[Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Perry E. Metzger
Today's XKCD is on password strength. The advice it gives is pretty
good in principle...

http://xkcd.com/936/

-- 
Perry E. Metzgerpe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Steve Furlong
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger pe...@piermont.com wrote:
 Today's XKCD is on password strength. The advice it gives is pretty
 good in principle...

 http://xkcd.com/936/

For a single password on a system with flexible rules, it's good advice.

Real world, with a dozen non-reused passwords needed on systems with
limited password lengths, not so much. correct stable horse battery?

-- 
Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Adam Fields

On Aug 10, 2011, at 10:12 AM, Perry E. Metzger wrote:

 Today's XKCD is on password strength. The advice it gives is pretty
 good in principle...
 
 http://xkcd.com/936/

You still need a password manager to remember which of the dozens of 
easily-remembered passwords you used, so you might as well just use the 
20-character random generator they all have. Not bad for a stopgap if you're 
caught needing to make one up on the fly though.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Tim Dierks
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger pe...@piermont.comwrote:

 Today's XKCD is on password strength. The advice it gives is pretty
 good in principle...

 http://xkcd.com/936/


FWIW,
http://tim.dierks.org/2007/03/secure-in-browser-javascript-password.html

 - Tim
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Chad Perrin
On Wed, Aug 10, 2011 at 07:12:07AM -0700, Perry E. Metzger wrote:
 Today's XKCD is on password strength. The advice it gives is pretty
 good in principle...

. . . unless the person trying to crack the password treats the password
as a passphrase like the user does, and uses combinations of common
words rather than strings of random letters to try to crack the password.
The problem is that ~44 bits of entropy here assumes the person trying
to crack the password is using the simplest possible means of brute force
cracking, and is not clever enough to consider the possibility that there
may be patterns of character selection based on terms in the English
language.

The correct horse battery staple example imposes patterns on password
generation that do not exist in, say, gCac2 RY9%sK%/3Q2!P}p2?'H1q?.

I find it frankly shocking that most of the people in the world trying to
come up with a clever trick to get around using strong passwords simply
do not think about the fact that when the characters in your password
have predictable relationships to one another (e.g., Y9%sK as a pattern
appears in no natural language word, but horse certainly does appear, and
is a predictable relationship between characters), that cuts into the
effective randomness of the string of characters you use.  A collection
of words does *not* produce as many bits of entropy as people seem to
think.

I also find it frankly shocking that it seems like nobody in the world
has heard of a password manager.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]


pgpL4IG0kw4R2.pgp
Description: PGP signature
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography