Because it's wrong.
1. The premise is wrong. The idea is that a human should be able to remember the
password. I (and most people who will see the comic) have a lot of accounts. In
my case I have over 100 different accounts. I can't remember that many unique
4-word permutations.
2. It doesn't account for the genuine need for password restrictions. Some banks,
for example, require passwords to be all numerical because they are entered on
the phone as well.
3. The math is wrong. It measures entropy as if each letter was chosen
independently. This is fine-ish if the scheme is unknown, but a lot of people use
this scheme now. Humans are bad at random: take the 10,000 most popular words,
and a significant number of passwords will be composed entirely of words in
that list. Since we know the scheme, most passwords will fit into a search
space of 10000^4.
See also:
http://www.troyhunt.com/2011/08/im-sorry-but-were-you-actually-trying.html
http://pinetik.blogspot.com/2011/11/xkcd-936-password-strength-and-why-this.html
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
On Sep 5, 2013, at 4:09 AM, Marius Gedminas <[email protected]> wrote:
> On Wed, Sep 04, 2013 at 04:38:32PM -0400, Donald Stufft wrote:
>> On Sep 4, 2013, at 3:20 PM, Dag Sverre Seljebotn
>> <[email protected]> wrote:
>>> On 09/04/2013 04:59 PM, Antoine Pitrou wrote:
>>>> Then please add helpful guidelines as to how people can choose a safe
>>>> and easy to remember password /or passphrase/. Most people aren't password
>>>> experts, and the current one-line message isn't useful.
>>>
>>> A link here should do the trick (which succinctly sums up this entire
>>> thread):
>>>
>>> https://xkcd.com/936/
>>
>> I hate that comic :|
>
> Why?
>
> Marius Gedminas
> --
> You can't have megalomania. *I* have megalomania.
> -- Joe Bednorz
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> https://mail.python.org/mailman/listinfo/distutils-sig
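Putting numbers to point 3 of the message above, as an added worked example that is not part of this thread or of the comic: the naive per-character estimate (every letter an independent uniform draw) against the scheme-aware estimate (the attacker knows it is N words from a list of a given size, so the search space is list_size^N), with the expected crack time at two guess rates. The four sample words are the comic's own; the guess rates (1,000/s for an online attack, 1e9/s for an offline attack on a fast hash) and the ten-word demo list are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample passphrase: the four words from the comic under discussion.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple"]

# Guess rates are assumptions for illustration, not figures from the thread:
# ~1000/s is an online-attack rate; 1e9/s stands in for an offline attack
# against a fast, unsalted hash.
ONLINE_GUESSES_PER_SEC = 1_000.0
OFFLINE_GUESSES_PER_SEC = 1_000_000_000.0


def char_level_bits(passphrase: str, alphabet_size: int = 26) -> float:
    """Entropy estimate that treats every character as an independent,
    uniform draw from an alphabet of `alphabet_size` symbols.
    This is the naive estimate point 3 objects to: it ignores that the
    characters form dictionary words."""
    return len(passphrase) * math.log2(alphabet_size)


def scheme_aware_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy when the attacker knows the scheme is `num_words` words drawn
    from a list of `wordlist_size` words: log2(wordlist_size ** num_words)."""
    return num_words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace
    has to be tried before the right candidate comes up."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_estimates(words, wordlist_size: int) -> dict:
    """Both entropy estimates for a passphrase built from `words`, plus the
    expected crack times implied by the scheme-aware figure."""
    passphrase = "".join(words)
    aware = scheme_aware_bits(len(words), wordlist_size)
    return {
        "passphrase": passphrase,
        "naive_bits": char_level_bits(passphrase),
        "scheme_aware_bits": aware,
        "online_years": expected_crack_seconds(aware, ONLINE_GUESSES_PER_SEC)
        / (365.25 * 86400),
        "offline_days": expected_crack_seconds(aware, OFFLINE_GUESSES_PER_SEC)
        / 86400,
    }


def random_passphrase(wordlist, num_words: int) -> list:
    """Draw words uniformly with a CSPRNG. The scheme-aware estimate only
    holds when words are chosen this way, not picked by a person."""
    return [secrets.choice(wordlist) for _ in range(num_words)]


if __name__ == "__main__":
    # 2048 is the list size the comic assumes; 10,000 is the figure from point 3.
    for size in (2048, 10_000):
        r = compare_estimates(SAMPLE_WORDS, size)
        print(f"wordlist {size:>6}: naive {r['naive_bits']:.1f} bits, "
              f"scheme-aware {r['scheme_aware_bits']:.1f} bits, "
              f"online ~{r['online_years']:.0f} years, "
              f"offline ~{r['offline_days']:.1f} days")
    # Constructed ten-word list, only to show the selection mechanism.
    demo_list = ["apple", "river", "stone", "cloud", "lamp",
                 "chair", "paper", "wolf", "grain", "moss"]
    print(" ".join(random_passphrase(demo_list, 4)))
```

For "correcthorsebatterystaple" the naive estimate is about 117 bits, while knowing the scheme brings it to 44 bits for a 2048-word list or about 53 bits for a 10,000-word list; at 1e9 guesses/s the latter is a matter of weeks, and the 44-bit case of hours. The figures assume the words really were drawn uniformly at random, which is why `random_passphrase` uses `secrets` rather than leaving the choice to the user.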