[colug-432] password survey

Bill Baker bill_chris at earthlink.net
Fri May 23 19:57:51 EDT 2014


Thanks for the articles.  I glanced through the second link, the one you
said references XKCD, and the password examples they gave that their
crackers were able to decipher were terrible.  If they weren't too
short, the words they used were related to each other, not random
dictionary words.  And the article points out, correctly, that you
should not use the example in the XKCD comic because -- duh! -- the
crackers added that one to their list on the day the comic came out.

So what do we do?  It's already known that short passwords are easy to
crack.  Long passwords with complexity are hard to remember, and
apparently easier to crack now.  Additionally, most companies have
policies in place where you have to change your password every 60 to 90
days, so people are more likely to choose a crackable password.  I still
maintain that the password in the joke (if it was not already a
well-known joke) would be practically Fort Knox secure.

On 05/23/2014 07:31 PM, Rob Funk wrote:
> On Friday, May 23, 2014 07:11:27 PM Bill Baker wrote:
>> I don't know about that.  According to howsecureismypassword.net, it
>> would take a desktop PC about a tresvigintillion years to crack that
>> password.  Plus, Randall Munroe pointed out at http://xkcd.com/936/ that
>> a password consisting of four random dictionary words would take a long
>> time for a computer to guess.  So nine would presumably take even longer.
> A few years ago (probably even when Judd's friend's joke was invented) I
> would've been right there with ya. But your information is out of date. Ars
> Technica has done a bunch of good articles about why and how, e.g.:
>
> http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ (in-depth, and references that XKCD)
> http://arstechnica.com/security/2012/08/passwords-under-assault/
> http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/
>
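As an added illustration of the arithmetic behind the four-words-versus-nine argument above (example code added here, not from the original list post or from any of the linked articles): the dictionary size of 7776 (a diceware-style list) and the guess rate of one billion per second are assumptions, and the short word list is constructed only so the block runs offline.

```python
import math
import secrets

# Constructed stand-in for a real word list; only the size of the real
# dictionary matters for the arithmetic, so it is passed in separately.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "lantern", "pebble", "orbit"]


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy in bits of num_words drawn uniformly and independently
    from a dictionary of dictionary_size words (repeats allowed)."""
    if num_words < 1 or dictionary_size < 2:
        raise ValueError("need at least one word from a dictionary of 2+ entries")
    return num_words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search at the given rate: on average
    the attacker tries half the space before hitting the phrase."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with the OS CSPRNG so the entropy estimate actually holds;
    hand-picked 'related' words, as in the articles' examples, would not."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def compare(dictionary_size: int = 7776, guesses_per_second: float = 1e9) -> dict:
    """Seconds to crack four and nine random words versus a phrase the
    cracker already carries in a word list (one guess, i.e. zero bits)."""
    return {
        "four_words": expected_crack_seconds(
            passphrase_bits(4, dictionary_size), guesses_per_second),
        "nine_words": expected_crack_seconds(
            passphrase_bits(9, dictionary_size), guesses_per_second),
        "known_phrase": expected_crack_seconds(0.0, guesses_per_second),
    }
```

The `known_phrase` entry is the point about the XKCD example: once a phrase is in the cracker's list, its length no longer matters.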