Slashdot Mirror


Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"

3 of 487 comments

  1. Re:This is too simple to fix by The+Raven · Score: 4, Informative

    The reason to avoid understandable sentences is they have extremely low entropy per character. Or, put another way, they are easier to hack than their length would indicate. An xkcd password has about 1.5 bits per character of entropy; a normal English sentence has as low as 0.6 to 1.3 bits per letter, according to one study. Given the simple and trite short sentences people would use for passwords, it's likely closer to 0.6, or about 20 bits of entropy for your example 'chicken' password, compared to 44 bits for a shorter xkcd password.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  2. Re:XKCD by spazdor · Score: 4, Informative

    Sure, it's 28 characters, but it's still lowercase only.
    That makes it a lot weaker, no?

    It makes it weaker by a factor of about 2^28.
    Which sounds like a lot, but when the lowercase password space is already 26^28, it's not much.

    XKCD's math is sound.

    --
    DRM: Terminator crops for your mind!
  3. Re:Wrong by wrook · Score: 4, Informative

    The average adult that has been to University knows 20,000 head words. A head word is a group of words with essentially the same meaning. For example, expect, expectation, is expecting, etc. are all one head word. 26^7 is a little bit over 8x10^9. If a user picks 4 headwords for their passphrase, the search space is 20000^4 or 1.6x10^17. And that's if we just use headwords. If the user uses variations the search space is rather huge.

    You might say that 20,000 headwords includes a lot of strange vocabulary. But for instance, to get 95% vocabulary coverage in reading a newspaper you need just under 16,000 headwords. However, even if we restrict vocabulary to the most common 5,000 headwords (the average vocabulary of a 5 year old) we get a search space of 6.25x10^14.

    XKCD style passphrases are dramatically more robust than a 7 character alphabetic password.
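As an added example that is not part of the thread or of eGuy's project, here is a small Python scorer that puts the two search-space models from comments 2 and 3 side by side: brute-forcing characters (26^7, and 26^28 versus 52^28) and guessing whole words from a list (20000^4, or 2048^4 for xkcd's 44 bits). The character-class sizes, the default list size and the guess rate are this example's assumptions, and the word model assumes the attacker's list already contains every word used.

```python
import math
import re

# Symbol-class sizes for the brute-force model (assumed values, not from the thread).
CLASS_SIZES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "other": (re.compile(r"[^A-Za-z0-9]"), 33),
}

def charset_bits(password: str) -> float:
    """Entropy if every character must be brute-forced from the union of the
    character classes present (the 26^7 / 26^28 model from the thread)."""
    size = sum(n for rx, n in CLASS_SIZES.values() if rx.search(password))
    return len(password) * math.log2(size) if size else 0.0

def wordlist_bits(password: str, wordlist_size: int = 2048) -> float:
    """Entropy if the attacker guesses whole words from a list of
    `wordlist_size` entries (the 20000^4 model). Assumes every word is on
    the list. Returns 0.0 when the input is not two or more alphabetic words."""
    words = [w for w in re.split(r"[\s\-_]+", password) if w]
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return 0.0
    return len(words) * math.log2(wordlist_size)

def strength_bits(password: str, wordlist_size: int = 2048) -> float:
    """Conservative policy score: the weakest applicable attack model wins,
    so a long lowercase passphrase is rated by its words, not its characters."""
    models = [charset_bits(password)]
    word_model = wordlist_bits(password, wordlist_size)
    if word_model:
        models.append(word_model)
    return min(models)

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at an assumed offline guess rate."""
    return 2.0 ** bits / guesses_per_second

if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for pw in ["abcdefg", "correct horse battery staple", "P4ssw0rd!"]:
        print(f"{pw!r}: charset={charset_bits(pw):.1f} bits, "
              f"wordlist={wordlist_bits(pw):.1f} bits, "
              f"score={strength_bits(pw):.1f} bits")
```

Passing a larger list size (e.g. 20000) to `wordlist_bits` reproduces wrook's 20000^4 figure, while the default 2048 gives xkcd's 44 bits.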