[clug] [OT] all text passwords == secure?

Kim Holburn kim.holburn at gmail.com
Sun Aug 26 02:20:00 MDT 2012


xkcd has a degree in physics and many if not most of his cartoons have a basis in maths or science.

Here the password strength cartoon is explained:
http://www.explainxkcd.com/2011/08/10/password-strength/

Here is a short article on password entropy:
http://www.archonmagnus.com/articles/security/passwordEntropy.php

Some more background reading:
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength
https://www.grc.com/haystack.htm
http://www.baekdal.com/insights/password-security-usability

The critical thing to take from this is that password length gives you more entropy much quicker than increasing the size of the character sets.

I was signing on to a website recently and they suggested that a password should be 5 words.  The problem is that if there is a relationship between the words - i.e. a phrase - then you need a longer password; a phrase lowers the information entropy.

If you want some up-to-date reading this is from this weekend:

http://arstechnica.com/security/2012/08/passwords-under-assault/

> Why passwords have never been weaker—and crackers have never been stronger
> 
> Thanks to real-world data, the keys to your digital kingdom are under assault.

> The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.


On 2012/Aug/26, at 3:12 PM, Ivan Lazar Miljenovic wrote:

> On 26 August 2012 13:06, Conrad Canterford <conrad at watersprite.com.au> wrote:
>> On Sun, 2012-08-26 at 12:19 +1000, Scott Ferguson wrote:
>>> On 26/08/12 11:46, James Ring wrote:
>>>> Obligatory xkcd link: http://xkcd.com/936/
>>> Um, you realise that's a joke right? ;-p   [*1]
>>> [*1] don't take my word for it, but the maths in the comic strip are out
>>> by a large factor in the real world.
>>> Hint: the real math for the strip example is 52 x number of *alpha*
>>> characters in the password
>> 
>> Err - no it's not. For a pure, brute-force no dictionary, attack, you are
>> testing every possible combination. My probability theory is very rusty
>> (that happens after 25 years) and there's probably someone on the list
>> who can correct me, but surely the number of possible combinations with
>> 2 characters would be 52 x 52. For 8 characters (a standard password
>> length), that would be 52x52x52x52x52x52x52x52, or 53,459,728,531,456
>> possible combinations.
>> 
>> Increasing the range to include numerals and punctuation improves
>> things, making it approximately 72 possible combinations per character
>> position depending on how many punctuation characters are valid. This
>> gives 722,204,136,308,736 possible combinations for 8 characters
>> (19,408,409,961,765,342,806,016 for 12 characters).
>> 
>> What I think the XKCD strip is suggesting (and I've seen this proposed
>> before) is that it is better to increase the password length at the
>> sacrifice of diversity per character position. 25 alpha characters in
>> the form proposed in the strip are easier for the human to remember than
>> an 8 - 12 alpha+numerals+punctuation password, and provides
>> 7,944,811,378,381,907,919,170,379,739,856,654,861,074,432 possible
>> combinations - a much much harder exercise for brute force cracking.
>> 
>> Not sure how that works when you add dictionaries into the equation,
>> however, and maybe that makes the XKCD form easier to crack.
>> 
>> Hope I've got the math right.
> 
> I think part of what XKCD was proposing was that if the common
> password form is l33t-like character substitutions in words, then
> using an alternate form would decrease the odds of your password being
> cracked because it isn't as expected.
> 
> My approach to passwords lies more to English phonetic forms of
> foreign words/phrases and _then_ performing the character
> substitutions.  I've also heard things like taking a line from a song
> and taking the first character of every word, etc. (relatively easy to
> remember, but dictionary attacks won't work on it).
> 
>> 
>> Conrad.
>> 
>> 
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
> 
> 
> 
> -- 
> Ivan Lazar Miljenovic
> Ivan.Miljenovic at gmail.com
> http://IvanMiljenovic.wordpress.com

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
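The search-space arithmetic the thread works through, as an added example that is not part of the list discussion: it reproduces Conrad's figures, adds the word-list model behind xkcd 936 (a 2048-word list, i.e. 11 bits per word, taken here as an assumption from the comic), and shows why the smallest model that still contains the password, not the raw character count, is what sets its real strength. The 1,000-guesses-per-second rate and the one-million-phrase list are assumed figures for illustration only.

```python
import math

# Figures taken from the thread: 52 = upper- and lower-case letters,
# 72 = Conrad's rough letters+digits+punctuation alphabet.
# 2048 = word-list size behind xkcd 936's "11 bits per word" (assumed here).
ALPHA, ALNUM_PUNCT, WORDLIST = 52, 72, 2048
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, positions: int) -> int:
    """Candidates to try when every position is an independent, uniform
    choice from `symbols` possibilities (pure brute force, no dictionary)."""
    return symbols ** positions


def bits(candidates: int) -> float:
    """Entropy, in bits, of one candidate chosen uniformly from the space."""
    return math.log2(candidates)


def effective_bits(*models: int) -> float:
    """An attacker enumerates the smallest model that still contains the
    password, so the strength is the minimum over all plausible models."""
    return bits(min(models))


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def thread_figures() -> dict:
    """The search spaces Conrad quoted, plus dictionary-style models."""
    return {
        "8 letters": search_space(ALPHA, 8),
        "8 letters+digits+punct": search_space(ALNUM_PUNCT, 8),
        "12 letters+digits+punct": search_space(ALNUM_PUNCT, 12),
        "25 letters, blind brute force": search_space(ALPHA, 25),
        "4 random words from 2048": search_space(WORDLIST, 4),
        # Kim's point: 5 independent words vs. 5 words forming one of an
        # assumed million known phrases; the phrase collapses the space.
        "5 random words from 2048": search_space(WORDLIST, 5),
        "5-word known phrase (assumed 1e6 phrases)": 10 ** 6,
    }


if __name__ == "__main__":
    for label, n in thread_figures().items():
        print(f"{label:45s} {n:>45,d}  {bits(n):6.1f} bits")
    # 25 letters look like 52**25 to a blind brute force, but if they are
    # four dictionary words the attacker's word model is what counts.
    print("25-letter, 4-word passphrase, smaller model wins:",
          f"{effective_bits(search_space(ALPHA, 25), search_space(WORDLIST, 4)):.1f} bits,",
          f"{years_to_exhaust(search_space(WORDLIST, 4), 1000):.0f} years at 1000 guesses/s")
```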




