On Wed, Aug 10, 2011 at 07:12:07AM -0700, Perry E. Metzger wrote:
> Today's XKCD is on password strength. The advice it gives is pretty
> good in principle...

. . . unless the person trying to crack the password treats the password as a "passphrase" like the user does, and uses combinations of common words rather than strings of random letters to try to crack the password. The problem is that "~44 bits of entropy" here assumes the person trying to crack the password is using the simplest possible means of brute force cracking, and is not clever enough to consider the possibility that there may be patterns of character selection based on terms in the English language. The "correct horse battery staple" example imposes patterns on password generation that do not exist in, say, "gCac2 RY9%sK%/3Q2!P}>p2?'H1q?".

I find it frankly shocking that most of the people in the world trying to come up with a clever trick to get around using strong passwords simply do not think about the fact that when the characters in your password have predictable relationships to one another (e.g., Y9%sK as a pattern appears in no natural language word, but horse certainly does appear, and is a predictable relationship between characters), that cuts into the effective randomness of the string of characters you use. A collection of words does *not* produce as many bits of entropy as people seem to think.

I also find it frankly shocking that it seems like nobody in the world has heard of a password manager.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
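The post contrasts two attacker models for the same string: a character-level brute force that sees "correct horse battery staple" as 28 arbitrary characters, and a word-level search that sees it as four picks from a word list. The following is an added example (editor's code, not from the post or the list) that computes the keyspace under each model and runs a small word-level search against a hashed two-word passphrase. The alphabet sizes (95 printable ASCII, 27 lowercase plus space, a 2048-word list), the SHA-256 hashing and the tiny WORDLIST are assumptions constructed for the demonstration; real systems use salted, slow password hashes and far larger word lists.

```python
import hashlib
import itertools
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


# Assumed attacker models (constants chosen for this example, not taken from the post).
PRINTABLE_ASCII = 95        # naive character-level brute force over printable ASCII
LOWERCASE_AND_SPACE = 27    # character-level search restricted to what the passphrase visibly uses
DICEWARE_LIST = 2048        # word-level search over a 2048-word list


def passphrase_models(words):
    """Keyspace size in bits for a space-separated passphrase under three attacker models."""
    text = " ".join(words)
    return {
        "char_level_printable": entropy_bits(PRINTABLE_ASCII, len(text)),
        "char_level_lowercase": entropy_bits(LOWERCASE_AND_SPACE, len(text)),
        "word_level": entropy_bits(DICEWARE_LIST, len(words)),
    }


def random_password_bits(password: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Keyspace for a password drawn uniformly from the given alphabet, e.g. a manager's output."""
    return entropy_bits(alphabet_size, len(password))


# Constructed word list for the search demonstration (a real list would be thousands of words).
WORDLIST = ["correct", "horse", "battery", "staple", "apple", "zebra", "window", "river"]


def sha256_hex(text: str) -> str:
    # Plain SHA-256 stands in for whatever hash the attacker has captured.
    return hashlib.sha256(text.encode()).hexdigest()


def word_level_crack(target_hash: str, wordlist, n_words: int, sep: str = " "):
    """Try every ordered combination of n_words list entries; return (match, candidates_tried)."""
    tried = 0
    for combo in itertools.product(wordlist, repeat=n_words):
        tried += 1
        candidate = sep.join(combo)
        if sha256_hex(candidate) == target_hash:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    models = passphrase_models(["correct", "horse", "battery", "staple"])
    for name, bits in models.items():
        print(f"{name:>22}: {bits:6.1f} bits")
    print(f"random 29-char password: {random_password_bits(chr(39).join(['gCac2 RY9%sK%/3Q2!P}>p2?', 'H1q?'])):6.1f} bits")

    # Word-level search: the attacker only has to cover len(WORDLIST) ** 2 candidates,
    # versus 27 ** 13 if the same 13-character string were searched character by character.
    found, tried = word_level_crack(sha256_hex("horse battery"), WORDLIST, n_words=2)
    print(f"recovered {found!r} after {tried} of {len(WORDLIST) ** 2} candidates")
```

Running it prints about 184 bits for the passphrase under the printable-ASCII model, about 133 bits under the lowercase-plus-space model, and 44 bits under the word-level model; the 29-character random string is about 190 bits under the printable-ASCII model. The search then recovers the two-word target after 11 candidates out of 64, which is the cost the word-level attacker actually pays.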