# [clug] [OT] all text passwords == secure?

Sat Aug 25 21:06:50 MDT 2012

```On Sun, 2012-08-26 at 12:19 +1000, Scott Ferguson wrote:
> On 26/08/12 11:46, James Ring wrote:
> > Obligatory xkcd link: http://xkcd.com/936/
> Um, you realise that's a joke right? ;-p   [*1]
> [*1] don't take my word for it, but the maths in the comic strip are out
> by a large factor in the real world.
> Hint: the real math for the strip example is 52 x number of *alpha*

Err - no its not. For a pure, brute-force no dictionary, attack, you are
testing every possible combination. My probability theory is very rusty
(that happens after 25 years) and there's probably someone on the list
who can correct me, but surely the number of possible combinations with
2 characters would be 52 x 52. For 8 characters (a standard password
length), that would be 52x52x52x52x52x52x52x52, or 53,459,728,531,456
possible combinations.

Increasing the range to include numerals and punctuation improves
things, making it approximately 72 possible combinations per character
position depending on how many punctuation characters are valid. This
gives 722,204,136,308,736 possible combinations for 8 characters,
19,408,409,961,765,342,806,016 for 12 characters).

What I think the XKCD strip is suggesting (and I've seen this proposed
before) is that it is better to increase the password length at the
sacrifice of diversity per character position. 25 alpha characters in
the form proposed in the strip are easier for the human to remember than
an 8 - 12 alpla+numerals+punctuation password, and provides
7,944,811,378,381,907,919,170,379,739,856,654,861,074,432 possible
combinations - a much much harder exercise for brute force cracking.

Not sure how that works when you add dictionaries into the equation,
however, and maybe that makes the XKCD form easier to crack.

Hope I've got the math right.