This queue is for tickets about the Crypt-XkcdPassword CPAN distribution.

Report information
The Basics
Id: 98864
Status: open
Priority: 0/
Queue: Crypt-XkcdPassword

People
Owner: Nobody in particular
Requestors: KENTNL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.007
Fixed in: (no value)



Subject: May wish to link to this article

Some security people seem to think that this approach to passwords is ill advised and may leave you vulnerable to different kinds of attacks.

http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase

Though it seems *purely* random phrases like the one generated by this module are indeed stronger than idiomatic sentence-like phrases, and you can swing that to your advantage. =)

Also, obvious thing to mention: If this tool becomes known, and an attacker suspects you're using it to make your password, or your attacker is attacking a website they suspect there would be a rewarding percentage of users using this system, they may just use this tool to seed their dictionary, which would prove a MUCH easier attack compared to plain brute force.

> a MUCH easier attack compared to plain brute force.
A four word phrase generated from the "EN" dictionary has 1e16 possible combinations. If you assume that a powerful attacker can make a million guesses per second, then it's still going to take them an average of 150 years to crack the password. Personally I have a policy of changing my passwords every century.

On 2014-09-14 10:30:59, TOBYINK wrote:
> > a MUCH easier attack compared to plain brute force.

By that I mean, if you had a 4 word password at 5 words per word, a naive brute force would be against 2 ^ 120 permutations at minimum. ( 20 characters at 64 symbols )

Knowing users have this tool in employ means they can cut the brute force down to

2 ^ 52 permutations. ( 4 "characters"(each word) with 10000 "symbols"(each permutation of word))

As I said, that's probably an acceptable compromise for the convenience it poses.

Either way, I just figured it would be cool to link to more related reading to let people decide for themselves =)

10000^4 is actually a bigger search space than, say, the search space for eight character passwords made up of random ASCII printable characters (96^8). And many services won't even accept arbitrary ASCII characters; some restrict the allowed punctuation. 10000^4 is orders of magnitude bigger than the search space for eight character passwords made of random case-sensitive alphanumeric characters (62^8).
Or to put it another way, you're comparing a, say 20 character password generated using Crypt::XkcdPassword with a 20 character random string. It's not surprising that the random string wins. But a more realistic comparison would be to compare it with an 8 character random string, because virtually nobody would use a 20 character random string as a password - it's too long to remember.
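
The search-space comparison argued in this thread can be checked with a short script. This is an added example, not part of the ticket or of Crypt::XkcdPassword; the function names are hypothetical, and it assumes the attacker knows the generator and word list and that every word or character is drawn uniformly and independently. The 10,000-word dictionary and the million guesses per second are the figures quoted in the thread.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits when `length` symbols are each drawn uniformly and
    independently from `symbols` choices (a word counts as one symbol)."""
    return length * math.log2(symbols)

def avg_crack_years(symbols: int, length: int, guesses_per_second: float) -> float:
    """Expected search time: on average half of the space is tried."""
    return (symbols ** length) / 2 / guesses_per_second / SECONDS_PER_YEAR

def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dict_size))

def generate(wordlist, n_words: int) -> str:
    """Draw words with a CSPRNG. The entropy figures above only hold for
    uniform, independent picks like this, not for human-chosen phrases."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Schemes discussed in the thread: (choices per symbol, number of symbols).
SCHEMES = {
    "4 words from 10000-word list": (10000, 4),
    "8 random printable ASCII": (96, 8),
    "8 random alphanumeric": (62, 8),
    "20 random chars, 64 symbols": (64, 20),
}

# Constructed sample list, far too small for real use.
SAMPLE_WORDS = ["anchor", "bottle", "cactus", "dinner",
                "engine", "forest", "guitar", "harbor"]

if __name__ == "__main__":
    rate = 1e6  # guesses per second, as assumed in the thread
    for name, (symbols, length) in SCHEMES.items():
        print(f"{name:30s} {entropy_bits(symbols, length):7.2f} bits  "
              f"{avg_crack_years(symbols, length, rate):.3g} years on average")
    print("words needed for 120 bits:", words_needed(10000, 120))
    print("sample phrase:", generate(SAMPLE_WORDS, 4))
```
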