So, everyone is talking about this:

And I have a problem with what everyone is saying: that XKCD "gets it".

As much as I appreciate the humor in this comic, simply changing a password to 3-5 random words doesn't make it any harder for a computer to brute-force; it probably makes it easier. Let's think about this.

When you want to brute-force a password, you have at most 26 letters (times 2 for case), 10 digits, and a smattering of other symbols (say about 20), for a total of 82 possible characters, raised to the power of the password's length.

Now, let's look at the "solution": Oxford Dictionaries estimates around 250,000 words in the English language. I'd say most people wouldn't know most of those words, but we'll work with that number for now.

Possible normal passwords of length 8 (82^8): 2,044,140,858,654,976
Possible word passwords of length 3 (250,000^3): 15,625,000,000,000,000

While I'd hazard that looks impressive, I can't say I know 250,000 words to use in my password, and I'm willing to bet that number is a lot lower for the general populace.

I'm going to predict the future here and say most password crackers will start using the already available dictionary lists, brute-forcing passwords by concatenating words, just as we already brute-force letters, numbers and special characters.

One needs to combine the two: use multiple words, substitute letters and symbols where available, and keep the length: "Gue$$MyP@ssw0rd"

Frank Breedijk (@seccubus) made a much better and well-formed reply to this article. Check it out, please!


#1 Dave Radcliffe, 2011-08-18 05:28
I think that you misunderstood. His point was that people don't really choose random passwords. They pick an uncommon word and then change it in predictable ways to produce a random-looking password. This results in passwords like Tr0ub4dor&3 that are difficult to remember, but easy for a computer to guess.

He explains that it would be much better to pick a random passphrase consisting of four common words. If a dictionary of 2000 common words is used, then this will produce 2000^4 different passwords, which is 44 bits of entropy -- more than enough to defeat most brute-force attacks.

You could obtain an equivalent level of security by picking seven random characters, assuming that they were truly random and not just random-looking. But most people find such passwords to be difficult to remember.
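The keyspace and entropy figures used in the post (82 characters to the 8th, 250,000 words to the 3rd) and in the comment (2000 words to the 4th, about 44 bits, matched by seven random characters) can be checked with the small calculator below. It is an added example, not code from the post or its author; the alphabet and dictionary sizes are the ones the page states, and the 5,000-word vocabulary is an assumed figure illustrating the post's point that the attacker's list only has to cover words people actually use.

```python
import math

# Figures taken from the post and the comment above.
ALPHABET_SIZE = 82      # 26 letters x 2 cases + 10 digits + ~20 symbols
OXFORD_WORDS = 250_000  # dictionary size assumed in the post
COMMON_WORDS = 2_000    # dictionary size assumed in the comment


def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords when each of `length` positions is chosen
    uniformly from `symbols` options (single characters or whole words)."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of that keyspace, assuming uniform random choice.
    A guesser needs on average half the keyspace, i.e. 2**(bits-1) tries."""
    return length * math.log2(symbols)


def equivalent_length(symbols: int, target_bits: float) -> int:
    """Fewest positions drawn from `symbols` options that reach target_bits."""
    return math.ceil(target_bits / math.log2(symbols))


def compare_schemes() -> dict:
    """Keyspace and entropy for the three schemes discussed on this page."""
    schemes = {
        "8 chars, 82-symbol alphabet": (ALPHABET_SIZE, 8),
        "3 words, 250k dictionary":    (OXFORD_WORDS, 3),
        "4 words, 2000 dictionary":    (COMMON_WORDS, 4),
    }
    return {name: (keyspace(s, n), round(entropy_bits(s, n), 1))
            for name, (s, n) in schemes.items()}


if __name__ == "__main__":
    for name, (size, bits) in compare_schemes().items():
        print(f"{name:30} {size:>22,}  {bits:5.1f} bits")
    # The post's caveat: a cracker's word list only needs to cover the words
    # people actually use. A smaller effective vocabulary costs
    # log2(ratio) bits per word; 5,000 words is an assumed figure.
    print(f"3 words from 5,000: {entropy_bits(5_000, 3):.1f} bits")
    bits_4_words = entropy_bits(COMMON_WORDS, 4)
    print(f"chars needed to match {bits_4_words:.1f} bits:",
          equivalent_length(ALPHABET_SIZE, bits_4_words))
```

Note that every figure assumes the words or characters are chosen uniformly at random; a passphrase built from favourite words or a character password derived from a word has far less entropy than the keyspace suggests.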
