
(XKCD)   Accurate equine identifies the metal fastener of an electrochemical cell (7,5,7,6)   (xkcd.com)
    More: Fail, maths, fasteners, Dinosaur Comics  

3771 clicks; posted to Geek on 05 Nov 2013 at 10:24 AM (23 weeks ago)



 
2013-11-05 10:30:35 AM
Aaand that's why I use confusing or misleading password hints.

Somewhere in the ~1000 random items and papers scattered about my workspace, there are notes that correlate to passwords. If you think you can recognize and interpret them, have at it. Worst case, you'll leave my workspace a bit tidier than you found it.
 
2013-11-05 10:45:11 AM
Accurate equine says what?
www.pikabit.net
 
2013-11-05 10:48:26 AM

Ishidan: Accurate equine says what?


Correct Horse Battery Staple (7, 5, 7, 6)
 
2013-11-05 10:58:45 AM
jfarkinB: Aaand that's why I use confusing or misleading password hints.

I've been computing for nearly 30 years now, I don't need any damned password hints.

My passwords are based on patterns on the qwerty keyboard. I don't even know the actual letters of my keyboard.

Put me on a non-qwerty input device and I will have to imagine a qwerty keyboard in my mind and visualize the password one letter at a time.

As a result, my password hints are ... amusing.

"no, YOUR mother's maiden name".
 
2013-11-05 11:03:36 AM

Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)


Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.
 
2013-11-05 11:11:34 AM

Cozret: Great against a brute force attack, not so good against a dictionary based attack.


What's the difference?  Serious question.
 
2013-11-05 11:24:52 AM

Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack.


Really? Even if you know that the password is composed of four words from a dictionary, you're not going to get anywhere. Remember, you're still producing a single hash from it. Dictionary attacks based on single-word vocabulary (including simple variants like upper/lowercase, digit substitution, etc.) are marginally practical at present. Expanding to four-word sequences would raise the size of your dictionary to the fourth power. Not going to happen anytime soon.

The bottom line is passwords suck for security.

No argument there.
 
2013-11-05 11:35:38 AM
idesofmarch: What's the difference? Serious question.

Brute force is basically trying every possible combination of characters from a given set. (E.g., starting with AAAAA and ending with ZZZZZ for a 5-digit alphanumeric password that's all in caps.)

With brute force, you will eventually get the password, but due to the nature of brute force, it might take essentially forever to get to a given password.

A dictionary attack instead uses words from the dictionary arranged in certain orders. It's a smaller space of possible combinations so you get better results.

The hit rate even increases when you run the dictionary words through common transformations (i.e., substitute 3 for E, a 1 for I, etc.).

//whenever passwords are released, groups (both white and black hat) have competitions to see who can crack the largest number of passwords. There are a few interesting writeups that go through the methods that they use and what percentage of the passwords were compromised by each method.
 
2013-11-05 11:36:27 AM

Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)


I wonder how many people just use that phrase now as a password.

Maybe they also have the hint say "xkcd".

You know, to make the person who does xkcd cry.
 
2013-11-05 11:36:57 AM

jfarkinB: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack.

Really? Even if you know that the password is composed of four words from a dictionary, you're not going to get anywhere. Remember, you're still producing a single hash from it. Dictionary attacks based on single-word vocabulary (including simple variants like upper/lowercase, digit substitution, etc.) are marginally practical at present. Expanding to four-word sequences would raise the size of your dictionary to the fourth power. Not going to happen anytime soon.


Actually, there's been some impressive cracking work using Wikipedia as a dictionary for source phrases.
 
2013-11-05 11:38:11 AM
Especially since people still use stupid passwords.

http://grahamcluley.com/2013/11/top-50-passwords-adobe-security-breach/
 
2013-11-05 11:39:40 AM

Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.


Methinks you're not very good at math.  With something like 176K words in the English language, that would leave 176K ** 4 = 959,512,576,000,000,000,000 (960 quintillion) possibilities.  Just for dictionary attacks, which isn't even factoring in replacing characters or using a different language or using forms of slang, etc.

The fastest password crackers (using GPUs) can go at around a billion entries a second, which is impressive, but doesn't even make a dent into entropy like THAT.
 
2013-11-05 11:46:11 AM
blue_2501: Methinks you're not very good at math. With something like 176K words in the English language, that would leave 176K ** 4 = 959,512,576,000,000,000,000 (960 quintillion) possibilities. Just for dictionary attacks, which isn't even factoring in replacing characters or using a different language or using forms of slang, etc.

The problem is, people don't tend to use every possible word in the dictionary in their passwords, they mostly use common words.

If you shape the attack, you can get a high percentage of the passwords without making the target space huge.

// This is especially true if you get a large list of decrypted passwords from a given source. Because then those millions of passwords get added to the shaped attack (because they are passwords that were already known to be used in the wild ... and people love to reuse passwords).
 
2013-11-05 11:49:02 AM

Theaetetus: jfarkinB: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack.

Really? Even if you know that the password is composed of four words from a dictionary, you're not going to get anywhere. Remember, you're still producing a single hash from it. Dictionary attacks based on single-word vocabulary (including simple variants like upper/lowercase, digit substitution, etc.) are marginally practical at present. Expanding to four-word sequences would raise the size of your dictionary to the fourth power. Not going to happen anytime soon.

Actually, there's been some impressive cracking work using Wikipedia as a dictionary for source phrases.


Pass phrases can be more secure than passwords, but you have to use them properly.

English has grammar: some words are "supposed" to follow others, and "not supposed" to follow yet others. That's why you shouldn't use sentences as pass phrases: they decrease the entropy of the password, because you can cut out large parts of the dictionary at every step. You should jumble up random words instead.

The other big thing is that you need to make sure that at least one word on your list is not among the 1500 most common English words. This is hard if you're doing it in your head: people suck at picking random words. Better to use something like Diceware, which gives the advantage of giving you a legitimate reason to keep 5d6 on your desk.
 
2013-11-05 12:15:17 PM
The magic words are 'squeamish ossifrage'.
 
2013-11-05 12:34:32 PM
How about a fairly unusual English-language word, that is relatively long (let's say 9 letters), with an intentional misspelling, and one number and one symbol thrown in at the beginning and end?

Would that be better or worse than correct horse battery staple?

/Part of me wishes I had gone into a crypto path in college and career...always loved codes and breaking them
//Girl in 8th grade signed a buddy's yearbook in some "wiccan code"...it looked like a replacement code at first glance, so I spent the next 30 minutes of class trying to crack it, with complete success
/"Sequences and Series" was far and away my favorite part of calculus
 
2013-11-05 12:36:30 PM

my_cats_breath_smells_like_cat_food: How about a fairly unusual English-language word, that is relatively long (let's say 9 letters), with an intentional misspelling, and one number and one symbol thrown in at the beginning and end?

Would that be better or worse than correct horse battery staple?

/Part of me wishes I had gone into a crypto path in college and career...always loved codes and breaking them
//Girl in 8th grade signed a buddy's yearbook in some "wiccan code"...it looked like a replacement code at first glance, so I spent the next 30 minutes of class trying to crack it, with complete success
/"Sequences and Series" was far and away my favorite part of calculus


Oh, and for the theoretical password I am describing, I guess an example would be " &7Francisko6^ " if that helps.
 
2013-11-05 01:14:03 PM
A password is "strong enough" when a hacker, thinking he's gotten enough passwords out of his stolen list, stops his cracking program before it's done with yours. You can't know when this will happen, so you've got no choice but to make your password as strong as you can, but once the process has begun, that's really what matters. You don't have to beat the cracking program, only an attacker's patience.

The RockYou breach was God's gift to people who use mediocre passwords. Its list became the go-to symbol library for password crackers, and the Adobe list will probably be merged with it or replace it entirely, and so as long as your password is not on that list (and isn't a too-easily-guessed derivative of something that is on the list), chances are you'll be safe for a long time to come.
 
2013-11-05 01:28:30 PM

my_cats_breath_smells_like_cat_food: Oh, and for the theoretical password I am describing, I guess an example would be " &7Francisko6^ " if that helps.


Formatting weakens passwords. It even weakens "correct horse battery staple," which is why it's only got 44 bits of entropy instead of 232.

Starting with an uncommon English word gets you about 19 bits of entropy, assuming /usr/share/dict/words as your symbol library (479,829 possibilities, and "Francisco" is in fact part of the list). Your symbols only get you another 6-8 bits, so you're up to 27 total.

The intentional misspelling gives you some strength: maybe more than the number/symbol pairings do, in fact. But even so, it can only give you so much: if we assume 256 credible misspellings of a word, that's still only 8 bits, giving you a total of 35. CHBS's 44 bits beats that.

(Incidentally, the reason CBHS has only 44 bits of entropy is that Munroe used a much shorter word list than mine. He seems to have used a list of 1500 common English words).
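The entropy arithmetic in Millennium's post and Theaetetus's Diceware suggestion, worked through as an added example (this code is not from the thread). It assumes the word-list sizes the posters cite (1500 words, 479,829 words in /usr/share/dict/words), the standard Diceware list size of 6^5 = 7776 words, and blue_2501's figure of a billion guesses per second; the short word list inside is constructed for demonstration.

```python
import math
import secrets


def bits(choices: int) -> float:
    """Entropy, in bits, of one component drawn uniformly from `choices` options."""
    return math.log2(choices)


def scheme_bits(components) -> float:
    """Total entropy of a password whose parts are chosen independently and
    uniformly; pass the number of options for each part."""
    return sum(bits(c) for c in components)


def chbs_bits(n_words: int = 4, list_size: int = 1500) -> float:
    """Four random words from a 1500-word list (Millennium's reading of the comic)."""
    return scheme_bits([list_size] * n_words)


def word_plus_affixes_bits(dict_size: int = 479829, affix_bits: float = 8.0,
                           misspellings: int = 256) -> float:
    """Millennium's estimate for '&7Francisko6^': one word from
    /usr/share/dict/words, 6-8 bits for the symbol/digit affixes (8 here),
    and about 256 plausible misspellings of the word."""
    return bits(dict_size) + affix_bits + bits(misspellings)


def expected_crack_seconds(entropy_bits: float,
                           guesses_per_second: float = 1e9) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace at the
    given rate. 1e9/s is blue_2501's GPU figure and only applies to fast,
    unsalted hashes; a deliberately slow password hash cuts it by orders of
    magnitude, which is why the storage side matters as much as the phrase."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


# Constructed stand-in for a word list. A real Diceware list has 6**5 = 7776
# words, one per five-dice roll, giving log2(7776) ~= 12.9 bits per word.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "squeamish", "ossifrage",
                "lantern", "maple", "thirty", "river", "socket", "granite"]


def diceware_like(word_list, n_words: int = 4) -> str:
    """Pick words with a CSPRNG, never by hand: the thread's point is that people
    gravitate to common words, which is exactly what shaped attacks exploit."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    for label, b in [("CHBS (1500-word list)", chbs_bits()),
                     ("CHBS (2048-word list)", chbs_bits(list_size=2048)),
                     ("&7Francisko6^ scheme", word_plus_affixes_bits()),
                     ("5 Diceware words", scheme_bits([7776] * 5))]:
        hours = expected_crack_seconds(b) / 3600
        print(f"{label:24s} {b:5.1f} bits  ~{hours:.3g} h at 1e9 guesses/s")
    print("sample passphrase:", diceware_like(SAMPLE_WORDS))
```

Note that 44 bits is comfortable against an online guessing limit but only a few hours against an offline attack on a fast hash at the rate quoted in the thread; the slow-hash caveat in the comment is what changes that.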
 
2013-11-05 01:31:42 PM
Millennium: The RockYou breach was God's gift to people who use mediocre passwords. Its list became the go-to symbol library for password crackers

And corporate white hats who know their stuff will have incorporated those passwords into their ban lists as well.

I.e., you can't use these as passwords on the network.
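A ban-list check of the kind described in this post, written as an added example (not code from the thread or from any vendor). It rejects a candidate whose root matches a breached password even after the case changes, leet substitutions and affixed digits or symbols that hybrid attacks already account for; the breach sample is constructed, not the RockYou or Adobe list.

```python
import re

# Constructed stand-in for a breach list; a real one runs to millions of entries
# and would be loaded from a file, lowercased, into a set exactly like this.
BREACHED = {
    "password", "123456", "iloveyou", "princess", "rockyou", "qwerty",
    "correcthorsebatterystaple",
}

# Common character substitutions that crackers undo (or apply) automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary root a hybrid attack would start from:
    lowercase, strip leading/trailing non-letters, then undo leet spellings."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # affixed digits/symbols add little
    return s.translate(LEET)


def is_banned(candidate: str, banlist=BREACHED) -> bool:
    """True if the candidate, or its normalized root, is on the breach list."""
    return candidate.lower() in banlist or normalize(candidate) in banlist


def check_password(candidate: str, banlist=BREACHED) -> str:
    """Human-readable verdict for a registration or password-change form."""
    if candidate.lower() in banlist:
        return "rejected: appears verbatim in a breach list"
    root = normalize(candidate)
    if root in banlist:
        return f"rejected: variant of breached password '{root}'"
    return "accepted by ban-list check (length and entropy rules still apply)"


if __name__ == "__main__":
    for pw in ["P@55w0rd1", "Pr1nc3ss2013", "CorrectHorseBatteryStaple",
               "123456", "squeamish-ossifrage-42"]:
        print(f"{pw:28s} {check_password(pw)}")
```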
 
2013-11-05 01:39:20 PM
What's wrong with very long cat-like keyboard mashings kept in an obscure text file?
 
2013-11-05 01:51:43 PM

lordargent: Especially since people still use stupid passwords.

http://grahamcluley.com/2013/11/top-50-passwords-adobe-security-breach/


Password #21 is the same password that I use on my luggage.
 
2013-11-05 02:18:39 PM

lordargent: Especially since people still use stupid passwords.

http://grahamcluley.com/2013/11/top-50-passwords-adobe-security-breach/


ctrl-F love, sex, secret, and God fail.
I guess people read the memo.
 
2013-11-05 02:34:09 PM

my_cats_breath_smells_like_cat_food: How about a fairly unusual English-language word, that is relatively long (let's say 9 letters), with an intentional misspelling, and one number and one symbol thrown in at the beginning and end?

Would that be better or worse than correct horse battery staple?

/Part of me wishes I had gone into a crypto path in college and career...always loved codes and breaking them
//Girl in 8th grade signed a buddy's yearbook in some "wiccan code"...it looked like a replacement code at first glance, so I spent the next 30 minutes of class trying to crack it, with complete success
/"Sequences and Series" was far and away my favorite part of calculus


Intentional misspellings (that aren't common misspellings) are probably good, especially if they are completely different letters instead of phonetically similar letters (plus your example is probably part of a place name so would be in a dictionary attack). Adding a couple of random characters/numbers/symbols onto the beginning/end of a word increases things somewhat in complexity, but most common combinations like that will be part of a hybrid attack (dictionary attack augmented by brute forcing different formats of additions and alterations to a single root password).

Existing phrases tend to be pretty weak passwords, as they probably show up in imdb, gutenberg, wikipedia, or wherever, so any hacker that has a dictionary farmed from such sources will break such types of password relatively quickly.

The reason for suggesting the "correct horse battery staple" style password is because it is relatively quick and reliable to type for most people that use computers regularly, and they tend to be relatively easy to remember as you are remembering four things (each word) instead of the five/six your example requires, but relatively hard for an attacker to work through all the possibilities due to multiplier effect. If we assume the hacker knows the format of our password for some reason, then your suggestion gives you about 20 possibilities for the special characters, 10 for the numbers, double it for not knowing the order, and then repeat for the end additions plus a dictionary search for the word, generally most words people use for a password (unless they get out a dictionary and go to a random page) will be hit within about 10000 tries, so you are talking about 100 million attempts to crack, plus whatever advantage your letter change gets you.

Conversely getting the first word of a non-predictable set of four words takes 10k attempts, getting the first two at the same time is 100m, getting your three words at the same time is 1 trillion and all four words at once is 10 quadrillion.

Basically the limitation of adding individual numbers and symbols is that each one doesn't add a lot of possibilities to a brute force attack for each part of the password you have to remember, whereas adding more words means an entire extra dictionary attack on each word you add.
 
2013-11-05 02:41:44 PM
If you haven't seen this yet...it's fun:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

/my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack
 
2013-11-05 02:46:31 PM
Best TOS Episode:  The correct answer is The City on the Edge of Forever.  All other opinions are incorrect.
 
2013-11-05 03:12:29 PM

FarkGrudge: If you haven't seen this yet...it's fun:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

/my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack


If I use Czech words, it'll take 2 months to crack.
"cerny piva" is "dark beer," my favorite beer.

C3rnyP!va

If I used a sentence, "I hate North Carolina," that'll take around a million years to crack.  Hating on NC it is!
 
2013-11-05 04:00:30 PM
FarkGrudge: /my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack


Here are mine.

Throwaway Password: It would take about 54 seconds to crack your password.
Normal Password: It would take about 121 years to crack your password.
Paranoid Password: It would take about 3902 years to crack your password.

// The paranoid password is over 15 characters - but I type 100 WPM and as per a previous post, my passwords are based on patterns on the keyboard.

// After years of playing video games, entering codes, pulling off combos in fighting games, etc., my passwords are basically muscle memory. I don't even know what the actual characters are that I'm typing (since I can type, I don't look at the keyboard).
 
2013-11-05 04:02:33 PM

FarkGrudge: If you haven't seen this yet...it's fun:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

/my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack


correcthorsebatterystaple -> 144883728 years
my main PW -> 1 day
my throwaway PW -> 1 hour
 
2013-11-05 04:07:51 PM
A quick google search and I found an example.

www.geekscribes.net
There, that's a 17-character password right there.

Alternate the casing and throw an exclamation mark on the front and end and you have a 19-character password that's easy to remember, but looks like complete gibberish and isn't going to get cracked anytime soon.

!234EsZxC678uHbNjY!

"It would take about 12486848136 years to crack your password."

// alternating the casing in a predictable pattern (e.g., every other char, or just vowels, etc.) makes the password less secure. But these passwords are already in the realm of ridiculous cracking time (for now) so carry on.
 
2013-11-05 04:08:37 PM
Interesting.. if I use the password "MyPenisHuge" it would take about 390 years.
 
2013-11-05 04:32:15 PM

wjllope: FarkGrudge: If you haven't seen this yet...it's fun:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

/my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack

correcthorsebatterystaple -> 144883728 years
my main PW -> 1 day
my throwaway PW -> 1 hour


"CONGRATULATIONS!
It would take about 8.446555008845876e+29 years to crack your password."

AND it's a dead easy phrase to remember. I'll take it.
 
2013-11-05 05:15:46 PM
I see a lot of people posting about how their password is based on some kind of pattern. From what I've been reading lately, that probably isn't going to help. Password-cracking is getting scary-powerful. I'm questioning every password I've got. People are putting passwords into strength checkers and thinking theirs is good enough if a brute force attack takes thousands of years. Nobody does naive brute force attacks anymore. Even "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" isn't safe anymore. Intel says it will take 1.2069884584481359e+57 years to crack but it has already been done.
 
2013-11-05 05:49:37 PM

lordargent: A quick google search and I found an example.

[www.geekscribes.net image 620x261]
There, that's a 17-character password right there.

Alternate the casing and throw an exclamation mark on the front and end and you have a 19-character password that's easy to remember, but looks like complete gibberish and isn't going to get cracked anytime soon.

!234EsZxC678uHbNjY!

"It would take about 12486848136 years to crack your password."

// alternating the casing in a predictable pattern (e.g., every other char, or just vowels, etc.) makes the password less secure. But these passwords are already in the realm of ridiculous cracking time (for now) so carry on.



Yeah, but who will be laughing when I finally crack your password in 12,486,848,136 years?!  Ha!  Gotcha!
 
2013-11-05 06:57:13 PM
downstairs: Yeah, but who will be laughing when I finally crack your password in 12,486,848,136 years?! Ha! Gotcha!

Sorry, I will have changed my password in, ohh, the next 100 or so years.

So you're aiming at a moving target, by the time you're way into your crack, the target has moved.
 
2013-11-05 07:41:38 PM
CSB

Back when I worked as a computer repair guy, I once had a laptop computer running Vista that had a password on the user account. There wasn't any contact phone number on the work order so I couldn't call the customer to ask for her password. I had an XP password cracker that just replaced the password with whatever I wanted but I didn't have something for Vista and I didn't want to waste time.

Her password hint was "maiden name" so I Googled her current name and the first match was the wedding announcement on the New York Times website from about six years before. Along with the photo of the young couple (the person who checked it in verified it was her), there was her password in plain sight: "Mr. and Mrs. McDonald are pleased to announce the marriage of their daughter Mary to..."

I typed "mcdonald" and I was in. I fixed whatever it was that needed fixing and she picked up her laptop a day or two later none the wiser.

/CSB

// Names changed to protect the innocent, etc.
 
2013-11-05 10:28:14 PM
Reminds me of looking at a list of "hacked" Minecraft usernames and passwords. SOOOO many of them are "minecraft" "dragon" etc.
 
2013-11-06 12:19:59 AM

Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.


That word isn't in the dictionary.

You're suggesting that a dictionary attack would attempt to combine English words?

OK, great idea, professor. Even if we assume there to be 4 words from the start, that leaves 12117361000000000000000000000000 different combinations. (59 million English words in the Webster dictionary).

Do you think that would take a little while to use a dictionary attack against, yes?
 
2013-11-06 01:09:51 AM

spawn73: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.

That word isn't in the dictionary.

You're suggesting that a dictionary attack would attempt to combine English words?

OK, great idea, professor. Even if we assume there to be 4 words from the start, that leaves 12117361000000000000000000000000 different combinations. (59 million English words in the Webster dictionary).

Do you think that would take a little while to use a dictionary attack against, yes?


Give this Ars Technica article a read. It was quite eye-opening: Link
 
2013-11-06 01:36:37 AM
spawn73: That word isn't in the dictionary.

Dictionary attacks don't just use 'dictionary' words anymore.

Now it's a dictionary attack because the hacker/cracker is building their own dictionary of words to attempt (for example, taking lists of words revealed from security lists and adding them to their dictionary).

// using a dictionary is just a starting point. The whole idea though is to use lists of words/phrases that people are likely to use as their passwords (which is why using "correct horse battery staple" now is actually a bad idea, because that phrase has likely been entered into every hacker's dictionary).
 
2013-11-06 01:47:31 AM

Tobin_Lam: spawn73: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.

That word isn't in the dictionary.

You're suggesting that a dictionary attack would attempt to combine English words?

OK, great idea, professor. Even if we assume there to be 4 words from the start, that leaves 12117361000000000000000000000000 different combinations. (59 million English words in the Webster dictionary).

Do you think that would take a little while to use a dictionary attack against, yes?

Give this Ars Technica article a read. It was quite eye-opening: Link


I know the article.

I think you should read it again actually, because Horse Correct Battery Stable is not a sentence. It's 4 random words. Which brings us back to 12117361000000000000000000000000 different combinations using the English dictionary. And that's being generous and not allowing for each word to be case sensitive.

Now realise that the password is stored using a one-way hash, so you have to run the hash for each attempt. And that's if security is lax. Otherwise the hash is salted.


I'm sorry if I come across as lecturing you. I shouldn't, but rather the guy I replied to. Since you obviously read about the subject, and have a casual understanding. But the guy I replied to should know that the guy behind XKCD is a brilliant mathematician, i.e. notice the subject of his comics. Attacking the logic behind his password suggestion is a bit naive.
 
2013-11-06 09:33:48 AM

spawn73: Tobin_Lam: spawn73: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.

That word isn't in the dictionary.

You're suggesting that a dictionary attack would attempt to combine English words?

OK, great idea, professor. Even if we assume there to be 4 words from the start, that leaves 12117361000000000000000000000000 different combinations. (59 million English words in the Webster dictionary).

Do you think that would take a little while to use a dictionary attack against, yes?

Give this Ars Technica article a read. It was quite eye-opening: Link

I know the article.

I think you should read it again actually, because Horse Correct Battery Stable is not a sentence. It's 4 random words. Which brings us back to 12117361000000000000000000000000 different combinations using the English dictionary. And that's being generous and not allowing for each word to be case sensitive.

Now realise that the password is stored using a one-way hash, so you have to run the hash for each attempt. And that's if security is lax. Otherwise the hash is salted.


I'm sorry if I come across as lecturing you. I shouldn't, but rather the guy I replied to. Since you obviously read about the subject, and have a casual understanding. But the guy I replied to should know that the guy behind XKCD is a brilliant mathematician, i.e. notice the subject of his comics. Attacking the logic behind his password suggestion is a bit naive.


You keep throwing out big numbers like they matter. Sure there are lots of combinations of words but they aren't all equally probable. People are going to use words and phrases that are more familiar and that eats into your big number quite a bit.
 
rpm
2013-11-06 10:16:40 AM

spawn73: Now realise that the password is stored using a one-way hash


Or 3DES-ECB

Or plain text
 
2013-11-06 11:40:44 AM
43 comments and no reference to Data's encryption lock in "Brother"? For shame, Fark.
 
2013-11-06 07:11:27 PM

FarkGrudge: If you haven't seen this yet...it's fun:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

/my "throwaway" password takes only 0.0018 seconds to crack
//even my "good" password takes only 1 hour to crack




Oh man! This is my new favorite game! At least for a few more minutes

My prior example came back as 1 day
CHBS came back as ridiculously long (probably already posted, hundreds of millions or billions of years)
Password came back as zero seconds, hehe
 
2013-11-06 07:16:02 PM
Ha!

96 quintillion for:

itsnotthesizeitshowyouuseit!
 
2013-11-06 07:35:01 PM

Tobin_Lam: spawn73: Tobin_Lam: spawn73: Cozret: Misch: Ishidan: Accurate equine says what?

Correct Horse Battery Staple (7, 5, 7, 6)

Great against a brute force attack, not so good against a dictionary based attack. The bottom line is passwords suck for security.

That word isn't in the dictionary.

You're suggesting that a dictionary attack would attempt to combine English words?

OK, great idea, professor. Even if we assume there to be 4 words from the start, that leaves 12117361000000000000000000000000 different combinations. (59 million English words in the Webster dictionary).

Do you think that would take a little while to use a dictionary attack against, yes?

Give this Ars Technica article a read. It was quite eye-opening: Link

I know the article.

I think you should read it again actually, because Horse Correct Battery Stable is not a sentence. It's 4 random words. Which brings us back to 12117361000000000000000000000000 different combinations using the English dictionary. And that's being generous and not allowing for each word to be case sensitive.

Now realise that the password is stored using a one-way hash, so you have to run the hash for each attempt. And that's if security is lax. Otherwise the hash is salted.


I'm sorry if I come across as lecturing you. I shouldn't, but rather the guy I replied to. Since you obviously read about the subject, and have a casual understanding. But the guy I replied to should know that the guy behind XKCD is a brilliant mathematician, i.e. notice the subject of his comics. Attacking the logic behind his password suggestion is a bit naive.

You keep throwing out big numbers like they matter. Sure there are lots of combinations of words but they aren't all equally probable. People are going to use words and phrases that are more familiar and that eats into your big number quite a bit.




I am in no way an expert, but I think part of the security is from not putting spaces between the words, so that a potential cracker can't know he is trying to hack 4 words; it is just one long-ass string of letters that isn't a known word or common phrase.

Even if the computer starts with "correct" it wouldn't have any hint at the next part of the password being horse.

Of course nowadays CHBS is probably a common password and part of a dictionary attack.
 