xkcd #936, Aug. 10, 2011

Is it true that it would be much better (in terms of minimizing automated guessability) to have a password like “correcthorsebatterystaple” than “Tr0ub4dor@3”? Even if the 1337-speak altered word weren’t a standard English word?

I found it hard to believe. On the other hand, I’m definitely somebody who doesn’t know information theory.

Why is it so hard to believe that a 25-character password is much better than an 11-character password?

What trips me up is the longer one being made of common English words, all lower case, with no numbers or symbols. I guess that doesn’t matter?

If length is all there is to it, why aren’t we encouraged to use nothing but long chains of words, rather than mixes of upper and lower case letters, numbers, and symbols?

Is that really the question here? For me, the real myth is that supposedly something like the example in the comic (Tr0ub4dor) is easier to remember, but it’s not. I have one of those (that I can’t easily change) for a work email system, and half the time I type it in wrong.

A lot of systems (sadly) still only support 8 characters (or at least minimal characters). I’ve found very few that support 25+ character passwords. Why this is is beyond me. That may account for the mixed case/non-alpha requirements in place now.

It does matter. If it were 25 characters of haxor stuff, it would be much stronger than the 44 bits of entropy.

I don’t know about you but people have been pushing the idea of pass phrases instead of passwords for years and years.

You can figure it out with simple math.

Tr0ub4dor@3 contains 11 characters. Each character can contain a-z, A-Z, 0-9, and 31 punctuation characters accessible from the keyboard, for a total of 26+26+10+31 = 93 possible characters. So 93[sup]11[/sup], or 93×93×93×93×93×93×93×93×93×93×93 = 4.5x10[sup]21[/sup].

correcthorsebatterystaple has 25 characters. Each character can be a-z for 26 possible characters. 26[sup]25[/sup] = 2.37x10[sup]35[/sup], fourteen orders of magnitude greater than Tr0ub4dor@3.

We’re always told “don’t use dictionary words, EVAR.” So why are you surprised that people are confused about this?

Me, I keep a password app to store all my passwords - but I have to remember to enter them there in the first place. :smack: Let me have 25+ character passwords and I’ll be all over passphrases.

It’ll depend on the password-guessing process and on the method by which the words (in either case) are chosen.

Both passwords have less entropy than that. You’re starting from the set of words in a dictionary, and a dictionary word only has as many bits as the log of the number of words in the dictionary.

And I’ve always had that belief myself. And not just for statistical security, either. The more context to the language the easier it is to remember. That’s the nature of human cognition. For example, a password for The Straight Dope could be something extremely easy to remember, like: “whyareyouwastingyourtimewiththatwebsite” (or, as my girlfriend repeatedly says, “porquegastastantoenesavaina”), and I’d just like to see that be cracked with automated guessing.

Your math is too simple. For a phrase, a given letter is not independent of the letters surrounding it, as in your analysis. You are vastly overestimating the protection afforded by a pass phrase. Assuming a pool of 2048 words that can repeat, there are only 1.75x10[sup]13[/sup] choices.

From a character level, let’s say there is a-z, A-Z, 0-9 and (shifted) 0-9. That’s… 72 characters.

But the dictionary has a lot more than 72 words. Usually tens of thousands.

So in the example, even though there are only 4 words, isn’t it still harder to brute force? Replace one of the dictionary words with something non-dictionary and I’d think it’d be quite solid.

“correcthorsebatterystaple” is better against a brute force attack – however, it is much less secure against a dictionary attack. We generally talk about suggesting good conventions, and in general you want conventions that are going to be the most secure. If you put it about that concatenating a small number of common words is good security, and people start doing it en masse, that would be trivially easy to exploit.

Anyway, good security locks out an account for a set interval after a relatively small number of wrong guesses, so either method is practically the same.

I like to suggest reduced pass phrases, which are relatively secure and easy to remember.

Include proper nouns, numbers, and punctuation in your seed phrase.
Reduce the phrase to initial letters, keeping the proper nouns capitalized, and using numerals for numbers.

EG:

Snow White and the seven dwarves live together in sin! --> SWat7dltis!

George Lucas should never have made those last three Star Wars movies, eh? --> GLsnhmtl3SWm,e?

My first child, Stella Mae, is two years old. --> mfc,SM,i2yo.

They are easy to remember, and although they look awkward at a glance, after you hunt-and-peck them the first half-dozen times, they become easy to type in quickly. And ain’t no-one gonna guess them.
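The reduction rules in the post above, written out as a small Python function so they can be checked against the three worked examples. This is an added example, not code from the post; the post does not say how a capital at the start of the phrase is treated (“Snow” keeps its S, “My” becomes m), so this version lowercases the first word unless the caller lists it in `proper_nouns`, and the `NUMERALS` table and the `TOKEN` pattern are this example’s own choices.

```python
import re

# Cardinal number words the reduction turns into numerals. The post's examples use
# "seven" -> 7, "three" -> 3, "two" -> 2; an ordinal such as "first" stays a letter
# ("My first child" -> "mfc"), so only cardinals are listed here (example's assumption).
NUMERALS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
            "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
            "ten": "10"}

# A token is either a run of letters (a word) or a run of non-letter, non-space
# characters (punctuation, or a number already written as digits).
TOKEN = re.compile(r"[A-Za-z]+|[^A-Za-z\s]+")


def reduce_phrase(phrase, proper_nouns=frozenset()):
    """Collapse a seed phrase to its reduced form.

    Rules (the first two are the post's; the third is this example's assumption,
    because the post does not say how a sentence-initial capital is treated):
      * a word becomes its initial letter; a cardinal number word becomes its numeral;
      * punctuation and digits are kept verbatim, in place;
      * a word keeps the case it was written in, except the first word of the
        phrase, which is lowercased unless it is listed in proper_nouns.
    """
    out = []
    first_word = True
    for tok in TOKEN.findall(phrase):
        if not tok[0].isalpha():            # punctuation, or a number written as digits
            out.append(tok)
            continue
        if tok.lower() in NUMERALS:
            out.append(NUMERALS[tok.lower()])
        elif first_word and tok not in proper_nouns:
            out.append(tok[0].lower())
        else:
            out.append(tok[0])              # keeps the capital of a proper noun
        first_word = False
    return "".join(out)


if __name__ == "__main__":
    # The three seed phrases from the post above.
    examples = [
        ("Snow White and the seven dwarves live together in sin!", {"Snow"}),
        ("George Lucas should never have made those last three Star Wars movies, eh?", {"George"}),
        ("My first child, Stella Mae, is two years old.", frozenset()),
    ]
    for phrase, proper in examples:
        print(f"{phrase!r} -> {reduce_phrase(phrase, proper)}")
```

Running it prints `SWat7dltis!`, `GLsnhmtl3SWm,e?` and `mfc,SM,i2yo.`, matching the post. Note that the reduction only has to be consistent, not reversible: the seed phrase is what you remember, the reduced string is what you type, and the function is just a way to make sure you apply the same rules every time.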

The common words dictionary on my computer has 98,000 words. So for a string of four words: 98,000^4=9.2E19. So two orders of magnitude less of a search space than 10 random characters.

I think the XKCD guy is wrong in this case.

Many password entry programs that I encounter have limitations that severely reduce security, and they are forced to rely upon being able to stop or slow down a password guesser before many tries.

Even my bank allows only 8 chars max, and doesn’t allow any special characters or spaces, so “purple monkey dishwasher” is out. The maxim about not using dictionary words is probably valid when you have only 8 chars.

I think we’re with the same bank - either that or more than one huge financial institution has stupid password rules. They’re the ones I loathe the most in this respect.

Ironically, they’re one of the few passwords that I put an extra password protection on in my password-listing app. That particular password has a dozen characters including special characters in it, so it is far more secure than the password it’s protecting. :frowning:

Some of you seem to be overlooking that the comic is saying the computer guessing system is intelligent enough to realize that $ is often substituted for S, 0 for O, 4 or @ for A, etc.

Okay, so.

A brute force attack is foiled by a longer password.

A dictionary attack is foiled by random characters.

So couldn’t something like hitchhikersguide2thegalaxy cut through both?
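The thread’s disagreement comes down to which attacker you count against: the naive brute-force model in the 93[sup]11[/sup] / 26[sup]25[/sup] post, or the dictionary model of the “dictionary attack”, “98,000 words” and “$ for S, 0 for O” posts. The Python below, added here as an example rather than taken from any post, runs both models over the passwords mentioned in the thread, including the closing question’s hitchhikersguide2thegalaxy. It is a toy cracker’s view: it undoes common substitutions, peels off a trailing symbol/digit suffix, and tries to split what is left into dictionary words. The word list is a constructed stub, the 98,000-word dictionary size and the 31-symbol count are taken from the posts above, and the one-bit-per-substitutable-letter and 41-character-suffix costs are this example’s modelling assumptions, not figures from the comic or the thread.

```python
import math
import re

# Constructed stub word list. A real cracker loads tens of thousands of words; the
# entropy estimate below uses DICT_SIZE_ASSUMED for that, not len(WORDS).
WORDS = {"correct", "horse", "battery", "staple", "troubador", "hitchhikers",
         "guide", "to", "the", "galaxy", "purple", "monkey", "dishwasher"}
DICT_SIZE_ASSUMED = 98_000          # from the "98,000 words" post above

# Substitutions the guesser knows how to undo (the comic's point, per the post above).
# One reverse mapping per character keeps the demo small; a real tool tries several.
UNLEET = {"0": "o", "4": "a", "@": "a", "3": "e", "$": "s", "1": "i", "7": "t", "2": "to"}
LEETABLE = {v for v in UNLEET.values() if len(v) == 1}   # letters that have a leet form
SUFFIX_ALPHABET = 10 + 31           # digits plus the 31 keyboard symbols counted above


def segment(text, words=WORDS):
    """Split a lowercase letter string into dictionary words (dynamic programming).
    Returns the word list, or None if no complete split exists."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def alphabet_size(password):
    """Character classes present, sized as in the 26+26+10+31 post above."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 31 if any(not c.isalnum() and not c.isspace() for c in password) else 0
    return size


def attacker_view(password, dict_size=DICT_SIZE_ASSUMED):
    """Bits of work under a brute-force model and under a dictionary+mangling model.
    Returns None when the dictionary model cannot explain the password at all."""
    lowered = password.replace(" ", "").lower()
    # Attempt 1: the whole string is mangled words. Attempt 2: peel off a trailing run
    # of non-letters, the usual "word + symbol + digit" shape.
    m = re.match(r"^(.*?)([^a-z]*)$", lowered)
    for core, suffix in ((lowered, ""), (m.group(1), m.group(2))):
        plain = "".join(UNLEET.get(ch, ch) for ch in core)
        words = segment(plain)
        if words is not None:
            break
    else:
        return None

    bits = len(words) * math.log2(dict_size)
    # Modelling assumption: the cracker's first pass is the plain word list, so leet
    # variants cost nothing unless the password actually used one; when it did, the
    # cracker must try both forms of every substitutable letter (1 bit each).
    if any(ch in UNLEET for ch in core):
        bits += sum(1 for ch in plain if ch in LEETABLE)
    bits += 1 if password[0].isupper() else 0           # capitalised first letter, yes/no
    bits += len(suffix) * math.log2(SUFFIX_ALPHABET)    # each trailing symbol/digit
    brute = len(lowered) * math.log2(alphabet_size(password))
    return {"words": words, "suffix": suffix,
            "dictionary_bits": round(bits, 1), "bruteforce_bits": round(brute, 1)}


if __name__ == "__main__":
    for pw in ("Tr0ub4dor@3", "correcthorsebatterystaple",
               "hitchhikersguide2thegalaxy", "purple monkey dishwasher", "x7$Qp!2v"):
        print(pw, "->", attacker_view(pw))
```

Under the brute-force model the passphrase wins by a mile (117.5 bits against 71.9). Under the dictionary model Tr0ub4dor@3 collapses to about 32 bits because it is one word plus a handful of predictable decorations, while four words from a 98,000-word list still cost the attacker about 66 bits; hitchhikersguide2thegalaxy is explained by the same model as five words plus one substitution, so it does not escape the dictionary attacker, it just gives him more words to search. A password the model cannot segment (the last one) is where brute force is the only option, which is the trade-off the “dictionary attack is foiled by random characters” post describes.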