
The Sophisticate’s Guide to Passwords - francoisdelame
https://medium.com/policygenius-stories/the-sophisticates-guide-to-passwords-4bb6b5d9ecb5?utm_content=buffer0b492&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer#.uymfhi6p1
======
DanielStraight
Despite admitting that...

> Attackers use programs that try all words in a password dictionary, which is
> typically just a file of commonly used words in a given written language.
> These programs will even use combinations of these words, and permutations
> based on common replacements of letters with numbers or symbols

The author then goes on to say...

> Compare the password "B5s9z-Qx" with the password
> "SophisticatedpwsRock!!".... The first would be 72⁸, or 722,204,136,308,736
> possible passwords. This would take a desktop PC roughly 3 days to crack.
> Compare that with our second password, which would be 72²² or
> 72,663,267,215,268,556,211,671,874,973,277,863,542,784, that’s a lot of
> possibilities.

This is a contradiction. A 10-letter word does not add as much entropy as 10
random characters. If you assume it does, you will cripple your security.

Do not follow this advice on passwords.

~~~
thembones
Seems like you decided to quote the article, yet ignore the actual advice.

>Password length is 99% of password security. Password complexity is a distant
second when it comes to modern password security.

He doesn't say to use a common 10 letter word with no complexity, which you
infer with your comment. It's also comparing 72^8 with 72^22. The point of the
article is that length trumps complexity. Not sure how you came to your
conclusion.

~~~
DanielStraight
My point is that 72^8 and 72^22 is an invalid comparison to determine the
relative strength of those passwords.

B5s9z-Qx is 72^8

SophisticatedpwsRock!! is something like number_of_common_words^2 + 26^3 +
10^2. In other words, two common words, three lowercase letters and two
symbols.

You can put each of these passwords in Dropbox's zxcvbn
([https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.ht...](https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html))
to see this more clearly.

They give a guesses_log10 of 8 for "B5s9z-Qx" and 12.76155 for
"SophisticatedpwsRock!!". In other words, the latter is stronger, but it's not
72^14 times stronger. That's where the article messes up.

An attacker isn't going to crack "SophisticatedpwsRock!!" by trying 72^22
options. Just like an attacker isn't going to crack "password" by trying 72^8
or even 26^8 options. They're going to try 1000 or so options of super common
passwords for "password" and some combination of dictionary words,
abbreviations, symbols, common transformations, etc for
"SophisticatedpwsRock!!". This makes the search space much, MUCH smaller than
72^22.

~~~
thembones
>My point is that 72^8 and 72^22 is an invalid comparison to determine the
relative strength of those passwords.

That's fair, but you're talking about directly attempting to crack as opposed
to rainbow tables, which I believe was the authors intention, mapping the full
key space. In this case, the exponents still hold.

>Do not follow this advice on passwords.

Additionally, maybe your first comment's point wasn't well articulated, since
the author's work has proven true in your own tests for the passwords given,
length trumps complexity. I would also argue that he doesn't say anywhere do
not use complexity, he specifically points out however that banks use
complexity as a mask of security while limiting length.

~~~
DanielStraight
Length does not trump complexity.

"Internationalization" is 20 letters long, but it will be cracked in seconds
by even a moderately sophisticated attacker. (zxcvbn gives it guesses_log10 of
4.34708)

The only way to measure password strength is to estimate the number of guesses
necessary to crack the password. That means figuring out how many possible
passwords could have been chosen for whatever method you are using to pick
your password. In the case of "SophisticatedpwsRock!!", the method is
something like: common adjective with a common transformation
(capitalization), relatively common abbreviation, common noun with a common
transformation, common punctuation, common punctuation. The number of possible
passwords using that pattern is what you should be interested in, because that
is how the attacked is going to get your password, not by trying every
possible combination of characters.

For a simple example, the passwords "i like salt" and "you like pepper" should
be considered equally strong (or equally weak as the case may be) since they
follow the same pattern for generation. Any system of determining password
strength which gives them significantly different strengths is misleading. In
this case, if we followed the method the author used, we would say "you like
pepper" is 26^4 times stronger, which is absurd. (zxcvbn by comparison gives
them both almost the same rating: guesses_log10 of approximately 8.)

You cannot take a password picked by one method (common words) and score based
on another method (characters). Passwords are only as strong as the easiest
possible way to guess them. If you generate 8 random characters and they
happen to spell "password", your password is still weak because it can be
guessed by a much easier method than going through every combination of 8
characters.

Find the easiest way to approach guessing a password and see how many tries it
would take using that method. That will give you the strength of the password.
Counting characters will not.

~~~
thembones
>"Internationalization" is 20 letters long, but it will be cracked in seconds
by even a moderately sophisticated attacker. (zxcvbn gives it guesses_log10 of
4.34708)

Literally nothing to do with the article and an absurd choice for a password
to make your (misguided) point. Length does trump complexity, however once
again I'll repeat, the article doesn't say complexity doesn't matter. It does.
It says it does.

Sorry my man, I think you missed the point of the article entirely. I also
think your knowledge about how passwords are cracked in the wild is off base.
Your theoretical thought experiment here isn't how it's done. Also the Dropbox
password calculator you provided proves it. Every single character added to a
decent password adds guesses_log10 assuming moderate complexity.

