Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"
  • XKCD (Score:0, Informative)

    by Anonymous Coward on Friday May 18, 2012 @07:33PM (#40047401)

    The problem I have with that comic is that the "strong" password is lowercase only.

    Sure, it's 28 characters, but it's still lowercase only.
    That makes it a lot weaker, no? I personally use a 17 character long password (for anything important) at this time, being somewhat random and including lowercase, uppercase, numbers and special characters. If there is one thing I have seen from hashtables, it's that adding in special characters makes it a lot harder, and sometimes outside the realm of possible.
    Never mind that if you know the person is using special characters, you're still gonna have a lot longer time cracking; if you know he is only using words, with the help of dictionary attacks you're gonna run through them a lot faster.

    Oh, and the way I manage to remember my long password is that I take the short, I assume random, passwords that I have been forced to remember for a few years, like for school, and add those together with a special character in between. Makes it very doable to remember.

  • by The Raven ( 30575 ) on Friday May 18, 2012 @07:39PM (#40047453) Homepage

    The reason to avoid understandable sentences is they have extremely low entropy per character. Or, put another way, they are easier to hack than their length would indicate. An xkcd password has about 1.5 bits per character of entropy; a normal English sentence has as low as 0.6 to 1.3 bits per letter, according to one study [wikipedia.org]. Given the simple and trite short sentences people would use for passwords, it's likely closer to 0.6, or about 20 bits of entropy for your example 'chicken' password, compared to 44 bits for a shorter xkcd password [xkcd.com].

  • What puzzles me... (Score:4, Informative)

    by jbwolfe ( 241413 ) on Friday May 18, 2012 @07:40PM (#40047461) Homepage
    ...is why it is all so difficult to come up with some scheme to secure internet accessible resources. Corporate policy for me requires password changes every 90 days and disallows any of the last eight passwords, and the use of letters and numbers. Effectively, I'm forced to write it down, negating all their efforts at obscurity. When will some bright CS geek invent a real solution to this problem? Is it that hard? Can't it be as simple as probing me for dynamic info that only I would know? How about visual methods: ask me who's in this picture of my co-workers or what this family snapshot from my past is, etc.?
  • Re:XKCD (Score:5, Informative)

    by spazdor ( 902907 ) on Friday May 18, 2012 @07:44PM (#40047481)

    Sure, it's 28 characters, but it's still lowercase only.
    That makes it a lot weaker, no?

    It makes it weaker by a factor of about 2^28.
    Which sounds like a lot, but when the lowercase password space is already 26^28, it's not much.

    XKCD's math is sound.

  • Re:XKCD (Score:4, Informative)

    by Zocalo ( 252965 ) on Friday May 18, 2012 @07:50PM (#40047539) Homepage
    Well, you can probably blame Little Bobby Tables [xkcd.com] for that. Depending on the programming language there are plenty of "control characters" in the ASCII 32-126 range, and it's much easier when deadlines are pressing to just restrict input to alphanumerics than try and sanitize against passwords that contain some variant of "'); drop table students;"
  • Re:Wrong (Score:5, Informative)

    by wrook ( 134116 ) on Friday May 18, 2012 @07:55PM (#40047569) Homepage

    The average adult that has been to University knows 20,000 head words. A head word is a group of words with essentially the same meaning. For example, expect, expectation, is expecting, etc. are all one head word. 26^7 is a little bit over 8x10^9. If a user picks 4 headwords for their passphrase, the search space is 20000^4 or 1.6x10^17. And that's if we just use headwords. If the user uses variations the search space is rather huge.

    You might say that 20,000 headwords includes a lot of strange vocabulary. But for instance, to get 95% vocabulary coverage in reading a newspaper you need just under 16,000 headwords. However, even if we restrict vocabulary to the most common 5,000 headwords (the average vocabulary of a 5 year old) we get a search space of 6.25x10^14.

    XKCD style passphrases are dramatically more robust than a 7 character alphabetic password.

  • by sexconker ( 1179573 ) on Friday May 18, 2012 @08:14PM (#40047695)

    Funny.

    According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

    Whereas the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is, if it wasn't already on the internet for everyone to see and try.

    That estimate is generated by assuming brute force and a specific character set that contains all of your input characters.
    No one cracks passwords starting with brute force.

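The entropy arithmetic that runs through The Raven's, spazdor's, wrook's and sexconker's comments, worked through as an added Python example (this is not code from the thread, from the Passfault project, or from any poster). It reproduces the thread's figures (26^7, 20000^4, 5000^4, the 2^28 factor for adding uppercase, the 44 bits of the xkcd passphrase as 4 words from a 2048-word list) and then shows sexconker's point: the same passphrase gets a huge strength estimate when measured as brute force over every character class it contains, and a far smaller one when measured against the word-level search space an attacker would actually use. The 20,000-headword dictionary size and the space-separated word split are assumptions taken from the thread, and the 10^9 guesses/second rate is a constructed illustration, not a measurement.

```python
import math

# Printable ASCII 32-126 is 95 characters: 26 lower, 26 upper, 10 digits and
# 33 symbols (space and punctuation). Each entry: (class size, membership test).
CHAR_CLASSES = {
    "lower": (26, str.islower),
    "upper": (26, str.isupper),
    "digit": (10, str.isdigit),
    "symbol": (33, lambda c: 32 <= ord(c) <= 126 and not c.isalnum()),
}


def charset_bits(length, alphabet_size):
    """Bits of entropy for `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_bits(word_count, dictionary_size):
    """Bits of entropy for `word_count` words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def observed_alphabet(password):
    """Alphabet size a naive brute-force estimator assumes: the sum of every
    character class that appears at least once in the password."""
    return sum(size for size, member in CHAR_CLASSES.values()
               if any(member(c) for c in password))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def two_estimates(password, dictionary_size=20000):
    """Return (brute_force_bits, word_model_bits) for the same password.

    brute_force_bits: what a character-class brute-force estimator reports.
    word_model_bits: the search space if the attacker guesses whole words
    from a dictionary of `dictionary_size` entries (assumption: words are
    separated by spaces, as in the thread's examples).
    """
    brute = charset_bits(len(password), observed_alphabet(password))
    words = password.split()
    model = wordlist_bits(len(words), dictionary_size)
    return brute, model


if __name__ == "__main__":
    rate = 1e9  # constructed illustration: one billion guesses per second

    print("7 lowercase letters      : %.1f bits, %.0f seconds at 1e9/s"
          % (charset_bits(7, 26), expected_crack_seconds(charset_bits(7, 26), rate)))
    print("28 lowercase letters     : %.1f bits" % charset_bits(28, 26))
    print("28 mixed-case letters    : %.1f bits (+%.0f bits for adding uppercase)"
          % (charset_bits(28, 52), charset_bits(28, 52) - charset_bits(28, 26)))
    print("4 words from 20000       : %.1f bits" % wordlist_bits(4, 20000))
    print("4 words from 5000        : %.1f bits" % wordlist_bits(4, 5000))
    print("4 words from 2048 (xkcd) : %.1f bits" % wordlist_bits(4, 2048))

    phrase = "This chicken tastes like shit!"
    brute, model = two_estimates(phrase)
    print("\n%r" % phrase)
    print("  brute force over observed classes: %.1f bits" % brute)
    print("  word model, 20000-word dictionary: %.1f bits" % model)
```

The gap between the two estimates for the same phrase is the whole argument: a strength meter that assumes brute force over a character set rewards a sentence for containing a capital letter and a "!", while the search space an attacker who guesses words actually faces is governed by the dictionary size and the word count, which is also why a passphrase that is already published is worth nothing regardless of either number.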
  • by wisnoskij ( 1206448 ) on Friday May 18, 2012 @10:20PM (#40048491) Homepage

    Well you simply cannot memorise all the passwords that a modern computer user has to use no matter what style you use if you are not taking risks or a memory expert. That is why you need password vaults, or post it notes.
