Does XKCD or Jason Kendall get "it"?

This post is a reply to this blog post by Jason Kendall.

It all started with this cartoon:

This cartoon set off a wave of posts about how XKCD “gets it”. Jason replied with a blog post stating that he did not agree with XKCD, since:
  • While four words in theory have 44 bits of entropy (2^44), it is actually 250,000 to the power of 4 (250,000^4), since English has about 250,000 words
  • Most people would actually use three words, giving 15,625,000,000,000,000 combinations
  • Most people know even fewer than 250,000 words

So what is my take on this? The key to “it” is at the bottom of the cartoon:

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”

This is really the “it” XKCD does get.

So why do we use password policies in the first place? What problem are we trying to tackle?

First of all, we are trying to tackle the problem that users are very bad at picking good passwords without guidance. This tweet illustrates that:

one of my coworkers legitimately tried explaining to me that "password" was a good pswd because no one would expect someone to be that dumb.

If you don’t give users guidance they will often pick from a set of very well-known passwords. But more recent research shows that, since the average person has over 50 passwords, some governed by a password policy and some not, most people need a coping strategy to deal with this.

In my talk “The Road to Hell is paved with best practices” I give this example of likely passwords under increasingly strict password policies:
  • 7 characters: welcome
  • 7 characters + 1 capital: Welcome
  • 7 characters + 1 capital + 1 numeral: W3lc0m3
  • 7 characters + 1 capital + 1 numeral + 1 special: W3lc0m3!
  • 10 characters + 1 capital + 1 numeral + 1 special: W3lc0m3!!!
  • 10 characters + 1 capital + 1 numeral + 1 special, 30 days max, cannot reuse last 12: Welcome01!, Welcome02!, Welcome03!, etc.
As security people we need to understand that each security measure alters people’s behaviour, and not always for the better.

Studies have shown that, even where password policies are enforced, probabilistic techniques can still aid password cracking attacks, that password expiry is only of limited use, and that password expiry policies do not meet their goal.

Experiments with an online Windows password cracker showed that “hard” passwords do not take longer to crack than “easy” passwords when rainbow tables are used:
  • Empty password – 2 seconds
  • 72@Fee4S@mura! – 5 seconds
  • (689!!!<>”QTHp – 8 seconds
  • *mZ?9%^jS743:! – 5 seconds
  • T&p/E$v-O6,1@} – 11 seconds
So what is my opinion? Security policies have pushed people to the limit of their ability to remember passwords, and as users have accumulated more and more passwords, the behaviour these policies induced has not improved matters. We need to tune some of these measures down and replace them with education.

Passwords should be:
  • Relatively long
  • Not guessable (correcthorsebatterystaple is not o.k. anymore thanks to XKCD)
  • Your system should block guessing attempts or really slow them down
If hackers have your password hashes you are toast…


XP LM hashes are always only 7 characters strong (longer passwords get split up), hence these results. NTLM hashes used by Windows Vista and 7 are much stronger, and the website you gave does not even crack "hello".
Frank Breedijk
The fact that complex passwords are in the rainbow table and weaker passwords are not underlines that, when faced with rainbow tables, complexity doesn't matter.

Yes, XP LM hashes are weak, and therefore rainbow tables for more complex passwords are bigger, less complete and more expensive.

However, a SHA1 hash of a complex password and one of a weak password stand an equal chance when attacked by rainbow tables.
Justin Elze
Part of the concept is helping users memorize passwords without storing them on sticky notes, notepad files, etc.

A lot of technologies employ password salting anyway, which throws rainbow tables out the window.
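The point made in the rainbow-table results above and in this comment thread (complexity does not help against a precomputed table, salting does), made concrete. This is an added example, not code from the original post or its commenters: it builds a small unsalted SHA-1 lookup table from a constructed candidate list and shows the same table failing against per-user salted hashes. The candidate list and function names (`build_table`, `store_salted`, etc.) are my own assumptions for illustration.

```python
import hashlib
import os

# Constructed candidate list for the demonstration: the page's own "easy" and
# "hard" test passwords plus the policy-driven examples. "hello" is deliberately
# left out so that a miss can be shown as well.
CANDIDATES = [
    "", "password", "welcome", "Welcome", "W3lc0m3", "W3lc0m3!",
    "W3lc0m3!!!", "Welcome01!", "72@Fee4S@mura!", "*mZ?9%^jS743:!",
]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_table(candidates):
    """Precompute unsalted SHA-1 for every candidate, keyed by digest.

    A real rainbow table stores this far more compactly, but the property
    that matters is the same: one precomputation serves every unsalted hash
    its holder ever sees, and a lookup costs the same for "" as for
    "72@Fee4S@mura!".
    """
    return {sha1_hex(c.encode()): c for c in candidates}


def store_unsalted(password: str) -> str:
    """What a system stores when it hashes the bare password."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt=None):
    """Per-user random salt, stored in the clear next to the hash.

    The salt need not be secret; its job is to make every stored hash a
    distinct function of the password, so no table built in advance applies.
    It does not slow down guessing against a single hash, so a slow KDF is
    still needed once the hashes leak (the "you are toast" case above).
    """
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), sha1_hex(salt + password.encode())


def table_hits(table, passwords):
    """Which unsalted hashes of `passwords` the precomputed table recovers."""
    return {pw: table.get(store_unsalted(pw)) is not None for pw in passwords}


def salted_table_hits(table, passwords):
    """Same check against salted hashes: the table no longer applies."""
    return {pw: table.get(store_salted(pw)[1]) is not None for pw in passwords}
```

The lookup is a dictionary hit either way; what the salt changes is that the table has nothing to hit.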
