| 1 |
On Wed, 11 Jan 2012 18:09:40 -0500 |
| 2 |
"Mike Edenfield" <kutulu@××××××.org> wrote: |
| 3 |
|
| 4 |
> > I agree. Longer pass{words,phrases} only increases the difficulty |
| 5 |
> > of the problem, but not significantly so. |
| 6 |
> |
| 7 |
> After I read the aforementioned xkcd comic, my main question was how |
| 8 |
> he defined the various bits of entropy for each "thing" done to a |
| 9 |
> password. That seemed to be a crucial determining factor in why the |
| 10 |
> "common words" password appeared so much harder than the "goofy |
| 11 |
> gibberish" one. Some seemed more obvious to me than others. |
| 12 |
> |
| 13 |
> I'm also curious, using the latest modern password-cracking |
| 14 |
> techniques, if his assessment really is accurate. As in, which of the |
| 15 |
> following two passwords would take longer to crack: |
| 16 |
> |
| 17 |
> #purpl3.R$!n# |
| 18 |
> |
| 19 |
> dovesymbolcarprince |
| 20 |
|
| 21 |
Interesting questions. Randall doesn't provide answers so though. I |
| 22 |
suppose he knows his audience and assumes we'll understand the gist of |
| 23 |
what he's getting at and not demand full proof from him - it's his |
| 24 |
comic, not his PhD thesis :-) |
| 25 |
|
| 26 |
I noticed something about your first sample password, and it reveals a |
| 27 |
lot, I hinted at it in my reply to Dale. Look at the pattern one must |
| 28 |
type to enter that password (assuming a qwerty keyboard): |
| 29 |
|
| 30 |
A symbol, a partial word, then 7 nonsense symbols. The pattern of those |
| 31 |
symbols is highly significant - composed entirely of keystrokes in the |
| 32 |
upper left area and lower right area of the keyboard with a few Shifts |
| 33 |
thrown in for good measure. Almost as if you dropped both hands on the |
| 34 |
keyboard and wiggled your fingers without moving the entire hand much. |
| 35 |
|
| 36 |
How much entropy? A truck load less than you think! |
| 37 |
|
| 38 |
And how often do you think people will do that (or something similar) |
| 39 |
when creating passwords? How easy will it be for a dev with a clue to |
| 40 |
write cracker software that takes such biases |
| 41 |
into account? |
| 42 |
|
| 43 |
The second example looks better - four words that have no obvious |
| 44 |
connection with each other and will not usually be found together. |
| 45 |
Hence not much in the way of predictable pattern that I can see. |
| 46 |
|
| 47 |
Personally, I advocate using smart password generators like apg. The |
| 48 |
password truly is a random distribution of junk, but one that can be |
| 49 |
pronounced (a key factor in remembering it). It's not too hard to |
| 50 |
expand that to also use whole words, then you'd get a passphrase |
| 51 |
without your own inherent bias in it. Just be careful that you don't |
| 52 |
end up with a password containing the *developer's* own inherent |
| 53 |
bias :-) |
| 54 |
|
| 55 |
|
| 56 |
-- |
| 57 |
Alan McKinnnon |
| 58 |
alan.mckinnon@×××××.com |
Archives