Correct-Horse-Battery-Staple Is Wrong


Christoph Scholz link CC BY-SA 2.0 license

XKCD is a fun and entertaining comic strip that is aimed at tech nerds and can at times provide bits of science and technology education. However, it is not always right.

For example, this comic strip provides advice for choosing a password, and it is simply wrong.

The method proposed is to pick four common words, in this case: correct-horse-battery-staple and make that your password. XKCD claims that this is a very strong password but you would be wrong to think so.

XKCD Password Strength

The average vocabulary of an English speaker might be about 15,000 words. If you choose a 4-word password then you would have about 15,000 choices for each one.

The total password space is therefore 15000^4 = 5 x 10^16 combinations.

In all honesty it is better to choose from common and easy to remember words and this is the advice that XKCD gives.

For example, no one is going to choose ecumenical-virology-assuage-malefactor as their password, it's going to be something more along the lines of apple-truck-ladder-cat.

So this will reduce that word space, possibly down to something like 2000 or so for a typical person.

The actual total password space is likely reduced down to something like 2000^4 = 1.6 x 10^13 combinations.


Pexels.com link CC0 license

Normal Password Strength

The typical advice for choosing passwords these days is to make it something like 7 or 8 characters long and to choose from the lowercase alphabet (a-z), the uppercase alphabet (A-Z), the set of digits (0-9) and from all of the symbols on your standard keyboard (e.g. ~ @ $ % ^ & etc.).

There are 26 lowercase letters, 26 uppercase letters, 10 digits and about 32 symbols. This all adds up to 94 characters from which to choose your password.

The total password space is therefore 94^8 = 6.1 x 10^15 combinations.

This password space is almost 400 times larger than the XKCD password space.

If you are paranoid and you crank your passwords up to 10 characters, that password space is now a very large 94^10 = 5.4 x 10^19 passwords. This is 3.3 million times larger than the XKCD password space.
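The keyspace arithmetic above, and the "treat each word as the random unit" attacker model the author spells out in the comments, as an added worked example (not code from the original post). It uses only the post's own figures (15,000-word vocabulary, 2,000-word typical dictionary, 94-character keyboard alphabet) and also computes the crossover: how many dictionary words are needed before the word-based space catches up with a random character password.

```python
import math

# Figures taken from the post: 15,000-word vocabulary, 2,000-word "typical"
# dictionary, 94-character keyboard alphabet, 8- and 10-character passwords.
VOCABULARY = 15_000
TYPICAL_DICTIONARY = 2_000
KEYBOARD_ALPHABET = 26 + 26 + 10 + 32  # 94


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover when every position is drawn
    uniformly from alphabet_size symbols (letters, or whole words)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Fewest words from a dictionary of dictionary_size whose keyspace
    reaches at least target_bits (the crossover with a random password)."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def naive_keyspace(passphrase: str, sep: str = "-") -> int:
    """Space faced by an attacker who treats each letter as the random unit
    (26 lowercase letters, separators not counted): the 'more letters means
    stronger' view that the post argues against."""
    letters = passphrase.replace(sep, "")
    return keyspace(26, len(letters))


def informed_keyspace(passphrase: str, dictionary_size: int, sep: str = "-") -> int:
    """Space faced by an attacker who knows the scheme and treats each
    dictionary word as the random unit: dictionary_size ** number_of_words."""
    return keyspace(dictionary_size, len(passphrase.split(sep)))


def compare(dictionary_size: int, words: int, alphabet_size: int, length: int) -> float:
    """How many times larger the character-based space is than the word-based one."""
    return keyspace(alphabet_size, length) / keyspace(dictionary_size, words)


if __name__ == "__main__":
    print(f"2000^4 = {keyspace(TYPICAL_DICTIONARY, 4):.1e}, "
          f"94^8 = {keyspace(KEYBOARD_ALPHABET, 8):.1e}, "
          f"ratio = {compare(TYPICAL_DICTIONARY, 4, KEYBOARD_ALPHABET, 8):.0f}")
    print("words from a 2000-word list needed to match a random 10-char password:",
          words_needed(TYPICAL_DICTIONARY, entropy_bits(KEYBOARD_ALPHABET, 10)))
```

For correct-horse-battery-staple the letter-level view gives 26^25 candidates while the informed view gives 2000^4, which is the whole of the author's point; the crossover functions show that a 2,000-word list needs six words to match a random 10-character password.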


Asim18 link CC BY 3.0 license

Closing Words

First, do not get your password advice from a comic strip. It is best to do the math yourself when something like this is proposed to confirm if it is indeed better.

Second, password cracking algorithms will already know about this password method and will be able to make their cracking attempts using common dictionary attacks. The password space might not be as large as boasted so this method might be something to avoid. To make it even worse there is a website that generates these passwords for you (hint: never trust an online password generator).

Third, typing in four long words is actually tedious and you will make lots of errors and then you will need to repeat the entry over and over again.

Fourth and finally, always choose good strong passwords and do not repeat them over different websites or computer accounts (for important accounts use 2-factor authentication wherever possible).

Thank you for reading my post.

Post Sources

https://www.xkcd.com/936/
http://correcthorsebatterystaple.net/


Well that's not the worst thing that I have been called so I will consider it to be a win.

Thanks to Steemit that we are getting a randomly generated loooooong password here. It's really hard to crack this kind of password. So I think we are safe here unless we give away our passwords to any phishing site.
Thanks for sharing the concern with us.

I agree the Steemit assigned key seems to be secure, however I know nothing about the algorithm that generates it so I am hoping it is secure.

hopefully so.

As I understand it, the type of password that Steemit automatically generates for you is the strongest possible, because it's completely random. Of course the downside is that it is almost completely impossible to remember; you need to write it down and copy-paste.
Usually when I create a strong password I forget it!

I agree the Steemit assigned key seems to be secure, however I know nothing about the algorithm that generates it so I am hoping it is secure.

I have my Steemit key written down in multiple locations.

Thank you so much for clearing that up. I have long wondered about this comic strip.
I do not know anything about computers guessing passwords. Is it common for them to use full words in their tries?

I don't know. I don't think it is a smart idea for them to do so.

Now I am confused again... Sorry for bugging you...
As far as I understand it, if the computer does not use full words, the amount of choices is significantly higher by using 4 random words than a shorter password with all kinds of different characters, thus the comic strip being correct.
Your argument was that those choices are reduced, because using already existing words would decrease the amount of choices.

It would appear at first glance that the XKCD technique is more secure because it is using more letters.

But a clever password hacker would know that people might be using this technique.

In this case the clever hacker will treat each word as the random unit (instead of treating each letter as a random unit as for a 'normal' password).

The example is correct-horse-battery-staple. This is 25 letters but only four words.

To crack this I would make a program that reads in a dictionary of common words. Let's say it is 2000 words long.

If your password is one word long then there are 2000 variations.
If your password is two words long then there are 2000^2 = 4,000,000 variations.
If your password is three words long then there are 2000^3 = 8,000,000,000 variations.
If your password is four words long then there are 2000^4 = 16,000,000,000,000 = 1.6 x 10^13 variations.

So instead of trying to test out 26^25 = 236,773,830,007,968,000,000,000,000,000,000,000 combinations I only have to test out 2000^4 = 16,000,000,000,000 combinations.

It all depends on if a cracker knows about this vulnerability. Well I guess now they do :)

Hope that explains my idea.

It does very well, thank you very much for the clarification.
