[Distutils] (no subject)

Donald Stufft donald at stufft.io
Thu Sep 5 14:45:59 CEST 2013


Because it's wrong.

1. The premise is wrong. The idea is a human should be able to remember the password. I (and most people who will see the comic) have a lot of accounts. In my case I have over 100 different accounts. I can't remember that many unique 4 word permutations.

2. It doesn't account for the genuine need for password restrictions. Some banks, for example, require passwords to be all numerical because they are entered on the phone as well.

3. The math is wrong. It measures entropy as if each letter was chosen independently. This is fine-ish if the scheme is unknown, but a lot of people use this scheme now. Humans are bad at random: take the 10,000 most popular words and a significant number of passwords will be comprised entirely of words in that list. Since we know the scheme, most passwords will fit into a search space of 10000^4.


See also:
    http://www.troyhunt.com/2011/08/im-sorry-but-were-you-actually-trying.html
    http://pinetik.blogspot.com/2011/11/xkcd-936-password-strength-and-why-this.html
    http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

On Sep 5, 2013, at 4:09 AM, Marius Gedminas <marius at pov.lt> wrote:

> On Wed, Sep 04, 2013 at 04:38:32PM -0400, Donald Stufft wrote:
>> On Sep 4, 2013, at 3:20 PM, Dag Sverre Seljebotn <d.s.seljebotn at astro.uio.no> wrote:
>>> On 09/04/2013 04:59 PM, Antoine Pitrou wrote:
>>>> Then please add helpful guidelines as to how people can choose a safe
>>>> and easy to remember password /or passphrase/. Most people aren't password
>>>> experts, and the current one-line message isn't useful.
>>> 
>>> A link here should do the trick (which succinctly sums up this entire thread):
>>> 
>>> https://xkcd.com/936/
>> 
>> I hate that comic :|
> 
> Why?
> 
> Marius Gedminas
> -- 
> You can't have megalomania.  *I* have megalomania.
>        -- Joe Bednorz
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
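As an added illustration of point 3 above (example code, not part of the original post or thread), the following compares the two entropy models it contrasts: every letter drawn independently versus each word drawn from a known word list. The sample passphrase, the 26-letter alphabet and the list sizes (2,048 as in the comic, 10,000 as in the post) are assumptions for the demonstration.

```python
import math

def dictionary_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy when the scheme is known: each word is an independent,
    uniform draw from a list of dictionary_size words."""
    return word_count * math.log2(dictionary_size)

def character_entropy_bits(length: int, alphabet_size: int) -> float:
    """Naive entropy if every character were an independent, uniform draw
    from the alphabet (the model the post says is wrong for this scheme)."""
    return length * math.log2(alphabet_size)

def search_space(dictionary_size: int, word_count: int) -> int:
    """Number of candidate passphrases an attacker who knows the scheme
    has to cover: dictionary_size ** word_count (10000^4 in the post)."""
    return dictionary_size ** word_count

def compare_models(words: list, dictionary_size: int, alphabet_size: int = 26) -> dict:
    """Return the naive per-letter estimate next to the known-scheme estimate
    for a passphrase built from `words` (spaces/separators ignored)."""
    length = sum(len(w) for w in words)
    return {
        "letters": length,
        "per_letter_bits": character_entropy_bits(length, alphabet_size),
        "known_scheme_bits": dictionary_entropy_bits(dictionary_size, len(words)),
        "known_scheme_space": search_space(dictionary_size, len(words)),
    }

if __name__ == "__main__":
    # Constructed sample: the four-word style passphrase the comic popularised.
    sample = ["correct", "horse", "battery", "staple"]
    for size in (2048, 10000):
        r = compare_models(sample, size)
        print(f"list of {size:>5} words: naive {r['per_letter_bits']:.1f} bits, "
              f"known scheme {r['known_scheme_bits']:.1f} bits "
              f"({r['known_scheme_space']:.2e} candidates)")
```

Run as a script it prints the naive per-letter figure (about 117 bits for 25 letters) beside the known-scheme figures (44 bits for a 2,048-word list, about 53 bits for 10,000 words), which is the gap the post is pointing at.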