Search the Community
Showing results for tags 'facts'.
Found 1 result
This comic is saying that the password in the top frames "Tr0ub4dor&3" is easier for password cracking software to guess because it has less entropy than "correcthorsebatterystaple" and also more difficult for a human to remember, leading to insecure practices like writing the password down on a post-it attached to the monitor. In simple cases the entropy of a password is calculated as a^b where a is the number of allowed symbols and b is its length. A dictionary word (however long) has an entropy of around 65000, i.e. 16 bits. A truly random string of length 11 (not like "Tr0ub4dor&3", but more like "J4I/tyJ&Acy") has 94^11 = 72.1 bits. However the comic shows that "Tr0ub4dor&3" has only 28 bits of entropy. Another way of selecting a password is to have 2048 "symbols" (common words) and select only 4 of those symbols. 2048^4 = 44 bits, much better than 28. Using such symbols was again visited in one of the tips in 1820: Security Advice. It is absolutely true that people make passwords hard to remember because they think they are "safer", and it is certainly true that length, all other things being equal, tends to make for very strong passwords and this can confirmed by using rumkin.com's password strength checker. Even if the individual characters are all limited to [a-z], the exponent implied in "we added another lowercase character, so multiply by 26 again" tends to dominate the results. In addition to being easier to remember, long strings of lowercase characters are also easier to type on smartphones and soft keyboards. xkcd's password generation scheme requires the user to have a list of 2048 common words (log2(2048) = 11). For any attack we must assume that the attacker knows our password generation algorithm, but not the exact password. In this case the attacker knows the 2048 words, and knows that we selected 4 words, but not which words. The number of combinations of 4 words from this list of words is (211)4 = 244 bits. For comparison, the entropy offered by Diceware's 7776 word list is 13 bits per word. If the attacker doesn't know the algorithm used, and only knows that lowercase letters are selected, the "common words" password would take even longer to crack than depicted. 25 random lowercase characters would have 117 bits of entropy, vs 44 bits for the common words list. Example Below there is a detailed example which shows how different rules of complexity work to generate a password with supposed 44 bits of entropy. The examples of expected passwords were generated in random.org.(*) If n is the number of symbols and L is the length of the password, then L = 44 / log2(n). a = lowercase letters A = uppercase letters 9 = digits & = the 32 special characters in an American keyboard; Randall assumes only the 16 most common characters are used in practice (4 bits) (*) The use of random.org explains why jAwwBYne has two consecutive w's, why Re-:aRo has two R's, why _@~"#^.2 has no letters, why ewpltiayq has no numbers, why "constant yield" is part of a password, etc. A human would have attempted at passwords that looked random. Source: http://www.explainxkcd.com/wiki/index.php?title=936#Explanation