xkcd #936, Aug. 10, 2011

I think he’s overestimating how many people use the formula he gives to generate a password, though. If a lot of people use a common word with l337 speak substitutions and a random two-character punctuation-number string on the end, he’s right. But I don’t think that formula, vs. many other variations, is really that dominant.

(Plus he assumes that the first letter is the only one that may or may not be capitalized, that only three letters in any word will be substitutable, and that for each such letter there’s only one possible substitution.)

Let’s follow the math in the comic. There are two methods of generating passwords presented. Let’s calculate how many possible passwords we can generate with the two methods.

Method 1

  1. Choose an uncommon word. In the comic he assumes a space of 65536 words, or 16 bits of entropy.
  2. Choose to capitalize it or not. 2 choices.
  3. Make a leet speak substitution for 3 of the letters. 2 choices for each letter, 8 total choices. You could argue that there are a lot more than 8 choices, but it won’t make much difference in the end.
  4. Add some punctuation at the end. 16 choices.
  5. Add a number at the end. 8 choices.
  6. Choose to flip the number and punctuation. 2 choices.
    65536 × 2 × 8 × 16 × 8 × 2 = 1.3 × 10^8 possible passwords

Method 2

  1. Choose 4 common English words; assume 2048 words to choose from and do not repeat words. 2048 × 2047 × 2046 × 2045 = 1.75 × 10^13 possible pass phrases.

Method 2 has vastly more possible choices. The ease of memorization is more subjective but I think Method 2 is easier to remember.
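The two recipes above, modelled as independent choice counts so the keyspace, bits of entropy and brute-force time at the thousand-guesses-per-second rate mentioned later in the thread can be compared. This is an added example, not code from the original post; the choice counts are the post's own numbers, and the generalization to any dictionary size or word count is an assumption.

```python
import math

# Constructed model of Method 1: each step's number of choices, taken from the post.
METHOD_1_CHOICES = {
    "uncommon word (16 bits)": 65536,
    "capitalize first letter or not": 2,
    "leet substitutions on 3 letters, 2 choices each": 8,
    "trailing punctuation": 16,
    "trailing digit": 8,
    "swap order of punctuation and digit": 2,
}


def recipe_keyspace(choices):
    """Keyspace of a recipe whose steps are independent: product of the choice counts."""
    total = 1
    for count in choices.values():
        total *= count
    return total


def passphrase_keyspace(dictionary_size, word_count, allow_repeats=False):
    """Keyspace of Method 2 (hypothetical generalization of the post's 4-of-2048 case).

    Without repeats the count is a falling factorial, as in the post's 2048*2047*2046*2045;
    with repeats it is simply dictionary_size ** word_count.
    """
    if allow_repeats:
        return dictionary_size ** word_count
    total = 1
    for i in range(word_count):
        total *= dictionary_size - i
    return total


def entropy_bits(keyspace):
    """Entropy in bits of a uniformly chosen password from the given keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Time for an online attacker to try every password at the given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for name, space in [("Method 1", recipe_keyspace(METHOD_1_CHOICES)),
                        ("Method 2", passphrase_keyspace(2048, 4))]:
        days = seconds_to_exhaust(space, 1000) / 86400
        print(f"{name}: {space:.2e} passwords, {entropy_bits(space):.1f} bits, "
              f"{days:.1f} days at 1000 guesses/s")
```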

This is very similar to what I tell people about how to create a very secure password.
My suggestion is to take the lyrics to a song you know by heart, use the first two or three lines, and reduce them to letters:
Oh say can you see
By the dawn’s early light
becomes OscysBtdel,
and you can leave a piece of paper in plain sight with the password hint “Key” or “Oh say”.

I guess I’m not convinced that people’s random-characters-and-letters type passwords follow formulas that are that predictable.

But in any case, do most computer servers really let users try to log on a thousand times a second? That seems a much easier security hole to fix than making everyone either type in a long four-word password or a random string of alphanumerics. Just lock a user out for an hour if they have 30 failed login attempts.

THIS. Those of you who are talking about things like “10 random characters” are missing xkcd’s point. Something like “Tr0ub4dor@3” is not just 10 random characters. It is a word, with some relatively standard modifications, which could be “easily” guessed by brute-force methods that check all common modifications to all dictionary words.

I agree people’s choices are much, much easier to predict. 65000 words? Please, it is much, much less.

A big commercial site has to be a little more creative than that. If I am a mad hacker with my legion of zombie computers at my bidding, I could bring down Bank of America’s online banking by trying to brute force a large number of accounts from my thousands of computers, trying to log into millions of different accounts with all the passwords. The big websites are under attack like this all the time.

Simplicio, I am being too snarky. BOTH passwords in the comic are very good passwords, the pass phrase is better but both are better than most people use. The question is which is easier for the end user to remember.

I talked with a university IT guy about that awhile ago. He said that as soon as you implemented that, disgruntled students would keep their professors permanently locked out of their accounts with a simple script. They allow infinite login attempts, but require profs to switch passwords all the time.

Quoth Simplicio:

Which is 66 bits of entropy, considerably better than the comic says (Munroe is apparently considering the set of “common words” to only have about 2000 members).

A very popular tactic, which accomplishes nothing at all for security. If an attacker breaks in, he’s going to change the password immediately, not wait until 90 days later. Meanwhile, you’re guaranteeing the presence of post-it notes stuck to monitors which a student could glance at during office hours.

So you use h4x0r transpositions on made-up words that are not in common dictionaries, or even the Wikipedia index. Easy to remember, hard to crack. Problem solved.

A big question is who is the bigger security risk: the mad hacker with his 10,000 zombie computers at his bidding, or the 150 students the professor has that semester that come in for office hours. It is not obvious to me who is the worse threat. But a pass phrase instead of an 8 to 12 character password is better against both.

I inadvertently did the phrase thing with my password.

I worked for an online company that required changing passwords every two weeks; the only upside was that we were allowed to repeat passwords. The first was randomly generated, and for some reason was really easy for me to remember, so I switched back and forth with a variant of that for so long that I started using it, and variations of it, for most of my personal passwords.
The original passwords were all 3 letters followed by 5 numbers.

A couple of years go by and I meet Mr. Tao, called Defiant for simplification purposes. After about another year, I realized that the three letters of my password equated to Tao Loves Defiant. Cute! Kept using the password; even easier to remember now! Time passes and we marry.

About a month ago I realized that the 5 digits of my password are our wedding date. :eek::eek::stuck_out_tongue: Psychic random password generator, indeed.

A somewhat related question: why has 8 characters been decided on as the standard minimum length?

Back when people were still debating overlays vs splits for new area codes, I recall claims that human memory worked best at seven items.

I have no idea if this is true or not, though I have noticed that my preferred method of creating completely random letter/number/symbol combinations and memorizing them through repetition seems to work best at 7 characters.

Probably because we’re conditioned to think that we’re protecting ourselves against hacking by a lone malicious human with a keyboard, rather than by someone determined enough to deploy a computer.

Another issue is that the password guessing difficulty is actually affected by requirements. A (sufficiently random) password that is purely alphanumeric is more or less as safe as a password with symbols in an environment that allows symbols in passwords. Similarly, allowing capitals actually increases security even for those who don’t use capitals.

In other words, given an identical environment (let’s say alphabetic characters, capital or lower case), these expressions are relatively equally secure:
aqrzttghy
BnQrTTUvP
GHBVVJUIO

because in that environment you have to test for capitals, since they’re allowed. So a password environment that allows a larger range is inherently more secure than an environment that doesn’t allow a large variance; it can even slow down dictionary attacks, since in more complex environments they’re required to take into account k00l l3tter substitoosh()nz in addition to the usual “clever” letter swaps.

This article has been making the rounds in July and may have been the inspiration for the comic:

It basically says a longer, simple password is more secure than a shorter, complex password. And since it is easy to remember, you won’t expose it on a post-it.

(I realize others have made this point, but I wanted to include the link and some context.)

Well, I’ve more or less always assumed that if someone was determined, they would be able to hack anything I have password-protected. Just like, if someone really wants to, they could break into my house. I’m mainly hoping to deter the casual break-ins.

It’s even better, although slightly harder to remember, if you change the number so that the sentence is false. So your examples might become something like this:
Snow White and the seventeen dwarves live together in sin! –> SWat17dltis!

George Lucas should never have made those last eighty six Star Wars movies, eh? –> GLsnhmtl86SWm,e?

My first child, Stella Mae, is nine hundred twenty three years old. –> mfc,SM,i923yo.

In this day and age you really need the password app. You need to have different passwords for everything, or at least everything that is likely to be attacked. Your email, banking, credit card and Facebook passwords should all be different. Your things that don’t matter much or are not as popular can have the same passwords. It is not that big a deal if GoComics is hacked and my list of comics that are emailed every day is screwed up. But if they get my password and email address from GoComics and start logging into Gmail or the big banks with my GoComics username and password, it would be very bad if they gained access to those accounts. The mad hackers this summer got that sort of information from Sony. I am sure that a lot of Sony customers had to spend time sorting out banking and credit card charges based on the reuse of login names and passwords.

correcthorsebatterystaple is not in my dictionary. Not that I don’t see your point. But the requirement is that your password not be a dictionary word, not that it is made up of dictionary words. It is a subtle distinction that is easily lost in the rule of thumb advice people have to remember about a large number of things that they do in life.