On Wed, 11 Jan 2012 18:09:40 -0500 "Mike Edenfield" <kut...@kutulu.org> wrote:
> > I agree. Longer pass{words,phrases} only increases the difficulty
> > of the problem, but not significantly so.
>
> After I read the aforementioned xkcd comic, my main question was how
> he defined the various bits of entropy for each "thing" done to a
> password. That seemed to be a crucial determining factor in why the
> "common words" password appeared so much harder than the "goofy
> gibberish" one. Some seemed more obvious to me than others.
>
> I'm also curious, using the latest modern password-cracking
> techniques, if his assessment really is accurate. As in, which of the
> following two passwords would take longer to crack:
>
> #purpl3.R$!n#
>
> dovesymbolcarprince

Interesting questions. Randall doesn't provide answers though. I suppose he knows his audience and assumes we'll understand the gist of what he's getting at and not demand full proof from him - it's his comic, not his PhD thesis :-)

I noticed something about your first sample password, and it reveals a lot; I hinted at it in my reply to Dale. Look at the pattern one must type to enter that password (assuming a qwerty keyboard): a symbol, a partial word, then 7 nonsense symbols. The pattern of those symbols is highly significant - composed entirely of keystrokes in the upper left area and lower right area of the keyboard with a few Shifts thrown in for good measure. Almost as if you dropped both hands on the keyboard and wiggled your fingers without moving the entire hand much. How much entropy? A truck load less than you think! And how often do you think people will do that (or something similar) when creating passwords? How easy will it be for a dev with a clue to write cracker software that takes such biases into account?

The second example looks better - four words that have no obvious connection with each other and will not usually be found together. Hence not much in the way of predictable pattern that I can see.

Personally, I advocate using smart password generators like apg. The password truly is a random distribution of junk, but one that can be pronounced (a key factor in remembering it). It's not too hard to expand that to also use whole words, then you'd get a passphrase without your own inherent bias in it. Just be careful that you don't end up with a password containing the *developer's* own inherent bias :-)

--
Alan McKinnon
alan.mckin...@gmail.com
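An added example, not from the thread or from apg, illustrating the point the reply makes: a password's entropy comes from the process that generated it, not from how random the result looks. The naive "character classes times length" estimate is compared with the entropy of a uniform draw from the generator's own choice space; the syllable inventory and the short word list are constructed stand-ins.

```python
import math
import secrets

# Constructed syllable inventory for an apg-style pronounceable generator
# (hypothetical, not apg's real algorithm): each syllable is consonant + vowel.
CONSONANTS = "bdfgklmnprstvz"   # 14 choices
VOWELS = "aeiou"                # 5 choices
# Constructed stand-in for a real word list; a real one holds thousands of words.
WORDS = ["dove", "symbol", "car", "prince", "apple", "river", "stone", "cloud"]


def charset_bits(password: str) -> float:
    """Naive meter estimate: length * log2(size of the character classes present).
    It only counts what the string looks like, so patterned or pronounceable
    passwords get credit for randomness that was never there."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def generator_bits(choices_per_pick: int, picks: int) -> float:
    """Entropy of a password built from `picks` independent, uniform draws,
    each out of `choices_per_pick` options: log2(choices) bits per draw."""
    return picks * math.log2(choices_per_pick)


def pronounceable(syllables: int) -> str:
    """Random but pronounceable junk; entropy is generator_bits(14 * 5, syllables)."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def passphrase(n_words: int, words=WORDS) -> str:
    """Random whole-word passphrase; entropy is generator_bits(len(words), n_words).
    secrets.choice is uniform, so no word is favoured (no developer bias)."""
    return "".join(secrets.choice(words) for _ in range(n_words))


def overstatement(password: str, choices_per_pick: int, picks: int) -> float:
    """How many bits the naive meter credits beyond what the generator supplied."""
    return charset_bits(password) - generator_bits(choices_per_pick, picks)
```

With a 2048-word list, four words give exactly 44 bits regardless of the 89 bits a class-counting meter would report for the 19-letter result.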