XKCD and Password Strength

Most of my blogs start when I’m annoyed by something. In this case, this article. http://www.guardian.co.uk/technology/2012/oct/05/online-security-passwords-tricks-hacking

I love XKCD, and it makes many valid points. However, when all is said and done, it’s a webcomic. I really doubt the author is actually expecting us to take it as literal life advice. He’s probably more aiming to make a point and get us thinking and/or laughing.

Which is why I’m a bit worried about how much this (http://xkcd.com/936/) is getting quoted as a serious proposal. (If you haven’t seen the cartoon, take a look – xkcd is excellent). Because it makes a very valid point, but the maths doesn’t stand up in the real world.

Why? Because hackers are people, not computers. And when their victims change tactics, so do the hackers.

The current situation is this: we’ve all been trained to use random letters, numbers, characters, a mix of upper and lower case – like “a7@!f[)d5”. And you do that, right? (Right? No, me neither). So hackers will first try a simple dictionary attack to check for people dumb enough to use a plain-English word, and then they’ll try combinations similar to words with the standard replacements (“s1mpl3r”). If that fails, they can use a brute-force attack – try every combination.

Let’s look at the maths. Suppose you choose an 8-character password made of any valid ascii characters. Then the universe of possibilities is 255^8, or about 1.8e19. That’s a lot of possibilities. Now suppose you choose any 4 English words from the Concise Oxford English dictionary – about 240,000 words, separated by spaces. The average word length is about 5, so you’ll have a 23-character password. A brute-force attack has to deal with 255^23, which is 2.2e55 possibilities – MUCH better, right? That’s 10^36 times better – or 1,000,000,000,000,000,000,000,000,000,000,000,000 times better.

So should we all switch over? Sadly, no. Because if we all switch, so will hackers. If hackers know that most people pick a string of English words, they won’t do a character-by-character attack. They’ll change their behaviour to do a word-by-word attack. Then for a 4-word password, you have 240000^4 possibilities, or about 3.3e21. A bit better than the 8-character password, but only by a factor of about 100. Not too different.

Now let’s be a bit more realistic. Assume, like most people, you usually use only letters and numbers in your passwords. Then an 8-character password has about 2.2e14 combinations. Now assume you only use words in your vocabulary rather than using a dictionary: maybe 15000^4, which is 5.1e16. Again, only a little better than the current situation.

Now you can argue that there are many more than 240,000 words in the full dictionary, and if you use the full set of words the number of possibilities go up. Which is true. On the other hand, are you really likely to pick four words at random from a full multi-volume encyclopedia or are you going to think of four words that spring to mind? 15,000 is probably an overestimate to be honest.

Then again, most people aren’t using all the full range of characters to make up their passwords now. So is the option of using words worse? No, it’s not worse. For now, it’s even a little better. But if we all switch, then it’ll be about the same.

Having good passwords is an arms race. As we discover better passwords, hackers discover better attacks. There’s no magic bullet. Choose something you can live with, and be prepared to change your strategy as the attacks change. And don’t believe everything you read, especially if it was written as a webcomic.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s