( huh? )



charmoto Charles D Aylward
Seen lots of reposts of xkcd on passwords today. It's fun but wrong. 4 words of everday English is weak, use 5. The base is words not bits.

August 10, 2011     3 retweets #

jcbarret Jeffrey Barrett
@charmoto @leonidkruglyak I think xkcd is right...he's assuming 11 bits per word (only 2048 choices needed) and 4 words, which is 2^44, no?

August 10, 2011 #

charmoto Charles D Aylward
.@jcbarret @leonidkruglyak password crackers don't use brute-force bit permutation. Even w/ naive iteration, the base is keyboard characters

August 10, 2011 #

jcbarret Jeffrey Barrett
.@charmoto Hmm...but then if the avg word length is 5, isn't that 26^20? (i.e. > num_common_words^4) Maybe I'm not getting your point.

August 10, 2011 #

charmoto Charles D Aylward
.@jcbarret yup, point is dictionary attacks. {# common words}^{# words used}. Think distinct tokens (symbols), not bits.

August 10, 2011 #

jcbarret Jeffrey Barrett
.@charmoto OK, cool, but then if you have xkcd's implied 2048 common words (which seems easy) than 2048^4 (2e13) seems pretty secure, no?

August 10, 2011 #

charmoto Charles D Aylward
.@jcbarret you can't assume such a naive adversary, this is a _well worn_ problem space. The probability distribution is not uniform.

August 10, 2011 #

jcbarret Jeffrey Barrett
.@charmoto Even if I pull 4 words randomly from dict? What does adversary have to do with it? Maybe not poss to resolve in 140 char chunks?

August 10, 2011 #

charmoto Charles D Aylward
.@jcbarret e.g. some words and sets of words are more likely. Knowledge of target can also be used. Bad guys use heuristics.

August 10, 2011 #

jcbarret Jeffrey Barrett
.@charmoto OK, now I get it, but 4 completely random words=good (two legs bad)

August 10, 2011 #

Made by @aaronsw.