
As XKCD (and many others) have explained so clearly, and proved with some simple combinatorics, password length is significantly more important to security than complexity.

However, long passwords are hard to remember, so it is often easier to use a phrase or a quotation from a favourite book or poem, meaning a password can often hit 40-50 characters. Should this be considered secure, or are there known attacks that use large dictionaries of quotations as an attack vector?

  • P.S. Actually, what XKCD and others are explaining is that it is NOT about the length, but about the strength. As XKCD 936 explains, one way to measure the strength of the password - assuming it is a completely random password - is *entropy*. Common phrases or quotations have very low entropy, and in fact it doesn't even work that way because it is not random. But yes, of course password crackers use quotation dictionaries, which eases the crackability. – AviD Feb 14 '17 at 08:28

1 Answer


Not true, actually: crackers these days include dictionaries, combinations of words, common replacement strategies (l33tsp34k) and classic suffixes and prefixes (e.g. "staplebattery!"). The 'correcthorsebatterystaple' or whatever it was won't work anymore, as it isn't complex enough. So if you must use quotations, add some symbols between words or, better yet (cliché alert), use a password manager that provides more secure passwords by default.

See this post by Bruce Schneier (already from 2014 mind you!): https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

And this previous answer: Is "the oft-cited XKCD scheme [...] no longer good advice"?

user3244085

  • The answer to that question you linked disproves the rest of your answer (and Mr. Schneier was widely blasted for his very wrong post - saying this as a huge fan.). The whole point of the xkcd is that complexity is irrelevant - and the math proves it will never change. The only difference now really is that 4 words is not enough - so use 5, or 6, or whatever. But the concept stays the same. – AviD Feb 14 '17 at 08:30
  • OK, so apparently I am not correctly informed. I'll leave my answer for reference, as I think I'm not the only one with this misconception. – user3244085 Feb 14 '17 at 08:46
  • Sure, that is a good idea. – AviD Feb 14 '17 at 09:00
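As an added illustration (not from the question, the answer or the comments), the entropy arithmetic behind AviD's two comments: a long quotation is one pick from a quotation list, while a random passphrase is one pick per word, so "4 words is not enough - so use 5, or 6" is just more bits per pick. The quotation set and word list here are constructed stand-ins, and the million-entry quotation list is an assumed size.

```python
import math

# Constructed stand-ins, not real cracking lists. The sizes passed to
# passphrase_entropy() are the assumed sizes of the real lists they stand in for.
QUOTATIONS = {
    "to be or not to be that is the question",
    "it was the best of times it was the worst of times",
    "all that glitters is not gold",
}
WORD_LIST = {"correct", "horse", "battery", "staple", "red", "zebra"}
ALPHABET_SIZE = 27  # lowercase letters plus space, for the length-only view


def entropy_bits(choices: int, positions: int) -> float:
    """Entropy of `positions` independent uniform picks from `choices` options."""
    return positions * math.log2(choices)


def length_only_estimate(phrase: str) -> float:
    """What 'longer is stronger' credits: every character treated as random.
    Only an upper bound, since it ignores how the phrase was chosen."""
    return entropy_bits(ALPHABET_SIZE, len(phrase))


def passphrase_entropy(phrase: str, quotation_list_size: int,
                       word_list_size: int) -> float:
    """Entropy once the phrase is modelled the way it was chosen: a known
    quotation is one pick from the quotation list, a run of list words is one
    pick per word, anything else falls back to the naive per-character view."""
    text = " ".join(phrase.lower().split())
    if text in QUOTATIONS:
        return entropy_bits(quotation_list_size, 1)
    parts = text.split()
    if parts and all(p in WORD_LIST for p in parts):
        return entropy_bits(word_list_size, len(parts))
    return length_only_estimate(text)


def compare(quotation_list_size: int = 1_000_000, word_list_size: int = 2048) -> dict:
    """Worked comparison: an assumed million-entry quotation list versus the
    2048-word list behind xkcd 936 (11 bits per word)."""
    quote = "to be or not to be that is the question"  # 39 characters
    def model(p):
        return passphrase_entropy(p, quotation_list_size, word_list_size)
    return {
        "39-char quote, length-only view": length_only_estimate(quote),  # ~185 bits
        "same quote, one pick from 1e6 list": model(quote),               # ~20 bits
        "4 random list words": model("correct horse battery staple"),     # 44 bits
        "6 random list words": model("correct horse battery staple red zebra"),  # 66 bits
    }
```

The 39-character quotation looks strong by length alone but is worth about 20 bits once it is treated as one entry in a quotation list, less than half of four random words.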