The short XKCD password is based on a dictionary word, making it vulnerable to intelligent brute force (oxymoron of the day).

I imagine the calculation goes something like this:

  1/50000     Likelihood of a particular uncommon word
  1/8         Substitute up to three letters for numbers
  1/2         Initial capital or initial lowercase
  1/32        Add a punctuation character at the end
  1/10        Add a digit at the end
  1/2         Possibly swap punctuation and digit at the end
  ----------------------------------------------------------
  1/512000000 Resulting probability
  -28.93157   log2(1/512000000) -- number of bits of entropy
So, if e.g. XKCD assumed only 25000 uncommon words to choose from, that would give ~28 bits of entropy.



Thanks for the thorough answer! I originally missed the part about using a real word as the base.

For my passwords, I use 8 character random strings so hopefully I am a little safer. Although, as I'm learning from all of these password leak debacles, you are only as secure as the systems using those passwords.
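As an added example (not written by either commenter), the calculation from the first comment carried through in Python, next to the 8-character random strings the reply mentions and a Diceware-style passphrase for scale. The 62/95-character alphabets, the 2048-word list and the guess rate are assumptions, not figures from the thread.

```python
from math import log2

# Choice counts taken from the comment's table: each factor is the inverse
# of the listed probability (1/50000 -> 50000 equiprobable base words, ...).
XKCD_STYLE_FACTORS = [
    ("uncommon base word", 50_000),
    ("substitute up to three letters for numbers", 8),
    ("initial capital or lowercase", 2),
    ("trailing punctuation character", 32),
    ("trailing digit", 10),
    ("order of punctuation and digit", 2),
]


def scheme_entropy_bits(factors):
    """Entropy of a scheme built from independent, uniform choices.

    factors: list of (label, number_of_equiprobable_choices).
    Entropies of independent choices add, so this is sum(log2(choices)),
    which equals log2 of the product shown in the comment's table.
    """
    total = 0.0
    for label, choices in factors:
        if choices < 1:
            raise ValueError(f"{label}: need at least one choice, got {choices}")
        total += log2(choices)
    return total


def random_string_entropy_bits(length, alphabet_size):
    """Uniformly random string of `length` symbols from an alphabet."""
    return length * log2(alphabet_size)


def passphrase_entropy_bits(words, dictionary_size):
    """Diceware-style passphrase: `words` uniform picks from a word list."""
    return words * log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a fixed guess rate.
    This is an upper bound: an attacker who knows the scheme needs on
    average half of it, and non-uniform user choices shrink it further."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(f"XKCD-style word scheme : {scheme_entropy_bits(XKCD_STYLE_FACTORS):.2f} bits")
    print(f"8 random alphanumerics : {random_string_entropy_bits(8, 62):.2f} bits")
    print(f"8 random printable     : {random_string_entropy_bits(8, 95):.2f} bits")
    print(f"4-word passphrase      : {passphrase_entropy_bits(4, 2048):.2f} bits")
```

All three estimates assume the attacker knows the scheme and that every choice is uniform; a real user's pick of base word or substitution pattern is far from uniform, so these are ceilings rather than what a cracking run will actually face.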



