0936: "Password Strength"


ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Tue Jun 11, 2013 10:39 pm UTC

gmalivuk wrote:If my Twitter post passphrase collides with the hash for 20 random ASCII characters, and yours is just a mangling of "trebuchet", then an attacker is orders of magnitude more likely to get your actual password than to hit upon either my Twitter post or any of the shorter strings that collide with it. Meaning my passphrase is orders of magnitude better than yours.
I think I see your (and Yakk's) point now. The shorter strings that collide with a long passphrase are likely to be pretty random, so pretty much the only way to stumble upon them is brute force. "Tre6uch3t" itself is considerably less so, and can be reached by a dictionary attack.

So, if passwords are actually chosen randomly, then my point stands. But as long as the space from which passwords are actually chosen is significantly smaller than the space available (bits in the hash), then longer is still better even though it leads to collisions.

I agree with this. Thanks, and thanks Yakk too, who said pretty much the same thing even more clearly.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Please help addams if you can. She needs all of us.

WriteBrainedJR
Posts: 79
Joined: Tue Apr 16, 2013 3:08 pm UTC
Location: Right Behind You

Re: 0936: "Password Strength"

Postby WriteBrainedJR » Tue Jun 11, 2013 10:49 pm UTC

And then what if my twitter-post password includes a couple of my favorite words in French, a couple in Arabic, and a couple of German curse words? Most people know a little bit of a bunch of different languages.

gmalivuk
GNU Terry Pratchett
Posts: 25789
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Jun 11, 2013 11:26 pm UTC

Yakk wrote:you'd only want to limit password length to discourage people from copy-pasting book chapters and thinking they are more secure due to length.
It should be noted, incidentally, that doing this is very insecure, in the sense that an attacker who knows how you got your password now only has to search through orders of magnitude fewer possibilities. (There are only so many chapters out there, after all, and the number is far lower than the number of possible novel Twitter posts.)
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Wed Jun 12, 2013 1:44 am UTC

gmalivuk wrote:
Yakk wrote:you'd only want to limit password length to discourage people from copy-pasting book chapters and thinking they are more secure due to length.
It should be noted, incidentally, that doing this is very insecure, in the sense that an attacker who knows how you got your password now only has to search through orders of magnitude fewer possibilities. (There are only so many chapters out there, after all, and the number is far lower than the number of possible novel Twitter posts.)
...even accounting for all the different places one could start? (like the third letter of the fifteenth word of chapter four)?

Jose

Eebster the Great
Posts: 2750
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Jun 12, 2013 1:50 am UTC

ucim wrote:
gmalivuk wrote:
Yakk wrote:you'd only want to limit password length to discourage people from copy-pasting book chapters and thinking they are more secure due to length.
It should be noted, incidentally, that doing this is very insecure, in the sense that an attacker who knows how you got your password now only has to search through orders of magnitude fewer possibilities. (There are only so many chapters out there, after all, and the number is far lower than the number of possible novel Twitter posts.)
...even accounting for all the different places one could start? (like the third letter of the fifteenth word of chapter four)?

Jose

Such a password scheme is still not very strong. If we suppose the average book has 100,000 words and there are about 10,000 decent book choices, that gives only 1,000,000,000 possible passwords, or about 30 bits of entropy. If the attacker gets the hash and has a library which includes your book, he can easily crack it in a few seconds.

Now, if you also randomized the length of the password, you would increase the entropy somewhat, but probably not by enough.


E: Just realized you were further allowing for starting in the middle of a word. There are about five letters in an average word, so add a couple bits. 32.5 bits still isn't enough for a secure password.
Last edited by Eebster the Great on Wed Jun 12, 2013 1:56 am UTC, edited 2 times in total.

gmalivuk
GNU Terry Pratchett
Posts: 25789
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Wed Jun 12, 2013 1:52 am UTC

There are probably more book choices than that, but even upping it to a million doesn't give you as much entropy as a decently unusual original Twitter-sized post.

Eebster the Great
Posts: 2750
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Jun 12, 2013 1:54 am UTC

gmalivuk wrote:There are probably more book choices than that

Yes, but the choice of books is (generally) hardly random.

WriteBrainedJR
Posts: 79
Joined: Tue Apr 16, 2013 3:08 pm UTC
Location: Right Behind You

Re: 0936: "Password Strength"

Postby WriteBrainedJR » Wed Jun 12, 2013 2:44 am UTC

Eebster the Great wrote:
gmalivuk wrote:There are probably more book choices than that

Yes, but the choice of books is (generally) hardly random.

It can, however, be obscure.

In the interest of random obscurity: how obscure would a chapter from A Million Random Digits with 100,000 Normal Deviates be? How secure?

ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Wed Jun 12, 2013 3:04 am UTC

Eebster the Great wrote:Such a password scheme is still not very strong. If we suppose the average book has 100,000 words and there are about 10,000 decent book choices, that gives only 1,000,000,000 possible passwords, or about 30 bits of entropy.
... but you can stop anywhere too. So, that squares the number of possibilities, dividing by two to ensure the start point is before the stop point. But still, typing in two thirds of "War and Peace" in order to post "me too" is going to be daunting.

I wonder how many stretches of (n) words in a book are exact copies of stretches from how many other books.

Jose

Copper Bezel
Posts: 2416
Joined: Wed Oct 12, 2011 6:35 am UTC
Location: Web exclusive!

Re: 0936: "Password Strength"

Postby Copper Bezel » Wed Jun 12, 2013 4:39 am UTC

Copper Bezel wrote:[Silly estimation stuff....]

So how did you do that? = )

gmalivuk wrote:I did that by remembering that written English has an entropy of about 1.1 bits per character.

Jorpho wrote:As cited in the recent Twitter What-If.

Late, but I feel the need to acknowledge that I am a silly person.
So much depends upon a red wheel barrow (>= XXII) but it is not going to be installed.

she / her / her

Eebster the Great
Posts: 2750
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Jun 12, 2013 4:47 am UTC

ucim wrote:
Eebster the Great wrote:Such a password scheme is still not very strong. If we suppose the average book has 100,000 words and there are about 10,000 decent book choices, that gives only 1,000,000,000 possible passwords, or about 30 bits of entropy.
... but you can stop anywhere too. So, that squares the number of possibilities, dividing by two to ensure the start point is before the stop point. But still, typing in two thirds of "War and Peace" in order to post "me too" is going to be daunting.

Yes, that might provide enough entropy (assuming you choose a sufficiently long segment). But as you say, it's not a convenient password at all, so you'd be better off just picking eight random ASCII characters.

I wonder how many stretches of (n) words in a book are exact copies of stretches from how many other books.

Not many, for n reasonably large.


There are also separate issues with copying and pasting any password in plaintext. If this were acceptable, everybody would just have randomly generated keys sitting around in plaintext on their computer.

orthogon
Posts: 2692
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 0936: "Password Strength"

Postby orthogon » Wed Jun 12, 2013 1:10 pm UTC

ucim wrote:...More annoying are sites that prohibit commonly used punctuation, so I can't even use "can't" in the (long) password. It becomes harder to remember whether I used "cant" or "cannot" in the passphrase, and it's too late by the time I remember that this isn't one of those sites, and I used "can't". I've already been locked out and am now a support burden as I get the password reset again, whereupon I discover that the quote is permitted, but the period is not. grrrrrr! ...

Grrr indeed. Sites should display their password policy on the login page, to help users figure out what password they would have used. For me, the cycle on a site I don't visit very often goes like this:
1. Create account
2. Create password using my normal method
3. Password rejected: must contain x digits and y punctuation marks
4. Modify password created in (2) to meet the rules
5. Enjoy
6. Log out
... time passes ...
7. Go to site
8. Attempt to login using password based on (2)
9. Password incorrect [iterate 8-9 until bored]
10. Use the "forgot my password" to reset it
11. Log in using the temporary password
12. Set password using method (2)
13. Password rejected: must contain x digits and y punctuation marks [Aha! So that's why it wasn't c0rrecth0r5ebattery5taple!]
14. Go to 4
xtifr wrote:... and orthogon merely sounds undecided.

Eebster the Great
Posts: 2750
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Jun 12, 2013 2:10 pm UTC

orthogon wrote:
ucim wrote:...More annoying are sites that prohibit commonly used punctuation, so I can't even use "can't" in the (long) password. It becomes harder to remember whether I used "cant" or "cannot" in the passphrase, and it's too late by the time I remember that this isn't one of those sites, and I used "can't". I've already been locked out and am now a support burden as I get the password reset again, whereupon I discover that the quote is permitted, but the period is not. grrrrrr! ...

Grrr indeed. Sites should display their password policy on the login page, to help users figure out what password they would have used. For me, the cycle on a site I don't visit very often goes like this:
1. Create account
2. Create password using my normal method
3. Password rejected: must contain x digits and y punctuation marks
4. Modify password created in (2) to meet the rules
5. Enjoy
6. Log out
... time passes ...
7. Go to site
8. Attempt to login using password based on (2)
9. Password incorrect [iterate 8-9 until bored]
10. Use the "forgot my password" to reset it
11. Log in using the temporary password
12. Set password using method (2)
13. Password rejected: must contain x digits and y punctuation marks [Aha! So that's why it wasn't c0rrecth0r5ebattery5taple!]
14. Go to 4

For many people, step 14 is "change password to 'password1!' so I won't forget it again."

Site administrators don't understand human behavior, it seems.

Klear
Posts: 1965
Joined: Sun Jun 13, 2010 8:43 am UTC
Location: Prague

Re: 0936: "Password Strength"

Postby Klear » Wed Jun 12, 2013 2:28 pm UTC

I had a password to use a lobby computer in college. After half a year, I had to change it. That was the last time I ever logged in there.

Yakk
Poster with most posts but no title.
Posts: 11045
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: 0936: "Password Strength"

Postby Yakk » Wed Jun 12, 2013 3:27 pm UTC

ucim wrote:
Eebster the Great wrote:Such a password scheme is still not very strong. If we suppose the average book has 100,000 words and there are about 10,000 decent book choices, that gives only 1,000,000,000 possible passwords, or about 30 bits of entropy.
... but you can stop anywhere too. So, that squares the number of possibilities, dividing by two to ensure the start point is before the stop point. But still, typing in two thirds of "War and Peace" in order to post "me too" is going to be daunting.

I wonder how many stretches of (n) words in a book are exact copies of stretches from how many other books.

That only squares (then halves) the number of possibilities if we order all the books, and allow the passwords to cross from one book to another.

Never mind typing in 2/3 of War and Peace; how about typing in 2/3 of every book in English in order to type "me too"?

All we square is the "location in the book". If we assume half a million characters per book, and don't include backward quotes (!), that is 36.9 bits for the locations in the books, and 13.3 for the choice of book, coming to ~50 total bits of entropy.

Or roughly the entropy of 5 randomly chosen common English words with spaces between them.
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.

Oscaruzzo
Posts: 3
Joined: Tue Jul 02, 2013 8:21 am UTC

Re: 0936: "Password Strength"

Postby Oscaruzzo » Tue Jul 02, 2013 8:33 am UTC

I tend to use "false words" that can be pronounced (and remembered) but are not in any dictionary. Passwords like "stapped whinglood flastals". I made a "pseudo word generator" for this purpose some time ago (in 2004 more or less) which is based on an algorithm I found in "The Practice of Programming" by Kernighan and Pike. I've put it online recently, but it seems that I can't put a link to it (This message was flagged as spam and has been denied). :cry:

SecondTalon
SexyTalon
Posts: 25660
Joined: Sat May 05, 2007 2:10 pm UTC
Location: Louisville, Kentucky, USA, Mars. HA!

Re: 0936: "Password Strength"

Postby SecondTalon » Tue Jul 02, 2013 1:19 pm UTC

Oscaruzzo wrote:... I've put it online recently, but it seems that I can't put a link to it (This message was flagged as spam and has been denied). :cry:

Oh, hey, those rules things at the top. We kinda actually expect you to read them.
heuristically_alone wrote:I want to write a DnD campaign and play it by myself and DM it myself.
heuristically_alone wrote:I have been informed that this is called writing a book.

Oscaruzzo
Posts: 3
Joined: Tue Jul 02, 2013 8:21 am UTC

Re: 0936: "Password Strength"

Postby Oscaruzzo » Tue Jul 02, 2013 1:52 pm UTC

SecondTalon wrote:Oh, hey, those rules things at the top. We kinda actually expect you to read them.


Sorry, I didn't see it (AND it's a perfectly reasonable policy).

Neil_Boekend
Posts: 3215
Joined: Fri Mar 01, 2013 6:35 am UTC
Location: Yes.

Re: 0936: "Password Strength"

Postby Neil_Boekend » Tue Jul 02, 2013 2:08 pm UTC

orthogon wrote:
ucim wrote:...More annoying are sites that prohibit commonly used punctuation, so I can't even use "can't" in the (long) password. It becomes harder to remember whether I used "cant" or "cannot" in the passphrase, and it's too late by the time I remember that this isn't one of those sites, and I used "can't". I've already been locked out and am now a support burden as I get the password reset again, whereupon I discover that the quote is permitted, but the period is not. grrrrrr! ...

Grrr indeed. Sites should display their password policy on the login page, to help users figure out what password they would have used. For me, the cycle on a site I don't visit very often goes like this:
1. Create account
2. Create password using my normal method
3. Password rejected: must contain x digits and y punctuation marks
4. Modify password created in (2) to meet the rules
5. Enjoy
6. Log out
... time passes ...
7. Go to site
8. Attempt to login using password based on (2)
9. Password incorrect [iterate 8-9 until bored]
10. Use the "forgot my password" to reset it
11. Log in using the temporary password
12. Set password using method (2)
13. Password rejected: must contain x digits and y punctuation marks [Aha! So that's why it wasn't c0rrecth0r5ebattery5taple!]
14. Go to 4


I think that sites should display the rules for their passwords when the password has been entered incorrectly once. It's not safer not to display them and it's very important information to the user.
Mikeski wrote:A "What If" update is never late. Nor is it early. It is posted precisely when it should be.

patzer's signature wrote:
flicky1991 wrote:I'm being quoted too much!

he/him/his

Yakk
Poster with most posts but no title.
Posts: 11045
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: 0936: "Password Strength"

Postby Yakk » Tue Jul 02, 2013 2:13 pm UTC

How is it safer not to display them other than after once? Any serious attacker knows what the rules are by either guessing a password wrong once and remembering them, or going through the account creation and getting to the part where it tells you the rules.

It could be more confusing to the casual user (seeing complex rules, instead of "Password:"), which is a reason to delay the "here are the rules" until a failed password. But security is a bad reason to delay display of the rules.

orthogon
Posts: 2692
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 0936: "Password Strength"

Postby orthogon » Tue Jul 02, 2013 2:15 pm UTC

Oscaruzzo wrote:I tend to use "false words" that can be pronounced (and remembered) but are not in any dictionary. Passwords like "stapped whinglood flastals".

Stapped whinglood flastals are absolutely the thing to be wearing this summer. I have two pairs, one with spoigals and one without.

gmalivuk
GNU Terry Pratchett
Posts: 25789
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Jul 02, 2013 6:44 pm UTC

Oscaruzzo wrote:I tend to use "false words" that can be pronounced (and remembered) but are not in any dictionary. Passwords like "stapped whinglood flastals". I made a "pseudo word generator" for this purpose some time ago (in 2004 more or less) which is based on an algorithm I found in "The Practice of Programming" by Kernighan and Pike. I've put it online recently, but it seems that I can't put a link to it (This message was flagged as spam and has been denied). :cry:

Yeah, made up words could be even safer than Diceware or a similar real-world method, though with the slight disadvantage of not being quite so easy to remember.

I took my own advice from earlier and changed my Google password to a 100-character sentence. If taken from the entire possible set of sensible sentences that long, it would have 110 bits of entropy. I'm comfortable with the security of a lower bound of 96 bits, giving an attacker the benefit of being able to somehow eliminate 99.99% of the possibilities as things I'd be unlikely to say.

Neil_Boekend
Posts: 3215
Joined: Fri Mar 01, 2013 6:35 am UTC
Location: Yes.

Re: 0936: "Password Strength"

Postby Neil_Boekend » Wed Jul 03, 2013 6:45 am UTC

Yakk wrote:How is it safer not to display them other than after once? Any serious attacker knows what the rules are by either guessing a password wrong once and remembering them, or going through the account creation and getting to the part where it tells you the rules.

It could be more confusing to the casual user (seeing complex rules, instead of "Password:"), which is a reason to delay the "here are the rules" until a failed password. But security is a bad reason to delay display of the rules.

I agree with you wholeheartedly, with every single word of that post. I just feel you misunderstood me.
I was a bit confusing in my wording:
I wrote:It's not safer not to display them

I am still struggling with the wording, but I suppose
I should have wrote:It's not safer to hide them
would have been less confusing.

You even posted the reason I had for delaying the information on the password rules.

Yakk
Poster with most posts but no title.
Posts: 11045
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: 0936: "Password Strength"

Postby Yakk » Wed Jul 03, 2013 2:33 pm UTC

Neil_Boekend wrote:I agree with you wholeheartedly. Every single word of that post, I just feel you misunderstood me.

Yep, my excess not filter kicked in, and deleted some nots. :)

SteveMB
Posts: 35
Joined: Mon Jun 18, 2007 2:48 pm UTC

Re: 0936: "Password Strength"

Postby SteveMB » Sun Sep 08, 2013 5:09 pm UTC

enricofosaveo wrote:Many password requirements in corporate America require some mixed case, some numeric content, and some non-alphanumeric. Therefore, you need to augment with a scheme to include those characters.

I've always been a fan of the pseudo-acronym approach. Pick a lyric from your favorite tune, a verse from your favorite poem, or a line from your favorite book. Make your password the first character from each word, plus add the requisite numeric and non-alphanumeric characters. It also makes password hints easier, if supported.

Example: From "The Low Spark of High Heeled Boys" -- Traffic

"The percentage you're paying is too high priced, while you're living beyond all your means."

Password = Tpypithp,wylbaym.0
Hint = spark % nothing

Easy to type (just remember the lyric and type the first letter of each word as you recite it in your head). Non-alphanumerics via punctuation are almost automatic. The digit is just there to appease the password strength checkers, but even without it this scheme will provide very, very high levels of password strength.

If you do forget and have a password hint mechanism or if you simply have to write something down, the hint tells you everything you need to know without revealing much. What song; what verse; what numeric character...


I was curious about the bits-per-character entropy you get from the acronym approach. When my Google-fu failed me, I did my own calculation:

1. Grab some lengthy samples of English-language text (I used the Project Gutenberg texts of "The Adventures of Huckleberry Finn", "The War of the Worlds", and "Little Fuzzy" (apparently H. Beam Piper's copyrights weren't renewed after his death, thus providing a 20th-century public-domain sample)).

2. Extract the first letters of the words into one humongous acronym.

3. Count the letters and digraphs of the result.

4. Feed the results into Shannon's entropy formula.

Results: 4.07 bits per letter, 8.08 bits per digraph. The fact that the second is within 1% of double the first confirms my guess that there is no significant correlation between consecutive characters of an acronym.

Note: The above calculation is case-insensitive. True random upper and lowercase would add 1 bit per character; pseudo-random mixing (such as preserving the case of the original word, or using a rule like "all nouns are uppercase") would add some fraction of a bit per character.
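As an added illustration of the four-step measurement above (editor's example; SteveMB's post describes the procedure but includes no code): the script below builds the acronym from a constructed paragraph of English prose standing in for the Gutenberg texts, counts letters and digraphs, and feeds the counts to the Shannon formula. The sample text, the word regex and the `analyse` helper are this example's own choices, not anything from the thread.

```python
import math
import re
from collections import Counter

# Constructed sample text, standing in for the Project Gutenberg corpora
# SteveMB used; any ordinary English prose with normal word order will do.
SAMPLE_TEXT = """
The old man walked slowly down the road toward the river, thinking about
the letter he had not yet answered. It was late in the afternoon and the
light was already going; he knew that if he did not hurry the ferry would
be gone and he would have to wait until morning to cross. Still he did not
hurry, because the letter was from his brother, and his brother never
wrote unless something had gone wrong.
"""


def acronym(text: str) -> str:
    """Step 2: the first letter of every word, case-folded.
    Words are runs of letters (apostrophes allowed inside, so "you're" is one
    word); digits and punctuation never contribute a character."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", text)
    return "".join(w[0].lower() for w in words)


def shannon_bits(counts: Counter) -> float:
    """Step 4: Shannon entropy, in bits, of the empirical distribution."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def letter_entropy(acro: str) -> float:
    """Bits per character from single-letter frequencies (step 3, letters)."""
    return shannon_bits(Counter(acro))


def digraph_entropy(acro: str) -> float:
    """Bits per consecutive pair (step 3, digraphs). A value close to twice
    the letter entropy means consecutive characters are nearly independent."""
    return shannon_bits(Counter(acro[i:i + 2] for i in range(len(acro) - 1)))


def analyse(text: str) -> dict:
    """Run the whole procedure and report the figures SteveMB compared."""
    acro = acronym(text)
    h1 = letter_entropy(acro)
    h2 = digraph_entropy(acro)
    uniform = math.log2(26)  # 4.70 bits: one uniformly random lowercase letter
    return {
        "acronym_length": len(acro),
        "bits_per_letter": h1,
        "bits_per_digraph": h2,
        "digraph_over_letter_ratio": h2 / h1 if h1 else float("nan"),
        "uniform_random_bits": uniform,
        # Fractional extra length an acronym needs to match a uniformly random
        # lowercase string of equal entropy (the "about 16%" comparison).
        "length_penalty": uniform / h1 - 1 if h1 else float("nan"),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TEXT).items():
        if isinstance(value, float):
            print(f"{key:>26}: {value:.3f}")
        else:
            print(f"{key:>26}: {value}")
```

On a sample this short the digraph figure is unreliable: most consecutive pairs occur only once, so the digraph entropy drifts toward log2(number of pairs) and says nothing about correlation. The ratio check SteveMB describes only means something on a corpus of tens of thousands of words, where each digraph is observed many times. The per-letter figure is also only an upper bound on what an attacker faces, since it already reflects the skew toward word-initial letters that ucim raises in reply.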

ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Mon Sep 09, 2013 2:44 am UTC

Yakk wrote:Nevermind typing in 2/3 of war and peace, how about typing in 2/3 of every book in English in order to type "me too".
Mission Fucking Accomplished!

SteveMB wrote:1. Grab some lengthy samples of English-language text (I used the Project Gutenberg texts of "The Adventures of Huckleberry Finn", "The War of the Worlds", and "Little Fuzzy" (apparently H. Beam Piper's copyrights weren't renewed after his death, thus providing a 20th-century public-domain sample)).

2. Extract the first letters of the words into one humongous acronym.

3. Count the letters and digraphs of the result.

4. Feed the results into Shannon's entropy formula.

Results: 4.07 bits per letter, 8.08 bits per digraph. The fact that the second is within 1% of double the first confirms my guess that there is no significant correlation between consecutive characters of an acronym.
... but this leads to a bias towards letters that start words. X would be underrepresented, for example.

As I see it, the object is to ensure that your password is not in any hacker's dictionary, forcing them to use brute force ("Make them fish in the ocean!")

How big is a dictionary of quotations? When you need a new password, it's much easier to come up with:
"To be, or not to be: that is the question:"
than
"With us to watch the minutes of this night;"

(Both come from Hamlet)

You'd need to use "less familiar" quotations, and start in the middle, if you want to not be in the book.

Jose

SteveMB
Posts: 35
Joined: Mon Jun 18, 2007 2:48 pm UTC

Re: 0936: "Password Strength"

Postby SteveMB » Mon Sep 09, 2013 3:14 am UTC

ucim wrote:... but this leads to a bias towards letters that start words. X would be underrepresented, for example.

Well, yes; that's why the result is significantly less than the 4.7 (i.e. log2(26)) bits per character you'd get with true random selection. An acronym password has to be about 16% longer to have the same entropy as a true-random-character password -- but memorizing a seven-character acronym is much easier than memorizing a six-character hash.

As I see it, the object is to ensure that your password is not in any hacker's dictionary, forcing them to use brute force ("Make them fish in the ocean!")

How big is a dictionary of quotations? When you need a new password, it's much easier to come up with:
"To be, or not to be: that is the question:"
than
"With us to watch the minutes of this night;"

(Both come from Hamlet)

You'd need to use "less familiar" quotations, and start in the middle, if you want to not be in the book.

Jose

Actually, you ought to coin your own mnemonic phrase that isn't in any book, since acronyms based on common literature and quotations will probably be included in dictionary attacks.

ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Tue Sep 10, 2013 7:44 pm UTC

SteveMB wrote:Actually, you ought to coin your own mnemonic phrase that isn't in any book; since acronyms based on common literature and quotations will probably be included in dictionary attacks.
Even better is to create a mnemonic phrase that helps you recall a hash that has been generated randomly. However, I don't really trust online hash generators; nothing says that the site isn't logging the input and building its own book. But I suppose you could do it three times and break it up in thirds, picking beforehand which third you'll use from each try.

e.g., we'll pick the first third from the first try, the second third from the second try...
1: q;n2T89cb
2: Wm48Nnkvy
3: cxos7N2kM

result: q;n4Nn2kM

Mnemonic: queer; no four Numbers need to kick Molpies

Jose
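An added example (editor's code, not ucim's; the thread contains none) of doing the generation locally with the operating system's CSPRNG instead of on a web site, together with ucim's split-the-tries scheme and a count of what a logging generator site would still learn from the three tries. The alphabet and the threat model assumed in `bits_if_all_tries_logged` are this example's own assumptions.

```python
from __future__ import annotations

import math
import secrets
import string

# Assumed alphabet: printable ASCII without the space character. The thread's
# sample tries look like draws from something similar, but the real site's
# alphabet is unknown, so this is an assumption of the example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Generate the string locally from the OS CSPRNG (the secrets module),
    so no web site ever sees it and cannot 'build its own book' from it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def combine_by_parts(tries: list[str]) -> str:
    """ucim's scheme: split every try into len(tries) equal parts and take
    part i from try i. Every output position is still one uniform draw, so
    the result has exactly the entropy of a single try, no more."""
    n = len(tries)
    length = len(tries[0])
    if any(len(t) != length for t in tries) or length % n:
        raise ValueError("tries must be equal length and divisible by their count")
    part = length // n
    return "".join(t[i * part:(i + 1) * part] for i, t in enumerate(tries))


def bits_if_all_tries_logged(n_tries: int) -> float:
    """Assumed threat model (not from the thread): the generator site logged
    every try and knows the splitting scheme but not which try fed which
    part. It is left with n_tries ** n_tries candidates, so only log2 of that
    many bits of uncertainty survive the split, regardless of the length."""
    return math.log2(n_tries ** n_tries)


if __name__ == "__main__":
    tries = [random_password(9) for _ in range(3)]
    pw = combine_by_parts(tries)
    print("tries   :", tries)
    print("combined:", pw)
    print(f"entropy when generated locally : {entropy_bits(len(pw)):.1f} bits")
    print(f"left if a logging site saw all : {bits_if_all_tries_logged(3):.1f} bits")
```

The numbers make the trade-off plain: a 9-character draw over this alphabet is worth about 59 bits when it never leaves your machine, while the three-tries split leaves under 5 bits against a site that kept all three outputs, which is why generating locally is the stronger fix.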

gmalivuk
GNU Terry Pratchett
Posts: 25789
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Tue Sep 10, 2013 7:47 pm UTC

Or, at least for some of them, you can simply verify for yourself that nothing in the page's source code sends any data to any servers.

BlitzGirl
Posts: 8975
Joined: Mon Sep 20, 2010 11:48 am UTC
Location: Both Present and Past...... Schizoblitz: 115/2601 NP

Re: 0936: "Password Strength"

Postby BlitzGirl » Tue Sep 10, 2013 7:51 pm UTC

ucim wrote:Mnemonic: queer; no four Numbers need to kick Molpies

Kick molpies?
Knight Temporal of the One True Comic
BlitzGirl the Pink, Mopey Molpy Mome

ucim
Posts: 5565
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 0936: "Password Strength"

Postby ucim » Tue Sep 10, 2013 8:36 pm UTC

BlitzGirl wrote:Kick molpies?

No four numbers need to kick molpies.
Molpies get their kicks on their own.
Take my advice - to the young ones be nice, or
they'll do you a number when grown.

Think of a password that's clever and strong
to put on the basement door
Then you won't have to fret, 'cause they never will get
to the otters you keep on that floor.

I can keep rhyming and making a code
that will keep all the hackers at bay,
but maybe the method that keeps data safe
is to give it to molpies today.

Brought to you by the Society for the Prevention of Cruelty to Molpies.

(Well, I guess that password isn't any good anymore.) :)

On a more serious note - if you think of a phrase for a mnemonic, make sure it doesn't get into any book - keep the phrase and its derivatives private too; it's integral to security!

Jose

Red Hal
Magically Delicious
Posts: 1445
Joined: Wed Nov 28, 2007 2:42 pm UTC

Re: 0936: "Password Strength"

Postby Red Hal » Tue Sep 10, 2013 8:55 pm UTC

Your poetry's pleasant to read,
You're a talented person indeed
The encryption strength
Of a password that length
Would make any young hacker's eyes bleed!

SteveMB
Posts: 35
Joined: Mon Jun 18, 2007 2:48 pm UTC

Re: 0936: "Password Strength"

Postby SteveMB » Tue Sep 10, 2013 10:33 pm UTC

ucim wrote:Even better is to create a mnemonic phrase that helps you recall a hash that has been generated randomly.

I used a variant on that approach for generating a keyfile for my KeePass database -- type a set of moderately long memorized phrases (so I can reconstruct the hash if I lose the file and all the backups) and then run it through a hash generator. NOTE: Either type the input as one big line with no newline character at the end, or make sure you know which flavor of newline you're using and can reproduce it faithfully later. Also remember whether your output uses uppercase or lowercase for A-F hex digits.

However, I don't really trust online hash generators; nothing says that the site isn't logging the input and building its own book.

I just downloaded a hash generator (HashDroid, which did not require any installation permissions that would allow it to phone home) and did it locally.
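The newline and hex-case pitfalls in the post, shown concretely as an added example in Python (not SteveMB's procedure or HashDroid; the sample phrases are constructed placeholders, and the PBKDF2 variant, its salt and its iteration count are this example's own additions):

```python
import hashlib

# Constructed sample phrases standing in for the memorized input; not from the post.
PHRASES = ["correct horse battery staple", "the quick brown fox"]


def canonical_text(phrases: list[str], sep: str = "", trailing: str = "") -> str:
    """Join the memorized phrases exactly one way: a chosen separator (default
    none, i.e. one long line) and a chosen trailing string (default nothing,
    i.e. no final newline). Whatever you pick here must be reproduced later."""
    return sep.join(phrases) + trailing


def keyfile_hex(phrases: list[str], sep: str = "", trailing: str = "",
                uppercase: bool = False) -> str:
    """SHA-256 of the canonical text as hex. The case of A-F is a separate
    choice to record: 'ab' and 'AB' are different bytes in the keyfile."""
    data = canonical_text(phrases, sep, trailing).encode("utf-8")
    digest = hashlib.sha256(data).hexdigest()
    return digest.upper() if uppercase else digest


def variants(phrases: list[str]) -> dict[str, str]:
    """The same phrases typed four plausible ways; every entry is a different key."""
    return {
        "one line, no newline": keyfile_hex(phrases),
        "LF between, none at end": keyfile_hex(phrases, sep="\n"),
        "CRLF between, none at end": keyfile_hex(phrases, sep="\r\n"),
        "LF between and at end": keyfile_hex(phrases, sep="\n", trailing="\n"),
    }


def keyfile_slow_hex(phrases: list[str], salt: bytes, iterations: int = 200_000,
                     sep: str = "", trailing: str = "") -> str:
    """Same canonical text through PBKDF2-HMAC-SHA256 instead of one SHA-256
    pass, so each guess at the phrases costs the attacker `iterations` hashes.
    The salt must be reproducible too (memorized, or stored beside the database)."""
    data = canonical_text(phrases, sep, trailing).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations, dklen=32).hex()


if __name__ == "__main__":
    for label, h in variants(PHRASES).items():
        print(f"{label:28} {h}")
    print("pbkdf2:", keyfile_slow_hex(PHRASES, salt=b"keepass-keyfile-v1"))
```

Running it prints four unrelated digests for what a human would call "the same input"; the check worth doing once is to regenerate the keyfile from memory on a different machine and compare it byte for byte before trusting the backups. A single SHA-256 pass is also cheap to brute-force if the phrases are guessable, which is why the example includes a PBKDF2 variant; it only helps if the salt and iteration count are as reproducible as the phrases themselves.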

orthogon
Posts: 2692
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 0936: "Password Strength"

Postby orthogon » Sat Sep 14, 2013 12:35 pm UTC

Following up from my rant a couple of pages back about how banks have no consistency in their security policy: it now emerges that you can set up a direct debit (an automated payment) from somebody's account using only their sort code and account number. This information is printed on your card, printed on your bank statement and you give it to people if you want them to send you money. It's effectively in the public domain; there is no authentication step in the process at all.

Jorpho
Posts: 6109
Joined: Wed Dec 12, 2007 5:31 am UTC
Location: Canada

Re: 0936: "Password Strength"

Postby Jorpho » Sat Sep 14, 2013 2:04 pm UTC

It's been that way for decades. You'll notice that the article says that "the direct debits linked to his account were set up through well-established service providers using the industry's automated service", so it's not like some shifty hobo down the street can set up a three-figure direct debit.

orthogon
Posts: 2692
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 0936: "Password Strength"

Postby orthogon » Sat Sep 14, 2013 5:42 pm UTC

Jorpho wrote:It's been that way for decades. You'll notice that the article says that "the direct debits linked to his account were set up through well-established service providers using the industry's automated service", so it's not like some shifty hobo down the street can set up a three-figure direct debit.

I agree that it would be difficult to get money transferred to your account that way, but people were clearly able to use it to buy goods and services and charge them to somebody else. And you could certainly cause somebody significant vexation by maliciously setting up DDs on their account even if you didn't want the things you ordered (and you could have them sent to yet another address to avoid getting caught).

It just seems bizarre to me that the level of authentication required to set up a financial transaction can be weaker than that required to, say, post on this forum. Banks used to use your signature as the primary means of authentication, including for DDs; you can argue about how strong that was, in particular to what extent staff were trained to recognize forgeries, but at least there was something. It seems that people have got paranoid about online security whilst failing to apply the same standards to more established procedures, and furthermore actually relaxing the measures that were already in place.

Eebster the Great
Posts: 2750
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Sat Sep 14, 2013 7:34 pm UTC

To be fair though, there are very good reasons to take online banking security much more seriously, as it is practically easier to steal a large number of identities online than offline.

orthogon
Posts: 2692
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 0936: "Password Strength"

Postby orthogon » Wed Sep 18, 2013 7:50 pm UTC

Eebster the Great wrote:To be fair though, there are very good reasons to take online banking security much more seriously, as it is practically easier to steal a large number of identities online than offline.

Fair point. In the end banks are happy to accept a certain level of loss on the DD scheme in return for simplicity and hence cost savings. They will eventually pay back money fraudulently removed from your account, if you notice. For the individual it's a massive hassle but for the bank it's a small overhead. Insufficient online security on the other hand could expose the bank to a risk they can't afford.

MichaelKarnerfors
Posts: 94
Joined: Sun Jan 25, 2009 3:30 am UTC
Location: Sweden

Re: 0936: "Password Strength"

Postby MichaelKarnerfors » Wed Jul 02, 2014 1:05 am UTC

Comic referenced in a TED talk... and analyzed!

http://www.ted.com/talks/lorrie_faith_c ... ur_pa_w0rd

Flumble
Yes Man
Posts: 1944
Joined: Sun Aug 05, 2012 9:35 pm UTC

Re: 0936: "Password Strength"

Postby Flumble » Mon Jul 07, 2014 7:05 pm UTC

I hadn't expected the syllable construction to perform >= compared to the word construction. So the default password I got from university wasn't so insecure after all. (Too bad we had to change the password after a while and the policy for the new password was a lot more strict, like CMU's.)
