On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick <neil@××××××××××.uk> wrote:
>
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
> > > https://xkcd.com/936/
> >
> > Not strictly true ... the crackers would probably use rainbow tables
> > attacks first. Also, it isn't fair to compare an 11 character passwd
> > against a 25 character passwd. For the *same* number of characters
> > used in any given passwd, a random lower/upper/numerical/symbol passwd
> > will provide an exponentially higher degree of difficulty in cracking
> > it with brute force, than one which uses only lower case dictionary
> > words. Anyway, these days many attacks are focused on OS or hardware
> > vulnerabilities which have been baked in by design, rather than brute
> > force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...
>

IMO xkcd has treated the situation more seriously than some of the
replies here...

Obviously words from a dictionary have less entropy per character than
random characters do, but the xkcd cartoon already takes this into
account.

For the same number of bits of ENTROPY a random password provides the
exact same level of security as one based on words.

To obtain that entropy through words requires more characters of
course. However, the whole point of the cartoon is that our brains
are much better at remembering words than random characters, since we
have a big chunk of grey matter evolved to do exactly that which is
more sophisticated than any computer on the planet so far.

Now, if you have some brain-dead software which only accepts 8
character passwords then you would obviously do better to use random
characters (truly random - not picking the most pleasing-looking
random password out of a list) than to try to cram one or two words in
there. Likewise, if you're using a password manager and want to
maximize entropy per bit of storage/transmission then random passwords
are better since words provide no utility.

However, if you want to obtain the highest number of bits of entropy
for a password that is memorized, xkcd makes a compelling argument
that you're better off with a longer password composed of words,
because they let you cram more entropy into your brain. Two bits from
a dictionary might be the same as two bits from 1/3rd of a random
character to a brute force cracking engine, but they aren't the same
to your brain. Xkcd isn't doing a like-for-like comparison, because
the two categories aren't alike.

--
Rich
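The entropy arithmetic the reply above relies on, as an added example that is not part of the thread: it computes bits of entropy for uniformly random character strings and for uniformly chosen words, works out how many characters or words are needed to hit a target number of bits (so a word passphrase and a random password can be compared at equal entropy rather than equal length), bounds the entropy lost when someone picks the "nicest" of several generated candidates, and generates both kinds of secret with Python's `secrets` module. The word list is a constructed stand-in; the dictionary sizes 2048 and 7776 are example parameters only (a 2048-word list gives exactly 11 bits per word).

```python
"""Entropy comparison of random-character passwords vs word passphrases.

Added example for the thread above; not code from the list or from xkcd.
Only the *size* of the alphabet or word list matters for entropy, and every
generated secret must be chosen uniformly at random for these numbers to hold.
"""
import math
import secrets
import string

# Constructed placeholder list (16 words = 4 bits/word). Real passphrases need
# a list of thousands of words; pass the real list's length to the functions.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "blanket", "candle",
    "dragon", "engine", "forest", "garden", "harbor", "island", "jacket",
    "kettle", "lantern",
]

LOWERCASE = string.ascii_lowercase                                      # 26 symbols
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def entropy_bits_words(dictionary_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly (with replacement) from a list."""
    return n_words * math.log2(dictionary_size)


def chars_needed(alphabet_size: int, target_bits: float) -> int:
    """Shortest random-character length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Fewest uniformly chosen words that reach target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def min_entropy_after_selection(bits: float, candidates: int) -> float:
    """Worst-case min-entropy when the user keeps their favourite of
    `candidates` generated options instead of the first one.  No single
    output can become more than `candidates` times likelier than under a
    uniform draw, so at most log2(candidates) bits are lost; this is the
    quantitative side of "truly random, not the most pleasing-looking one"."""
    return bits - math.log2(candidates)


def generate_random_password(alphabet: str, length: int) -> str:
    """Uniformly random string over `alphabet`, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """n uniformly chosen words joined by `sep`, using the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(target_bits: float, dictionary_size: int = 2048) -> dict:
    """Length each style needs to reach target_bits (equal-entropy view)."""
    return {
        "lowercase_chars": chars_needed(26, target_bits),
        "full_ascii_chars": chars_needed(94, target_bits),
        "words": words_needed(dictionary_size, target_bits),
    }


if __name__ == "__main__":
    target = entropy_bits_words(2048, 4)          # four words from a 2048-word list
    print(f"4 words from 2048: {target:.1f} bits")
    print("equal-entropy lengths:", compare(target))
    # The "8-character limit" case: random characters win by a wide margin.
    print(f"8 random full-ASCII chars: {entropy_bits_random(94, 8):.1f} bits")
    print(f"2 words from 2048 (~8 chars): {entropy_bits_words(2048, 2):.1f} bits")
    print("picking favourite of 16 candidates leaves at least",
          f"{min_entropy_after_selection(target, 16):.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 4))
    print("sample password:  ", generate_random_password(FULL_ASCII, 12))
```

At 44 bits the table reads 10 lowercase characters, 7 full-ASCII characters or 4 words: the same work for a brute-force engine, which is the equal-entropy comparison the reply is making, while the memorability difference between "10 random letters" and "4 words" is what the cartoon is about.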