Question about Passwords - Is XKCD right?

Came across an XKCD cartoon which critiques the guidelines for passwords (“must have a capital, and a number, and a lowercase, etc”).

I don’t know anything about info technology, but I’m curious: is Randall right?

To some extent, at least, yes. You can find self-identified “experts” who contradict one another, but the people who seem to actually be experts agree with at least part of what Randall wrote.

The National Institute of Standards and Technology creates standards of various sorts for the federal government to follow. You may notice that their guidelines for passwords contradict some of the most common practices, just as this comic does.

Interesting. Thanks very much!

And of course, here’s Dilbert’s take on it:

There is something to be said for avoiding dictionary words, as that can decrease the number of attempts fairly dramatically, especially if they know that you are using them.

But replacing a single letter with a number or adding in a punctuation mark will help out immensely.

And safe to say, the actual password featured, “correcthorsebatterystaple” should probably not be used.

Definitely, but I guess the number of XKCD readers who are dumb enough to use it is minimal.

Maybe. Replacing an i/I with a 1 or an e/E with a 3 does bupkiss; the bad guys long ago added those to their attack systems.

The real point behind xkcd’s comment is that simple length adds far more power against brute forcing and against rainbow table attack than does the basic “add symbols & digits and use funky capitalization” technique. And that ultimately, the only long passwords that humans can remember are those composed of meaningful words in a sorta-meaningful (even if nonsense) sentence or jingle. At least so far, AI has shown little skill at generating the same kinds of gibberish almost-sentences that humans do.

I would think that the increase in complexity of not knowing if it’s “horse”, “hors3”, “h0rse”, or “h0rs3” would add at least some levels of difficulty in guessing the password, but I’m certainly no expert, so I don’t know.

When I worked for a utility company, they recommended choosing a phrase you could remember, and then using its initials. The example was “Now is the time for all good men to come to the aid of the party”, which made a password of “Nittfagmtcttaotp”. Problem with that is if you choose a common phrase, that may already be in the hacker’s dictionary, and if you choose a less common phrase, you may forget it.

Also don’t use: person, woman, man, camera, TV.

I think the point is that a computer could easily run through all of these alternatives.

Exactly. As the XKCD comic says, humans and computers have different strengths.

Using a password-strength tester, “horse” gets cracked immediately; “hors3” gets cracked in 1 millisecond. Same for the other examples. On the other hand, “correcthorsebatterystaple” would take 100 quadrillion years, according to this particular tester.

When I look at this the first thing I question is how many “common” 5-6-7 letter words there are. Googling around gives 4000+ (and 10 times that if you include rarer ones few people would likely come up with). But probably not more than 8000. At the low end that’s 2^12 options. Picking 4 of them gives you 2^48 options, So Randall Did the Math.

Supposedly many educated people know 20000+ words but I doubt that it comes anywhere close to that for most people.

While it might seem that picking words really, really cuts down the password search, it is actually a pretty decent method.

There is something to be said for letting people select “simple” passwords. Unless your memory is phenomenal, you’re not going to remember Tr0ub4d&3. So you write it down. And you probably put the piece of paper you wrote it on under your keyboard. Or a post-it stuck to your monitor. You wind up with a password that may be really hard to crack, but trivial for a snoopy co-worker to find and misuse.

It’s really unfortunate that almost every system online these days forbids you from using Randall’s method. Either it can’t accept a password anywhere near that long (very common), and/or it forces you to use nonalphabetic characters, despite your four-random-word password being much tougher to crack than what they recommend.

According to the Explain xkcd page, there’s at least one major system out there that throws an amusing reject message if you attempt to use Randall’s exact correcthorsebatterystaple example as your password.

I had gotten a new computer and was setting it up; a large part of that is importing all my passwords.

I thought to myself, the most convenient thing right here would be to be able to just print out all the passwords, but that would obviously be a massive security flaw.

And then I found where you can print out all your passwords.

Length is more important than the set of characters you choose from. Imagine two passwords, one drawn randomly from the set of all characters you can possibly type on a standard American keyboard, and the other one drawn from nothing but the digits 0-9… but the all-digits one is twice as long. Which one will be more secure? The digits, because there are fewer than 100 characters you can type, which means that any two digits can be translated to a character with some room left over.

Note however, that the key both here and with Munroe’s method is that the selection must be random. A lot of people will say things like “I use the XKCD method, except I make it easier to remember by picking words that make a sentence”. No! There are many fewer strings of words that make a sentence than there are total strings of words, so this makes your password much less secure. Think about typing on a phone with autocomplete, and how many fewer keystrokes you need than the actual number of characters. That number of keystrokes you actually need is a much better measure of true password complexity than just the pure length. If you actually type at random, then autocomplete doesn’t help at all, which means that there’s a lot more complexity there.

That was one of the first things that AI did, and nobody considered it a big deal, because it was so incredibly easy.

A lot of people apparently use ‘to be or not to be that is the question’, and tbontbtitq is one of the hacks which is commonly tried.

I’m not sure I agree. Here is an oversimplified computation I just did. There are 47 keys on my keyboard, meaning 94 possible characters. If you chose 8 of them at random, there are 8^{94}, approximately 8\times 10^{84} possible passwords. Now of course, you are unlikely to choose @b*T~p|[, but you might. If you choose 4 words from the 4000 commonest English words, the number of possible passwords is 4000^4=2.56\times 10^{14}. In calculating exponentials, the exponent is much more important than the base.

Of course this supposes that the password cracker knows to use the commonest 4000 English words (of >4 letters). If it is just trying 20 letter combinations, its task is much harder.
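As an added example (not part of the thread), here is the search-space arithmetic several posts above walk through, in Python: bits for a random character string versus a random word passphrase, the extra bits that letter-for-digit swaps buy, and a dice-style passphrase picker using the OS random source. The 94-character printable set and the 4000-word list are the posts' own figures; the 2048 and 7776 word-list sizes are assumed sizes of common published word lists.

```python
import math
import secrets

# Search-space size in bits: log2(number of equally likely choices).
# A guesser who knows the scheme needs about 2**bits tries to exhaust it.

def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Random string of `length` symbols, each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def bits_passphrase(dictionary_size: int, word_count: int) -> float:
    """`word_count` words drawn uniformly (with replacement) from a list of `dictionary_size`."""
    return word_count * math.log2(dictionary_size)

# Letter-for-digit swaps that wordlist mangling rules routinely enumerate.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def leet_variant_count(word: str, subs: dict = LEET) -> int:
    """Number of spellings reachable by optionally swapping each letter for a substitute.
    Each swappable letter doubles the count, i.e. adds only about one bit."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(subs.get(ch, ""))
    return count

def crack_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the space at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)

def random_passphrase(words: list, count: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG: the software equivalent of dice throws."""
    return sep.join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    schemes = {
        "8 random printable ASCII (94 symbols)": bits_random_chars(94, 8),
        "16 random digits": bits_random_chars(10, 16),
        "4 words from 4000 common words": bits_passphrase(4000, 4),
        "4 words from a 2048-word list (assumed size)": bits_passphrase(2048, 4),
        "6 words from a 7776-word dice list (assumed size)": bits_passphrase(7776, 6),
    }
    for name, b in schemes.items():
        # Constructed guess rate for comparison only: 1e9 offline guesses per second.
        print(f"{name:50s} {b:6.1f} bits  ~{crack_time_years(b, 1e9):.3g} years")
    print("variants of 'horse' via letter swaps:", leet_variant_count("horse"),
          f"(~{math.log2(leet_variant_count('horse')):.0f} bits)")
```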

Huh. Both my Lastpass master password and my various Hotmail account passwords are in the Correct Horse Battery Staple format, more words than that in fact, and there’s no problem with the length. (They are truly random words, painstakingly derived via literal dice throws, then carefully memorized.)

To satisfy any non-alpha requirements, I use the same simple string of characters in every password, enabling me to always remember it everywhere.