An updated discussion of “XKCD” passwords.

Security professionals almost universally want to teach better password selection.

The evaluation that an “XKCD”-type password (two words, a number or two, and a third word) is strong/secure relies on a dictionary of roughly 20,000 words [see the “Pass Phrase Strength” table half-way down the column]. However, when people select their actual password they tend to use only 3- and 4-letter words, so a crack that tries only 3- and 4-letter words is very effective. Nevertheless, the scheme remains viable if you use three- or four-digit numbers between the second and third word, or four words (in conjunction with numbers) instead. Non-dictionary words also reinforce the security of the scheme without making the password(s) too arduous to recall.

The reason people do not endorse pass-phrases universally is that the chance of “losing” a pass-phrase is similar to the chance of losing a password. If we place too many eggs in one pass-phrase basket, we worry that they will all be broken in a single password-stealing incident.


About James Johnson

I am an amateur mathematician & political theorist who enjoys (occasionally cerebral) humor.