# [clug] [OT] all text passwords == secure?

Ivan Lazar Miljenovic ivan.miljenovic at gmail.com
Sat Aug 25 23:12:13 MDT 2012

```
On 26 August 2012 13:06, Conrad Canterford <conrad at watersprite.com.au> wrote:
> On Sun, 2012-08-26 at 12:19 +1000, Scott Ferguson wrote:
>> On 26/08/12 11:46, James Ring wrote:
>> > Obligatory xkcd link: http://xkcd.com/936/
>> Um, you realise that's a joke right? ;-p   [*1]
>> [*1] don't take my word for it, but the maths in the comic strip are out
>> by a large factor in the real world.
>> Hint: the real math for the strip example is 52 x number of *alpha*
>
> Err - no it's not. For a pure, brute-force, no-dictionary attack, you are
> testing every possible combination. My probability theory is very rusty
> (that happens after 25 years) and there's probably someone on the list
> who can correct me, but surely the number of possible combinations with
> 2 characters would be 52 x 52. For 8 characters (a standard password
> length), that would be 52x52x52x52x52x52x52x52, or 53,459,728,531,456
> possible combinations.
>
> Increasing the range to include numerals and punctuation improves
> things, making it approximately 72 possible combinations per character
> position depending on how many punctuation characters are valid. This
> gives 722,204,136,308,736 possible combinations for 8 characters
> (19,408,409,961,765,342,806,016 for 12 characters).
>
> What I think the XKCD strip is suggesting (and I've seen this proposed
> before) is that it is better to increase the password length at the
> sacrifice of diversity per character position. 25 alpha characters in
> the form proposed in the strip are easier for the human to remember than
> an 8 - 12 alpha+numerals+punctuation password, and provides
> 7,944,811,378,381,907,919,170,379,739,856,654,861,074,432 possible
> combinations - a much much harder exercise for brute force cracking.
>
> Not sure how that works when you add dictionaries into the equation,
> however, and maybe that makes the XKCD form easier to crack.
>
> Hope I've got the math right.

I think part of what XKCD was proposing was that if the common
password form is l33t-like character substitutions in words, then
using an alternate form would decrease the odds of your password being
cracked because it isn't as expected.

My approach to passwords lies more to English phonetic forms of
foreign words/phrases and _then_ performing the character
substitutions.  I've also heard things like taking a line from a song
and taking the first character of every word, etc. (relatively easy to
remember, but dictionary attacks won't work on it).

--
Ivan Lazar Miljenovic
Ivan.Miljenovic at gmail.com
http://IvanMiljenovic.wordpress.com
```
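The brute-force figures quoted in the thread, next to the word-level (dictionary) model that the quoted message leaves open, as an added example that is not part of the original post. The 2048-word list (11 bits per word, the figure xkcd 936 uses) and the guess rate are assumptions; both models assume every character or word is chosen uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_keyspace(alphabet_size, length):
    """Candidates for a pure character brute force: alphabet_size ** length."""
    return alphabet_size ** length

def wordlist_keyspace(wordlist_size, word_count):
    """Candidates when the attacker guesses whole words from a known list."""
    return wordlist_size ** word_count

def bits(keyspace):
    """Search space expressed in bits (uniform random choice assumed)."""
    return math.log2(keyspace)

def effective_keyspace(words, wordlist_size, alphabet_size=52):
    """An attacker picks the cheaper model, so strength is the smaller space."""
    letters = sum(len(w) for w in words)
    return min(charset_keyspace(alphabet_size, letters),
               wordlist_keyspace(wordlist_size, len(words)))

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    WORDLIST_SIZE = 2048   # assumption: 11 bits per word, as in xkcd 936
    RATE = 1e9             # assumption: offline guesses per second
    phrase = ["correct", "horse", "battery", "staple"]  # 25 letters in total
    rows = [
        ("8 chars, 52 symbols", charset_keyspace(52, 8)),
        ("8 chars, 72 symbols", charset_keyspace(72, 8)),
        ("12 chars, 72 symbols", charset_keyspace(72, 12)),
        ("25 letters, char brute force", charset_keyspace(52, 25)),
        ("4 words, dictionary model", wordlist_keyspace(WORDLIST_SIZE, 4)),
        ("4 words, effective", effective_keyspace(phrase, WORDLIST_SIZE)),
    ]
    for label, space in rows:
        print(f"{label:30} {bits(space):6.1f} bits "
              f"{years_to_exhaust(space, RATE):10.3g} years")
```

Under the word-level model the four-word phrase is worth 44 bits, not the roughly 142 bits that the 25-letter brute-force count suggests, which puts it just below 8 random mixed-case letters (about 45.6 bits).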