[clug] [OT] all text passwords == secure?

Scott Ferguson scott.ferguson.clug at gmail.com
Sat Aug 25 23:13:07 MDT 2012

On 26/08/12 13:06, Conrad Canterford wrote:
> On Sun, 2012-08-26 at 12:19 +1000, Scott Ferguson wrote:
>> On 26/08/12 11:46, James Ring wrote:
>>> Obligatory xkcd link: http://xkcd.com/936/
>> Um, you realise that's a joke right? ;-p   [*1]
>> [*1] don't take my word for it, but the maths in the comic strip are out
>> by a large factor in the real world.
>> Hint: the real math for the strip example is 52 x number of *alpha*
>> characters in the password
> Err - no its not. For a pure, brute-force no dictionary, attack, you are
> testing every possible combination. 

No *I* am not. I'm far too lazy to try a "pure" (all 218 character)
brute force attack - and I've never tried an incremental against more
than 12 characters, not many applications I deal with will allow a
password that long, and unfortunately most people don't use long passwords.
Like Copernicus I doubt I'm the center of the universe, so others most
likely use the same approach. :-)
And that's the problem.


1. try upper and lower case alpha only (up to 12 characters)

2. try *a* dictionary word (including obvious leet substitutions) with 1
or 2 numbers as an appendage. (eg. wordnn)

3. rinse and repeat this time using two word dictionary attack, also
with 1 or 2 numbers afterwards.

3. (for the percentage of uncracked passwords) bruteforce using all 218

The vast majority of passwords will yield to that attack. Sadly.

What is good about the XKCD strip is that the author is promoting the
use of a formula. It's lack of a formula that screws most people and
causes them to use poor passwords, and to use them for more than one
application. It's also why people use a single (weak point) email
account for recovering all their passwords.

> My probability theory is very rusty
> (that happens after 25 years) and there's probably someone on the list
> who can correct me, but surely the number of possible combinations with
> 2 characters would be 52 x 52. For 8 characters (a standard password
> length), that would be 52x52x52x52x52x52x52x52, or 53,459,728,531,456
> possible combinations. 

The mistake is to think all attacks are brute force attempts using all
218 possible characters. It - as the maths shows, is a poor investment -
so we go after the most *likely* patterns first, when those approaches
are exhausted (and mostly they will succeed) bruteforce against all
possibilities is tried. But even then the entropy calculations don't
apply because humans are predictable. eg. we 'know' the most common
answers to the question "pick a number between 1 and 10" - entropy math
doesn't allow for human bias or the stage magician would be out of work ;-p
So a blind bruteforce attack is the very last attempt. Probability math
is a poor method of risk management.

You'd be surprised how many public servants use a six of seven letter
word followed by 2 numbers. The word never changes, but they increment
the numbers when forced by the system to create new passwords.

> Increasing the range to include numerals and punctuation improves
> things, making it approximately 72 possible combinations per character
> position depending on how many punctuation characters are valid. This
> gives 722,204,136,308,736 possible combinations for 8 characters,
> 19,408,409,961,765,342,806,016 for 12 characters).
> What I think the XKCD strip is suggesting (and I've seen this proposed
> before) is that it is better to increase the password length at the
> sacrifice of diversity per character position. 25 alpha characters in
> the form proposed in the strip are easier for the human to remember than
> an 8 - 12 alpla+numerals+punctuation password, and provides
> 7,944,811,378,381,907,919,170,379,739,856,654,861,074,432 possible
> combinations - a much much harder exercise for brute force cracking.

Increased password length is a good approach - I'm not arguing against
it! :-)

Not using 'words' at all is a *better* approach.
Brute force, dictionary attacks, lucky guesses are not the only way
people gain passwords - there's also shoulder surfing, which is where
using words is especially bad as the surfer can guess unseen characters,
and increasingly hardware sniffers. All the sniffers I've seen (they
look like a USB/PS2 adaptor) don't sniff the Home, End, or Arrow
keys.... neither do some of the malware programs I've seen ;-p

A 'good' approach that defeats all those attacks I've described, and
helps people work around the reasons they adopt poor password policy is:-
Think of a word that you can associate with the password use.
Make at least one of the characters upper-case
1. Type the word into the password prompt. The cursor is now at the end
of the word.
Now think of a multi-digit number.
Use the home key to send the cursor to the start of the word.
Use the right-arrow key to move the cursor 'into' the word, maybe one or
more characters in.
2. Type one of the numbers in the multi-digit number.
Use the arrow key again and insert another of the numbers
Rinse and repeat until all the digits in the number are used.
Throw in a non-numerical, non-alpha number.

1. Test
2. Te1st
3. Te1s3t
4. Te1s3t!

It takes a little getting used to but it enables you to remember
passwords without actually remembering the password, and helps defeat
that bad practice of using one password for everything. It can also be
written down - all you need to remember is the word, the number, !, and
where you insert the components of the number.

NOTE: apparently about 40% of people write their PIN number down
somewhere. About 80% write the PIN backwards...

> Not sure how that works when you add dictionaries into the equation,
> however, and maybe that makes the XKCD form easier to crack. 
> Hope I've got the math right.

I think so.

> Conrad.

Note the comment by the author in the strip ;-p
"To anyone who understands information theory and security and is in an
infuriating argument with someone who does not (possibly involving mixed
case), I sincerely apologize."

I'll stick with my idea that the original article in the Canberra Times
was stupid. Add in just one non-alpha character "into" the words and
entropy math does apply - it's human habits that allow the shortcuts.

e.g. the 550 years at 1000 attempts per second would be necessitated if
the password was corr+cthorsebatterystaple (80-bit entrophy) instead of

Medusa, sucrack and other will make many more than 1000 attempts per
second - and some tools can achieve up to >20000000000 attempts per second

Kind regards

More information about the linux mailing list