XKCD and Password Strength

Most of my blogs start when I’m annoyed by something. In this case, it was this article: http://www.guardian.co.uk/technology/2012/oct/05/online-security-passwords-tricks-hacking

I love XKCD, and it makes many valid points. However, when all is said and done, it’s a webcomic. I really doubt the author is actually expecting us to take it as literal life advice. He’s probably more aiming to make a point and get us thinking and/or laughing.

Which is why I’m a bit worried about how much this (http://xkcd.com/936/) is getting quoted as a serious proposal. (If you haven’t seen the cartoon, take a look – xkcd is excellent). Because it makes a very valid point, but the maths doesn’t stand up in the real world.

Why? Because hackers are people, not computers. And when their victims change tactics, so do the hackers.

The current situation is this: we’ve all been trained to use random letters, numbers, characters, a mix of upper and lower case – like “a7@!f[)d5”. And you do that, right? (Right? No, me neither). So hackers will first try a simple dictionary attack to check for people dumb enough to use a plain-English word, and then they’ll try combinations similar to words with the standard replacements (“s1mpl3r”). If that fails, they can use a brute-force attack – try every combination.

Let’s look at the maths. Suppose you choose an 8-character password made of any valid ascii characters. Then the universe of possibilities is 255^8, or about 1.8e19. That’s a lot of possibilities. Now suppose you choose any 4 English words from the Concise Oxford English dictionary – about 240,000 words, separated by spaces. The average word length is about 5, so you’ll have a 23-character password. A brute-force attack has to deal with 255^23, which is 2.2e55 possibilities – MUCH better, right? That’s 10^36 times better – or 1,000,000,000,000,000,000,000,000,000,000,000,000 times better.

So should we all switch over? Sadly, no. Because if we all switch, so will hackers. If hackers know that most people pick a string of English words, they won’t do a character-by-character attack. They’ll change their behaviour to do a word-by-word attack. Then for a 4-word password, you have 240000^4 possibilities, or about 3.3e21. A bit better than the 8-character password, but only by a factor of about 100. Not too different.

Now let’s be a bit more realistic. Assume, like most people, you usually use only letters and numbers in your passwords. Then an 8-character password has about 2.2e14 combinations. Now assume you only use words in your vocabulary rather than using a dictionary: maybe 15000^4, which is 5.1e16. Again, only a little better than the current situation.
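The comparison above comes down to one quantity: the number of candidates a guesser has to work through, which depends on what the attacker treats as the unit of guessing (a character or a word). The script below is an added example, not part of the original post, that carries the post’s own figures through both attack models and also computes how many words a passphrase needs to match a given character password against a word-by-word guesser. The symbol counts (255, 62, 240,000, 15,000) are the post’s figures, reused as-is; the function names are my own.

```python
import math

# Scenarios from the post. The symbol counts are the author's figures:
# 255 "ascii" characters, 62 letters+digits, 240,000 dictionary words,
# 15,000 words in a typical personal vocabulary (the post's rough estimate).
# Each entry is (label, number of symbols to choose from, number of symbols used).
SCENARIOS = [
    ("8 chars, any of 255, char-by-char attack", 255, 8),
    ("23 chars (4 words), char-by-char attack", 255, 23),
    ("4 words, word-by-word attack, 240k dictionary", 240_000, 4),
    ("8 chars, letters+digits, char-by-char attack", 62, 8),
    ("4 words, word-by-word attack, 15k vocabulary", 15_000, 4),
]


def search_space(symbols: int, length: int) -> int:
    """Candidates a brute-force guesser must consider when the secret is
    `length` symbols drawn uniformly from `symbols` choices. A 'symbol' is a
    character for a character-level attack and a whole word for a word-level one."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Same quantity expressed in bits: log2 of the search space."""
    return length * math.log2(symbols)


def words_needed(vocab_size: int, target_bits: float) -> int:
    """Fewest words, drawn uniformly from a vocabulary of `vocab_size`, that
    reach `target_bits` against an attacker who guesses word-by-word."""
    return math.ceil(target_bits / math.log2(vocab_size))


def compare(scenarios=SCENARIOS):
    """Return (label, search space, bits) for every scenario, in order."""
    return [(label, search_space(s, n), entropy_bits(s, n)) for label, s, n in scenarios]


if __name__ == "__main__":
    for label, space, bits in compare():
        print(f"{label:48s} {space:9.1e} candidates  {bits:5.1f} bits")

    # How many words does a passphrase need before a word-by-word guesser has
    # as much work as a character-by-character guesser does on the 8-char cases?
    for target_label, target in (("255^8", entropy_bits(255, 8)), ("62^8", entropy_bits(62, 8))):
        for vocab in (240_000, 15_000):
            print(f"to match {target_label} ({target:.1f} bits) with a {vocab}-word "
                  f"vocabulary you need {words_needed(vocab, target)} words")
```

The first two rows reproduce the 1.8e19 versus 2.2e55 comparison the post makes; the third row is the same passphrase once the attacker switches to guessing words, and it lands at 3.3e21, which is the point of the post. The last loop shows the flip side: against a word-level guesser, four words from a 15,000-word vocabulary are only just ahead of an 8-character letters-and-digits password.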

Now you can argue that there are many more than 240,000 words in the full dictionary, and if you use the full set of words the number of possibilities goes up. Which is true. On the other hand, are you really likely to pick four words at random from a full multi-volume encyclopedia, or are you going to think of four words that spring to mind? 15,000 is probably an overestimate, to be honest.

Then again, most people aren’t using the full range of characters to make up their passwords now. So is the option of using words worse? No, it’s not worse. For now, it’s even a little better. But if we all switch, then it’ll be about the same.

Having good passwords is an arms race. As we discover better passwords, hackers discover better attacks. There’s no magic bullet. Choose something you can live with, and be prepared to change your strategy as the attacks change. And don’t believe everything you read, especially if it was written as a webcomic.


Google founder says internet freedom under threat

“Internet freedom under threat” – Google founder Sergey Brin (Guardian article)

I was going to fire off a quick tweet about this, then had second thoughts. It’s a bit more complicated than it seems. Let’s just review what Brin is arguing.

The “threats” Sergey Brin talks about in the article are:

  (i) governments trying to control information and access
  (ii) entertainment industry crackdowns on piracy
  (iii) “restrictive walled gardens” such as Facebook and Apple

So, on (i) and (ii), I’m going to broadly agree with him. Whether it’s the UK government trying to get access to all our online conversations, or China or Iran restricting what their citizens can see, I’m against it. Although even here there’s a grey area, as when Germany tries to restrict the sale of Nazi memorabilia on eBay. Remember that? Pro or con? You can make good arguments both ways.

However, let’s talk about his third point. Brin’s criticizing Facebook for being too restrictive with access to the users and data it has. Well, maybe. But what does this actually mean? In Brin’s world, Facebook is evilly sitting on data it’s collected, and refusing to share, locking away information that Google could use. But in another version, Facebook is trying to protect data that users have entered on Facebook but chose NOT to share publicly. Remember, Facebook gets regularly slammed for not protecting privacy enough.

So, when Brin complains that Facebook is restricting internet freedoms, is he talking about restricting your freedom to share what you want with who you want? Or his freedom to get any information he wants about you to make profits selling advertising?

I’m not a huge Facebook fan, although I am a frequent Facebook user. There are many issues with Facebook. And there are good arguments for avoiding monocultures where everyone is locked in to using one company. But I don’t necessarily think that Facebook should have to open up my data because Sergey Brin wants it. Sorry, Sergey.

UPDATE: I’ve just been reminded what Google did when it tried to start a Facebook-a-like, Google Buzz. It began by making all your GMail contacts public.