From: Rich Freeman
Date: Mon, 4 Feb 2019 08:43:06 -0500
Subject: Re: [gentoo-user] Coming up with a password that is very strong.
To: gentoo-user@lists.gentoo.org
In-Reply-To: <20190204132157.37cc49bc@digimed.co.uk>

On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick wrote:
>
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
> > https://xkcd.com/936/
> >
> > Not strictly true ... the crackers would probably use rainbow table
> > attacks first. Also, it isn't fair to compare an 11 character passwd
> > against a 25 character passwd. For the *same* number of characters
> > used in any given passwd, a random lower/upper/numerical/symbol passwd
> > will provide an exponentially higher degree of difficulty in cracking
> > it with brute force, than one which uses only lower case dictionary
> > words. Anyway, these days many attacks are focused on OS or hardware
> > vulnerabilities which have been baked in by design, rather than brute
> > force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...
>

IMO xkcd has treated the situation more seriously than some of the
replies here...

Obviously words from a dictionary have less entropy per character than
random characters do, but the xkcd cartoon already takes this into
account. For the same number of bits of ENTROPY a random password
provides the exact same level of security as one based on words. To
obtain that entropy through words requires more characters of course.

However, the whole point of the cartoon is that our brains are much
better at remembering words than random characters, since we have a big
chunk of grey matter evolved to do exactly that which is more
sophisticated than any computer on the planet so far.

Now, if you have some brain-dead software which only accepts 8 character
passwords then you would obviously do better to use random characters
(truly random - not picking the most pleasing-looking random password out
of a list) than to try to cram one or two words in there.

Likewise, if you're using a password manager and want to maximize entropy
per bit of storage/transmission then random passwords are better since
words provide no utility.

However, if you want to obtain the highest number of bits of entropy for
a password that is memorized, xkcd makes a compelling argument that
you're better off with a longer password composed of words, because they
let you cram more entropy into your brain. Two bits from a dictionary
might be the same as two bits from 1/3rd of a random character to a brute
force cracking engine, but they aren't the same to your brain.

Xkcd isn't doing a like-for-like comparison, because the two categories
aren't alike.

-- 
Rich
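The entropy-per-character argument in the reply above, worked through in numbers as an added example (not code from the thread or from xkcd); the 94-character alphabet, the 2048-word list, the 5-letter average word length and the 44-bit target are all assumptions made here:

```python
import math

# Constructed assumptions (not from the thread): random-character passwords drawn
# uniformly from 94 printable ASCII characters, and a hypothetical 2048-word list.
RANDOM_ALPHABET = 26 + 26 + 10 + 32
WORDLIST_SIZE = 2048
AVG_WORD_LEN = 5


def bits_per_random_char(alphabet_size: int = RANDOM_ALPHABET) -> float:
    """Entropy of one character chosen uniformly from the alphabet (log2 of its size)."""
    return math.log2(alphabet_size)


def bits_per_word(wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of one word chosen uniformly from the word list."""
    return math.log2(wordlist_size)


def units_for_target(target_bits: float, bits_per_unit: float, unit_len: int) -> tuple:
    """Whole units (chars or words) needed to reach target_bits, and the resulting length."""
    units = math.ceil(target_bits / bits_per_unit)
    return units, units * unit_len


def entropy_at_length(length: int, wordlist_size: int = WORDLIST_SIZE,
                      avg_word_len: int = AVG_WORD_LEN) -> tuple:
    """Entropy that fits in a fixed-length field: (random chars, whole dictionary words).

    This is the 8-character-limit case: only whole words count, so a short field
    holds very few word-list bits but a full 6.55 bits per random character.
    """
    random_bits = length * bits_per_random_char()
    word_bits = (length // avg_word_len) * bits_per_word(wordlist_size)
    return random_bits, word_bits


def random_chars_per_word_bits(bits: float) -> float:
    """Fraction of one random character that carries the same entropy as `bits` word bits."""
    return bits / bits_per_random_char()


if __name__ == "__main__":
    target = 44.0  # assumed target: four words from the 2048-word list
    print(f"random char: {bits_per_random_char():.2f} bits, word: {bits_per_word():.2f} bits")
    print("random (chars, length) for target:", units_for_target(target, bits_per_random_char(), 1))
    print("words (words, length) for target:", units_for_target(target, bits_per_word(), AVG_WORD_LEN))
    print("8-char field (random bits, word bits):", entropy_at_length(8))
    print("random chars equal to 2 word bits:", round(random_chars_per_word_bits(2), 2))
```

Running it shows the same 44 bits costing 7 random characters or 20 characters of words, an 8-character field holding about 52 bits of random characters but only 11 bits of whole words, and 2 word-list bits being worth roughly 0.3 of a random character.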