0936: "Password Strength"


Hoopla
Posts: 26
Joined: Tue Sep 28, 2010 3:03 am UTC

Re: 0936: "Password Strength"

Postby Hoopla » Wed Aug 10, 2011 5:23 am UTC

Wow. I could probably guess all my friends' passwords if they used either of these formulas.

I personally go for minor Nordic gods.
Jahoclave wrote:Luckily they forgot the bacon, otherwise we'd be screwed.

THIS IS CARLYLE BLUMENTHAL III AND I APPROVE THIS MESSAGE!

from canada
Posts: 84
Joined: Mon Nov 19, 2007 7:05 am UTC

Re: 0936: "Password Strength"

Postby from canada » Wed Aug 10, 2011 5:23 am UTC

TRWTF (oops I forgot what site I was on) is 1000 guesses/sec

5 wrong attempts = 1 hour lockout
really, brute force attempts shouldn't even be a problem

jpk
Posts: 607
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 5:24 am UTC

Eebster the Great wrote:
jpk wrote:One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, i.e. if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e.

Most dictionary attacks now routinely include interleaving words or words and numbers. However, it still does increase the sample space considerably.


Yes, I'm aware of that... :)

Brian-M
Posts: 85
Joined: Tue Jan 18, 2011 6:31 am UTC

Re: 0936: "Password Strength"

Postby Brian-M » Wed Aug 10, 2011 5:24 am UTC

correct horse battery staple

If you took the first and last letter of each word you'd get "cthebyse", which wouldn't be too bad if you were limited to a case-insensitive letters-only password of 6 to 8 characters.

There's no reason you can't use mnemonic devices to produce hard to crack passwords that are easy to remember.

For example, "Justin Bieber sucks balls eight times a day". Easy to remember, and can be used as a mnemonic for a password like "JnBrsb8tady".

glasnt wrote:123456

No. For a true Spaceball purist, the password will always be "12345". No six.

Graff wrote:I think the best idea along these lines is the first letter of each word in a phrase. It's easy to remember and isn't susceptible to a dictionary attack that concatenates words. Make up a simple algorithm to make it unique to the website, like placing the length of the site's name and its last character at the third position, and you're golden.

phrase: Everything should be made as simple as possible, but not simpler.
site: xkcd
password: esb4dmasapbns


The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on. Passwords would be a lot easier to generate if every site had the same requirements - or if they just accepted anything and let the consequences be on the password owner's head.

Damn, beaten to it. But since I already wrote this comment before checking the rest of the thread prior to pressing "submit", I'll post it anyway.
Last edited by Brian-M on Wed Aug 10, 2011 5:25 am UTC, edited 1 time in total.

LucasBrown
Posts: 299
Joined: Thu Apr 15, 2010 2:57 am UTC
Location: Poway, CA

Re: 0936: "Password Strength"

Postby LucasBrown » Wed Aug 10, 2011 5:25 am UTC

joee wrote:OP: there's a typo in your link. http, not htpp
Fixed

Plasma Mongoose
Posts: 213
Joined: Tue Feb 01, 2011 1:09 am UTC

Re: 0936: "Password Strength"

Postby Plasma Mongoose » Wed Aug 10, 2011 5:26 am UTC

rapturemachine wrote:And really, how secure is Tr0ub4dor&3 when you use it for every site, like many people do? (http://xkcd.com/792/)
(#792 actually made me decide to revise my passwords to all the sites I visit at least somewhat frequently. Now, I use a different password for almost every site, and they consist of interspersed letters, numbers, and punctuation. In fact, they look a lot like troubador over there. And yes, I do remember them all :P )


This is why you use simple but not too obvious passwords for things like forums and way more sophisticated passwords for anything involving banking and other related important stuff.
A virus walks into a bar, the bartender says "We don't serve viruses in here".
The virus replaces the bartender and says "Now we do!"

ElPerezoso
Posts: 1
Joined: Wed Aug 10, 2011 5:25 am UTC

Re: 0936: "Password Strength"

Postby ElPerezoso » Wed Aug 10, 2011 5:28 am UTC

Is misspelling Troubadour a way to add entropy, or was that accidental?

Belteshazzar
Posts: 4
Joined: Fri Dec 31, 2010 3:59 pm UTC

Re: 0936: "Password Strength"

Postby Belteshazzar » Wed Aug 10, 2011 5:28 am UTC

I've seen sites that won't even let you create a password without special characters, numbers, and mixed case but won't let you use anything longer than 12 or 15 characters. What a bunch of farcical security theater.

Though concatenating four common words may not be the safest password practice ever, I think most of those dismissing the idea out of hand are off base (either that or you have extremely small working vocabularies and underestimate the number of common words...). There are probably ~8000 common words in English, and log base 36 of 8000^4 is basically 10, i.e. it's about as good as a 10-character fully random alphanumeric password. (Randall's notes about the entropy of the passwords are surely more informed than my back-of-napkin calculation here; I wish he'd posted more of the details of how he arrived at those values so as to help some of these naysayers see what he's talking about.)

A couple of people have mentioned passphrase initialisms; though I imagine everyone here has already heard the Bruce Schneier Fact on the topic (http://www.schneierfacts.com/fact/27) I'll quote it anyway:
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

chaoztheory1
Posts: 7
Joined: Wed Apr 07, 2010 3:25 pm UTC
Location: Lordaeron, US - West

Re: 0936: "Password Strength"

Postby chaoztheory1 » Wed Aug 10, 2011 5:37 am UTC

I have no trouble remembering what passwords I have, I just have trouble remembering which passwords go to what account.
This is doubly so when you can tick on "remember me".
If I forget my xkcd password, I may have to make a new account. Not that it matters much, that is.
Humans are the strangest creatures on earth. We drink the milk of other animals.

If there was ever a time to not get hit by a bus coming out of the computer, this is not it.

TheBlackCat
Posts: 14
Joined: Mon Jan 21, 2008 5:23 pm UTC

Re: 0936: "Password Strength"

Postby TheBlackCat » Wed Aug 10, 2011 5:39 am UTC

I think the first password is much easier to remember. I read it once and had it. The second I read a bunch of time and still can't remember. Still, using a single word is stupid.

maxh
Posts: 66
Joined: Thu Jul 22, 2010 12:14 am UTC

Re: 0936: "Password Strength"

Postby maxh » Wed Aug 10, 2011 5:42 am UTC

jpk wrote:Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because [they think?]* Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

Not necessarily. One of my passwords (for an account that's now dead) was made up of ninety-two characters totaling fourteen words (one of which the made up compound "assballs" (yeah, it had lots of profanity) and one of which was a four-word hyphenation) and punctuation making up a phrase. Now, assuming someone knows I did that and limits their search to letters and basic punctuation, there's approximately a sixty-option space for each of those ninety-four characters, at 1000 guesses a second, even assuming only the ninety-four character passwords are searched, would take about 3 * 10^107 years to search. Especially considering the life of the account in question, that's definitely safe. But your hypothesis is that someone limiting their search space to English words would be more able to get the password. Ignoring punctuation, and counting "assballs" as two words (since that's the only way a word-based search would come up with it), there are now effectively fifteen characters. But the English language has over 600000 words (based on the number of entries in the second edition Oxford English Dictionary). Even rounding everything in calculations down, that would (at the same speed and with known length) take around 1*10^705344 years. In practical terms, both of these exceed most estimates for the end of the universe, but at least theoretically a concatenated-English-words limit would actually make the job harder.
Last edited by maxh on Wed Aug 10, 2011 5:55 am UTC, edited 1 time in total.

YttriumOx
Posts: 33
Joined: Mon Jun 02, 2008 8:08 pm UTC
Location: Hannover, Germany

Re: 0936: "Password Strength"

Postby YttriumOx » Wed Aug 10, 2011 5:43 am UTC

I tend to use a variant of the following method for password generation:
1) Take a moderately long non-English word or short non-English phrase, e.g. "mein frosch ist grün" (real world: I use a language I know well that is significantly less spoken than German, and I use a word or phrase that is relevant to the site for me)
2) Then capitalise and remove special characters that are unsupported by stupid systems, both according to the rules of the language, e.g. "Mein Frosch ist gruen" (real world: the language I use has some rather unexpected rules to people that don't speak it)
3) Then use a simple substitution cipher on all letters, e.g. "Zrva Sebfpu vfg tehra" (real world: I don't use rot13, but instead something else I know well that I can do in my head and isn't as simple as rot13)
4) Then use a second substitution cipher on all non-u vowels to "l33t" style them, e.g. "Zrv4 S3bfpu vfg t3hr4" (real world: the substitution cipher I use at step 3 results in more vowels, but otherwise this step is the same)
5) I then add a symbol at the end of each word, following a pattern that relates to the word itself, e.g. "Zrv4$ S3bfpu^ vfg# t3hr4%" (real world: I don't just count the letters and press that number with shift like I did here)

This tends to result in passwords that will have no meaning to anyone but myself, are very easy for me to re-calculate in my head if I forget them (rare, but it does happen on less frequented sites), is difficult to shoulder surf, and contains both sufficient entropy and length to avoid the majority of brute force cracking attempts.

I tried using a piece of software once to store my passwords and generate "long secure random strings", but I found it annoyed me too much having to open this program and type my master password each time just to let me copy/paste a different password. Plus I'm not sure I could come up with a master password that I can remember that would be any more secure than my current passwords, and it is less secure for shoulder surfers.
I wrote a book... shameless self-promotion inside the spoiler tag.
Spoiler:
Dropping Acid: A Beginner's Guide to the Responsible Use of LSD for Self-Discovery
Available on Amazon as both paperback and Kindle eBook.
You can also be a 'fan' on facebook.

vrek
pigasm!
Posts: 281
Joined: Mon Nov 20, 2006 7:49 pm UTC

Re: 0936: "Password Strength"

Postby vrek » Wed Aug 10, 2011 5:44 am UTC

Maybe you guys can explain something to me...why is it that my password matters more than how strict the password policy of the site is? Should the real time it takes to crack a password be inversely proportional to the strictness of the password policy? For example say a site's policy is a password has to be between 8-12 chars long and include one number. That would be of average strength to most people but that means that to crack it you can eliminate all combinations of less than eight chars, more than 12 chars, all dictionary words, anything without a number. Wouldn't it be a lot more secure to have no policy at all as to how strong the password has to be? That would mean that any cracker would have to try every single possibility, he couldn't skip any of them because they each could be the password. How many crackers do you think even check for a password like the single lone letter a ?
Didn't I tell you tomorrow that time is not linear?

Verator666: I get hot unicorn furry sex AND YOU DON'T!!

maxh
Posts: 66
Joined: Thu Jul 22, 2010 12:14 am UTC

Re: 0936: "Password Strength"

Postby maxh » Wed Aug 10, 2011 5:51 am UTC

vrek wrote:How many crackers do you think even check for a password like the single lone letter a ?

At 1000 guess/sec, even checking every Unicode character ever would take about twenty minutes. Using only ASCII, it's less than a second. Either way, checking the one-character passwords is an incredibly tiny fraction of the time compared to the rest of the search, so why not try?

Randomness
Posts: 38
Joined: Sat Mar 20, 2010 8:22 pm UTC

Re: 0936: "Password Strength"

Postby Randomness » Wed Aug 10, 2011 5:54 am UTC

So, spelling was my worst subject (I once spelled answer->annqswler, causing my teacher much confusion), and the places that you enter passwords have no spellcheck.
I wonder how long it would take someone relying on dictionary hacks to figure out my passwords, without help from a keylogger to learn typing habits (yes I know if they had a keylogger in they wouldn't need to force it).

endolith
Posts: 229
Joined: Tue Jan 01, 2008 2:14 am UTC
Location: New York, NY

Re: 0936: "Password Strength"

Postby endolith » Wed Aug 10, 2011 5:56 am UTC

Isn't the second password easier to guess because of dictionary attacks?

jpk
Posts: 607
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 5:57 am UTC

vrek wrote:Maybe you guys can explain something to me...why is it that my password matters more than how strict the password policy of the site is? Should the real time it takes to crack a password be inversely proportional to the strictness of the password policy? For example say a site's policy is a password has to be between 8-12 chars long and include one number. That would be of average strength to most people but that means that to crack it you can eliminate all combinations of less than eight chars, more than 12 chars, all dictionary words, anything without a number. Wouldn't it be a lot more secure to have no policy at all as to how strong the password has to be? That would mean that any cracker would have to try every single possibility, he couldn't skip any of them because they each could be the password. How many crackers do you think even check for a password like the single lone letter a ?



You are correct, as far as that goes. The explicit policy does serve to guide the cracker to the correct solution space. However, the implicit password policy that would guide the user in the absence of an explicit (enforceable) one is significantly weaker than the enforceable one.

ks_physicist
Posts: 230
Joined: Wed Jun 27, 2007 10:09 am UTC

Re: 0936: "Password Strength"

Postby ks_physicist » Wed Aug 10, 2011 6:04 am UTC

No one will guess that my password is 1q2w3e4r.

gmalivuk
GNU Terry Pratchett
Posts: 26826
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Wed Aug 10, 2011 6:09 am UTC

vrek wrote:For example say a site's policy is a password has to be between 8-12 chars long and include one number. That would be of average strength to most people but that means that to crack it you can eliminate all combinations of less then eight chars, more then 12 chars, all dictionary words, anything without a number. Wouldn't it be a lot more secure to have no policy at all as to how strong the password has to be?
No, because not having the policy would result in too many people having short dictionary words without any numbers.

And I think you're severely overestimating the portion of passwords that are ruled out by this policy. The number of possible passwords that are fewer than 8 characters, or a dictionary word, or which don't contain any numbers, is tiny compared to the number that do comply with your example policy.

Hoopla wrote:I personally go for minor Nordic gods.
Which I suspect there are somewhat fewer of than English words...
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

PowerJoe
Posts: 2
Joined: Wed Aug 10, 2011 6:11 am UTC

Re: 0936: "Password Strength"

Postby PowerJoe » Wed Aug 10, 2011 6:18 am UTC

My method: Pick a Hebrew word, and type the corresponding keys, so the English password appears random. For complying with non-alphanumeric requirements, choose words with ת, ץ, or ף, which are on the ',', '.' and ';' keys respectively.

Con: Need to speak Hebrew, which I do!

gmalivuk
GNU Terry Pratchett
Posts: 26826
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Wed Aug 10, 2011 6:25 am UTC

PowerJoe wrote:My method: Pick a Hebrew word, and type the corresponding keys, so the English password appears random. For complying with non-alphanumeric requirements, choose words with ת, ץ, or ף, which are on the ',', '.' and ';' keys respectively.

Con: Need to speak Hebrew, which I do!
Con: Now everyone with access to a Hebrew word list and some basic programming skills can brute-force your passwords...
---
Regarding the comic itself, I think this is a pretty damn good technique as long as the system you're using lets you use it. As someone else already pointed out, a random four-word phrase from among the few thousand most common English words gets you a password as hard to brute-force (even for someone who knows exactly how you picked your password) as a 10-character long completely random alphanumeric string.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

David Marseilles
Posts: 1
Joined: Wed Aug 10, 2011 6:03 am UTC

Re: 0936: "Password Strength"

Postby David Marseilles » Wed Aug 10, 2011 6:27 am UTC

Result 1 on google for "password strength calculator": http://askthegeek.us/pwd_meter/index.htm
Max of 16 characters allowed, can't test randall's string. "correct horse ba" registers a score of 0 (lower than "cor" which scores higher than "corr") and is characterized as very weak. I also wasn't able to test my preferred password: "your momma is so fat her blood type is ragu"

Result 2 on google for "password strength calculator": https://www.microsoft.com/security/pc-security/password-checker.aspx
Registers "correct horse battery staple" as the best strength, despite the associated link warning you not to use any dictionary words in your password. The link is hilarious reading though.
Using "correct horse ba" as compared to the GNU checker at the first link still registers as Strong (second best strength available).

My method: not telling other people my method. :wink:

cptjeff
Posts: 44
Joined: Thu Sep 03, 2009 4:42 am UTC

Re: 0936: "Password Strength"

Postby cptjeff » Wed Aug 10, 2011 6:45 am UTC

cheeseheadtotherescue wrote:we're sorry, your password must be between 6 and 10 characters and may not include any of the following special characters !@#$%^&*(){}-=+\|/><,.":;'[].
.
.
.
*cries*



My frigging bank won't allow me to use special characters. You would think out of all the institutions out there that would take care to allow more secure passwords, banks would be about #1 on the list. Apparently not.

maxh
Posts: 66
Joined: Thu Jul 22, 2010 12:14 am UTC

Re: 0936: "Password Strength"

Postby maxh » Wed Aug 10, 2011 6:47 am UTC

http://howsecureismypassword.net/ says the chbs password would take about two nonillion years. Good enough.

ijuin
Posts: 1150
Joined: Fri Jan 09, 2009 6:02 pm UTC

Re: 0936: "Password Strength"

Postby ijuin » Wed Aug 10, 2011 6:48 am UTC

I think that the discussion thus far has illustrated that the biggest obstacle to password security is the low limit on password length. If an eight-character password has X possible permutations, then a sixteen-character password has X^2 possible permutations.

Let's say for example that we use four-letter blocks of characters, each of which represent the first four letters of an English word. Let's assume for the sake of argument that there are one thousand reasonable combinations of four letters. (26^4 gives about 460 thousand possibilities, but many of these can not spell anything that is phonetically valid in any human language, such as "sbpk")

Thus:

8 characters (2 blocks) = 1 million combinations
16 characters (4 blocks) = 1 trillion combinations
32 characters (8 blocks) = 1 trillion trillion combinations (10^24)
64 characters (16 blocks) = 10^48 combinations (about ten billion times the total address space of IPv6)
128 characters (32 blocks) = 10^96 combinations (a trillion trillion times more than the number of protons in the visible universe)

If instead of using complex passwords, we use simple but very long passwords, then the number of permutations becomes prohibitive even with a dictionary attack that limits the search space to the vocabulary of one human language. A sentence that is one line long (using the old-style 80-characters-per-line standard) will be fundamentally impossible for a non-quantum computer to crack even if the entire mass of the visible universe were turned into a computer with each molecule a separate transistor performing operations as fast as the laws of physics permit.

Unfortunately, however, far too many people will choose "catch phrases" or famous quotes to be their "password sentence", which again will cut the total search space down to a few million. Once again we are stuck with the problem that nothing that a human brain can regard as meaningful can be sufficiently obscure that nobody else could ever think of it, because that very obscurity reduces the sense of "meaningfulness" to the password-user.

kekrre
Posts: 2
Joined: Fri Feb 25, 2011 5:28 am UTC

Re: 0936: "Password Strength"

Postby kekrre » Wed Aug 10, 2011 6:48 am UTC

vrek wrote:Maybe you guys can explain something to me...why is it that my password matters more than how strict the password policy of the site is? Should the real time it takes to crack a password be inversely proportional to the strictness of the password policy? For example say a site's policy is a password has to be between 8-12 chars long and include one number. That would be of average strength to most people but that means that to crack it you can eliminate all combinations of less than eight chars, more than 12 chars, all dictionary words, anything without a number. Wouldn't it be a lot more secure to have no policy at all as to how strong the password has to be? That would mean that any cracker would have to try every single possibility, he couldn't skip any of them because they each could be the password. How many crackers do you think even check for a password like the single lone letter a ?


Also don't forget that not all of your passwords are for websites. Something like an encrypted file that leaks out, an image of your HDD or a list of hashed passwords can be worked at will, and you'll appreciate the security there (maybe). It'd be a lot more secure to have a higher password length cap on all websites, and to have the password requirements explicitly stated (say, <18 characters, 1 special character, mixed case alphanumeric) rather than to have no length specified and a non-transparent truncating scheme, or a site that disallows special characters.

Since you can't know how the website stores your password, if they salt their passwords, who they'll share that password with, who in the company has access to the passwords, etc, you shouldn't really expect to be able to trust a non-random password generating scheme for more than one web site, no matter how secure you think they might be. If your generating algorithm is obvious enough and systematic, and someone cares enough, they might be able to figure out other passwords to other accounts.

Randall's word list appears to have 2000 words. The actual entropy of a concatenated word list is MUCH higher (117.5 bits, 7.4E24 years for knowing the -exact- password length given and that it contains only lower case letters) than the theoretical minimum, which assumes the attacker has a copy of your word list -and- knows at what password length to start guessing. If they don't know the number of words used, you can add the estimated time to brute force a password of shorter word lengths to your estimate breakthrough time. Working off a dictionary of words 3-6 letters long will yield a MUCH MUCH higher entropy/word and a MUCH MUCH MUCH (triple-much, arbitrary scale) higher time to exhaust all password combinations, as long as your word selection is sufficiently random (or esoteric), than you would expect using common words.
A diceware word list has 6^5 words (7776) and offers 12.9 bits per word for a known word list. At 1,000,000 guesses/second (not a good practice to assume your attacker's capabilities, so I'm aiming higher than the strip), it would take ~108 years for a 4-word diceware, >826,000 years for a 5-word diceware and 6 billion years for a 6-word diceware password, assuming your attacker knows which diceware word list you're working from. At the 1,000 guesses/second mentioned in the article, a 4-word diceware password would be good for 108,000 years. A 7 or 8 word password, even from a given list, should be able to withstand quantum computer attacks by the NSA in the semi-distant future (assuming that a brute-force password attack is the attack of choice). One time, I tried to calculate how large a text file would be that would contain enough random characters (all ASCII valid), in sequence, to cover a diceware-generated password. It was big.

Of course, if you're working with long concatenated word passwords, it can get difficult to remember the different passwords you're using for each and every site (right?), so you would use a password database, and lock that up with your own 7 or 8 word diceware password. But using a password database defeats the purpose of using a diceware-style password for everything except account passwords you may need to share/enter frequently (e.g. social network, something else, idk), so for high security stuff like your bank, you might as well use a random password generator anyway (especially since the bank I use truncates passwords to 12 characters). You could build a random password by using a cryptographically secure random password generator... or you could just flip coins, roll dice, etc.

And you have to assess how much you care about the password, how much other people will care, more likely routes of attack (e.g. an attacker capable of 1 brute force attack with 1 wrench per second > 1,000,000,000 password/second supercomputer) etc. Plus keep in mind that a systematic password generator based off of your word list might stumble upon your words (i.e. the theoretical maximum guessing time only occurs if your password happens to be the last one generated by their password generator system), but it's not probable at all for even small word lists (but neither is expecting a password to take you through 500 years).

cjmcjmcjmcjm
Posts: 1158
Joined: Tue Jan 05, 2010 5:15 am UTC
Location: Anywhere the internet is strong

Re: 0936: "Password Strength"

Postby cjmcjmcjmcjm » Wed Aug 10, 2011 6:49 am UTC

Of interest: http://www.whatsmypass.com/the-top-500- ... f-all-time
I'm surprised there aren't more Van Halen references and no racial slurs in the list.

D~~n! Y'all're posting fast tonight!
frezik wrote:Anti-photons move at the speed of dark

DemonDeluxe wrote:Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.

TomeWyrm
Posts: 3
Joined: Wed Oct 06, 2010 5:00 am UTC

Re: 0936: "Password Strength"

Postby TomeWyrm » Wed Aug 10, 2011 6:52 am UTC

I wish more sites would state their password policy so I wouldn't have to make laughably insecure passwords, or use a generator.

Luckily, I do use a generator. Keepass is amazing, and protects me from most of the password pitfalls that plague the average user. I'm sorry, but I'm not remembering 50-100 passwords, and no derivative algorithm would last long enough. Hell most of my security questions are stupidly laughable if anyone knows even the remotest bit of information about me. Either the answer changes over time, or it's public knowledge. Wow, I need to know my target's aunt's name... a few minutes on Google and voila, account hacked.

Oh and as for weak password policies? Try ICQ. 6-8 character, case-insensitive alphanumeric-only. Must have at least one letter and number. At least that was the policy last time I looked. People smarter than I can figure out how badly that reduces the time to crack a password.

Actually more banks should use two-factor authentication, rather than merely increasing password strength via policy change.

Azkyroth
Posts: 65
Joined: Mon Jun 29, 2009 6:35 am UTC

Re: 0936: "Password Strength"

Postby Azkyroth » Wed Aug 10, 2011 6:54 am UTC

It occurs to me that you could make an extremely secure password by memorizing a series of operations that would produce a longish string of seemingly arbitrary numbers and converting that to hex, then entering the result. Am I missing something important here?

Qwert
Posts: 73
Joined: Sun Feb 10, 2008 4:09 am UTC
Location: Elsewhere

Re: 0936: "Password Strength"

Postby Qwert » Wed Aug 10, 2011 6:55 am UTC

It really bugs me when admins set password requirements by character use. if I have a password like "i4teuynv894yo8jtdu7r" (~104 bits) it is more secure than "Password." (~59 bits), period and "P" be damned.
2 is not equal to 3, not even for large values of 2.
- Grabel's Law
Talent hits a target no one else can hit; Genius hits a target no one else can see.
- Arthur Schopenhauer

izomiac
Posts: 3
Joined: Mon Nov 23, 2009 5:28 pm UTC

Re: 0936: "Password Strength"

Postby izomiac » Wed Aug 10, 2011 6:56 am UTC

I'm glad that someone finally pointed the problem with "strong" passwords out. The human mind is wired to find connections between things, so generating or remembering something with high entropy is quite difficult. IIRC, the average person uses about 200 different words each day, 900 words in total, and knows about 2,000 - 3,000 if they're highschool educated, 8,000 - 10,000 if college educated. (Shakespeare used something like 20,000.)

If asked to generate a password, the base word is likely going to be a common noun, and unlikely to be terribly original. The techniques we use to strengthen it are psychologically-random, thus low entropy. (Psychologically-random numbers are what people say when asked for a random number, so 13, 17, 6 rather than 1, 5, 10.) Typing two lowercase alphabetic characters is usually faster and always more secure than using a single special (single-byte) character.

With large password databases publicly available, the next generation of brute force techniques are going to be quite scary indeed. It wouldn't surprise me if "guesses needed to encompass 99% of Gawker's database" might be the next benchmark for them.

Knaeve
Posts: 1
Joined: Wed Aug 10, 2011 6:52 am UTC

Re: 0936: "Password Strength"

Postby Knaeve » Wed Aug 10, 2011 7:04 am UTC

Related: I've always mistrusted password retrieval that hinged on a "security question," so in place of my first pet's name or what have you, I would always just type in a profane insult.

That was never a problem, until the day I found I couldn't log into the site through which I manage my 401(k). On that day, I had to tell the nice, very helpful phone support lady to go fuck herself.

She reset the password for me, but also made me change my security question answer, which I guess that's only fair.

User avatar
ConMan
Shepherd's Pie?
Posts: 1691
Joined: Tue Jan 01, 2008 11:56 am UTC
Location: Beacon Alpha

Re: 0936: "Password Strength"

Postby ConMan » Wed Aug 10, 2011 7:04 am UTC

endolith wrote:Isn't the second password easier to guess because of dictionary attacks?

No. Dictionary attacks rely on having a list of likely passwords, preferably with some information on the structure of the password to limit the possibilities. To dictionary attack the second method, you need to build a dictionary of all four- (and probably one-, two- and three-, but that doesn't actually make a huge difference) word phrases of all words in a base dictionary, which as Randall points out is a pretty huge space. It's essentially the length of the dictionary (here approximately 2000 words) to the fourth power.

You could also build the "dictionary" of all passwords of the first kind, and it would be remarkably smaller - it's the size of your original dictionary, multiplied by the number of ways you might complicate that one word. Those ways, in the example Randall gives, are capitalising the first letter (which doubles your sample space), "l33tifying" some of the letters (here there are three l33table letters, so there are 8 ways to change some, all or none of them), and adding another digit and punctuation symbol at the end (which adds on a factor of 16 for the punctuation, 8 for the digit, and 2 for the possibility that they could be in either order). This gives you a password that's somewhere between a two- and three-word pass phrase with no modifications. The point being, that if you force people to pick a password that "contains upper and lower case letters, as well as numbers and punctuation symbols", then a lot of them are going to just do this.
pollywog wrote:
Wikihow wrote:* Smile a lot! Give a gay girl a knowing "Hey, I'm a lesbian too!" smile.
I want to learn this smile, perfect it, and then go around smiling at lesbians and freaking them out.

piton
Posts: 3
Joined: Wed Aug 10, 2011 7:03 am UTC

Re: 0936: "Password Strength"

Postby piton » Wed Aug 10, 2011 7:13 am UTC

It's funny that the first format is almost required by my electric public utility company: the password has to have one punctuation mark and two digits.

forest_of_leaves
Posts: 2
Joined: Wed Aug 10, 2011 7:13 am UTC

Re: 0936: "Password Strength"

Postby forest_of_leaves » Wed Aug 10, 2011 7:18 am UTC

If you want easy to generate but random passwords, take a look at Diceware: http://world.std.com/~reinhold/diceware.html
All you need is a die and the wordlist.

Each word is 12.9 bits of entropy, and they recommend you use 5 words for a total of 64.5 bits of entropy.
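An added example (not code from any poster) that works through the entropy arithmetic in ConMan's post and in the Diceware post above: it counts the "one word plus tricks" space using ConMan's factors (2000-word dictionary, capitalisation x2, three l33table letters, 16 punctuation marks, 8 digits, either order), the four-common-word passphrase, and five Diceware words from the 6^5 = 7776-word list, then converts each to bits and to an expected cracking time at the 1000 guesses/second rate the comic assumes. The dictionary size and the factor counts are the posts' assumptions, not measured values.

```python
"""Entropy of the three password schemes discussed in the thread.

Added example, not from any poster. Counts are taken from the posts:
ConMan's factors for the word+tricks scheme, a 2000-word base
dictionary for the passphrase, and Diceware's 6^5 = 7776-word list.
"""
from math import log2

BASE_DICTIONARY = 2000          # words; ConMan's assumed base dictionary
DICEWARE_WORDS = 6 ** 5         # five dice rolls select one word (7776)


def word_with_tricks_space(words=BASE_DICTIONARY, leetable_letters=3,
                           punctuation=16, digits=8):
    """Number of passwords of the 'one common word plus tricks' kind, using
    ConMan's accounting: one base word, optionally capitalised (x2), any
    subset of the leetable letters substituted (2^n), one punctuation mark
    and one digit appended in either order (x2)."""
    return words * 2 * (2 ** leetable_letters) * punctuation * digits * 2


def passphrase_space(n_words=4, words=BASE_DICTIONARY):
    """Number of n-word phrases drawn with replacement from the dictionary."""
    return words ** n_words


def diceware_space(n_words=5, words=DICEWARE_WORDS):
    """Number of n-word Diceware passphrases (each word is one of 7776)."""
    return words ** n_words


def bits(space):
    """Entropy in bits of an element chosen uniformly from a space of that size."""
    return log2(space)


def expected_crack_seconds(space, guesses_per_second=1000):
    """Average time to hit a uniformly chosen password: on average half the
    space has to be tried. 1000 guesses/sec is the rate the comic assumes."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    schemes = [("one word + caps/l33t/digit/punct", word_with_tricks_space()),
               ("four common words", passphrase_space()),
               ("five Diceware words", diceware_space())]
    for name, space in schemes:
        days = expected_crack_seconds(space) / 86400
        print(f"{name:34s} {bits(space):6.1f} bits  ~{days:.3g} days at 1000/s")
```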

Wes Janson
Posts: 34
Joined: Thu Feb 14, 2008 6:54 am UTC

Re: 0936: "Password Strength"

Postby Wes Janson » Wed Aug 10, 2011 7:21 am UTC

Christ, has everyone's brains been sucked out of their heads lately?

When was the last time that anyone here was the subject of a brute-force cracking attempt?

I'll wait for the clamor to die down in a minute. To quote Stross,

"Didn't they know that the only unhackable computer is one that's running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off? What did they think they were doing?"

There's no way to be perfectly safe against a seriously dedicated adversary. Every time one of my friends starts bragging about how unbreakable his or her password is, I always like to point out that they're never going to hold up to five minutes of vaguely competent torture. If the stakes are high enough to warrant massive brute-force attempts, then why not a kneecapping or two as well, eh?

Believing in perfect security is the quickest way to destroy oneself with complications, inefficiency, and sheer stupidity.

AdamW
Posts: 10
Joined: Wed Aug 30, 2006 11:34 pm UTC

Re: 0936: "Password Strength"

Postby AdamW » Wed Aug 10, 2011 7:28 am UTC

Wes Janson wrote:Christ, has everyone's brains been sucked out of their heads lately?

When was the last time that anyone here was the subject of a brute-force cracking attempt?

Anyone who runs a Wordpress site, or an ssh server (especially if it's actually on port 22 and allows password login...) probably gets several a week.

Like a couple of other people mentioned, I use a password manager and have it generate random alphanumeric passwords of 12 characters (since so many sites have maximum lengths and won't let you use punctuation). The funny thing I find is that even such a password is surprisingly easy to memorize - I actually have several of the completely randomly generated passwords that I have to enter by hand (rather than copy/paste) every so often memorized.

maxh
Posts: 66
Joined: Thu Jul 22, 2010 12:14 am UTC

Re: 0936: "Password Strength"

Postby maxh » Wed Aug 10, 2011 7:32 am UTC

izomiac wrote:IIRC, the average person uses about 200 different words each day, 900 words in total, and knows about 2,000 - 3,000 if they're highschool educated, 8,000 - 10,000 if college educated. (Shakespeare used something like 20,000.)

You do remember correctly, but unfortunately what you remember is incorrect. The average person knows around eighty thousand words (though the number of words they often use may be much lower).

thelonesoldier
Posts: 9
Joined: Wed Aug 10, 2011 7:34 am UTC

Re: 0936: "Password Strength"

Postby thelonesoldier » Wed Aug 10, 2011 7:37 am UTC

Am I really stupid and missing something, or is all this brute force discussion made moot by the fact that most websites lock you out for 5 - 60 minutes after ~5 failed password attempts?

rewolff
Posts: 5
Joined: Wed Aug 10, 2011 6:19 am UTC

Re: 0936: "Password Strength"

Postby rewolff » Wed Aug 10, 2011 7:38 am UTC

I have always used my last name as the account name. So at one point in time I searched for a password that hashed to my first name. Since then I've been using passwords that can be considered "randomly chosen from 8 lowercase letters". At over 37 bits of entropy these perform better than most "according-to-the-rules" passwords (which come in at about 28 bits as Randall calculated in his strip).

Still my form of password is usually rejected in high-security applications in favor of the less secure mixed case hard-to-remember convoluted stuff....

Re: Number of words: as a rule-of-thumb you learn about 1000 words per year, ending up at around 20000 at age 20. Out of a total of about 80000 to 100000 words in a modern language.
