Main menu

User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
So - Everyone is talking about this:

And I have a problem with what everyone is saying - How XKCD gets "it".

As much as I really appreciate the humor in this comic, the fact that just changing passwords to 3-5 Random words doesn't make it any harder for a computer to brute force the password, actually, it probably makes it easier - Lets think about this.

When you want to brute for a password at most you have 26 Letters (Times 2), 10 Digits, and a smattering of non-letters/numbers (we'll say about 20 or so) this gives you a total of 82 possible items times the length of the password.

Now, lets look at the "solution": Oxford Dictionaries Guesses around 250,000 words in the dictionary - I'm going to say that most people wouldn't know MOST of those words, but we'll work with that number for now.

Possible Normal "passwords" with a length of 8: 2,044,140,858,654,976
Possible Word "Passwords" with a length of 3: 15,625,000,000,000,000

While I would hazard to say that looks impressive - I can't say my self I know 250,000 words to use in my password - I'm willing to bet that number would be a lot lower for the general populace.

I'm going to predict the future here and say most password crackers will start using the already available dictionary lists, and brute forcing passwords by concatenating the words, just like we already brute force letters, numbers and special characters.

One needs to combine the two solutions - Use Multiple words, Subsitute letters and words where available and keep the length: "Gue$$MyP@ssw0rd"
Frank Breedijk (@seccubus) Made a much better and well formed reply to this article - Check it out please!