Image text – To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
This comic is saying that the password in the top frames “Tr0ub4dor&3” is easier for password cracking software to guess than “correcthorsebatterystaple”. And it is absolutely true that people make passwords hard to remember because that means that they are “safer”.
The important thing to take away from this comic is that longer passwords are better because each additional character adds much more time to the breaking of the password.
Steve Gibson from the Security Now podcast did a lot of work in this arena and found that this password “D0g…………………” is harder to break than this password “PrXyc.N(n4k77#L!eVdAfp9”.
That’s what xkcd is trying to get through here. Complexity does not matter unless you have length in passwords. Complexity is more difficult for humans to remember. Length is not.
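Putting numbers on the length-versus-complexity argument, as an added Python example that is not part of this thread: it computes the class-based brute-force search space for the two xkcd passwords, the entropy of the passphrase when the attacker already knows the scheme (assuming a 2048-word list, an assumption not taken from the page), and the time to exhaust that space at the comic's rate of 1000 guesses per second.

```python
import math
import string

# Assumed wordlist size for the passphrase model (not from the page):
# 2048 words, so each randomly chosen word is worth 11 bits.
WORDLIST_SIZE = 2048

# Character classes a class-based brute-force search must cover once the
# password is known to contain at least one member of the class.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, given which classes appear."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def bruteforce_bits(password: str) -> float:
    """log2 of the exhaustive search space, charset_size ** length.
    Each extra character adds log2(charset) bits, i.e. multiplies the
    work by the alphabet size, which is why length dominates complexity."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy when the attacker knows the scheme: random words from a list."""
    return len(words) * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years needed to try every candidate at the comic's online guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Search-space figures for the two passwords discussed above."""
    complex_pw = "Tr0ub4dor&3"
    words = ["correct", "horse", "battery", "staple"]
    phrase = "".join(words)
    one_more = bruteforce_bits(complex_pw + "x") - bruteforce_bits(complex_pw)
    return {
        "complex_bruteforce_bits": bruteforce_bits(complex_pw),
        "phrase_bruteforce_bits": bruteforce_bits(phrase),
        "phrase_scheme_known_bits": passphrase_bits(words),
        "phrase_scheme_known_years": years_to_exhaust(passphrase_bits(words)),
        "one_more_char_bits": one_more,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.1f}")
```

Even with the word list and scheme known, the passphrase sits at 44 bits, roughly 550 years at 1000 guesses per second, while one extra character on the complex password adds only about 6.6 bits.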
Interesting and useful. It makes sense about longer passwords, but I figure surely it also makes sense to use numbers and characters as well? As that means more possible things that would need to be checked, wouldn’t it?
This is all very well, but as I pointed out somewhere else, if a website only allows you 8 or 10 characters (as they often do), what good is this principle?
In the context of the cartoon, which is really addressing ‘brute force’ attacks, it is only necessary that you ‘could’ use those characters, not that you ‘do’ use them. It extends the search space that the attack has to use.
I would note that despite the above, using one of the ‘100 most common’ passwords is still not a good idea, since they almost always get checked first, completely negating the statistics.
Again, if the password is limited to 8 or 10 characters, then it is important to use all 8 or 10. Much more so than using transpositions of characters in a 6-character password when you could have used 10.
On all my machines, 3 failed password attempts will get you blocked for 3 hours, and I mean blocked, as in the machine will not respond at all, which effectively negates any brute force attacks.
I’d also say that most passwords are compromised by ‘social engineering’ – phishing and the like, but there are still plenty of the brute force script kids out there. I get 3-10 per day per server. The persistent ones get permanently blocked for a month or so.
Since I have a lousy memory I always write my passwords down. But I encrypt them first, with a clue provided that’ll prompt my memory so that I can decrypt them.
Or, is it? The reverse could be true and this information is put out, by Them, to influence users in choosing the types of passwords that, in reality, are easier to break.
Yup, one can apply common password lists, common word lists etc, and even ‘predictive text’ type approaches to a brute force attack. Doesn’t alter the fact that without some ‘social engineering’ info, each character position could be any valid character.
Even if we force ‘real’ words only in the example above, cracking ‘correct’ as the first word does not help with the rest of them. And as I noted in my earlier comment, sysadmins should really be blocking the repeated incorrect login attempts.
The NSA types have probably the best advice – assume that the system has already been compromised, and act accordingly. Clever, hard to remember passwords or ‘security theatre’ password rules don’t feature very highly in that model.
I remember a few weeks ago someone else (Language Log?) looked at this (I think with the same cartoon). A commenter explained that a password breaker doesn’t repeatedly try to log on to a site, which would normally lead to blocking. Rather it probes the hard disk directly and nibbles the cookies to see how they react. He used more technical language, and he may not have been right, but I offer it for what it’s worth.
Yes, setting up a fake website or sneaking a malicious cookie onto an existing badly secured website is very much a favoured approach to stealing passwords. However, that falls under the ‘social engineering’ banner, as if someone steals the password it doesn’t really matter what length it is, or how obscure it is.