Picture this: A small, yellow, square paper attached to the corner of a computer monitor, with “Tr0ub4d0r&3” scribbled hastily across it. This scenario is unfortunately commonplace in offices across the world. The reason behind it is the misconception that complex passwords like “Tr0ub4d0r&3” are safer. The reality, however, is the opposite. Such passwords are easier for password cracking software to decipher and difficult for humans to remember, thus resulting in sticky note reminders. On the other hand, a password like “correct horse battery staple” is hard for computers to guess and easy for humans to remember.
The key difference between the two lies in a concept called “entropy,” which, in the context of password security, refers to the level of unpredictability in a password. For a password whose every symbol is chosen uniformly at random, entropy can be calculated as log2(a^b), which equals b × log2(a), where ‘a’ is the number of allowed symbols and ‘b’ is the length of the password.
The Complexity Fallacy
Let’s break it down further: A random string of length 11 like “J4I/tyJ&Acy” has 72.1 bits of entropy, where 94 is the total number of printable letters, numbers, and symbols one can choose from. But when you construct a password like “Tr0ub4d0r&3”, which is essentially a dictionary word with some number and symbol substitutions, the entropy falls to around 28 bits, because an attacker only has to try the few variations of each predictable component rather than every possible 11-character string. This pattern makes it considerably easier for password cracking software to guess.
The Length Strength
However, if we approach password selection differently, we can improve our entropy while also making the password easier to remember. By selecting 4 common words out of a pool of 2048, we can achieve a password with 44 bits of entropy, significantly more than the 28 bits of our complex example. A password with this structure also tends to be easier for humans to remember, reducing the likelihood of insecure practices like password post-it notes.
This concept is further reinforced when we consider password typing on smartphones and soft keyboards, where longer strings of lowercase characters are easier to type.
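The entropy figures above, worked as an added example (not part of the original article or the comic). The random-string and four-word cases use the b × log2(a) formula directly; the “Tr0ub4d0r&3” case is modelled as a sum over the attacker’s choices per component, using the component sizes the comic itself annotates (base word, capitalisation, substitutions, numeral, symbol, order), which are assumed here rather than stated on this page. The word pool is a constructed stand-in for a real 2048-word list.

```python
import math
import secrets


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random:
    log2(alphabet_size ** length) == length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def patterned_password_bits(choices_per_component) -> float:
    """Entropy of a password built from a predictable template.
    Each component adds log2(number of options an attacker must try), so a
    component with only two options (capitalised or not) adds just one bit."""
    return sum(math.log2(n) for n in choices_per_component)


def words_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of words from a pool of pool_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def make_passphrase(pool, n_words: int) -> str:
    """Pick n_words uniformly with a CSPRNG; entropy is n_words * log2(len(pool)).
    Note: a small pool gives a weak passphrase no matter how it is generated."""
    return " ".join(secrets.choice(pool) for _ in range(n_words))


# "J4I/tyJ&Acy": 11 symbols from the 94 printable ASCII characters -> ~72.1 bits
RANDOM_11 = random_password_bits(94, 11)
# "correct horse battery staple": 4 words from a 2048-word pool -> 44 bits
DICEWARE_4 = random_password_bits(2048, 4)
# "Tr0ub4d0r&3" as the comic breaks it down (assumed component sizes):
# uncommon base word ~2^16, caps 2, l33t substitutions ~8, numeral ~8,
# punctuation symbol ~16, numeral/punctuation order 2  -> 16+1+3+3+4+1 = 28 bits
TROUBADOR = patterned_password_bits([2 ** 16, 2, 8, 8, 16, 2])

# Constructed, deliberately tiny word pool; a real list would hold 2048 words.
SAMPLE_POOL = ["correct", "horse", "battery", "staple",
               "river", "candle", "window", "pebble"]

if __name__ == "__main__":
    print(f"random 11-char password : {RANDOM_11:.1f} bits")
    print(f"4 words from 2048       : {DICEWARE_4:.1f} bits")
    print(f"Tr0ub4d0r&3 pattern     : {TROUBADOR:.1f} bits")
    print("words from 2048 to match the random string:",
          words_needed(2048, RANDOM_11))
    print("sample passphrase:", make_passphrase(SAMPLE_POOL, 4),
          f"({random_password_bits(len(SAMPLE_POOL), 4):.0f} bits from a tiny pool)")
```

The `words_needed` function shows that seven words from a 2048-word pool already exceed the 72-bit random string, which is the practical takeaway of the length argument.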
The Misunderstood Comic
An xkcd comic popularized this method of password creation, which led to a flurry of discussions and even disagreements among professionals and laymen alike. Some security experts misunderstood the comic’s message and either underestimated the entropy or completely misjudged the efficacy of this method. For instance, Bruce Schneier, a well-known security technologist, incorrectly claimed that dictionary attacks would render this method “obsolete.” Conversely, Steve Gibson, a software engineer, overestimated the entropy to promote his own password-checking tool.
Conclusion
The truth of the matter is, we need to reconsider our understanding of password security. The old model of forcing users to come up with complex, hard-to-remember passwords is not the safest route. Length and unpredictability, rather than complexity, yield stronger, more secure passwords.
The mantra “correct horse battery staple” should not just be seen as a meme but rather as a teaching tool for an improved approach to password security. It’s time we made passwords easier for humans to remember and harder for computers to guess, thus truly securing our online lives.
Original Article: https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength