| 1 |
On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick <neil@××××××××××.uk> wrote: |
| 2 |
> |
| 3 |
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote: |
| 4 |
> |
| 5 |
> > > https://xkcd.com/936/ |
| 6 |
> > |
| 7 |
> > Not strictly true ... the crackers would probably use rainbow tables |
| 8 |
> > attacks first. Also, it isn't fair to compare an 11 character passwd |
| 9 |
> > against a 25 character passwd. For the *same* number of characters |
| 10 |
> > used in any given passwd, a random lower/upper/numerical/symbol passwd |
| 11 |
> > will provide an exponentially higher degree of difficulty in cracking |
| 12 |
> > it with brute force, than one which uses only lower case dictionary |
| 13 |
> > words. Anyway, these days many attacks are focused on OS or hardware |
| 14 |
> > vulnerabilities which have been baked in by design, rather than brute |
| 15 |
> > force attacks. |
| 16 |
> |
| 17 |
> I'm not sure xkcd is meant to be taken that seriously... |
| 18 |
> |
| 19 |
|
| 20 |
IMO xkcd has treated the situation more seriously than some of the |
| 21 |
replies here... |
| 22 |
|
| 23 |
Obviously words from a dictionary have less entropy per character than |
| 24 |
random characters do, but the xkcd cartoon already takes this into |
| 25 |
account. |
| 26 |
|
| 27 |
For the same number of bits of ENTROPY a random password provides the |
| 28 |
exact same level of security as one based on words. |
| 29 |
|
| 30 |
To obtain that entropy through words requires more characters of |
| 31 |
course. However, the whole point of the cartoon is that our brains |
| 32 |
are much better at remembering words than random characters, since we |
| 33 |
have a big chunk of grey matter evolved to do exactly that which is |
| 34 |
more sophisticated than any computer on the planet so far. |
| 35 |
|
| 36 |
Now, if you have some brain-dead software which only accepts 8 |
| 37 |
character passwords then you would obviously do better to use random |
| 38 |
characters (truly random - not picking the most pleasing-looking |
| 39 |
random password out of a list) than to try to cram one or two words in |
| 40 |
there. Likewise, if you're using a password manager and want to |
| 41 |
maximize entropy per bit of storage/transmission then random passwords |
| 42 |
are better since words provide no utility. |
| 43 |
|
| 44 |
However, if you want to obtain the highest number of bits of entropy |
| 45 |
for a password that is memorized, xkcd makes a compelling argument |
| 46 |
that you're better off with a longer password composed of words, |
| 47 |
because they let you cram more entropy into your brain. Two bits from |
| 48 |
a dictionary might be the same as two bits from 1/3rd of a random |
| 49 |
character to a brute force cracking engine, but they aren't the same |
| 50 |
to your brain. Xkcd isn't doing a like-for-like comparison, because |
| 51 |
the two categories aren't alike. |
| 52 |
|
| 53 |
-- |
| 54 |
Rich |
Archives