
xkcd - password truth

nudone:
This password epiphany seems to be popping up in several news articles recently. Here's xkcd's take on it.



http://xkcd.com/936/

Renegade:
YAY~!

+1 for pass-phrases~! ;D

tryandguessthismuther******! :D

Deozaan:
I like pass-phrases.  :)

worstje:
Problem with pass-phrases is that people will take way too obvious stuff. (The comic is clearly the exception!) For example, you can expect mouser to use 'I like silly acronyms.' or in kyrathaba's case 'nany 2012 hangman YEAH'. :D Or JoTo... 'Thank God It's Friday'. 8)

This is only going to work if people use unpredictable things. For one, you can expect half the xkcd readers to use 'correct horse battery staple' from now on. Or 'import antigravity'. Or other meme-ish catchphrases.

Finally, it pays off to think that mere bits of entropy are not the defining characteristic when discussing password safety and the likelihood that it may be guessed. For example, suppose a user is English. That brings it to 26 letters plus a space character, assuming the random-string-of-words thing and that people are likely to stick to lowercase. Assume that 30 characters is a good compromise for a password one has to type in, so you get 27^30 = 2.4244 * 10^36 different permutations. Sounds good, right?

Now throw in social engineering. Psychology. User idiocy. Someone looking over someone's shoulder and spotting 30 little password characters being typed, or that only lowercase letters are typed. Maybe you think out loud while you're typing! (I wouldn't, but such idiots exist...) Long story kept short: once you are able to glean just a little bit of information about the format of a password, the effective entropy in the eyes of an attacker is reduced significantly. Requiring a user to put in one or two odd characters may seem difficult, but it prevents predictability and also prevents a brute-force attack that uses dictionary contents as its source from speeding things up. (Think about it: there are far more strings of letters that aren't words than there are actual words.) Likewise, asking for my mother's maiden name isn't a given to gain access to my email anymore; you at least have to figure out what blend of leetspeak I throw at it. (And password recovery schemes with such fixed questions, or equally constrained answers, are an equally horrid disaster, but in this case I was implying my email password might be m4rgret.) Or maybe her year of birth. Etc.

While it may be a wet dream to expect the full 8 bits/byte (=256 'characters') to be usable in a password, reducing it as many password systems do to merely (26*2 letters + 10 numbers + underscore + space) = 64 is a security disaster. Every extra bit of entropy doubles the problem space, and in the case of words and letters you can sooner think in factors of 26 or higher! Even worse, programs/websites half the time demand more than 5 and less than 12 characters. Why not allow 30 characters? All those requirements are little more than a gift for your enemies.

Anyhow, so much for that rant. My point is coming up... Pass-phrases are nice. Digits and weird characters are nice. But separately, they are weak in the eyes of modern bruteforcing and even social engineering. One is slightly stronger than the other in different aspects, but neither is ideal. But combining them is damn orgasmic for your security. The xkcd examples would skyrocket in complexity, just try the math for yourself. :)
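The entropy arithmetic in the post above (a 27-symbol alphabet over 30 characters, versus what is left once an attacker knows the string is really a handful of dictionary words, versus words combined with digits and symbols) can be carried through in a few lines. The script below is an added example, not code from the thread or from xkcd; the 2048-word and 7776-word list sizes, the 95-symbol printable-ASCII alphabet and the 1000 guesses/second rate are assumed parameters chosen for illustration, and the attacker model is simply "the cheapest structure the attacker can justify assuming wins".

```python
import math

# Constructed parameters. Only the 27-symbol / 30-character case is taken from the
# post; the rest are assumptions picked to make the comparison concrete.
LOWER_PLUS_SPACE = 27       # a-z plus space, as in the post
PRINTABLE_ASCII = 95        # space through '~'
SMALL_WORDLIST = 2048       # assumed 2^11-word list, i.e. 11 bits per word
DICEWARE_WORDLIST = 7776    # assumed 6^5-word Diceware-style list
SYMBOL_SET = 32             # assumed count of printable punctuation characters


def keyspace(alphabet_size: int, length: int) -> int:
    """Exact number of distinct strings of `length` symbols over `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def combined_bits(words: int, wordlist: int, digits: int = 0,
                  symbols: int = 0, symbol_set: int = SYMBOL_SET) -> float:
    """Entropy of `words` random dictionary words plus `digits` random decimal
    digits plus `symbols` random punctuation characters, all chosen uniformly."""
    return (words * math.log2(wordlist)
            + digits * math.log2(10)
            + symbols * math.log2(symbol_set))


def attacker_view(candidates: list[tuple[str, float]]) -> tuple[str, float]:
    """Each (label, bits) pair is a structure the attacker may assume about the
    password. Every fact that leaks (lowercase only, it's four words, ...) adds a
    cheaper candidate; the effective strength is the cheapest one that holds."""
    return min(candidates, key=lambda c: c[1])


def guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret when half the space must be searched."""
    return 2 ** (bits - 1) / guesses_per_second


def report() -> list[tuple[str, float]]:
    """Entropy for each model of a 30-character lowercase passphrase, from the
    attacker's strongest assumption down to the weakest."""
    rows = [
        ("30 uniform printable-ASCII chars", entropy_bits(PRINTABLE_ASCII, 30)),
        ("30 uniform lowercase+space chars", entropy_bits(LOWER_PLUS_SPACE, 30)),
        ("4 random Diceware words", entropy_bits(DICEWARE_WORDLIST, 4)),
        ("4 random words from a 2048-word list", entropy_bits(SMALL_WORDLIST, 4)),
        ("4 words + 2 digits + 1 symbol", combined_bits(4, SMALL_WORDLIST, 2, 1)),
    ]
    return rows


if __name__ == "__main__":
    for label, bits in report():
        years = guess_time_seconds(bits, 1000) / (365.25 * 24 * 3600)
        print(f"{label:40s} {bits:7.1f} bits  ~{years:.3g} years at 1000 guesses/s")
    # What survives once shoulder-surfing reveals "lowercase only" and the
    # attacker further assumes "it is four common words":
    print(attacker_view([
        ("uniform lowercase+space", entropy_bits(LOWER_PLUS_SPACE, 30)),
        ("four words, 2048-word list", entropy_bits(SMALL_WORDLIST, 4)),
    ]))
```

The point the numbers make is the one in the post: 27^30 looks like about 143 bits, but a string that is really four common words is worth 44 bits to anyone who assumes that structure, and the assumption costs the attacker nothing to try first. Appending a couple of uniformly chosen digits and a symbol adds roughly 12 bits, which is why the combination is stronger than either ingredient alone.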

Renegade:
12-character limits on passwords are just idiotic. I will never understand how/why some admins come to the conclusion that they should have such small limits like that. If someone wants to have a 123-character password, all the more power to them. At the moment, I think 500 is a good limit. You need to store it, and you're pretty much going to use an nvarchar field anyway, so 500 seems good. I don't know if it could impact performance, but I somehow doubt it. People store ntext fields and blobs... 500 is nothing.

Steve Gibson has some strong password stuff, but really, it's insanely large and impossible to remember. I take it that anything over 8 random characters begins to approach insanity (the higher it goes) for casual use. 64 random characters (last I checked)... Yikes... You can only use that with something like KeePass or ALPass.
