Saturday, August 13, 2011

Passwords and XKCD

I feel as if I'm walking into a trap. Randall Munroe is sort of a folk hero among geeks, and when I saw his recent comic about password strength, I was, at first, thrilled. Here's someone who knows how to communicate to the masses exactly what they need to know: they choose poor passwords, and could just as easily (or easier) choose strong passwords that they could remember.

I understand where he's coming from, and he's right on some level, but let me explain to you what the layman heard:

If your password is a space-separated list of four English words, no one will ever be able to crack it!

Sadly, there's even solid proof that that's what people heard. Here's the first example I've seen of a "password" generator based on his approach: XKCD Password Generator.

All I can say is /facepalm.

OK, for those of you who might not get what's going on here, this is what he's saying:

When you try to make a very strong password, your first inclination is often to try to maximize the complexity of the password from a human perspective. This works very well if you're willing to memorize, say, 13 completely random characters from all over your keyboard. However, most people can't reasonably memorize such a password.

So what most people do is try to come up with something that's difficult to "read" but follows an easy-to-remember pattern. As Randall correctly points out, this is a losing game, and often results in passwords which are relatively easy to guess using simple attacks.

However, his approach is to choose your password from a list of about 17,592,186,044,416 possible passwords made up of four English words. That's a pretty strong password compared to a lot of the kinds of passwords people typically use, but if you're comparing it to the gold standard (randomly selected characters from all of the 95 characters you can type on the typical U.S. keyboard), then you would only need about a 7-character password to make up the same number of possible passwords. 7-character passwords became relatively trivial to crack when I was still new in this industry, and now even 10-character passwords are looking shaky, just in terms of what it takes to crack the perfect password.
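To make that comparison concrete, here is an added example (not code from the post): it computes the size of the four-word search space and the number of random printable characters that reaches the same space, for any vocabulary or alphabet size. The 2048-word list is an assumption inferred from the post's figure (2048^4 = 17,592,186,044,416); the 95-character alphabet is the one the post names.

```python
"""Compare a four-word passphrase with random-character passwords.

Assumptions (not stated as such in the post): the word list has 2048 entries
(so 2048**4 gives the post's 17,592,186,044,416) and a US keyboard offers 95
printable characters.
"""
import math

WORDLIST_SIZE = 2048       # assumed: 2**11 words, matching the post's product
PRINTABLE_ASCII = 95       # printable characters on a typical US keyboard


def search_space(choices: int, length: int) -> int:
    """Number of equally likely passwords of `length` symbols drawn from `choices`."""
    if choices < 1 or length < 1:
        raise ValueError("choices and length must be positive")
    return choices ** length


def entropy_bits(choices: int, length: int) -> float:
    """Guessing entropy in bits, assuming each symbol is picked uniformly at random."""
    return length * math.log2(choices)


def min_length_for_bits(choices: int, bits: float) -> int:
    """Smallest length over `choices` symbols whose search space reaches 2**bits."""
    return math.ceil(bits / math.log2(choices))


def compare_passphrase_to_random(words: int, wordlist_size: int = WORDLIST_SIZE,
                                 alphabet_size: int = PRINTABLE_ASCII) -> dict:
    """How many random printable characters match a `words`-word passphrase."""
    bits = entropy_bits(wordlist_size, words)
    return {
        "passphrase_space": search_space(wordlist_size, words),
        "passphrase_bits": bits,
        "equivalent_random_chars": min_length_for_bits(alphabet_size, bits),
    }


if __name__ == "__main__":
    r = compare_passphrase_to_random(4)
    print(f"four words from {WORDLIST_SIZE}: {r['passphrase_space']:,} possibilities "
          f"({r['passphrase_bits']:.0f} bits)")
    print(f"random printable characters with the same space: "
          f"{r['equivalent_random_chars']}")
    # Pulling one word from a much larger vocabulary (the post's "one really odd
    # word") raises the per-word bits; 100000 words is a constructed figure.
    print(f"one word from a 100000-word list adds {entropy_bits(100000, 1):.1f} bits")
```

The same functions answer the post's other point: the attacker only gets to assume 11 bits per word if the generator's word list really is the one being guessed.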

So, is Randall right? Well, yes, sort of. However, the best approach would be to combine all of the best strategies for passwords that are easy to remember, not allowing your attacker to know what kinds of passwords to try. Throw in one really odd word to your four. Change up a common saying. Make your password something that's fun to type. Take a simple phrase and censor it out by replacing a word or two with asterisks in a way that makes it sound funny. Combine the first name of a character with part of a quote they're famous for. Draw some ASCII art.

All of these are individually fairly weak strategies, but when you're creative about every password, it's nearly impossible to use any one scheme's weaknesses against you. If you are a target, specifically, this is a strong defense. If a large number of users are being targeted, then there's a larger problem you have to solve, and more attention to detail may be required to solve the problem.

Here are some examples of pass-phrases that you might use. Think of your own clever ways to twist up the keys on your keyboard and be unpredictable. There are still many useful ways to attack your passwords, but it's going to be much harder than if you choose a simple four-common-word password.

  • "David had a little ham..."
  • "d00dz, it's full of stars!"
  • "CaPsLoCkWoNtHeLpYoU"
  • "10qpalzm -- qwerty"
  • "dayO dayayayO, dayl1te come"
  • "<-- I'm with them -->"
  • "Are doomed to repeat it who fail to learn from history those"
  • "[(@)(@)(@)(@)(@)(@)(@)]"
  • "I'm mad as **** and I'm not going to **** it any more!"
  • "Q-36 Explosive Space Modulator Marvin"
  • "Just one uncommon lexeme"
  • "!!1 thousand X yes!!"
  • "._-*-_.o0O*!"
  • "Star Wars of the Roses vs. Kramer"
  • "Sufficiently large values of +/-n"
  • ">->O XKCD O<-<"