Is this accurate?

it's accurate in a very broad sense. taking suggestions from comic strips and implementing them as stated is incredibly retarded, however.

Yes, why would someone lie on the internet?

just use lastpass and the like

Don't do it!!! It makes mustard gas.

but what about your master password

Bruteforce typically has a list of the most commonly used passwords, and typically dictionaries. Almost nobody cares enough to bruteforce by character unless you are attacking a specific person.
I can imagine, in a 'broad sense', a list of hacked passwords would be less likely to include either large, rather mixed passwords or random nonsense.

monkey12345
Don't worry, the hackers will be too busy trying to crack your other passwords.

Yes, but only if they don't know you are using multiple dictionary words as your password.

Basically, Rainbow tables will be used first, then if they really care they will character bruteforce. If they know your password is made up of four English words (like you say "I read this comic and changed my password to four English words so now it will be really secure") then they will do a bruteforce based on a combination of four English words and break it faster than a character bruteforce of your old password.

Yes. The more diverse your dictionary (different areas of expertise, different languages; best if none are related to you..) the better. You can still link them with special characters or throw in a number somewhere if you don't feel safe enough.

The only issue is
>Your password needs to be between 8 and 12 characters long
>Your password needs to contain lower-case and upper-case letters and numbers and special characters
Fuck those sites.

>but only if they don't know
I never got this argument. Tell me, unless they know you personally, how the fuck would they possibly know?

So then how do you remember a randomly generated password? Write it down on paper and never let it get online?

I need to change mine. Right now it's a movie title and year. It's 30 characters long with numbers, upper case, lowercase, and symbols, but easy to dictionary attack

everyone know that Niggers1 is the only password you need

Not really. There are password attacks that utilize dictionary attacks that combine words, and your password is faster to break if it appears in these 4-word combinations AND the attacker knows what he's dealing with

No because the comic is assuming a bruteforce attack and not a dictionary attack.

You can also add special characters nobody has on their keyboard (alt+number combination). Like ©.
©opyright_green boson.terre

Wrong. It assumes a bruteforce attack with dictionary words.

Yeah, sure, if the attacker knows how your password is made up, you are fucked either way.

>Tell me, unless they know you personally, how the fuck would they possibly know?
If you're a retard and gloat about things on social media.

The same way you remember anything. Write it a few times, say it out loud a few times, write it from memory and start using it. It'll stick.

Last I checked correcthorsebatterystaple wasn't in any dictionary.

>dictionary attacks are where they take random dictionary words and stick them together to try and bruteforce your password

>alphanumeric passwords
Get on my level

next level hacking son

world.std.com/~reinhold/diceware.html

This would be the effective way of using OP's comic's method.

>2016
>not using diceware

>Is this accurate?
Yes.

>Yes, but only if they don't know you are using multiple dictionary words as your password.
No, the comic assumes the attacker DOES know how you're generating your passwords.

>they will do a bruteforce based on a combination of four English words and break it faster than a character bruteforce of your old password.
That's like saying that driving from Paris to Beijing is trivial, because the car is faster than walking.

>the comic is assuming a bruteforce attack and not a dictionary attack.
Where do you think the numbers in the comic came from?
random selection from 2048 words = 11 bits.
Four ordered random selections = 4*11bits = 44bits.
See? The comic assumes a dictionary attack. Against character bruteforce it's more like ~150bits.

>if the attacker knows how your password is made up, you are fucked either way.
No. The entire point of strong passwords is that an attacker can know everything about you and predict every choice you'll make when creating a password (but not the outcome of random selections), and they still won't have a hope of guessing what your password actually is.
That's why XKCD-style and Diceware passwords are actually good, and "initials of your favourite phrase" passwords aren't.

>not using diceware
The method in the comic basically IS Diceware.

The bottom half is accurate.
The top is not.
The scheme offered in top does not cover most of passwords - and in order to extend it you'd have to go well over 44 bits of entropy.

My passwords can't be cracked because they're too dank. E.g. this is my password for my Sup Forums gold account:
>leleleuFUCKINGNIGGAdiduSEEEEEEdatMEEMwithaFUCKINGFROGleleleHeeNameIsPEPEleleleXDDDDd

>your password is over a year old please change it

Why?

hυnter2

>The scheme offered in top does not cover most of passwords
Really? Randall already assumes it's one of about 16 equivalent schemes, which sounds pretty generous to me.

>and in order to extend it you'd have to go well over 44 bits of entropy.
That seems very unlikely - you would need a massive number of variations to cover the 16bit shortfall.

It'd work a lot better if you didn't insist on trying to produce an English sentence.

The idea is that it eventually revokes leaked or compromised passwords. It's debatable how much it actually helps though.

>That's like saying that driving from Paris to Beijing is trivial, because the car is faster than walking.
No, it actually would be quicker though. Although the English dictionary has tens of thousands of words, the most used words are only a few thousand, which are the ones people will most likely pull from since they remember them and how to spell them; this results in much lower entropy.

>this password is too similar to one of your previous passwords
They're storing your previous passwords so that if they get hacked the attacker can have a history of passwords you have used instead of just one.
And better yet, not even hashed!

>Really? Randall already assumes it's one of about 16 equivalent schemes, which sounds pretty generous to me.
Show those schemes, and we'll see if any cover my password. Until they do, that's just empty words.

You definitely would need a massive number of variations to cover most passwords.

>And better yet, not even hashed!
what makes you think that

>tfw used the same email password for 15 years

They must have averaged out the amount of breaches in their system to at least 1 per year or something
D I C E W A R E

>which will be the most likely ones people will pull from as they will remember them and how to spell them,
The comic assumes random selection from a pool of the two thousand most common English words.
That's not a very high bar to cross.
Seriously, try actually doing the maths, you don't need a terribly large pool for a handful of selections to give good entropy.

>Show those schemes, and we'll see if any cover my password.
I don't really care about your particular password. The comic is about MOST passwords.

>Until they do, that's just empty words.
As is your claim that there are more than a million common variations.

Other than intuition, why do you think that the scheme provided isn't representative of most passwords?

You can't do similarity comparisons after any decent hash.

mine is
KappaKappaPrideKreygasmKeepoFeelsGoodManFeelsBadman

what makes you think they don't just compare the hashes?

You literally hash the new password and compare the result to the stored hash.

>Other than intuition, why do you think that the scheme provided isn't representative of most passwords?
It evidently does not match because the comic itself mentions this in the bottom left corner. It then conveniently says just add a few bits and it will match everything. You'll have to forgive me for being skeptical on this one.

And to illustrate my point further, I found some random password dump:

raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Ashley_Madison.txt

Here's an extract:
hump2020
hump357
hump4867
humpback
Humpdawg
humpee
humper
Humper1
humper1234
humper68
humper7
HUMPERDINK
humpers
humphead
humphrey
humphrey1
humpie1226
humpin6778
humping
humpingoff
humpins
humPItgiRl
humpm72
humpme
humpme1
humpmenow
humpmore
humprey

How many of those match the scheme in OP? Literally zero.

That would only test for equality, not similarity.

>It then conveniently says just add few bits and it will match everything.
Well yeah. 16 is a reasonable-sounding assumption for the number of substitution-based password schemes. It definitely agrees with what I've seen people suggest and use. Even if it's an underestimate, pushing it up to 64 or 128 doesn't really affect the conclusion.

>You'll have to forgive me for being skeptical on this one.
You're not just being skeptical though, you also proposed an alternative number - ~1 million password schemes (20bits). Where did that number come from?

It hasn't been correct exactly since that strip was published. Makes sense?

>How many of those mach scheme in OP?
All of them?
They're words, with substitutions, and some numbers and symbols tacked on the end. The four bits Randall left in reserve would more than cover the options of not having a symbol or number, and capitalising the whole word.
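The posts above about dictionary attacks that combine words (and the argument over whether "words with substitutions and numbers tacked on the end" are covered by the comic's scheme) are easy to make concrete. What follows is an added example, not code from the thread or from any named cracking tool: a toy combinator-plus-rules cracker in Python. The word list, the rule set and the "dump" of unsalted SHA-256 hashes are all constructed here; the shapes of the target passwords are modelled on the extract quoted above.

```python
import hashlib
import itertools

# Constructed mini word list. A real run uses a leaked-password list of
# millions of entries; the candidate count scales with its size.
WORDLIST = ["hump", "humper", "humphrey", "me", "now", "correct", "horse"]

# Rule set mirroring what the extract shows: leet substitutions, case
# changes and a number tacked on the end. Hashcat/JtR rule files are the
# same idea with far more rules.
LEET = str.maketrans("aeios", "43105")
MAX_SUFFIX = 100  # try 0..99 appended to every form


def mangle(base):
    """Yield rule-based variants of one base string."""
    forms = []
    for f in (base, base.capitalize(), base.upper(), base.translate(LEET)):
        if f not in forms:
            forms.append(f)
    for f in forms:
        yield f
        for n in range(MAX_SUFFIX):
            yield f"{f}{n}"


def candidates(wordlist, max_words):
    """Combinator attack: every ordered join of 1..max_words words, each
    run through the rule set. The cost is the sum over n of
    len(wordlist)**n times the rule count, which is why the pool size
    (not the word length) is what the defender controls."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            yield from mangle("".join(combo))


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hashes, wordlist, max_words=3):
    """Return ({hash: plaintext} for recovered targets, guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for cand in candidates(wordlist, max_words):
        guesses += 1
        h = sha256_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
            if not remaining:
                break
    return found, guesses


# Constructed "dump": unsalted SHA-256 of passwords shaped like the extract.
# A salt or a slow hash raises the cost per guess but not the guess count.
DUMP = [sha256_hex(p) for p in ("Humper1", "humpme", "humpmenow", "c0rr3ct")]


if __name__ == "__main__":
    found, guesses = crack(DUMP, WORDLIST)
    for h in DUMP:
        print(h[:12], "->", found.get(h, "<not found>"))
    print(f"{guesses} guesses; 4 random words from a 2048-word pool "
          f"would need up to {2048 ** 4}")
```

All four targets fall in a few tens of thousands of guesses because every one of them is a word (or two or three) from the list plus a rule. A passphrase built from words that are not in the attacker's list, or from a large enough list that 4 random picks give 2^44 candidates, is what the comic is pricing; the scheme being known does not help if the list is large and the picks are random.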

>That would only test for equality, not similarity.
Oh. I missed that part. I thought we were talking about equality. You still could somewhat achieve that by trying a few permutations of the new password, though.

>16 is a reasonable-sounding assumption for the number of substitution-based password schemes
No it's not. Neither is 64 or 128

>Where did that number come from?
I'll concede that my number is bogus. Still does not stop me from doubting yours.

None of them. You can't say "let's add a few bits and it'll all work out". Even more, the estimation in the comic is without those added bits.

A pool of 2000 English words (assuming the same pool is used) and a combination of four of those words means 16 trillion possibilities.

Lower case + upper case + digits = 62 ^ 8 = 218 trillion possibilities.

Literally 13x more possibilities. And that's just 8 characters and no symbols.

>That would only test for equality, not similarity.
durrr. my point is, when does anyone ever check passwords for similarity?

>he thinks knowing the author's name makes him special

The person who started this discussion expressed his discontent about some services checking passwords for similarity.

A bunch of services keep your old passwords. Microsoft for one.

You cannot reuse an old password on a Microsoft service. I can't remember if they force a password that is dissimilar to a previous one as well.

It's definitely accurate. But it can be gamed.

So there are 171k words in the oxford dictionary, something like 1 million actual distinct words in the english language.

A four word password is 1 mil ^ 4 which is a number with 24 zeros after it. A fuckton big of a number.

A 4 word permutation doesn't sound hard, but the cardinality is so huge that it's an intractable problem. The only way to make it easier is to use something like a probabilistic approach to cut down the possibilities of words following other words, or maybe cutting down the dictionary to something like the 'top 1000 words used in passwords', which would then limit it to about a trillion possible passwords.

So words are actually pretty fucking good.

If you instead attack the password with character-wise bruteforce, you're fucked.
Let's say it could only be letters, and only lowercase. Let's also say the typical word is 5 letters long.

so 20 total letters.

26 letters in the english alphabet.

26^20

That number has 28 zeros. Absolutely assfucked.

You are completely missing the point of the comic. I would just assume it's bait but since you wrote as much I'll grace you with a response.

It is assumed that the attacker knows the method you chose to make your password. He is not doing a per-character brute force attack. The entropy estimation is assuming that he isn't doing a per-character brute force attack

Read his post again, he talks about both attacks.

Are those cracked hashes or were the passwords stored in plaintext?

It could mean that they just cracked the easy ones.

>You can't say "let's add few bits and it'll all work out".
I didn't add any bits that weren't in the comic.

>Even more, the estimation in comic is without those added bits.
The comic clearly adds four bits to cover different systems.

>It is assumed that the attacker knows the method you chose to make your password. He is not doing a per-character brute force attack.
It can't be though. We have already pointed out that with the commonly used words you do not get as many possible combinations as you can get with letters, numbers and symbols in an average minimum length password.

So with the number of possibilities being less the random word password cannot take 550 years longer to guess. It must be using the same brute force method.

That's not quite how dictionary attacks work. Every password cracker will have correcthorsebatterystaple in their dictionary.

>Rainbow tables
what is salt?

It's a good mix of security and ease of remembering. I also throw in romanised foreign languages for good measure.

When I needed a really secure password I pulled a game off my shelf at random and committed the serial key to memory. If you have a good memory 25 characters of random letters and numbers do a pretty good job.

yes, i have been using correcthorsebatterystaple for all my passwords ever since i saw that comic months ago and i haven't been hacked

They will now.

Shit I bet I still remember Age of Empires

>When I needed a really secure password I pulled a game off my shelf at random and committed the serial key to memory
Why? By definition that's not random or secret, and it would be no easier to remember than 25 characters that were actually randomly generated.

No he doesn't. His post is unrelated to the comic from start till end. It would make sense outside of context of discussing the comic.

You can assume anything. If you disagree with initial assumption you're free to walk away -- or to criticize the assumption. Not to enter the discussion with a different assumption.

>I didn't add any bits that weren't in the comic.
>The comic clearly adds four bits to cover different systems.
Take a closer look at the picture. Why are you making me do this?

2 step authentication. Use that for the important stuff.

Comic is right until you try and type that shit into an Xbox or phone, then you're in hell.

My method: take the initials of a passphrase that you will remember, eg

Obligatory XKCD comic is quite controversial because I own an Xbox

OXKCDcbI0aX!

The exclamation mark is only there for shit systems that fucking insist alphanum does not have enough entropy.

I use two factor auth on my correcthorsebatterystaple-esque protected email account that has never been used for anything other than to be recovery for my two main email addresses that are used for online services and have email alerts if logged in from unusual locations.

>or phone
I imagine with swift key/swype/etc it would actually be easier than typing any regular password.

For a long time I used my Age of Mythology product key. I think at that point it's more likely I get keylogged than that it gets brute forced

>So with the number of possibilities being less the random word password cannot take 550 years longer to guess. It must be using the same brute force method.
Oh, wait, you actually don't understand it. Fascinating.

It is assumed in the comic that there are 2048 most common words (and the attacker knows them too).
A password is built out of four of those words.
Each word in a password then adds 11 bits of entropy for a total of 44 bits or 2^44 combinations.

2^44/1000/60/60/24/30/12 = 565.59

Or roughly 550 years at a rate of 1000 guesses per second just as the comic states.

>Take a closer look at the picture. Why are you making me do this?
My mistake. I'd somehow read the four bits for punctuation as being connected to the text to the left about other formats.

>My method, initial a passphrase that you will remember
I've never seen any strong justification for thinking that picking a phrase you'll remember is actually secure. You're basically relying on coming up with something a cracker would miss, which isn't a safe assumption.

4-word password scheme is a good system. It's easy to remember and sufficiently strong, especially if you delve into foreign languages and fictional words.

The main problem with it is that not all sites will allow it. The most common errors will be 8-12 (or so) chars only, or must use at least 1 number and/or symbols.

yes

2 English dictionary words alone gives you 62 billion combinations

my password is the best of both worlds.

i use an easy to remember url.

possibly even >>

2048 common words
2048 ^ 4
17592186044416 possible combinations

12 characters. Capital letters, lower case letters, numbers, special characters.
Minimum 62 possibilities per character
62 ^ 12
3226266762397899821056

It's not rocket surgery.
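The arithmetic in the posts above (2048 words and 4 picks giving 2^44 candidates, 2^44 at 1000 guesses per second coming to roughly 550 years, and 62^12 for a 12-character character-class password) is worth having as runnable code, since the same few functions also answer "how many words do I need" for a given target. This is an added example, not code from the thread or from the Diceware page linked earlier: the word list is a constructed stand-in (only the pool size matters for the entropy figure), the 30-day-month, 12-month-year convention is the comic's, and the 1e10 guesses/second offline rate is an assumption chosen to show how the same 44 bits behave when the attacker has a leaked hash rather than a login form.

```python
import math
import secrets

# Constructed stand-in for a word list; the comic assumes a pool of 2048
# common words and Diceware uses 7776. Only the pool size enters the entropy.
WORDS = ["correct", "horse", "battery", "staple", "coffee", "window",
         "planet", "silver", "tunnel", "garden", "rocket", "marble"]

# Comic conventions: 1000 guesses/second, a 30-day month, a 12-month year.
COMIC_GUESS_RATE = 1000
SECONDS_PER_YEAR = 60 * 60 * 24 * 30 * 12


def generate_passphrase(words, n_words, sep=" "):
    """Pick n_words uniformly at random, with replacement, from the pool.
    secrets.choice is a CSPRNG; random.choice would make the 'random
    selection' assumption behind the 44-bit figure false."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def search_space(pool_size, picks):
    """Number of ordered selections with replacement: pool_size ** picks."""
    return pool_size ** picks


def entropy_bits(pool_size, picks):
    """log2 of the search space; 2048 words x 4 picks gives 4 * 11 = 44 bits."""
    return picks * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second=COMIC_GUESS_RATE):
    """Time to try every candidate at the given rate; the expected time to
    hit the right one is half of this."""
    return (2.0 ** bits / guesses_per_second) / SECONDS_PER_YEAR


def words_needed(target_bits, pool_size):
    """Smallest number of random picks from the pool reaching target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print(generate_passphrase(WORDS, 4))
    print(f"comic:  2048^4 = {search_space(2048, 4)} = 2^{entropy_bits(2048, 4):.0f}, "
          f"{years_to_exhaust(44):.1f} years at {COMIC_GUESS_RATE}/s")
    print(f"chars:  62^12 = {search_space(62, 12)} = 2^{entropy_bits(62, 12):.1f}")
    # Assumed offline rate for a fast unsalted hash on a GPU: the 44-bit
    # figure is sized for an online guess rate, not for a leaked hash.
    minutes = years_to_exhaust(44, 1e10) * SECONDS_PER_YEAR / 60
    print(f"44 bits at 1e10/s: {minutes:.0f} minutes")
    print(f"words for 80 bits: {words_needed(80, 7776)} from Diceware, "
          f"{words_needed(80, 2048)} from the comic's pool")
```

Two things the numbers show that the thread argues over in prose: 62^12 is about 2^71.5, so a truly random 12-character password does beat a 4-word passphrase from a 2048-word pool by a wide margin, and the passphrase's 44 bits only look comfortable at 1000 guesses per second; against an offline guess rate the same space is gone in under half an hour, which is why the later post asks for 6 or more words.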

You hash variants on the new password at the time of trying to create it.
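The sub-thread above (whether a site can reject a new password as "too similar" to an old one without keeping the old ones in the clear) comes down to exactly what this post says: hash neighbours of the new password and compare them with the stored hashes of the old ones. Here is an added example of that check in Python; it is not code from the thread or from any particular service. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt or argon2, the iteration count is deliberately low so the example runs quickly, and the set of "neighbour" transformations is an assumption about what similarity should mean.

```python
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 is the stdlib stand-in for bcrypt/argon2 here; the
# iteration count is kept low so the example runs quickly. Production
# settings are much higher.
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return (salt, derived_key); store only these, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify(password, salt, dk):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)


def variants(password):
    """Close neighbours of a candidate NEW password: case changes, a
    trailing number bumped by a few, trailing digits or punctuation dropped.
    The old password is never needed in the clear: each neighbour of the
    new one is hashed and compared against the stored history."""
    out = {password, password.lower(), password.upper(),
           password.capitalize(), password.swapcase()}
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", password)
    if m:
        stem, digits, tail = m.groups()
        out.update({stem, stem + tail})
        n, width = int(digits), len(digits)
        for d in (-2, -1, 1, 2):
            if n + d >= 0:
                out.add(f"{stem}{n + d:0{width}d}{tail}")
    out.add(password.rstrip("!@#$%^&*.?"))
    out.discard("")
    return out


def too_similar_to_history(new_password, history):
    """history: [(salt, dk), ...] of previous passwords. True if any
    variant of new_password verifies against any stored entry."""
    return any(verify(v, salt, dk)
               for salt, dk in history
               for v in variants(new_password))


if __name__ == "__main__":
    history = [hash_password("Hunter2"), hash_password("Summer2015!")]
    for cand in ("hunter2", "Summer2016!", "correct horse battery staple"):
        verdict = "rejected" if too_similar_to_history(cand, history) else "ok"
        print(f"{cand!r}: {verdict}")
```

The cost is one slow hash per variant per historical entry, which is why the neighbour set has to stay small; a site that wanted real edit-distance comparison could not do it this way, and a site that does do it is either keeping the old passwords in recoverable form or using a trick like this one.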

forgot my code tags >>

What is the second part of your post? The comic is not talking about brute force method. Why do you keep bringing it up in a discussion about the comic?

well now i just feel dumb

That's what I was saying. A dictionary attack uses a password dictionary not the OED

>12 characters. Capital letters, lower case letters, numbers, special characters.
>wh`d%0V@S!Im
Good luck remembering that.

it's annoying to type, too.

Dadada

Write it down. This isn't 1986 when individual targets were a concern.

just put ban worthy words like

niggercuntslayer9112001

I do not understand why this shit is so important.

for the accounts i give a fuck about they will lock you out for an hour or make you call them (my bank) if you type in the wrong pass more than about 3 times

as long as you don't use the word password as your password how is someone or something going to guess it in 3 fucking tries?

you can't "brute force" or "use rainbow tables" on someones gmail pass

i get this reference

relevant example is the LinkedIn breach, where people have been using the released passwords to try other accounts, with great success. If you change up your passwords, you should be good

but then they have your fing password and it does not matter how complex and 1337

using the same pass everywhere and using super complex passes because you are worried about someone brute forcing your gmail are not the same issues

...

Yes, IF you choose the words randomly (Diceware). 6 words is preferable today. 10 words gets you enough to defeat any offline attack and any attacker without a quantum computer.
lol
yep, never reuse passwords

NO GO GREASO

No, it's meant as a joke. These long seemingly safe passwords are very easy to crack with a dictionary attack.

It's not the brute force attacks you have to worry about, it's the dictionary attacks.

>It's not the brute force attacks you have to worry about, it's the dictionary attacks.

set server to only give the guy 3 tries before he has to wait an hour to try again

problem solved forever

>NO GO GREASO

>problem solved forever
That's not how it works. Hackers steal your password hash then decrypt it offline.

>That's not how it works. Hackers steal your password hash then decrypt it offline.

how

you might as well worry about keyloggers or a camera watching you type and then you are fucked anyway

>mfw I know someone who does this

aspaceodyssey2001

I generally use a word related to the given website or program, plus a pattern of keys on the keyboard, plus a number for each of my passwords. I also use passwords plus to manage my passwords, and I have a longer password with a longer number and symbols to keep that secure.