Hacker News | ChikkaChiChi's comments

If you compare the number of possibilities per word versus the number of possibilities per character (94 on the commonly used ASCII spectrum for US keyboards), the benefits are clear.

That's not to say that it's impenetrable. It's just making it less convenient to crack which seems to be the name of the security game.



This is a simple explanation of why passphrasing is better. Please bear with my layman's mathematics because this isn't my forte:

Let's use XKCD as an example. Your passphrase is correcthorsebatterystaple but since you hate typing out things you abbreviate it to chbs.

In most English passwords, you are limited to the characters visible to you on your keyboard; 52 letters (caps and lowercase), 10 numbers, 32 symbols. That means each piece of your password has 94 possible options. That means there are over 78 million possible combinations to be tried to correctly guess chbs. When you realize that computers can hash through several billion attempts PER SECOND, your password starts to look like a terrible idea.

By typing out correcthorsebatterystaple, you go from 94^4 to 94^25. This is what XKCD points out and it's obvious that this is a big gain.

But it gets better than this...

Let's assume that crackers start to use rainbow tables full of common words used to build phrases like this. Instead of treating passwords by the number of characters, they start hammering on the number of words that are possible.

Instead of increasing the exponent of the perceived slot, you've gone from 94 possible options to however many words there are in the English language. So instead of 94^4, you're dealing with numbers like 250000^4.

This is why security people think passphrasing is better than passwords and why sites like Microsoft that limit you to only 20 character passwords are assholes. It's not the perfect solution, but it will help.

TL;DR: Passphrasing increases the security in your credentials in more ways than you are probably thinking. Do it. DO IT NOW.


crpatino 4 days ago | link

The spirit of what you mean is right, but the details are all tangled up.

Example 1: "chbs". 94^4 is way too optimistic. Your upper bound is 26^4, though if you get a smart attacker, he will figure out that 'c', 'h', 'b' and 's' are all more likely than 'x' or 'q' (though less likely than 'e' or 't'), and prune the search tree accordingly. Honestly, it does not really matter because with just 4 chars long, he can afford to just brute-force it anyway.

Example 2: "correcthorsebatterystaple". While much, much better than "chbs", 94^25 is completely off-base. That would imply that you are using all printable ASCII characters in your passphrase. The other figure you mention, 250000^4, is closer to the mark, though it implies you are picking your samples from a 250,000-word dictionary.

XKCD does not make that assumption; it explicitly uses a small dictionary (2048 words) to make it clear that you do not depend on picking "epic words" for the scheme to stand. You can use simple, everyday (i.e. easy-to-remember) words and still come out ahead of the other approach.

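The models argued over in the three comments above (94^4 and 94^25 for character-by-character guessing, 250000^4 and 2048^4 for word-by-word guessing) carried through in code, as an added worked example rather than anything posted in the thread. The tiny word list, the 10^10 guesses-per-second offline rate and the helper names are assumptions; the 1000 guesses-per-second figure is the one the XKCD comic itself uses. It scores a candidate under each attacker model and reports the weakest, which is the number that actually matters:

```python
import math
import string
from typing import Optional

# Character alphabets from the thread: 26 lowercase letters, or all 94
# printable ASCII characters (52 letters + 10 digits + 32 symbols).
LOWERCASE = string.ascii_lowercase
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
assert len(PRINTABLE) == 94

# Constructed stand-in for an attacker's word list. A real one (the comic's
# 2048 words, or a full English dictionary) would be loaded from a file;
# this has just enough words to segment the sample passphrases below.
WORDLIST = frozenset([
    "correct", "horse", "battery", "staple", "batter",
    "the", "cat", "sat", "on", "mat", "a",
])

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_space(candidate: str, alphabet: str) -> int:
    """Guesses needed to exhaust every string of this length over `alphabet`."""
    return len(alphabet) ** len(candidate)


def segment_into_words(candidate: str, wordlist) -> Optional[list]:
    """Split `candidate` into the FEWEST dictionary words, or None if it
    cannot be fully covered. Fewest is the attacker's best case: guessing
    k word slots from a dictionary costs |dictionary|**k attempts."""
    n = len(candidate)
    best = [None] * (n + 1)  # best[i] = shortest word split of candidate[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is None or candidate[start:end] not in wordlist:
                continue
            split = best[start] + [candidate[start:end]]
            if best[end] is None or len(split) < len(best[end]):
                best[end] = split
    return best[n]


def word_space(candidate: str, wordlist, dictionary_size: int) -> Optional[int]:
    """Guesses to exhaust `dictionary_size` words over as many slots as the
    candidate segments into; None if the candidate is not made of words."""
    words = segment_into_words(candidate, wordlist)
    return None if words is None else dictionary_size ** len(words)


def bits(space: int) -> float:
    """Search space expressed in bits."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def attacker_models(candidate: str) -> dict:
    """Search-space size under each attacker model the thread mentions.
    Word models are dropped when the candidate is not a run of words."""
    models = {
        "94 printable chars": char_space(candidate, PRINTABLE),
        "26 lowercase chars": char_space(candidate, LOWERCASE),
        "250000-word dictionary": word_space(candidate, WORDLIST, 250_000),
        "2048-word dictionary": word_space(candidate, WORDLIST, 2048),
    }
    return {name: space for name, space in models.items() if space is not None}


def weakest_model(candidate: str):
    """(model name, search space) for the cheapest applicable attack."""
    return min(attacker_models(candidate).items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for pw in ("chbs", "correcthorsebatterystaple"):
        print(pw)
        for name, space in attacker_models(pw).items():
            print(f"  {name:24s} {bits(space):6.1f} bits")
        name, space = weakest_model(pw)
        # 1e3/s is the comic's online-guessing rate; 1e10/s is an assumed
        # offline rate standing in for the thread's "several billion".
        for rate in (1e3, 1e10):
            print(f"  weakest ({name}) at {rate:.0e}/s: "
                  f"{years_to_exhaust(space, rate):.2e} years")
```

Run it and "chbs" comes out at about 18.8 bits under the lowercase-only model (crpatino's 26^4), while the full passphrase drops from roughly 164 bits under the 94-character model to 44 bits once the attacker guesses whole words from a 2048-word list: about 557 years at the comic's 1000 guesses per second, but under half an hour at 10^10 per second. The dictionary size and the hashing speed, not the character count, decide the outcome.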


It can't hurt.

While a space is considered another character, I've come across more than a few instances in which blank characters are scrubbed from user input fields.

So even if you add one, it's entirely possible that it's ignored.



For the sake of brevity and callback, I'll say it's a SMART wrapper over a backend service or services (commonly at this point, a relational database).



For years Comic Sans has been recognized as being one of the most readable fonts. It is even considered to be a preferred font for those dealing with dyslexia (http://www.luzrello.com/Publications_files/assets2013.pdf).

This seems to be a classic case of form vs. function.


judk 11 days ago | link

Unreadable fonts are preferred for dyslexic readers, because the discomfort of the font inhibits scanning (error-prone for dyslexics) and promotes reading letter by letter. So there is a tension.



"Artificial Intelligence" seems to be a blanket term that covers an astounding number of concepts that would have to be fully realized and implemented before something like "Her" could ever be what the movie showed.

Self-awareness, self-actualization, genuine emotional response, subjectivity, etc. are not all one and the same.

-----


If they only could have added the word 'Oculus' in there somehow.

-----


Has anyone considered that the Oculus team was scared by Sony's Morpheus project and decided to cash out while they were still relevant?

I've not experienced either device, but I consider this at least plausible. Maybe Sony had already figured out solutions to problems Oculus was still toying with.

-----

damon_c 24 days ago | link

I was going to say the same thing. At GDC last week, the general feeling was that Sony's tech was more than competitive and seemingly much closer to an actual consumer product than anything from Oculus.

Fear makes people do unexpected things.

-----

ChikkaChiChi 31 days ago | link | parent | on: Moto 360

You realize that those are in opposition to one another, right?

-----

npizzolato 31 days ago | link

That doesn't make it an unreasonable request. There's always the option of not purchasing one until the technology improves enough to make it smaller while having an acceptable battery life.

Given the full color display and the current abysmal battery life for any smart watch not using e-ink, I'm pessimistic about the battery life of this product. I would be very happy to be surprised though.

-----


Right, but if their uptime monitor is internal, and they are resolving from an internal address, nothing is wrong.

-----

garindra 32 days ago | link

Yeah, but if your status page is made to be seen by external people, the right thing to do would be to monitor it just like if you were using it externally. There is a whole slew of problems that wouldn't be exposed correctly if your monitoring point is internal -- like this exact problem, DNS, etc.

-----

encoderer 32 days ago | link

Right, but since their customers are not internal, having a monitor that is not outside of their network would make for a pretty poor uptime monitor.

-----

melvinmt 32 days ago | link

There is the problem.

-----
