ylere | 2 years ago

> If you know a site has a 4-words policy, the xkcd pw has very low entropy, but if you use this strategy on a "any pw goes" site, a bruteforcer would have to test all lengths up to 25 chars before finding yours (sort of).

How so? IIRC, the entropy calculations assume that the attacker is aware passphrases are used. The EFF long word list often used for xkcd-style passphrases has 7776 words. So on average it would take 7776^4/2 attempts to guess one (randomly generated) 4-word passphrase, comparable to a truly random 8-9 character password with special chars. As the comic points out, people tend to be pretty bad at remembering random sequences of characters and therefore often use combinations of common words and apply non-random substitutions and patterns, resulting in much lower entropy for those passwords.

Of course, everyone should use a password manager in the first place, but for cases where people don't or they need to reliably remember it (master passwords and critical ones), xkcd-style passphrases are a good and secure option.
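A worked version of the arithmetic in the comment above, as an added example that is not from the thread: it computes the entropy of an n-word passphrase drawn from a list the attacker knows, the random-character length with an equivalent keyspace, the average guess count, and draws a sample passphrase with `secrets`. The word list here is a constructed stand-in for the 7776-entry EFF long list.

```python
import math
import secrets

# Constructed stand-in for the EFF long word list (the real list has 7776 entries).
SAMPLE_WORDS = ["abacus", "banjo", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor"]

PRINTABLE_ASCII = 95  # letters, digits, punctuation and space


def passphrase_bits(list_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list of `list_size`,
    assuming the attacker knows both the list and the word count."""
    return words * math.log2(list_size)


def random_chars_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(list_size: int, words: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Smallest random-character length whose keyspace is at least as large as the passphrase's."""
    return math.ceil(passphrase_bits(list_size, words) / math.log2(alphabet_size))


def expected_guesses(list_size: int, words: int) -> int:
    """Average guesses for an attacker who knows the scheme: half the keyspace."""
    return list_size ** words // 2


def generate_passphrase(wordlist, words: int, sep: str = " ") -> str:
    """Pick words with the CSPRNG-backed `secrets` module, never `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words from 7776: {passphrase_bits(7776, n):.1f} bits ~ "
              f"{equivalent_random_length(7776, n)} random printable chars, "
              f"{expected_guesses(7776, n):.2e} guesses on average")
    print("sample (from the tiny constructed list):", generate_passphrase(SAMPLE_WORDS, 4))
```

Swapping the alphabet size (e.g. 62 for alphanumerics only) shows why the "8-9 characters" range in the comment depends on which character set the random password draws from.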

mediumsmart | 2 years ago

And then comes the rails/whathaveyou tutorial for authentication permitting a reasonable min 5 char password and max 256 char username limit example.