron wrote:With social engineering, a skilled hacker could determine the pattern and crack these passwords very quickly.
No, not if it's a remotely good random number generator. It's got 52 bits of entropy, even if the attacker does determine the method and the exact list of words.

If it could be cracked very quickly by someone who knows the pattern, then it's a shitty algorithm. Relying on security through obscurity is generally not a good idea.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

TheInsomniac
Posts: 4
Joined: Tue Apr 05, 2011 4:38 pm UTC

Re: 0936: "Password Strength"

Postby TheInsomniac » Wed Aug 24, 2011 7:49 pm UTC

So many thoughts on this subject:

1) I work at a very big company, on a large team. I saw our administrative assistant open up a Rolodex of passwords, off her desk, the other day. I know she also has passwords for managers and the like.
2) "Surely you're joking, Mr. Feynman!" has some great stories about the "security" at Los Alamos during the Manhattan Project. In those days it was combo locks on file cabinets that were the issue. The situation in #1 demonstrates that not much has changed in security.
3) I had to sign up for a password at the account page of a major company recently. It had one of those "password strength" raters. It refused all of my standard passwords, mostly because of character issues or because the number string was 4 digits. I think it barged on 4-digit strings, because those so often are things like years that are easy to guess. Regardless, I ended up only being able to use the weakest of all of my standard passwords, which I came up with in the '90s when I was a teenager.

ITs are failing us.

AndyClaw
Posts: 4
Joined: Sat Aug 20, 2011 2:37 am UTC

Re: 0936: "Password Strength"

Postby AndyClaw » Thu Aug 25, 2011 1:09 am UTC

Thanks, Randall, for bringing this to more people's attention. Super annoying password policy at work: not allowed to have any more than two letters or numbers in a row, not allowed to have two of the same character in a row, and must use at least one letter, number, and special character. The result is probably a bunch of short passwords that would be easy to crack.

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 25, 2011 1:44 am UTC

Is it also limited by length? Because if not, just stick a ! or something between each character of an actually secure password.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

Isil`Zha
Posts: 8
Joined: Mon Aug 15, 2011 2:08 pm UTC

Re: 0936: "Password Strength"

Postby Isil`Zha » Sat Aug 27, 2011 10:30 pm UTC

Insert random unicode into your passwords, it significantly increases the keyspace, and I know of no brute-force cracker that even attempts to search higher than the ASCII keyspace. Meaning it will literally never brute force your password.

At one point at my previous job we pulled the SAM database and ran l0phtcrack against it. Every single password was broken within a week. Except mine. Mine was unbreakable. :mrgreen:

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 28, 2011 12:02 am UTC

Isil`Zha wrote:Insert random unicode into your passwords
Sure, and then be unable to login quickly and securely on another computer.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

User avatar
Jorpho
Posts: 6279
Joined: Wed Dec 12, 2007 5:31 am UTC
Location: Canada

Re: 0936: "Password Strength"

Postby Jorpho » Sun Aug 28, 2011 12:40 am UTC

Well, ALT+[four numpad characters] can pop up something outside of the ASCII keyspace, right? That's an interesting idea.

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 28, 2011 12:42 am UTC

How is that more effective than just including "alt0151" or whatever at that point in your password? With the added benefit that it'll still work for password fields that don't accept full unicode input.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

User avatar
Jorpho
Posts: 6279
Joined: Wed Dec 12, 2007 5:31 am UTC
Location: Canada

Re: 0936: "Password Strength"

Postby Jorpho » Sun Aug 28, 2011 3:45 am UTC

As Mr. Isil`Zha just suggested, if there are characters outside the ASCII character range that are not used by brute force crackers, then actually using ALT+0151 will make a password unbreakable by such crackers.

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 28, 2011 3:54 am UTC

It seems rather foolish to rely on the assumption that attackers will never use the characters you're using.

Once again, the entropy values that have been discussed through most of this thread refer to the difficulty of cracking a password *after* knowing the algorithm used to generate it. And knowing someone has a unicode character in their password means we *will* include those in our search. At which point it turns out this method isn't any more secure than just typing the code for the same character.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

mric
Posts: 67
Joined: Tue Aug 03, 2010 4:17 pm UTC

Re: 0936: "Password Strength"

Postby mric » Sun Aug 28, 2011 8:14 am UTC

"I needed a password 8 characters long so I picked Snow White and the Seven Dwarves."

(Recently voted funniest joke of the 2011 Edinburgh Fringe)

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 28, 2011 1:39 pm UTC

Recently told in this thread, too. :-P
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

User avatar
Splarka
Posts: 48
Joined: Thu Apr 12, 2007 10:24 am UTC

Re: 0936: "Password Strength"

Postby Splarka » Sun Aug 28, 2011 7:26 pm UTC

Thomas Baekdal's take on password usability. From 2007. Sure looks familiar. (@twitter)

I hate it when people steal ideas from Randall without crediting him. Stupid time travelers!
HTTP/1.1 - 203

User avatar
TheGrammarBolshevik
Posts: 4878
Joined: Mon Jun 30, 2008 2:12 am UTC
Location: Going to and fro in the earth, and walking up and down in it.

Re: 0936: "Password Strength"

Postby TheGrammarBolshevik » Sun Aug 28, 2011 8:16 pm UTC

Yes, I'm sure that Randall read that article in 2007 and then sat on it for four years in order to plagiarize that god-awful explanation of a well-understood idea.
Nothing rhymes with orange,
Not even sporange.

Katifer Dragonite
Posts: 9
Joined: Mon Jul 25, 2011 12:11 am UTC

Re: 0936: "Password Strength"

Postby Katifer Dragonite » Fri Sep 02, 2011 6:17 am UTC

Just out of interest, what would be the strength of a password made of four random Latin words? I bet that they don't do dictionary attacks on dead languages.

scarletmanuka
Posts: 533
Joined: Wed Oct 17, 2007 4:29 am UTC
Location: Perth, Western Australia

Re: 0936: "Password Strength"

Postby scarletmanuka » Fri Sep 02, 2011 9:04 am UTC

Katifer Dragonite wrote:Just out of interest, what would be the strength of a password made of four random Latin words?

The same as for English words, assuming a similarly sized word list. Once again - the strength is determined by assuming that the attacker knows the system you are using to choose your password. So for that system, we do in fact have to assume the attacker is doing a dictionary search with Latin words.

alokito
Posts: 1
Joined: Fri Sep 02, 2011 9:51 am UTC

Re: 0936: "Password Strength"

Postby alokito » Fri Sep 02, 2011 10:19 am UTC

I was thinking, it may be better to use 4 random names for two reasons,

1) Names are easier to remember than common words, particularly when in a sequence
2) There are a whole lot of them. Apparently there are books with up to 100k available on Amazon

Assuming you could get a text file with all of them, you would get over 16 bits of entropy per word, and over 66 bits total for only 4.
A random string with mixed-case letters, numbers and symbols only has about 77 chars, or over 6 bits of entropy per character, which means you would need a totally random string of 10 characters to equal the entropy in four random names. That seems a lot harder to remember.

BTW, I wrote a java implementation of the comic with a GUI program that includes some stats to make it easy to play with these ideas for less technical people than xkcd readers, you can check it out by searching for alokito on github (I'm still a no-link noob here).
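The entropy arithmetic that runs through this thread (gmalivuk's 27975^3*10*27 = 52.4 bits for holocron's generator, the comic's four common words, and alokito's four-names-from-100k estimate above) all comes down to one rule: count the outputs the scheme can produce, assuming the attacker knows the scheme and the word lists, and take the binary log. The script below is an added example, not code from any poster; the pool sizes are the ones the posts state (27,975 words, 27 symbols, 10 digits, an assumed 2,048-word list for the comic, an assumed 100,000-name list and a 77-symbol alphabet), and the 1,000 and 3,000,000 guesses-per-second rates are the ones quoted earlier in the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s


def scheme_entropy_bits(choices_per_position):
    """Entropy of a generation scheme in bits: log2 of the number of distinct
    outputs, where each position is drawn uniformly and independently (with
    replacement) from a pool of the given size.

    The attacker is assumed to know the scheme and every pool; only the random
    draws are secret, which is the standing assumption in this thread."""
    if any(n < 1 for n in choices_per_position):
        raise ValueError("every pool must have at least one element")
    return sum(math.log2(n) for n in choices_per_position)


def chars_needed_to_match(target_bits, alphabet_size):
    """Smallest length of a uniformly random string over `alphabet_size`
    symbols that reaches at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every output of a `bits`-bit scheme at a fixed
    guess rate; on average the attacker succeeds in half this time."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


# Schemes from the thread, each as a list of per-position pool sizes.
# Pool sizes are taken from the posts; the 2,048 and 100,000 figures are
# assumptions stated in the comic and in alokito's post respectively.
SCHEMES = {
    # holocron: 3 words from 27,975 six-to-eight-letter words, 1 digit, 1 of 27 symbols
    "holocron 3 words + digit + symbol": [27975] * 3 + [10, 27],
    # the comic: 4 words from roughly 2,048 common words
    "xkcd 4 common words": [2048] * 4,
    # alokito: 4 names from an assumed 100,000-name list
    "alokito 4 names": [100000] * 4,
    # alokito's comparison: 10 uniformly random characters from 77 symbols
    "random 10 chars of 77": [77] * 10,
}

if __name__ == "__main__":
    for name, pools in SCHEMES.items():
        bits = scheme_entropy_bits(pools)
        print(f"{name:36s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, 1000):.3g} yr @ 1e3/s  "
              f"{years_to_exhaust(bits, 3_000_000):.3g} yr @ 3e6/s")
    need = chars_needed_to_match(scheme_entropy_bits([100000] * 4), 77)
    print(f"random chars over 77 symbols needed to match 4 names: {need}")
```

The same function also shows why bigjeff5's objection below matters: shrinking the name pool from 100,000 to the 1,000 most common names for a region drops each position from about 16.6 bits to about 10, so the word list the attacker can plausibly assume, not the list you think you drew from, is what sets the strength.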

bigjeff5
Posts: 127
Joined: Tue Nov 10, 2009 3:59 am UTC

Re: 0936: "Password Strength"

Postby bigjeff5 » Mon Sep 05, 2011 12:17 am UTC

alokito wrote:I was thinking, it may be better to use 4 random names for two reasons,

1) Names are easier to remember than common words, particularly when in a sequence
2) There are a whole lot of them. Apparently there are books with up to 100k available on Amazon


The problem with that is that unfamiliar names are not easy to remember at all. For most people the list of familiar names is probably in the neighborhood of 200-300, tops (and I think I am being very generous there - I don't think I know that many myself). Most names people are familiar with are the names they hear repeated over and over again - that's why they are easier to remember than all the words in the English language - there aren't many of them that you have to remember!

So if you are only using names you are familiar with (to make it easier to remember) the hacker just needs to take into account the region of the world you live in and he can chop his list down to the 1,000 or so most common names for the area. This leaves you significantly worse off than Randall's list of the top 2000 most common words. If he knows more about where you are from he can cut it down even more, completely destroying the entropy (and obviously, the security) of your system.

User avatar
Vash
Posts: 488
Joined: Sat Jan 22, 2011 9:14 pm UTC
Location: The planet Gunsmoke

Re: 0936: "Password Strength"

Postby Vash » Mon Sep 05, 2011 12:33 am UTC

TheGrammarBolshevik wrote:Yes, I'm sure that Randall read that article in 2007 and then sat on it for four years in order to plagiarize that god-awful explanation of a well-understood idea.


I don't know if that's the only place it has been explained. It is always possible for someone to read something, forget about reading it, and then use the idea years later. I almost didn't want to say it, though. It might be pretty unlikely. I don't know how accessible that website is. That would help to clarify.

User avatar
TheGrammarBolshevik
Posts: 4878
Joined: Mon Jun 30, 2008 2:12 am UTC
Location: Going to and fro in the earth, and walking up and down in it.

Re: 0936: "Password Strength"

Postby TheGrammarBolshevik » Mon Sep 05, 2011 1:19 am UTC

Ahh, fuck. Yeah, I totally retract that completely serious and not ironic post.
Nothing rhymes with orange,
Not even sporange.

User avatar
Vash
Posts: 488
Joined: Sat Jan 22, 2011 9:14 pm UTC
Location: The planet Gunsmoke

Re: 0936: "Password Strength"

Postby Vash » Mon Sep 05, 2011 1:41 am UTC

TheGrammarBolshevik wrote:Ahh, fuck. Yeah, I totally retract that completely serious and not ironic post.


I was contesting the point you seemed to be making with sarcasm, but if you were making no point, then I suppose I stand corrected.

User avatar
TheGrammarBolshevik
Posts: 4878
Joined: Mon Jun 30, 2008 2:12 am UTC
Location: Going to and fro in the earth, and walking up and down in it.

Re: 0936: "Password Strength"

Postby TheGrammarBolshevik » Mon Sep 05, 2011 2:19 am UTC

I was making a point with sarcasm, but whatever you were trying to contest wasn't it.
Nothing rhymes with orange,
Not even sporange.

User avatar
Vash
Posts: 488
Joined: Sat Jan 22, 2011 9:14 pm UTC
Location: The planet Gunsmoke

Re: 0936: "Password Strength"

Postby Vash » Mon Sep 05, 2011 2:30 am UTC

TheGrammarBolshevik wrote:I was making a point with sarcasm, but whatever you were trying to contest wasn't it.


Yeah, I wanted to correct that. I think I know your point now.

superluser
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby superluser » Wed Sep 07, 2011 12:53 am UTC

bigjeff5 wrote:The problem with that is that unfamiliar names are not easy to remember at all. For most people the list of familiar names is probably in the neighborhood of 200-300, tops (and I think I am being very generous there - I don't think I know that many myself). Most names people are familiar with are the names they hear repeated over and over again - that's why they are easier to remember than all the words in the English language - there aren't many of them that you have to remember!

So if you are only using names you are familiar with (to make it easier to remember) the hacker just needs to take into account the region of the world you live in and he can chop his list down to the 1,000 or so most common names for the area. This leaves you significantly worse off than Randall's list of the top 2000 most common words. If he knows more about where you are from he can cut it down even more, completely destroying the entropy (and obviously, the security) of your system.


Just use names from Pynchon novels. You'll probably top 2000, and it would be very difficult to forget Cherrycoke Oedipa Eggslap Chunko.

User avatar
gmalivuk
GNU Terry Pratchett
Posts: 26767
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There
Contact:

Re: 0936: "Password Strength"

Postby gmalivuk » Wed Sep 07, 2011 1:01 am UTC

Perhaps, though I suspect still much easier to misremember that than something from a list of actual common words, like "correct horse battery staple".
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

jpk
Posts: 607
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby jpk » Wed Sep 07, 2011 5:25 am UTC

So one of my passwords expired towards the end of last week, and I thought I'd give this a try. Did the reset, used four common words, had to insert a digit to keep the algorithm happy, so I used digits as separators.

I remembered the digits, but the words themselves were completely gone by the time the system prompted me for a refresher.
I'm not playing that game again. It was embarrassing having to ask for a reset after just a few hours.

User avatar
Isaac5
Posts: 5
Joined: Mon Feb 01, 2010 1:24 pm UTC

Re: 0936: "Password Strength"

Postby Isaac5 » Thu Sep 08, 2011 2:47 am UTC

How does one calculate this?

User avatar
Eebster the Great
Posts: 3463
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 0936: "Password Strength"

Postby Eebster the Great » Thu Sep 08, 2011 4:17 am UTC

Isaac5 wrote:How does one calculate this?

The entropy of a password-generating scheme is the binary log of the total number of passwords it can generate.

