On Wed, 11 Jan 2012 18:09:40 -0500
"Mike Edenfield" <kut...@kutulu.org> wrote:

> > I agree. Longer pass{words,phrases} only increases the difficulty
> > of the problem, but not significantly so.  
> 
> After I read the aforementioned xkcd comic, my main question was how
> he defined the various bits of entropy for each "thing" done to a
> password. That seemed to be a crucial determining factor in why the
> "common words" password appeared so much harder than the "goofy
> gibberish" one. Some seemed more obvious to me than others.
> 
> I'm also curious, using the latest modern password-cracking
> techniques, if his assessment really is accurate. As in, which of the
> following two passwords would take longer to crack:
> 
> #purpl3.R$!n#
> 
> dovesymbolcarprince

Interesting questions. Randall doesn't provide answers though. I
suppose he knows his audience and assumes we'll understand the gist of
what he's getting at and not demand full proof from him - it's his
comic, not his PhD thesis :-)

I noticed something about your first sample password, and it reveals a
lot; I hinted at it in my reply to Dale. Look at the pattern one must
type to enter that password (assuming a qwerty keyboard):

A symbol, a partial word, then 7 nonsense symbols. The pattern of those
symbols is highly significant - composed entirely of keystrokes in the
upper left area and lower right area of the keyboard with a few Shifts
thrown in for good measure. Almost as if you dropped both hands on the
keyboard and wiggled your fingers without moving the entire hand much.

How much entropy? A truck load less than you think!

And how often do you think people will do that (or something similar)
when creating passwords? How easy will it be for a dev with a clue to
write cracker software that takes such biases into account?

The second example looks better - four words that have no obvious
connection with each other and will not usually be found together.
Hence not much in the way of predictable pattern that I can see.

Personally, I advocate using smart password generators like apg. The
password truly is a random distribution of junk, but one that can be
pronounced (a key factor in remembering it). It's not too hard to
expand that to also use whole words, then you'd get a passphrase
without your own inherent bias in it. Just be careful that you don't
end up with a password containing the *developer's* own inherent
bias :-)


-- 
Alan McKinnon
alan.mckin...@gmail.com
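The two questions raised above (how many bits each "thing done to a
password" is worth, and how much the keyboard-region bias costs) can be
put into numbers. The script below is an added example, not code from
this thread or from apg; it assumes a US QWERTY layout, the standard
touch-typing split between left and right hand, a 20,000-word
dictionary, about 32 common password templates and at most two letters
trimmed from a word fragment. All of those are illustrative assumptions
and are marked as such in the code.

```python
"""Rough entropy accounting for the two sample passwords in the thread.

Constructed example: the keyboard layout, hand split, dictionary size and
template count below are assumptions made for illustration, not data from
the thread or from any real password cracker.
"""
import math
import string


# ---- naive estimate: every position uniform over the character classes used
def charset_bits(pw: str) -> float:
    """The 'strength meter' number: len * log2(size of the classes present)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(pw) * math.log2(size)


# ---- keyboard-region model (assumed US QWERTY, standard touch-typing split)
ROWS = [  # (unshifted, shifted) characters of the four main rows
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
LEFT_COLS = [6, 5, 5, 5]  # per row, columns 0..n-1 are typed by the left hand

KEY_POS = {}  # character -> (row, column, shifted)
for row, (plain, shifted) in enumerate(ROWS):
    for col, ch in enumerate(plain):
        KEY_POS[ch] = (row, col, False)
    for col, ch in enumerate(shifted):
        KEY_POS[ch] = (row, col, True)


def region(ch: str) -> str:
    """Quadrant the key is typed from: UL, UR, LL or LR (space is not mapped)."""
    row, col, _ = KEY_POS[ch]
    return ("U" if row < 2 else "L") + ("L" if col < LEFT_COLS[row] else "R")


# distinct printable symbols per quadrant; Shift doubles every key
REGION_SIZE: dict = {}
for ch in KEY_POS:
    REGION_SIZE[region(ch)] = REGION_SIZE.get(region(ch), 0) + 1


def regions_used(pw: str) -> list:
    """Sorted list of quadrants the password's keystrokes fall into."""
    return sorted({region(ch) for ch in pw})


def region_model_bits(pw: str) -> float:
    """log2(guesses) for an attacker who first guesses which quadrants the
    hands stayed in (one of 15 non-empty subsets of four), then enumerates
    every string of that length over just the keys in those quadrants."""
    alphabet = sum(REGION_SIZE[q] for q in regions_used(pw))
    return math.log2(15) + len(pw) * math.log2(alphabet)


# ---- word-based models
def passphrase_bits(n_words: int, dict_size: int = 20_000) -> float:
    """n words chosen independently from a dictionary of dict_size entries."""
    return n_words * math.log2(dict_size)


def word_prefix_bits(fragment: str, dict_size: int = 20_000,
                     max_trim: int = 2) -> float:
    """A fragment recognised as a dictionary word with 0..max_trim letters cut:
    choose the word, then the number of trailing letters dropped."""
    assert fragment.isalpha()
    return math.log2(dict_size) + math.log2(max_trim + 1)


def structured_bits(symbol: str, fragment: str, junk: str,
                    dict_size: int = 20_000, n_templates: int = 32) -> float:
    """Cost of the structure the thread sees in '#purpl3.R$!n#':
    <symbol><word fragment><junk typed from a couple of keyboard regions>.
    The attacker picks the template (assumed one of n_templates), the leading
    symbol (32 punctuation marks), the word, then the region-biased junk."""
    assert symbol in string.punctuation
    return (math.log2(n_templates) + math.log2(len(string.punctuation))
            + word_prefix_bits(fragment, dict_size) + region_model_bits(junk))


if __name__ == "__main__":
    first, second = "#purpl3.R$!n#", "dovesymbolcarprince"
    print(f"{first}: naive {charset_bits(first):.1f} bits, structured "
          f"{structured_bits('#', 'purpl', '3.R$!n#'):.1f} bits "
          f"(junk typed from quadrants {regions_used('3.R$!n#')})")
    print(f"{second}: naive {charset_bits(second):.1f} bits, "
          f"4 words from a 20k dictionary {passphrase_bits(4):.1f} bits")
```

Under these assumptions the first password drops from about 85 naive bits to
about 68 once the attacker guesses the template and the two quadrants, and
the tail "3.R$!n#" alone costs about 42 bits instead of 46; the nineteen
lowercase letters of the second password score 89 bits on a strength meter
but only about 57 as four dictionary words. The absolute numbers move with
every assumption; the point that survives is that the naive estimate counts
choices the user never actually made.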

