Robust passwords

Posted: Sat Aug 13, 2011 2:13 am
by Neolander
Hi everyone !

Some days ago, I stumbled upon this strip from xkcd : http://www.xkcd.com/936/

Can someone with knowledge of the mentioned entropy bit theory and the state of password cracking confirm this ? I thought that dictionary attacks made this kind of passwords impractical, but if it actually works... Well, sufficient to say I have some ideas for a few very long, very easy to remember, and very hard to guess passwords...

(And websites which still use 8-char passwords (which sadly includes my bank's one) be damned !)

Re: Robust passwords !

Posted: Sat Aug 13, 2011 3:11 am
by Combuster
I don't know the dictionary sizes for each of such things, but patching a word with leetspeak-like substitutions gives you something like #possible words * 2^length of word (assuming that on average each letter can be substituted or not), and just concatenating two of such words yields #possible words ^ 2; the latter is more efficient when #possible words > 2^length of word. For example with 16-character words, you'd have like 65000 substitutions, while it'll be obvious that there are more out there than that.

Conclusion: 2 words give more possible passwords (and a harder time cracking them) than one word with substitutions.
That said, 8-character password "garbage" (like piping /dev/random into base64 which gives 64^8 = 2^48 combinations) gives more passwords than all possible combinations of 4 simple words according to xkcd definitions (which defines simple words as the 2048 most used nouns). In the meantime, I've also shown why a *good* 8-character password is quite sufficient actually. Just try not to replace those 8 characters with p-a-s-s-w-o-r-d


The only thing entropy is used for is to reduce combinations to their 2-log, so you can say you have 60 bits of entropy instead of saying that your system allows for 1000000000000000000 unique combinations.

Re: Robust passwords !

Posted: Sat Aug 13, 2011 3:22 am
by MasterLee
Neolander wrote: (And websites which still use 8-char passwords (which sadly includes my bank's one) be damned !)
But your bank will lock your account when a wrong password is entered three times in a row. So even if you only use numbers
there is only a 0.000003% chance that they guess your password before the account gets locked.
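A small added script (not from any poster in this thread) that encodes the guess-space arithmetic from Combuster's post (one substituted word vs. two concatenated words vs. random base64, and the break-even condition #words > 2^length) and from MasterLee's post (the chance of an online guesser winning before a three-strike lockout). The dictionary sizes and lockout threshold are taken from the posts; the 100000-word dictionary in the demo is an assumed illustrative value.

```python
import math

# Guess-space sizes for the schemes discussed in the thread. Each value is the
# number of candidates an attacker who knows the scheme must try; entropy in
# bits is simply log2 of that count (Combuster's "2-log").

def substituted_word(num_words, word_len):
    """One dictionary word, each letter independently substituted or not."""
    return num_words * 2 ** word_len

def concatenated_words(num_words, k):
    """k words drawn independently from a dictionary of num_words entries."""
    return num_words ** k

def random_string(alphabet_size, length):
    """length symbols drawn uniformly from an alphabet (64 for base64)."""
    return alphabet_size ** length

def bits(candidates):
    """Entropy in bits for a uniformly chosen password from `candidates`."""
    return math.log2(candidates)

def two_words_beat_substitution(num_words, word_len):
    """Combuster's claim: N^2 > N * 2^L exactly when N > 2^L."""
    return concatenated_words(num_words, 2) > substituted_word(num_words, word_len)

def lockout_success_prob(candidates, attempts):
    """Probability an online guesser hits a uniformly chosen password within
    `attempts` tries before the account locks (MasterLee's scenario)."""
    return min(1.0, attempts / candidates)

if __name__ == "__main__":
    schemes = {
        "1 word of 16 letters, leetspeak subs (100000-word dict, assumed)":
            substituted_word(100000, 16),
        "2 words concatenated (100000-word dict, assumed)":
            concatenated_words(100000, 2),
        "4 words from xkcd's 2048 common nouns": concatenated_words(2048, 4),
        "8 random base64 characters": random_string(64, 8),
    }
    for name, space in schemes.items():
        print(f"{bits(space):5.1f} bits  {name}")
    # 8-digit numeric password, 3 tries before lockout: 3 / 10^8 = 0.000003 %
    p = lockout_success_prob(10 ** 8, 3)
    print(f"online guess success before lockout: {p * 100:.6f} %")
```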

Re: Robust passwords !

Posted: Sat Aug 13, 2011 3:54 am
by Neolander
MasterLee wrote: But your bank will lock your account when a wrong password is entered three times in a row. So even if you only use numbers
there is only a 0.000003% chance that they guess your password before the account gets locked.
Actually, I don't think that's the case. At least there was no warning about such in the provided documentation, and when you type a wrong password it shows nothing like "N tries remaining". Not ready to experiment and see if my account actually gets locked while I'm abroad, though.

Re: Robust passwords

Posted: Sat Aug 13, 2011 4:00 am
by Neolander
Combuster wrote: That said, 8-character password "garbage" (like piping /dev/random into base64 which gives 64^8 = 2^48 combinations) gives more passwords than all possible combinations of 4 simple words according to xkcd definitions (which defines simple words as the 2048 most used nouns). In the meantime, I've also shown why a *good* 8-character password is quite sufficient actually. Just try not to replace those 8 characters with p-a-s-s-w-o-r-d
Sure, but can you easily remember 8 3-digit decimal numbers (or 2-digit hex numbers) and type non-printable ASCII characters on your keyboard ?

I thought the author's point was that substitutions were generally only adding 10 digits (and sometimes 26 caps) to the character set, and commonly followed some highly predictable schemes.

Re: Robust passwords

Posted: Sat Aug 13, 2011 4:50 am
by Combuster
Neolander wrote: can you easily remember 8 3-digit decimal numbers (or 2-digit hex numbers) and type non-printable ASCII characters on your keyboard
I mentioned base64 for a reason :wink:

But yes, all my passwords (except for the very old or generated by others) are randomized, and except for the few I use less than once a year I can remember them by heart. But then again, I often type in phone numbers because it's faster than looking the name up in my cellphone's dictionary. It's probably one of those cases where your mileage may vary.

Re: Robust passwords

Posted: Tue Aug 16, 2011 1:03 am
by Solar
One hint I was given quite some time ago regarding "how to come up with secure passwords":
  • Think up a (lengthy) sentence, which might be nonsense but should be easy to remember. Should contain some numbers and punctuation.
  • Take the initial letters of the sentence, the numbers, and the punctuation.
  • If you feel paranoid, screw it up a bit.
  • Voila, "secure" and easy-to-remember password.
Example:

"The # key on my 2007 keyboard is stuck since 2009."

"T#kom27kbiss29"