It seems that might still be useful if you’re worried about spies - such as, for example, a student monitoring his professor’s email, hoping he emails himself a copy of the next quiz. In that case, the intruder isn’t going to change the password: that would give away that he’s listening in.
I have two tiers of passwords. I have a standard reasonably strong 9-character password and a standard long passphrase for sites where I consider hacking annoying but not necessarily damaging. I use it across sites, but if my “Message Board A” account got hacked I’m not too bothered if that means they also get into “Food Diary Tool B”.
For more important sites I use as long a passphrase as possible, where it is three words long (uncommon words, such as something like Boeinggobsmackedshiitake); then for each site I create a fourth part of the phrase using a non-obvious formula that uses the website’s domain name (or application name) as an input. Then I put that new word (which is essentially random letters but not something I actually have to memorize) in either the 2nd, 3rd, or 4th spot in the sequence. So my SDMB password might end up being BoeinggobsmackedORSOPODshiitake, but all I have to memorize is “3” for 3rd spot.
And if somehow I forget that, the relatively few possibilities means I can get it in few enough attempts that I don’t get locked out.
Obviously if such a password is acquired from two different sites anybody comparing will see the commonality and significantly reduce the guesses necessary for a third site, but if that happens I figure I have bigger problems.
Beyond that, any other obvious issues I might be missing?
The point is that this is not easy to remember.
I barely glanced at the comic yesterday, and today I still remember the passphrase (though upon looking, I got the word order wrong–no matter, I could brute-force that problem in minutes). The only thing I remember about the h4x0r password is that it wasn’t based on the word trombone.
The passphrase is better. And if you’re thinking about using a longer word list, don’t: just use 6 words from the short list if you really need more entropy. Does anyone really think they can spell every word in that list of 98,000?
I think that goes back to the early days of computers which used 4 bytes for a word size. You end up with a lot of things that are multiples of 4. As someone mentioned above, 8 characters are the maximum length for a password on some systems.
A lot of things are still implemented as fixed length fields within a fixed length record. I can still remember when records were designed to fit on an eighty character or 96 character punch card.
Even today, a lot of fields have arbitrary limits so you can get the fields to fit on a printed report.
Can I use Shoehorn Butterhorse?
Yes, the xkcd comic is correct; the leet-speak password is easier to crack than the one composed of English words. The comic already explains why, but for further details, check out Diceware and How Big is Your Haystack?. The former site presents an easy to use but very good method for generating passphrases from random combinations of English words; it includes extensive information (including a FAQ) on why this method works better than a seemingly random password. The latter site allows you to actually enter a password or passphrase in an input box and it will print out some statistics on how long it would take to crack with a brute-force algorithm. (It’s all done in JavaScript so whatever you type in is not being transmitted over the Internet.) Yes, dictionary-based attacks can cut down the search space, but for long passphrases the savings is not significant; see the Diceware page for details.
Here is the output of the Haystack page for the password and passphrase given in the xkcd article:
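To make the Diceware point concrete, here is a small Python script I added for this thread (it is not the Diceware site’s code, nor anything a poster wrote). It picks words with a CSPRNG the way a Diceware roll does, and computes the entropy for the list sizes people keep mentioning: 2,048 words (the comic), 7,776 words (a standard five-dice Diceware list), and the 98,000-word list from the post above. The word list itself is a constructed toy list; every other number is an assumption stated in the comments.

```python
import math
import secrets

# Constructed toy word list (assumption: stands in for a real Diceware list,
# which has exactly 6**5 = 7776 entries so that five dice select one word).
TOY_WORDS = ["correct", "horse", "battery", "staple", "boeing", "gobsmacked",
             "shiitake", "shoehorn", "butterhorse", "trombone", "kick", "punch"]


def roll_index(num_dice, faces=6):
    """Simulate num_dice fair dice with secrets.randbelow and read the rolls
    as a base-`faces` number, which is how a Diceware roll maps to a line in
    the list. The result is uniform on [0, faces**num_dice)."""
    index = 0
    for _ in range(num_dice):
        index = index * faces + secrets.randbelow(faces)
    return index


def generate_passphrase(words, count):
    """Pick `count` words uniformly and independently from `words`.

    secrets.choice is a CSPRNG-backed uniform pick; it stands in for the
    dice when the list size is not a power of six (like the toy list)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size, count):
    """Entropy when the attacker knows the list and the word count:
    each word contributes log2(list_size) bits, independent of spelling."""
    return count * math.log2(list_size)


def forgotten_order_guesses(count):
    """If you remember the words but not their order, recovering the
    passphrase takes at most count! tries (4 words -> 24 tries)."""
    return math.factorial(count)


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(TOY_WORDS, 4))
    print("five-dice index:", roll_index(5))
    for size, n in [(2048, 4), (7776, 4), (7776, 6), (98000, 4)]:
        print(f"{n} words from a {size:>6}-word list: "
              f"{passphrase_bits(size, n):5.1f} bits")
```

The last loop is the check behind “just use 6 words from the short list”: six words from 7,776 give about 77.5 bits, more than four words from a 98,000-word list (about 66.3 bits), and you only have to be able to spell 7,776 words.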
Your calculation for method 2 assumes that the cracker knows what method of password creation you are using. As demonstrated by this thread, there are a multitude of methods to create good and reasonably recallable passwords. If we all used the same method, the ability to crack passwords would become trivial, but if we all choose a different one of all good methods, the brute force search by character may be the most efficient.
Personally, I like to use two+ words with a symbol between, and optional symbols on either end, and capitalization of whole words or the first letters:
>>KICK&PUNCH<<
HulkH8radioactiveGOO
PIGS/wWINGS!
This topic was brought up at Ask Metafilter as well, and in it xkcd explains his reasoning.
Surely you could just lock out the IP address? I mean, obviously the computer can switch IP addresses by whatever means, but it’s not like they can get unlimited or instantaneous switches. Or am I missing something obvious?
Are you kidding? I’ll bet there are a lot of eight string passwords out there like this:
12345678
or
abcdefgh
Really, there is no underestimating human stupidity. Those Nigerian princes are still finding fish out there I’m sure. Porn sites are still getting customers by using every fricking keyword imaginable and then doing that little trick with the hash mark that kindasorta disables the “Back” button.
I really, really hate letter substitution passwords, because they are so hard to remember. In practise, this degrades security, as people often have to resort to writing them down. Pass phrases are a much better solution in the real world.
h4x0r transpositions are trivial to crack – it’s just a dictionary attack that tries each word both straight and with the standard h4x0r transpositions. Nonexistent made-up words are a bit better (assuming you don’t forget how to spell them).
Something along the lines of the technique in Larry Mudd’s post (first letters of a phrase, retaining capitalizations* and punctuation and converting number words to numerics) is a lot stronger and fits in a limited-length password space.
*My usual system is to treat all nouns as capitalized, a la German usage, which avoids the need to select a phrase that includes an already-capitalized word.
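As an added illustration of the first-letters technique described in this post (my own code, not Larry Mudd’s or this poster’s method), here is a Python function that turns a phrase into a password the way the post describes: first letter of each word, existing capitalization and punctuation kept, number words converted to digits. It keeps whatever capitalization the phrase already has rather than applying the “capitalize all nouns” rule, and the number-word table (zero to ten) is an assumption of mine.

```python
import re

# Assumption: only the number words zero..ten are converted; extend as needed.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "ten": "10",
}

# A word is a run of letters, optionally with an internal apostrophe (don't);
# anything else that is not whitespace is a single punctuation token.
TOKEN_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?|[^\sA-Za-z]")


def phrase_to_password(phrase):
    """Reduce a memorable phrase to a short password.

    - words contribute their first letter, case preserved
    - number words become digits
    - punctuation is kept as-is
    """
    out = []
    for token in TOKEN_RE.findall(phrase):
        if token[0].isalpha():
            key = token.lower()
            out.append(NUMBER_WORDS.get(key, token[0]))
        else:
            out.append(token)
    return "".join(out)


if __name__ == "__main__":
    for phrase in ["The Hulk ate three Donuts, then slept!",
                   "I don't want two Cats in my Kitchen."]:
        print(f"{phrase!r} -> {phrase_to_password(phrase)}")
```

Note that the strength of the result depends entirely on the phrase being your own: a first-letters password built from a famous quotation or song lyric is just another dictionary entry for a cracker.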
Possibly of interest here, or at least amusement: an xkcd password generator, inspired by the recent strip.
Quoth Jragon:
Not true. The cracker doesn’t need to try every possible password; it only needs to keep trying until it succeeds. And since many people do restrict themselves to lower-case letters, even if they don’t need to, any well-designed password cracker will try those first (or at least, before the more complicated ones; it probably tries the standard lists like “password”, the username, the name of the site, etc. first).
It’s sort of like how Feynman was able to speed up his brute-force safe-cracking techniques, on average, by arranging his method so he tried numbers which could be dates first.
I’m not sure if it is clear to everyone, but the math in the comic assumes that the password convention is known. The hacker knows (a) is a word followed by two numbers/punctuation marks with some minor variations and that (b) is four common words all lowercase, without variations.
But if you use a string of dictionary words, then aren’t we really looking at each dictionary word as a character? So if your dictionary is (say) 2000 words long, and you use four dictionary words, then your complexity is really only 2000^4.
It appears you misread the comic strip. It states that the “troubador” example is HARDER to remember.
Exactly, but 2000^4 is roughly 2^44 (16T vs. 17.5T). In the comic he doesn’t calculate the exact number of combinations, he ‘estimates’ them by determining how much storage space they require and then calculating the number of combinations from that.
I don’t think I have the terms exactly right, but it is the idea behind his math.
In II Gyan II’s link, the author describes how he estimates the number of bits of entropy for each component. I think he is using this to estimate non-linear distributions of combinations.
Yes, and 2000^4 is a big number (16 trillion) (or 17.59 trillion since the dictionary used is 2,048 words).
Four words selected out of 2,048 is 2^11 * 2^11 * 2^11 * 2^11 = 2^44 = 2,048^4 = 17.59 trillion.
In the other pattern he shows (the complex one) he has the uncommon word coming from a list of 65,536 words (2^16), another 2^1 options from initial capitalization, 2^3 from character substitutions, 2^4 from possible punctuation at the end, 2^3 from a number at the end and 2^1 from what order the punctuation and number are in.
Which is 2^16 * 2^1 * 2^3 * 2^4 * 2^3 * 2^1 = 2^28 = “only” 268 million.
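The component-by-component arithmetic in the last few posts is easy to get wrong by hand, so here is an added Python script (mine, not the comic’s or any poster’s) that encodes each scheme as a table of per-component choice counts and derives the search space and bits from it. It also answers the earlier question about what happens when the cracker does not know the convention: a plain brute force over 25 lowercase letters sees about 117.5 bits, not 44. The component counts are the ones quoted above; the 25-character and 11-character lengths are those of the two example passwords in the comic.

```python
import math

# Per-component choice counts for the two schemes, as quoted in this thread
# (the comic's component-by-component entropy estimate).
COMMON_WORDS_PASSPHRASE = {
    "word 1 (from a 2,048-word list)": 2 ** 11,
    "word 2": 2 ** 11,
    "word 3": 2 ** 11,
    "word 4": 2 ** 11,
}

LEET_WORD_PASSWORD = {
    "uncommon base word (65,536-word list)": 2 ** 16,
    "initial capitalization": 2 ** 1,
    "common character substitutions": 2 ** 3,
    "punctuation at the end": 2 ** 4,
    "number at the end": 2 ** 3,
    "order of punctuation and number": 2 ** 1,
}


def search_space(components):
    """Total candidates a cracker who knows the scheme must consider."""
    total = 1
    for choices in components.values():
        total *= choices
    return total


def entropy_bits(components):
    """log2 of the search space, which is the sum of per-component bits."""
    return sum(math.log2(choices) for choices in components.values())


def naive_bits(length, alphabet_size):
    """What a brute-force cracker that does NOT know the scheme faces:
    every position independently drawn from the full alphabet."""
    return length * math.log2(alphabet_size)


def report(name, components):
    print(f"{name}:")
    for label, choices in components.items():
        print(f"  {label:<40} 2^{math.log2(choices):<4.1f}")
    print(f"  {'total':<40} 2^{entropy_bits(components):.1f} "
          f"= {search_space(components):,} candidates")


if __name__ == "__main__":
    report("four common words", COMMON_WORDS_PASSPHRASE)
    report("uncommon word with substitutions", LEET_WORD_PASSWORD)
    # Assumption: 25 lowercase letters (correcthorsebatterystaple) and an
    # 11-character mixed password (Tr0ub4dor&3), as in the comic.
    print(f"naive brute force, 25 lowercase letters: {naive_bits(25, 26):.1f} bits")
    print(f"naive brute force, 11 chars from 95 printable: "
          f"{naive_bits(11, 95):.1f} bits")
```

The point the table makes visible is that the leet-speak scheme spends its bits on the one large component (the 65,536-word base word); the substitutions, capitalization and trailing symbol add only 12 bits between them, which is why a cracker that models those rules gets the search down to 2^28.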
I don’t think he’s claiming that the strip is saying that, but that it’s what the xkcd strip is really trying to debunk rather than the relative strength of the two passwords.
The strip was saying “It’s okay to use correcthorsebatterystaple, because it’s not only stronger but easier to remember despite being longer.” That’s two myths in one.