This is Fun

We’ve been a geek since age 15, although we took a decade off to explore other things before being dragged back in. (We used to blame it on buying an answering machine, which ended our Luddite Interval forever.) These days we earn a serious part of the rent by developing and maintaining websites, which means we’ve spent a serious amount of time thinking about passwords.

About which, we discovered last night, we’ve been seriously wrong.

Our derangement was caused by this XKCD cartoon that’s been making the rounds — we found it at WaPo, of all places. We’ve been very guilty of the crime described: programming requirements for gibberish passwords, for your own good. The more unusual characters, the more difficult to crack, right?

Well, not exactly:

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

We’ll spare you the math, but “this is fun” is eleven characters — with spaces — and, importantly, three random words. It would only take 2,537 years to crack it online.

Even better: By requiring gibberish characters — or numbers, or caps — you’re actually making the password easier to crack, by limiting the number of possible combinations.

So why the insistence on gibberish passwords?

Our guess is that it’s a combination of history and human nature. Computers have evolved very quickly, and we’re not that far from the days when systems could only handle six or eight characters — so “J4fS<2” is better than, say, “coffee”. Plus, it’s a running gag in geekdom that the most common password is “password”, so requiring gibberish is a means to save you from yourself.

And since human nature doesn’t change, an argument can still be made for the utility (if not the memorability) of gibberish. But that’s not an argument from math or logic. “This is fun” — or some three-word variation on your porn name — is perfectly secure.

It just doesn’t look that way.


Purple Monkey Dishwasher?

At a former employer, we weren’t allowed to use any recognizable english words.

BREAKING HARD: Cal Supreme Court to issue its opinion at 10 a.m. PST interpreting state law around ballot propositions, to send back to the 9th Circuit panel considering the challenge to Prop. H8, and whether the supporters of the initiative have standing to defend the law since the Governator, Moonbeam, and new AG Kamala Harris refuse to do so.

@Dodgerblue: I’m curious about the outcome. According to what I read about the hearing, at arguments the justices seemed sympathetic to the idea that people who support a new law should be able to defend or otherwise you’re giving the governor and the AG a de facto veto, OTOH I don’t see how they’re going to get around the SCOTUS decision on the Arizona Official English ballot initiative. Even if CSC says they have standing under state law in state court, why would that automatically mean they have standing in federal court? There’s a lot you can bring in CA court that you can’t bring in federal court, taxpayer petitions for a writ of mandate the one that comes to mind most quickly.

Can’t one just download free cracker software and defeat passwords in seconds?

Just asking.

@DElurker: Let’s get into the weeds…

At best, your free cracker software will be able to attempt a hundred cracks a second. (In practice, much less — the internet’s only so fast.) And there are different methods to use when cracking a password, which, depending on the method and password, yield results of different speeds.

So, doing the math, an eleven-character string consisting of three random common words will take your cracker software a millennium or two to crack.

That’s what all this is about: How to construct a sufficiently complex password to defeat automated cracks. And it turns out that “complex” doesn’t need to include comic-strip curse strings.

@SanFranLefty: Supremes’ website is down. Probably the gays’ fault.

@Dodgerblue: LA Times says Supremes agreed that Prop 8 proponents have standing under state law.

I agree with Lefty’s analysis of the barriers to Fed standing.

@Walking Still: I think that the CSC decision was a procedurally correct interpretation of state law, and as someone who advocates for access to justice and am horrified at the ever growing trend of conservative courts (and Congress) to deny access to the courts, I would feel intellectually dishonest to cheer for a different decision. I figure that the panel on the 9th is making sure to dot every i and cross every t – much like Walker did in his opinion – to make it that much harder to get SCOTUS/Justice Kennedy to wimp out.

And I still think that there’s a valid argument to be made that notwithstanding the CSC decision interpreting state law, that doesn’t mean it should be in federal court with federal Constitutional claims. The 9th could always kick them to state court, but I think the three judges want to rule on it.

Haven’t Prop 8 supporters already had their day in court?

Didn’t their attorneys humiliate themselves in an amateur hour performance in which they refused to present evidence?

Judge Walker already gave them the smack-down, so this ruling seems simply to allow the circus to go on for a few more years. Yeesh.

Noj: The thing about the xkcd strip you reference is that while it’s completely accurate, it’s not complete. It discusses password entropy, which is just one way of measuring password strength. For hash-comparison password crackers (which can run thousands or tens of thousands of attempts per second), English words make the attempt easier: big hunks of the passwords are conveniently packaged up into dictionaries to be guessed 3-7 letters at a time, instead of piecemeal.

Your savvy web haxx0r is not going to run password attempts against your account, they’re going to break in by using a known vulnerability and steal the hashed password file/database. Alternately, they’re going to aim a botnet at your account, and attempt hundreds of thousands of passwords per second, up to the limit of the server (and on, say, Amazon, that limit is pretty freakin’ huge). Either way, your underlying assumption about the speed of the attack is unrealistic.

Any hacker who decides they want into your account will get there, probably within a day or two. It’s the overwhelming volume of accounts and the vast profusion of banal worthlessness that keeps most of us safe.

Add a Comment
Please log in to post a comment