At: ashok.org.uk/2011/simple-complicated-passwords
XKCD this week had a wonderful piece of commentary about the way we choose passwords.
Four randomly chosen common English words make for a remarkably good password. Randall Munroe's example uses a word list about 2,000 words long (11 bits per word). The beauty of this suggestion is that you can choose any 2,000 words you like, and even if you assume the attacker knows your word list the password still has about 44 bits of randomness in it. And 2 to the 44 is a pretty damn big number.
This is a very similar suggestion to one Thomas Baekdal made a few years ago, that:
"this is fun" is 10 times more secure than "J4fS!2"
I'm pretty sure that's wrong, but in a slightly subtle way.
The literal suggestion in Baekdal's article is pretty good, almost exactly four years before the XKCD:
A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.
And the maths works out pretty well. I get similar numbers to the article's for random, uncorrelated words from a 20,000-word list:
Other than the difference in the size of the word list, the two suggestions are very similar indeed.
The difficulty, however, is that all of the examples (in the article, the FAQ and a very reasonable follow-up) are actual phrases:
All of these are real phrases, and running English text has only about 1.3 bits of entropy per letter. If this kind of scheme were common, we should expect some attackers to try short English phrases.
The longest of these thus has about 30 bits of entropy, and a perfect attacker trying 100 guesses per second can break it in about 116 days, far less than the tens of millions of years you get from four independent random words drawn from Baekdal's 20,000-word list. (Note that Baekdal's word list is ten times larger than Munroe's; with the 2,000-word list and its 44 bits the same attacker still needs over 5,000 years.)
Whatever advice we give people for choosing passwords, it should work well even if many people follow it, and that means some attackers will understand it very well.
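The arithmetic behind the three cases above (four independent words from a known list, three words from a 20,000-word list, and a real English phrase at 1.3 bits per letter), carried through in code. This is an added example, not code from the post or from either article; the 100 guesses per second rate is the one the post quotes from Baekdal, the function names are mine, and the 16-word list is a constructed stand-in used only to show how a passphrase should be generated (with a CSPRNG, each word chosen independently), since a real list would have thousands of entries.

```python
import math
import secrets

GUESSES_PER_SECOND = 100          # the rate Baekdal's comparison assumes
SECONDS_PER_YEAR = 365 * 24 * 3600
ENGLISH_BITS_PER_LETTER = 1.3     # rough estimate for running English text

# Constructed, deliberately tiny word list for the generator demo only.
# A real list would have 2,000 (XKCD) or 20,000 (Baekdal) entries.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "cloud", "pencil",
    "river", "monkey", "silver", "window", "rocket", "garden",
    "button", "candle", "forest", "yellow",
]


def bits_for_random_words(words_in_list, n_words):
    """Entropy of n words picked uniformly and independently from a list.
    The attacker is assumed to know the list; only the choice is secret."""
    return n_words * math.log2(words_in_list)


def bits_for_english_phrase(phrase, bits_per_letter=ENGLISH_BITS_PER_LETTER):
    """Rough entropy of a real English phrase: letters times 1.3 bits/letter.
    Spaces and punctuation are ignored; once the words are known they carry
    almost no extra information."""
    letters = sum(1 for c in phrase if c.isalpha())
    return letters * bits_per_letter


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate tried at `rate` per second.
    (The average case is half this.)"""
    return 2 ** bits / rate


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    return seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR


def random_passphrase(word_list, n_words=4):
    """Diceware-style passphrase: a CSPRNG picks each word independently,
    so the entropy really is n_words * log2(len(word_list))."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


def passphrase_is_from_list(passphrase, word_list, n_words):
    """Check a generated passphrase has exactly n_words, all from the list."""
    words = passphrase.split(" ")
    return len(words) == n_words and all(w in word_list for w in words)


if __name__ == "__main__":
    schemes = [
        ("XKCD: 4 words from 2,048", bits_for_random_words(2048, 4)),
        ("Baekdal: 3 words from 20,000", bits_for_random_words(20000, 3)),
        ("4 words from 20,000", bits_for_random_words(20000, 4)),
        ('"this is fun" as English text', bits_for_english_phrase("this is fun")),
        ("23-letter English phrase (~30 bits)", 23 * ENGLISH_BITS_PER_LETTER),
    ]
    for name, bits in schemes:
        print(f"{name:38s} {bits:6.1f} bits  {years_to_exhaust(bits):14.1f} years")
    pp = random_passphrase(DEMO_WORDS, 4)
    print("demo passphrase:", pp,
          f"({bits_for_random_words(len(DEMO_WORDS), 4):.0f} bits from a 16-word list)")
```

Run as a script it prints one line per scheme. Four words from 2,048 (44 bits) take about 5,600 years to exhaust at 100 guesses per second; three words from 20,000 (about 43 bits) take about 2,500 years, matching Baekdal; four words from 20,000 take about 50 million years, which is where the post's "tens of millions" comes from. Treated as English text rather than as independent words, "this is fun" is worth under 12 bits and falls in seconds, and a phrase of exactly 30 bits falls in 124 days (the post's 116 days corresponds to a phrase a fraction of a bit short of 30). The same functions answer the "what if everyone follows this advice" question: an attacker who knows the list gains nothing against the random-word scheme, because the list size is already in the calculation.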
Being more secure could be as simple as some wordplay from I'm Sorry I Haven't a Clue.
Tagged: Security, Social, Technology
Posted at 07:46 EDT, 12th August 2011.