Difference between revisions of "Talk:936: Password Strength"


Revision as of 14:28, 4 September 2013

You still have to vary the words with a bit of capitalization, punctuation and numbers, or hackers can just run a dictionary attack against your string of four words. Davidy²²[talk] 09:12, 9 March 2013 (UTC)

No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words. Look at the number of bits displayed in the image: 11 bits for each word. That means he's assuming a dictionary of 2048 words, from which each word is picked randomly. The assumption is that the cracker knows your password scheme. 86.81.151.19 20:17, 28 April 2013 (UTC) Willem

Sometimes this is not possible. (I'm looking at you, local banks with 8-12 character passwords and PayPal) If I can, I use a full sentence. A compound sentence for the important stuff. This adds the capitalization, punctuation and possibly the use of numbers while it's even easier to remember than Randall's scheme. I think it might help against the keyloggers too, if your browser/application autofills the username field, because your password doesn't stand out from the feed by being gibberish. 195.56.58.169 09:01, 30 August 2013 (UTC)

The basic concept can be adapted to limited-length passwords easily enough: memorize a phrase and use the first letter of each word. It'll require about a dozen words (you're only getting 4.7 bits per letter at best, actually less because first letters of words are not truly random, though they are weakly if at all correlated with their neighbors -- based on the frequencies of first letters of words in English, and assuming no correlation between each first letter and the next, I calculate about 4 bits per character of Shannon entropy). SteveMB 18:35, 30 August 2013 (UTC)

Followup: The results of extracting the first letters of words in sample texts (the Project Gutenberg texts of The Adventures of Huckleberry Finn, The War of the Worlds, and Little Fuzzy) and applying a Shannon entropy calculation were 4.07 bits per letter (i.e. first letter in word) and 8.08 bits per digraph (i.e. first letters in two consecutive words). These results suggest that first-letter-of-phrase passwords have approximately 4 bits per letter of entropy. --SteveMB (talk) 14:21, 4 September 2013 (UTC)

Addendum: The above test was case-insensitive (all letters converted to lowercase before feeding them to the frequency counter at http://millikeys.sourceforge.net/freqanalysis.html). Thus, true-random use of uppercase and lowercase would have 5 bits per letter of entropy, and any variation in case (e.g. preserving the case of the original first letter) would fall between 4 and 5 bits per letter. --SteveMB (talk) 14:28, 4 September 2013 (UTC)
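As an added illustration of the calculation SteveMB describes in the two posts above (this is not his code and not the linked frequency counter): the block extracts the first letter of each word from a constructed sample text, lowercases them as in the case-insensitive test, and computes Shannon entropy per letter and per digraph, alongside the 11-bits-per-word figure for a 2048-word dictionary and the number of first letters needed to match it. The sample text is a stand-in for the Gutenberg corpus, so its numbers will not reproduce the 4.07/8.08 figures.

```python
import math
import re
from collections import Counter

# Constructed sample text, a stand-in for the Gutenberg texts used in the
# thread; real prose of book length gives roughly the 4 bits/letter quoted above.
SAMPLE_TEXT = """
The quick brown fox jumps over the lazy dog while the farmer watches from
the porch. Nobody expected rain that afternoon, yet the clouds gathered
quickly and the wind picked up. Everyone ran inside before the first drops
fell, and the dog followed, shaking water across the kitchen floor.
"""

def first_letters(text):
    """Lowercased first letter of each alphabetic word, in order of appearance."""
    return [word[0].lower() for word in re.findall(r"[A-Za-z]+", text)]

def shannon_entropy(symbols):
    """Shannon entropy in bits of the empirical distribution of the symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def letter_entropy(text):
    """Bits per first letter (the thread's 4.07 figure for real prose)."""
    return shannon_entropy(first_letters(text))

def digraph_entropy(text):
    """Bits per pair of consecutive first letters (the thread's 8.08 figure)."""
    letters = first_letters(text)
    return shannon_entropy(list(zip(letters, letters[1:])))

def passphrase_bits(num_words, dictionary_size=2048):
    """Entropy of num_words words drawn uniformly from a dictionary of that size."""
    return num_words * math.log2(dictionary_size)

def letters_needed(target_bits, bits_per_letter):
    """First letters required to reach target_bits at the given bits per letter."""
    return math.ceil(target_bits / bits_per_letter)

if __name__ == "__main__":
    print(f"per letter : {letter_entropy(SAMPLE_TEXT):.2f} bits")
    print(f"per digraph: {digraph_entropy(SAMPLE_TEXT):.2f} bits")
    print(f"4 words from 2048 = {passphrase_bits(4):.0f} bits; "
          f"letters to match at 4.07 bits each: {letters_needed(44, 4.07)}")
```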