
> passwords are either easy for computers to crack or hard for humans to remember

Obligatory xkcd comic: https://xkcd.com/936/



I loathe whenever people post that comic for one simple reason.

Although mathematically the password given in the comic has a higher entropy and would take more time to crack under normal circumstances, the problem is that it follows a very simple and easily describable pattern: smash (four) dictionary words together into a combination.

Crackers will simply start using wordlist rules to generate large lists of meshed together dictionary words and use them if they have good reason to believe you're using this pattern (pretty sure it's simple with tools like Crunch). Whether they'll guess the proper order is unknown, but as with any other case people will use certain permutations and combinations more than others.


The point is you're supposed to use truly random word combinations since those are at least memorable.

  $ wc -l /usr/share/dict/words
  119095
  $ python -c 'print(119095 ** 4)'
  201175048646341950625
  $ python -c 'print(85 ** 10)'
  19687440434072265625
So, even if your target is known to be using this scheme in pure form, this has more entropy than a completely random 10-digit password (assuming ~85 characters) -- and who would actually be using such a thing, except someone using a password management program - who could just as easily be using a 20-character random password?

So even if it becomes known, it's an improvement on what users are doing now.


Can never turn down an opportunity for a one-liner.

  $ perl -E 'open(my $fh, "<", "/usr/share/dict/words"); my @words = map {chomp; $_} <$fh>; close $fh; say join " ", map {$words[int rand @words]} 1..4'
  menu chemists administrative seeps
Might have to run it a couple of times before you get something that you can memorize.


You shouldn't use a non-cryptographically secure random number generator (perl's rand) in the context of password generation. It's too risky.


Ew.

    shuf -n 4 /usr/share/dict/words | tr -dc 'A-Za-z0-9'


You can use a dictionary of the most common 10000 words, you'd still have loads of entropy.
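The entropy arithmetic in this thread (119095^4 vs 85^10, and the "most common 10000 words" variant), plus the objection to Perl's `rand`, can be put into one script. This is an added example, not code posted by anyone in the thread: it draws words with Python's `secrets` module (which reads the OS CSPRNG) rather than a seeded PRNG, and it counts the words actually usable after dropping possessives and duplicates, since that is the number the entropy figure must be based on. The built-in word list is a constructed stand-in for `/usr/share/dict/words`, and the 1e10 guesses per second used for the crack-time estimate is an assumed offline cracking rate, not a figure from the thread.

```python
import math
import os
import secrets

# Constructed stand-in for /usr/share/dict/words so the example runs offline.
# load_wordlist() reads the real file when it exists.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "menu", "chemists",
    "administrative", "seeps", "anvil", "cobalt", "drizzle", "fathom",
    "glacier", "harbor", "ignite", "juniper", "kettle", "lantern",
]


def load_wordlist(path="/usr/share/dict/words", fallback=SAMPLE_WORDS):
    """One word per line; drop possessives ("cat's"), non-ASCII and
    case duplicates. The effective list size, not `wc -l`, sets the entropy."""
    if not os.path.exists(path):
        return list(fallback)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = (w.strip() for w in fh)
        return sorted({w.lower() for w in words if w.isascii() and w.isalpha()})


def bits_of_entropy(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options.
    Assumes the attacker knows the scheme and the list (the comic's threat model)."""
    return count * math.log2(choices)


def search_space(choices, count):
    """Exact number of candidates the attacker must enumerate."""
    return choices ** count


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit a uniformly chosen secret: half the search space."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(words, n_words=4):
    """Pick words with secrets.choice (os.urandom underneath).
    random.choice or Perl's rand are seeded PRNGs and must not be used here."""
    if len(words) < 2:
        raise ValueError("wordlist too small to be meaningful")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def is_from_wordlist(phrase, words):
    """Sanity check that every word of a generated phrase came from the list."""
    vocab = set(words)
    return all(w in vocab for w in phrase.split(" "))


if __name__ == "__main__":
    words = load_wordlist()
    n = len(words)
    print(f"{n} usable words")
    RATE = 1e10  # assumed offline guesses/s for a fast hash; not from the thread
    for label, bits in [
        (f"4 words from {n}", bits_of_entropy(n, 4)),
        ("4 words from top 10000", bits_of_entropy(10000, 4)),
        ("10 random chars, 85-symbol set", bits_of_entropy(85, 10)),
        ("8 random chars, 85-symbol set", bits_of_entropy(85, 8)),
    ]:
        days = expected_crack_seconds(bits, RATE) / 86400
        print(f"{label:34s} {bits:6.1f} bits  ~{days:.3g} days at {RATE:.0e}/s")
    print(generate_passphrase(words))
```

Running it against a real system dictionary usually shows a noticeably smaller usable count than `wc -l` reports, because the file carries possessive forms and capitalised duplicates; the entropy column adjusts accordingly, which is the check a practitioner wants before quoting "67 bits".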


The whole point of the comic is that even with that known "simple pattern," you still get higher entropy than a normal password.

Obviously a random 64 character string would beat either of them, but if you're expecting a human to memorize a password, correct horse battery staple is clearly preferable.


I think you've missed the point.

There are more possible permutations of four words than permutations of 10 upper/lowercase letters, digits, and common symbols. The four random word approach is harder to crack.


I also add digits, some punctuation, a misspelling or two and the words are not in English. Oh, and I've got different passwords everywhere.



