Hi everyone!
Some days ago, I stumbled upon this strip from xkcd: http://www.xkcd.com/936/
Can someone with knowledge of the mentioned entropy-bit theory and the state of password cracking confirm this? I thought that dictionary attacks made this kind of password impractical, but if it actually works... Well, suffice it to say I have some ideas for a few very long, very easy to remember, and very hard to guess passwords...
(And websites which still use 8-char passwords (which sadly includes my bank's one) be damned!)
Robust passwords
Last edited by Neolander on Sat Aug 13, 2011 3:54 am, edited 1 time in total.
- Combuster
- Member
- Posts: 9301
- Joined: Wed Oct 18, 2006 3:45 am
- Libera.chat IRC: [com]buster
- Location: On the balcony, where I can actually keep 1½m distance
- Contact:
Re: Robust passwords !
I don't know the dictionary sizes for each of such things, but patching a word with leetspeak-like substitutions gives you something like (#possible words) * 2^(length of word) (assuming that on average each letter can be substituted or not), and just concatenating two such words yields (#possible words)^2; the latter is more efficient when #possible words > 2^(length of word). For example, with 16-character words you'd have about 65000 substitutions, while it's obvious that there are more words out there than that.
Conclusion: 2 words give more possible passwords (and a harder time cracking them) than one word with substitutions.
That said, 8-character password "garbage" (like piping /dev/random into base64, which gives 64^8 = 2^48 combinations) gives more passwords than all possible combinations of 4 simple words according to the xkcd definition (which defines simple words as the 2048 most used nouns). In the meantime, I've also shown why a *good* 8-character password is quite sufficient, actually. Just try not to replace those 8 characters with p-a-s-s-w-o-r-d.
The only thing entropy is used for is to reduce combinations to their base-2 logarithm, so you can say you have 60 bits of entropy instead of saying that your system allows for 1000000000000000000 unique combinations.
Re: Robust passwords !
Neolander wrote: (And websites which still use 8-char passwords (which sadly includes my bank's one) be damned!)
But your bank will lock your account when a false password is entered three times in a row. So even if you only use numbers, there is only a 0.000003% chance that they guess your password before the account gets locked.
50₰
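The arithmetic in Combuster's post above (word concatenation versus leetspeak substitution, 4 xkcd words versus 8 random base64 characters) and MasterLee's three-tries-before-lockout figure are easy to get wrong by hand. The following Python is an added example, not code from the thread; it carries out those calculations with the thread's own numbers and shows how the "/dev/random piped into base64" password would be generated with the standard library's CSPRNG. The 100,000-word dictionary size and the four-word sample list used in the demo are constructed figures, not measured counts.

```python
import base64
import math
import secrets

# Figures quoted in the thread: xkcd 936 counts 2048 "common words",
# and base64 output draws from a 64-character alphabet.
XKCD_WORDS = 2048
BASE64_ALPHABET = 64


def bits(combinations: int) -> float:
    """Entropy in bits is just log2 of the number of equally likely passwords."""
    return math.log2(combinations)


def substituted_word_space(num_words: int, word_len: int) -> int:
    """One dictionary word, each letter optionally leetspeak-substituted:
    num_words * 2**word_len (the approximation used in the thread)."""
    return num_words * 2 ** word_len


def concatenated_words_space(num_words: int, count: int) -> int:
    """`count` words drawn independently from a list of num_words."""
    return num_words ** count


def random_chars_space(alphabet_size: int, length: int) -> int:
    """`length` characters drawn uniformly from an alphabet."""
    return alphabet_size ** length


def min_len_where_substitution_wins(num_words: int) -> int:
    """Smallest word length L at which num_words * 2**L exceeds num_words**2,
    i.e. 2**L > num_words. For shorter words, concatenating two words is better."""
    return num_words.bit_length()


def online_guess_probability(attempts: int, space: int) -> float:
    """Chance that a uniformly chosen password is hit within `attempts`
    online tries, e.g. three guesses before the bank locks the account."""
    return attempts / space


def random_base64_password(length: int = 8) -> str:
    """'/dev/random piped into base64' using the stdlib CSPRNG. Six random
    bytes encode to exactly eight base64 characters with no padding, so an
    8-character result is uniform over all 64**8 strings."""
    nbytes = math.ceil(length * 6 / 8)
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")[:length]


def random_passphrase(wordlist, count: int = 4) -> str:
    """Pick `count` words uniformly (with replacement) from a wordlist."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    print("4 xkcd words:", bits(concatenated_words_space(XKCD_WORDS, 4)), "bits")
    print("8 base64 chars:", bits(random_chars_space(BASE64_ALPHABET, 8)), "bits")
    big_dict = 100_000  # constructed size for a general dictionary, not a real count
    print("2 dictionary words:", bits(concatenated_words_space(big_dict, 2)), "bits")
    print("one 16-char word + leetspeak:", bits(substituted_word_space(big_dict, 16)), "bits")
    print("substitution only wins from word length", min_len_where_substitution_wins(big_dict))
    print("3 tries vs 8 digits: %.6f%%" % (100 * online_guess_probability(3, 10 ** 8)))
    print("random base64:", random_base64_password())
    # Constructed four-word list, only to show the call; a real list is much larger.
    print("passphrase:", random_passphrase(["correct", "horse", "battery", "staple"]))
```

Two things worth noting from running it: with xkcd's 2048-word list, four words give 44 bits and eight base64 characters give 48, exactly as Combuster says; and the "two words beat one substituted word" rule only holds while the word is shorter than log2 of the dictionary size, which is why the comparison depends on how big a dictionary the attacker is willing to use.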
Re: Robust passwords !
MasterLee wrote: But your bank will lock your account when a false password is entered three times in a row. So even if you only use numbers, there is only a 0.000003% chance that they guess your password before the account gets locked.
Actually, I don't think that's the case. At least there was no warning about such in the provided documentation, and when you type a wrong password it shows nothing like "N tries remaining". Not ready to experiment and see if my account actually gets locked while I'm abroad, though.
Re: Robust passwords
Combuster wrote: That said, 8-character password "garbage" (like piping /dev/random into base64, which gives 64^8 = 2^48 combinations) gives more passwords than all possible combinations of 4 simple words according to the xkcd definition (which defines simple words as the 2048 most used nouns). In the meantime, I've also shown why a *good* 8-character password is quite sufficient, actually. Just try not to replace those 8 characters with p-a-s-s-w-o-r-d.
Sure, but can you easily remember 8 3-digit decimal numbers (or 2-digit hex numbers) and type non-printable ASCII characters on your keyboard?
I thought the author's point was that substitutions were generally only adding 10 digits (and sometimes 26 caps) to the character set, and commonly followed some highly predictable schemes.
- Combuster
Re: Robust passwords
Neolander wrote: can you easily remember 8 3-digit decimal numbers (or 2-digit hex numbers) and type non-printable ASCII characters on your keyboard?
I mentioned base64 for a reason.
But yes, all my passwords (except for the very old or generated by others) are randomized, and except for the few I use less than once a year I can remember them by heart. But then again, I often type in phone numbers because it's faster than looking the name up in my cellphone's dictionary. It's probably one of those cases where your mileage may vary.
Re: Robust passwords
One hint I was given quite some time ago regarding "how to come up with secure passwords":
- Think up a (lengthy) sentence, which might be nonsense but should be easy to remember. Should contain some numbers and punctuation.
- Take the initial letters of the sentence, the numbers, and the punctuation.
- If you feel paranoid, screw it up a bit.
- Voilà, "secure" and easy-to-remember password.
"The # key on my 2007 keyboard is stuck since 2009."
"T#kom27kbiss29"
Every good solution is obvious once you've found it.