Easy to remember password generator 4 words

I think the most important part of this comic, even if it were to get the math wrong (which it didn't), is visually emphasizing that there are two equally important aspects to selecting a strong password (or actually, a password policy, in general):

All too often, when discussing complex passwords, strong policies, expiration, etc. (and, to generalize, all security), we tend to focus overly much on the computer aspects and skip over the human aspects. Especially when it comes to passwords (and doubly so for average users), the human aspect should often be the overriding concern.

For example, how often does a strict password complexity policy enforced by IT (such as the one shown in the XKCD comic) result in the user writing down his password and taping it to his screen? That is a direct result of focusing too much on the computer aspect, at the expense of the human aspect. And I think that is the core message from the sage of XKCD: yes, Easy to Guess is bad, but Hard to Remember is equally so. And that principle is a correct one. We should remember this more often, AKA AviD's Rule of Usability: Security at the expense of usability comes at the expense of security.

Here is a thorough explanation of the mathematics in this comic.

The little boxes in the comic represent entropy on a logarithmic scale, i.e. in "bits". Entropy is a measure of the average cost of hitting the right password in a brute force attack. We assume that the attacker knows the exact password generation method, including the probability distributions for the random choices in the method. An entropy of n bits means that, on average, the attacker will try 2^(n-1) passwords before finding the right one. When the random choices are equiprobable, you have n bits of entropy when there are 2^n possible passwords, which means that the attacker will, on average, try half of them. The definition with the average cost is more generic, in that it captures the cases where the random choices taken during the password generation process (the one which usually occurs in the head of the human user) are not uniform.

The point of using "bits" is that they add up. If you have two password halves that you generate independently of each other, one with 10 bits of entropy and the other with 12 bits, then the total entropy is 22 bits. If we were to use a non-logarithmic scale, we would have to multiply: 2^10 uniform choices for the first half and 2^12 uniform choices for the other half make up 2^10 x 2^12 = 2^22 uniform choices. Additions are easier to convey graphically with little boxes, hence our use of bits.

That being said, let's see the two methods described in the comic. We'll begin with the second one, which is easier to analyze.

The password generation process for this method is: take a given (public) list of 2048 words (supposedly common words, easy to remember). Choose four random words in this list, uniformly and independently of each other: select one word at random, then select again a word at random (which could be the same as the first word), and so on for a third and then a fourth word. Concatenate all four words together, and voila! you have your password.

Each random word selection is worth 11 bits, because 2^11 = 2048, and, crucially, each word is selected uniformly (all 2048 words have the same probability of 1/2048 of being selected) and independently of the other words (you don't choose a word so that it matches or does not match the previous words, and, in particular, you do not reject a word if it happens to be the same choice as a previous word). Since humans are not good at all at making random choices in their head, we have to assume that the random word selection is done with a physical device (dice, coin flips, computers...). The total entropy is then 44 bits, matching the 44 boxes in the comic.

The "troubador" method

For this one, the rules are more complex:

- Select a random word in a given big list of meaningful words.
- Decide randomly whether to capitalize the first letter, or not.
- For the letters which are eligible for "traditional substitutions", apply or do not apply the substitution (decide randomly for each letter). These traditional substitutions can be, for instance: "o" -> "0", "a" -> "4", "i" -> "!", "e" -> "3", "l" -> "1" (the rules give a publicly known exhaustive list).
- The random word is rated at 16 bits by the comic, meaning uniform selection in a list of 65536 words (or non-uniform in a longer list).
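As an added example (not code from the original page), the following Python does the entropy bookkeeping described above and generates a four-word password with a CSPRNG standing in for the dice or coin flips. The 2048-entry word list is a constructed stand-in, troubadour_bits models only the troubadour rules the page lists (word bits, one capitalization bit, one bit per substitutable letter), and entropy_bits_no_repeats goes one step beyond the text by quantifying how much entropy is lost if repeated words are rejected.

```python
import math
import secrets

# Constructed stand-in for the comic's public 2048-word list ("w0000" .. "w2047").
WORDLIST = [f"w{i:04d}" for i in range(2048)]


def entropy_bits(list_size: int, count: int) -> float:
    """Bits of entropy for `count` uniform, independent picks from `list_size` items.

    Bits add up: a 10-bit half and a 12-bit half give 22 bits, i.e. log2(2^10 * 2^12).
    """
    return count * math.log2(list_size)


def entropy_bits_no_repeats(list_size: int, count: int) -> float:
    """Entropy if a pick equal to an earlier word is rejected (sampling without replacement).

    Slightly lower than entropy_bits(): rejecting repeats shrinks the keyspace,
    which is why the four-word method keeps every pick independent.
    """
    keyspace = 1
    for i in range(count):
        keyspace *= list_size - i
    return math.log2(keyspace)


def generate_passphrase(words=WORDLIST, count: int = 4) -> str:
    """Four-word method: uniform, independent picks, repeats allowed, concatenated.

    secrets.choice() is the CSPRNG playing the role of the physical device the
    page requires instead of choices made in the user's head.
    """
    return "".join(secrets.choice(words) for _ in range(count))


def troubadour_bits(word: str, word_bits: int = 16, substitutable: str = "oaiel") -> int:
    """Bits for the troubadour rules listed on the page: the word itself (rated 16 bits
    by the comic), one random bit for capitalising the first letter, and one random
    bit per letter eligible for a traditional substitution (o, a, i, e, l)."""
    eligible = sum(1 for c in word.lower() if c in substitutable)
    return word_bits + 1 + eligible


if __name__ == "__main__":
    print(generate_passphrase(), f"{entropy_bits(2048, 4):.0f} bits")
    print(f"with repeats rejected: {entropy_bits_no_repeats(2048, 4):.4f} bits")
    print("troubador:", troubadour_bits("troubador"), "bits")
```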