Bruce Schneier, Choosing Secure PasswordsĮxcuse me, Bruce, but the entropy calculation for this password scheme is based on the absolute worst case scenario: that the attackers knows exactly which words you have to choose from, and attempts to guess every possible combinations from the known dictionary. The password crackers are on to this trick. This is why the oft-cited XKCD scheme for generating passwords - string together individual words like "correcthorsebatterystaple" - is no longer good advice. Modern password crackers combine different words from their dictionaries: Is it?īruce Schneier completely missed the point: If you are paranoid and want to feel better, use five.īruce Schneier says this password scheme is broken. It is unlikely that your attacker can reach anywhere close to a million guesses a second, and so a four word password (from the large list) is probably sufficient in real life. In practice, most real life systems use secure password hashing algorithms, captchas, and other mechanisms to stop password cracking. If you have to, you can simply add more words. Unless you possess highly valuable secrets that makes this sort of effort worthwhile (you should use something more secure than passwords in such a case), you don't have to worry about this hypothetical scenario. Running this sort of attack is prohibitively expensive. Even then, this scheme will resist the cracking attempt for over a year. Let us consider the absolute worst case, assuming the attacker knows your password is generated by this site, knowing that it has 65 bits of entropy, your password was insecurely hashed, and your enemy has GPUs to run 500 billion attempts every second. To increase security, we can always add more words.ĥ words from the large list, or 6 words from the small list is sufficient for all reasonable threats. The point is that, correcthorsebatterystaple is more memorable than n98idhi3n, for approximately equal security. This is true if your 9 character password is truly random, such as n98idhi3n, and not say, Tr0ub4d0r. There are also claims that correcthorsebatterystaple is as secure as a 9 character password, which sounds fairly bad. However, most of them fail to get the actual point. There is a lot of criticism on the internet about this password scheme.
RANDOM PASSWORD GENERATOR XKCD CRACKED
The core idea is that while using a single dictionary as a password is horribly insecure and can be cracked in seconds, each additional word makes cracking exponentially harder. Another way is to make the password longer, but keeping it simple, as the following xkcd comic shows: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize. One way of increasing entropy is to make passwords more complicated. The higher the entropy, the harder it is to guess the password. We make password difficult to guess by increasing entropy - the degree of uncertainty in the password. We tend to associate secure passwords with complicated and hard-to-remember passwords.
0 kommentar(er)
