New password announce missed the point?

I get that companies still insist on not using far superior pass phrases for security. What I find bizarre is using an example which tells you to do the opposite as a reason for a policy change. Sure requiring 8 characters instead of four adds more entropy, but is easily subject to brute force.

+ Have characters from at least two of the following categories: upper
case, lower case, digits, and everything else (symbols, punctuation,
spaces, etc.). Note that spaces are now allowed.
+ Not contain your character name. (Same as before.)

The point of the cartoon is that these types of rules are bad math. It gives the illusion of protection and if not required could provide some actual protection. However, when required, it makes passwords substantially more predictable and less secure. Why? Because far too many people will use the password they wanted in the first place and slap your 'additions' on the end of their password.

http://xkcd.com/936/


Comments

  • edited February 2014
    What? I don't get the point of this post. Requiring at least 8 characters is more secure than 4. Not using login name is more secure than using it. Nothing wrong with this. Who cares what comic from what website is used to support these changes? Who cares if that comic is relevant or not? That comic could be Garfield talking about his lasagna for all I care - the changes raise the minimum level of security more than what it used to be - that's the point of the changes, that's the point of the announce.

    "New password announce missed the point?" The point is: make your passwords more secure. End of story.

  • Lerad said:
    What? I don't get the point of this post. Requiring at least 8 characters is more secure than 4. Not using login name is more secure than using it. Nothing wrong with this. Who cares what comic from what website is used to support these changes? Who cares if that comic is relevant or not? That comic could be Garfield talking about his lasagna for all I care - the changes raise the minimum level of security more than what it used to be - that's the point of the changes, that's the point of the announce.

    "New password announce missed the point?" The point is: make your passwords more secure. End of story.
    The point is it really doesn't. The point of the comic is those requirements make for less secure passwords. You can argue that 8 is more secure than 4, but as the comic explains, you can just brute force those. Not to mention I opened the post conceding that 8 is more entropy and that my issue is with the rest, which arguably, as the link in the announce itself argues, makes passwords less and not more secure.
  • Lavinya, Queen of Snark, Australia
    I think the comic was intended as a lighthearted anecdote. The point of the post was to let us know we can (and should) make our passwords more complex because the system can handle it now. Awesome.



  • Lavinya said:
    I think the comic was intended as a lighthearted anecdote. The point of the post was to let us know we can (and should) make our passwords more complex because the system can handle it now. Awesome.
    I think part of the problem here is that people are hearing comic and fail to understand that the person behind this particular strip knows their stuff.

    The writer is conveying why you should not implement passwords the way it was done here and is normally done. Anyone who has ever looked over a list of leaked passwords knows how useless it is to require categories.

    Moving from 4 to 8 is insufficient and can be brute forced. If the point is only to make it harder then you don't need the other rules.

    The other rules far too often result in common substitutions which add negligible complexity and even worse penalize those who use natural pass phrases.

    As written it doesn't seem like an anecdote, but as an example. Or to draw from the announce and comic combined, you don't need to require, "I love Lusternia more than Angry Birds", when "ilovelusterniamorethanangrybirds" is far more than sufficient.

    So what's the harm? It turns out that the more you require the less secure passwords generally become. That is the point of the comic.
  • I'm sorry, you're just blowing a big volcano out of a molehill.

    Requiring more minimum letters does not make passwords less secure.

    If my password was lerad1111111111 instead of lerad1, it would be more secure. Maybe it would be more secure "by a negligible amount", but it would be more secure.

    It would be more secure.

    It would be more secure.

    End of story.

  • Lerad said:
    I'm sorry, you're just blowing a big volcano out of a molehill.

    Requiring more minimum letters does not make passwords less secure.

    If my password was lerad1111111111 instead of lerad1, it would be more secure. Maybe it would be more secure "by a negligible amount", but it would be more secure.

    It would be more secure.

    It would be more secure.

    End of story.
    This is the second sentence of the first post:

    Sure requiring 8 characters instead of four adds more entropy, but is easily subject to brute force.

    I get this isn't intuitive.
  • @Steingrim, I get your point, adding a few extra numbers is a security illusion, just like how people think they are safer with a second lock on the door. If both locks are poor quality, someone can enter your house in seconds, maybe it takes a few seconds extra to break both locks but it will still be ridiculously easy. 

    It is a step in the right direction, but in the end you can only protect people from themselves so much as they want to. If someone feels it is ok that their password has a few extra 1's tacked to it, let them. If they get hacked it is their own damn fault. Sure it is more work for the admin, but they can eventually decide that if a player willingly picks too easy passwords they should for example no longer be allowed to log in because they get hacked every other month and it is a gigantic headache. You can lead the horse to the water, but you cannot make it drink. Letting people suffer for their poor choices sometimes is the only way to get them to change.
  • Rialorm said:
    @Steingrim, I get your point, adding a few extra numbers is a security illusion, just like how people think they are safer with a second lock on the door. If both locks are poor quality, someone can enter your house in seconds, maybe it takes a few seconds extra to break both locks but it will still be ridiculously easy. 

    It is a step in the right direction, but in the end you can only protect people from themselves so much as they want to. If someone feels it is ok that their password has a few extra 1's tacked to it, let them. If they get hacked it is their own damn fault. Sure it is more work for the admin, but they can eventually decide that if a player willingly picks too easy passwords they should for example no longer be allowed to log in because they get hacked every other month and it is a gigantic headache. You can lead the horse to the water, but you cannot make it drink. Letting people suffer for their poor choices sometimes is the only way to get them to change.
    Adding length is a step in the right direction. Adding the ability to use pass phrases is a major step in the right direction. The announcement doesn't say what the new max length for passwords is, so for now let's assume it is quite long. The example would suggest that new passwords can be very long.

    So what am I babbling about? The comic makes the case that pass phrases are better than standard passwords. That's really the main point of the comic. Yet the actual implementation makes it so that you cannot use a pass phrase of the form the comic uses. So even though correcthorsebatterystaple would take 550 years to brute force solve, it isn't a good enough password for the new schema Lusternia uses.
  • All you need to do is to add a single 1 to your passphrase, whatever you want it to be. correcthorsebatterystaple is not good enough for the schema, but correcthorsebatterystaple1 WILL. Is that so disagreeable? Will adding a single digit make the passphrase now so difficult that you cannot remember it? Is it going against the spirit of the comic? Will it ruin the entire point of increasing the minimum? Will I get hacked tomorrow if they don't change the requirements so that a single passphrase without the digit 1 is a possible choice?

    Is it worth a discussion about?

  • Or you could use "correct horse battery staple", or even "CorrectHorseBatteryStaple" and both of those are acceptable.
  • Xenthos, Shadow Lord
    All I'm getting from you, Steingrim, is that you feel "CorrectHorseBatteryStaple" is going to be more hackable than "correcthorsebatterystaple".  I'm a little dubious in that regard.

    The new system does not even require a number, you can use capitalization instead. :)
  • Cyndarin, used Flamethrower! It was super effective.
    edited February 2014
    Stop. Creating. Threads. Steingrim. Also an excellent password suggestion! Edit: frankly if someone wants to spend three years hacking my password just to play Celina, have at it. I won't hate you for that kind of dedication.
  • Xenthos said:
    All I'm getting from you, Steingrim, is that you feel "CorrectHorseBatteryStaple" is going to be more hackable than "correcthorsebatterystaple".  I'm a little dubious in that regard.

    The new system does not even require a number, you can use capitalization instead. :)
    It turns out it can be easier to hack. As I said, some of this is counter-intuitive. Now before your brain explodes with you thinking I don't understand basic math, refer back to the first, third and fifth panels.

    Your example passes panel 5, 'Difficulty to Guess', but it fails 'Difficulty to Remember', as any non-standard implementation automatically fails this test. The problem is not that this schema doesn't allow difficult passwords, it clearly does. The problem is that being a non-standard implementation it adds Difficulty to Remember.

    The great thing about pass phrases is their simplicity. Once additional rules are lumped on then that simplicity goes largely out the window. The problem with a complex schema is two-fold. Firstly, it makes passwords harder for humans to remember; the result of that often is anything from dumbing down the password to writing it down for others to see. Dumbing down your password or writing it down arguably equals less secure. Secondly, a complex unique schema has the effect of people not using it. If someone has to remember the special rules for a site they're less likely to opt for using the stronger schema and default back to the less secure and more familiar one.
  • What? I'm sorry, in a strictly technical sense, more complex and less simple requirements make passwords more secure. This is not "counter-intuitive". This is a fact. "ler4d" is more secure than "lerad". Simple as that. CorrectHorseBatteryStaple is more secure than correcthorsebatterystaple. Brute-forcing the former will require MORE resources, especially if these requirements are common knowledge. If I am a hacker, and I know for sure that all passwords in this site must have at least 1 character outside of lower-case alphabets, then my brute-forcing software absolutely must take that into account and try those combinations as well. This results in a significantly higher resource load and entropy rating.

    I get that you're trying to say that any additional requirements make the passphrase difficult to remember, and thus force users to write it down or dumb it down. And that this compromises security because hackers using social hacking (detective style hacking where they don't brute force the passwords, but gather clues from other sources like social networking or public information to deduce passphrases) then yes, you're absolutely correct. However, this is very simply countered by making the passphrase common, unrelated and random words, something that you yourself acknowledge is the best choice in the first place. Adding a single digit, capitalising one of the letters, or adding a single space will make your passphrase acceptable with these requirements. And if you're going to claim that you will have to write it down just because you added one of those above options, then I have to say that there is no possibility of such a person being able to remember a passphrase in the first place.

    Please don't insult everyone in general by claiming that such requirements will "lower the security" of the passphrases used. It doesn't, plain and simple, unless the user is so stupid as to be unable to remember a single digit or space in their passphrase.

    This is a non-issue, plain and simple.

  • Xenthos, Shadow Lord
    Steingrim said:
    Xenthos said:
    All I'm getting from you, Steingrim, is that you feel "CorrectHorseBatteryStaple" is going to be more hackable than "correcthorsebatterystaple".  I'm a little dubious in that regard.

    The new system does not even require a number, you can use capitalization instead. :)
    It turns out it can be easier to hack. As I said, some of this is counter-intuitive. Now before your brain explodes with you thinking I don't understand basic math, refer back to the first, third and fifth panels.

    Your example passes panel 5, 'Difficulty to Guess', but it fails 'Difficulty to Remember', as any non-standard implementation automatically fails this test. The problem is not that this schema doesn't allow difficult passwords, it clearly does. The problem is that being a non-standard implementation it adds Difficulty to Remember.

    The great thing about pass phrases is their simplicity. Once additional rules are lumped on then that simplicity goes largely out the window. The problem with a complex schema is two-fold. Firstly, it makes passwords harder for humans to remember; the result of that often is anything from dumbing down the password to writing it down for others to see. Dumbing down your password or writing it down arguably equals less secure. Secondly, a complex unique schema has the effect of people not using it. If someone has to remember the special rules for a site they're less likely to opt for using the stronger schema and default back to the less secure and more familiar one.
    Uhh... capitalizing the first letter of each word does not make it "more difficult to remember".  :/  It's actually a very easy way to combine upper and lower case letters in a passphrase.
  • edited February 2014
    Xenthos said:
    Steingrim said:
    Xenthos said:
    All I'm getting from you, Steingrim, is that you feel "CorrectHorseBatteryStaple" is going to be more hackable than "correcthorsebatterystaple".  I'm a little dubious in that regard.

    The new system does not even require a number, you can use capitalization instead. :)
    It turns out it can be easier to hack. As I said, some of this is counter-intuitive. Now before your brain explodes with you thinking I don't understand basic math, refer back to the first, third and fifth panels.

    Your example passes panel 5, 'Difficulty to Guess', but it fails 'Difficulty to Remember', as any non-standard implementation automatically fails this test. The problem is not that this schema doesn't allow difficult passwords, it clearly does. The problem is that being a non-standard implementation it adds Difficulty to Remember.

    The great thing about pass phrases is their simplicity. Once additional rules are lumped on then that simplicity goes largely out the window. The problem with a complex schema is two-fold. Firstly, it makes passwords harder for humans to remember; the result of that often is anything from dumbing down the password to writing it down for others to see. Dumbing down your password or writing it down arguably equals less secure. Secondly, a complex unique schema has the effect of people not using it. If someone has to remember the special rules for a site they're less likely to opt for using the stronger schema and default back to the less secure and more familiar one.
    Uhh... capitalizing the first letter of each word does not make it "more difficult to remember".  :/  It's actually a very easy way to combine upper and lower case letters in a passphrase.
    Which sites make you capitalize and which ones don't? How do you know and how would you remember?

    Edit: That's not meant to be some curt answer. People have to manage all their passwords. That's the objection to non-standard schema, that they add a burden to the user to track what is required.
  • Xenthos, Shadow Lord
    Steingrim said:
    Xenthos said:
    Steingrim said:
    Xenthos said:
    All I'm getting from you, Steingrim, is that you feel "CorrectHorseBatteryStaple" is going to be more hackable than "correcthorsebatterystaple".  I'm a little dubious in that regard.

    The new system does not even require a number, you can use capitalization instead. :)
    It turns out it can be easier to hack. As I said, some of this is counter-intuitive. Now before your brain explodes with you thinking I don't understand basic math, refer back to the first, third and fifth panels.

    Your example passes panel 5, 'Difficulty to Guess', but it fails 'Difficulty to Remember', as any non-standard implementation automatically fails this test. The problem is not that this schema doesn't allow difficult passwords, it clearly does. The problem is that being a non-standard implementation it adds Difficulty to Remember.

    The great thing about pass phrases is their simplicity. Once additional rules are lumped on then that simplicity goes largely out the window. The problem with a complex schema is two-fold. Firstly, it makes passwords harder for humans to remember; the result of that often is anything from dumbing down the password to writing it down for others to see. Dumbing down your password or writing it down arguably equals less secure. Secondly, a complex unique schema has the effect of people not using it. If someone has to remember the special rules for a site they're less likely to opt for using the stronger schema and default back to the less secure and more familiar one.
    Uhh... capitalizing the first letter of each word does not make it "more difficult to remember".  :/  It's actually a very easy way to combine upper and lower case letters in a passphrase.
    Which sites make you capitalize and which ones don't? How do you know and how would you remember?
    Easy solution: Do it everywhere, have a more secure password that is every bit as easy to remember. ;)
  • Lerad said:
    What? I'm sorry, in a strictly technical sense, more complex and less simple requirements make passwords more secure. This is not "counter-intuitive". This is a fact. "ler4d" is more secure than "lerad". Simple as that. CorrectHorseBatteryStaple is more secure than correcthorsebatterystaple. Brute-forcing the former will require MORE resources, especially if these requirements are common knowledge. If I am a hacker, and I know for sure that all passwords in this site must have at least 1 character outside of lower-case alphabets, then my brute-forcing software absolutely must take that into account and try those combinations as well. This results in a significantly higher resource load and entropy rating.

    I get that you're trying to say that any additional requirements make the passphrase difficult to remember, and thus force users to write it down or dumb it down. And that this compromises security because hackers using social hacking (detective style hacking where they don't brute force the passwords, but gather clues from other sources like social networking or public information to deduce passphrases) then yes, you're absolutely correct. However, this is very simply countered by making the passphrase common, unrelated and random words, something that you yourself acknowledge is the best choice in the first place. Adding a single digit, capitalising one of the letters, or adding a single space will make your passphrase acceptable with these requirements. And if you're going to claim that you will have to write it down just because you added one of those above options, then I have to say that there is no possibility of such a person being able to remember a passphrase in the first place.

    Please don't insult everyone in general by claiming that such requirements will "lower the security" of the passphrases used. It doesn't, plain and simple, unless the user is so stupid as to be unable to remember a single digit or space in their passphrase.

    This is a non-issue, plain and simple.
    I am not insulting anyone by conveying what studies show and the current consensus of security experts. The natural reaction to complexity for humans is to simplify, to ignore, or even to write down passwords.

    There is an average length to passwords used by the general public. If your schema dictates certain patterns, there are already algorithms out there to exploit this weakness.

    You keep going on about it being a non-issue. I never said it was an issue. All I have said is it appears that a major point of the comic seems to have been overlooked or failing that possibly dismissed.

    It isn't just that I'm "trying to say that any additional requirements make the passphrase difficult to remember, and thus force users to write it down or dumb it down." It is also that they're far more likely to stick with their old crappy password than to adopt another password scheme they have to remember. Wait, that site, I can put a symbol at the beginning, but on this other site it can't be the first character. This one requires a number, that one doesn't.

    When something is made non-standard it runs the real risk people won't use it. If they don't use it, its potential security is meaningless. True, passphrases are new enough that most people don't yet care much about usability and I am sure people will jump in and embrace the ability to do so here and benefit from the added security of doing so.

    Pass phrases simply don't need the extra rules. I don't think you disagree with this last bit?
  • Xenthos, Shadow Lord
    edited February 2014
    Every single site I have ever signed up for allows for mixed case.

    Just use mixed case for your passphrases and you are set.  It will work for Lusternia, no tweaking needed.  Unfortunately some other sites require more hoops (and for those sites, yes, you are right- you are making it needlessly more complex), but I don't see anything wrong with encouraging people to use mixed case as a standard for their passphrases.  It is not an extra burden on memory at all.  Capitalize the first letter of each word as you are typing it.

    Edit: You basically seem to be arguing against bad password policies on other sites, but what you are arguing isn't applicable here since it does not have rules as strenuous.  I fully agree with the gist of what you are saying, on sites where they have really weird requirements which are basically designed to make you need something much harder to remember, but that's just not the case with the change implemented on Lusternia.
  • I'm mind bogglingly confused by this argument. The passphrase schema that you're arguing for is allowed under the new rules, as whitespace is now accepted. And if the issue is the requirements then frankly Celina's jab is a perfect example of an easy to remember passphrase.



  • Steingrim said:
    I am not insulting anyone by conveying what studies show and the current consensus of security experts. The natural reaction to complexity for humans is to simplify, to ignore, or even to write down passwords.
    Even if the "natural reaction to complexity" for every single human out there (read that again, by the way, I'm sure you meant no insult whatsoever, but you need to realize that you actually are, when you generalize like that) is to ignore or even write down passwords, the new requirements do not actually make it complex enough to cause any issues of the sort.

    Steingrim said:
    There is an average length to passwords used by the general public. If your schema dictates certain patterns, there are already algorithms out there to exploit this weakness.

    You keep going on about it being a non-issue. I never said it was an issue. All I have said is it appears that a major point of the comic seems to have been overlooked or failing that possibly dismissed.
    The new IRE schema doesn't dictate any "certain pattern". It dictates a certain requirement, but it dictates absolutely nothing of what you have to do with it. If the schema said, "you must have at least 8 characters, of which every third character must be of a different type, ie. "ab1cd@ef3" then that's a pattern that's being dictated. This is not the case here. Yes, when your schema dictates extra requirements, there are different algorithms for it, and - did you actually read my previous post? - these are less resource efficient than one that doesn't need to take into account those additional requirements. They add security, period. This is not arguable on a technical level. Algorithms that assume "this guy likes cakes, so he might have the brand name of cake shops in his neighbourhood used in his passwords, we can narrow our algorithm down based on that" is not brute-forcing - that's social hacking. Again, read my post.

    If it is not an issue, then there's nothing to be said. If the "major point of the comic" is "overlooked or failing that possibly dismissed", then it is an issue. Make up your mind. Which is it?

    Assuming the latter, I would also like to point out that the major point of the comic is neither overlooked nor dismissed. They could have changed up the requirements and said nothing about the concept behind "passphrases > gibberish symbols". If they did that, the vast majority of players who are not familiar with that concept will continue to use tr0ub4dour&3 as their passwords. The fact that they mentioned the concept is a nudge that players should consider the merits of a passphrase over the gibberish symbols they are used to, and make adjustments based on the new requirements: which allow for very secure passphrases.

    If they wanted to "overlook" or "dismiss" the point in the comic, they wouldn't link it in the first place. That's not very difficult to understand, unless you're trying to imply that the admin are too stupid to have the reading comprehension needed to decode that comic.
    Steingrim said:
    Pass phrases simply don't need the extra rules. I don't think you disagree with this last bit?
    No, I don't disagree with that. Here's an extra bit of information for you: the extra rules of the new IRE passwords? They don't disallow pass phrases. "Wow, what a shocker! You mean I can use pass phrases with the new rules?" Yes, you can. "Extra rules" and "pass phrases" are not mutually exclusive. You might want to spend some time to think about that.

    In the mean time, let me tell you what I disagree with: you telling me what I should do with my password.

    I might be wrong, of course (I've been wrong about how pointless this thread is for every one of my previous posts: every time you reply to clarify your position, I feel it is even more pointless) but I think you're just pissed off about the fact that it is possible to still use difficult to remember, easy to hack passwords. You want the schema to require "at least 8 characters, with no special characters or spaces allowed, only lower-case alphabets" so that people will be forced to switch to passphrases. Maybe, as icing on the cake, you also want to have an additional line saying "your passphrases must be made up of common, random, irrelevant words, as that is the new standard that is more secure". Any schema that still allows someone to enter tr0ub4dour&3 as a password is a schema that should not exist.

    Well, my reply to that is, I'm very happy with l3r4d as my password, thank you. Please don't dictate to me what I must or must not use. You're neither my parent nor my security adviser. The day I want to employ you to replace my adviser (which is myself, obviously), I'll let you know and send a contract your way. Until then, please kindly take your so-called "disagreements" elsewhere.

  • Zouviqil, Queen of Uberjerkiness
    Lerad said:
    Well, my reply to that is, I'm very happy with l3r4d as my password, thank you. Please don't dictate to me what I must or must not use. You're neither my parent nor my security adviser. The day I want to employ you to replace my adviser (which is myself, obviously), I'll let you know and send a contract your way. Until then, please kindly take your so-called "disagreements" elsewhere.
    Quick, everyone! Log into Lerad's account!
  • Xenthos, Shadow Lord
    I already did, but then I immediately got kicked off by someone else who cracked the code as well.  :(

    Next time I get in I am going to change it to d4r3l.  Nobody will ever guess that one!
  • Tarkenton, Traitor Bear
    Breaking news, Lerad's real name is Darel.  :D
  • Lerad said:

    No, I don't disagree with that. Here's an extra bit of information for you: the extra rules of the new IRE passwords? They don't disallow pass phrases. "Wow, what a shocker! You mean I can use pass phrases with the new rules?" Yes, you can. "Extra rules" and "pass phrases" are not mutually exclusive. You might want to spend some time to think about that.

    In the mean time, let me tell you what I disagree with: you telling me what I should do with my password.

    Are you just trolling? The new password policy as per the announce specifically disallows the passphrase illustrated in the comic.

    Nowhere have I said or even suggested what you should do with your password.
  • Maellio said:

    I'm mind bogglingly confused by this argument. The passphrase schema that you're arguing for is allowed under the new rules, as whitespace is now accepted. And if the issue is the requirements then frankly Celina's jab is a perfect example of an easy to remember passphrase.

    The passphrase in the comic doesn't use symbols, uppercase, or spaces. This is possibly why some here are expressing some confusion.
  • Lerad said:
    The new IRE schema doesn't dictate any "certain pattern". It dictates a certain requirement, but it dictates absolutely nothing of what you have to do with it. If the schema said, "you must have at least 8 characters, of which every third character must be of a different type, ie. "ab1cd@ef3" then that's a pattern that's being dictated. This is not the case here. Yes, when your schema dictates extra requirements, there are different algorithms for it, and - did you actually read my previous post? - these are less resource efficient than one that doesn't need to take into account those additional requirements. They add security, period. This is not arguable on a technical level. 

    Seems like more rules would make you more vulnerable to a dictionary attack though. Who cares if the dictionary takes longer to make.

    Really, these kinds of rules are purely made to prevent social engineering and easily guessed passwords ('password', '123456', etc), which, with no evidence whatsoever, I imagine is the biggest cause of compromised passwords. When you see a big list of compromised passwords with all the fancy rules, again, with no evidence at all, I don't think all these were brute force attacked - the data was otherwise compromised. In which case, passphrases aren't going to help you any either. Also, I don't think Lusternia is exceptionally vulnerable to brute force attacks - don't you get locked out after some amount of attempts? Or maybe I remember wrong.

    And I liked the comic :D
  • edited February 2014
    Steingrim said:
    Maellio said:

    I'm mind bogglingly confused by this argument. The passphrase schema that you're arguing for is allowed under the new rules, as whitespace is now accepted. And if the issue is the requirements then frankly Celina's jab is a perfect example of an easy to remember passphrase.

    The passphrase in the comic doesn't use symbols, uppercase, or spaces. This is possibly why some here are expressing some confusion.
    Then it's a matter of parsing it differently, as I did read it as having spaces. ~themightiestofshrugs~

    Edit: It's a cripplingly specific emote. It's a valid password. It's a cripplingly specific emote -and- a valid password.

    Bonus likes to anyone who isn't @Everiine who knows what I'm referencing


  • Maellio said:
    Steingrim said:
    Maellio said:

    I'm mind bogglingly confused by this argument. The passphrase schema that you're arguing for is allowed under the new rules, as whitespace is now accepted. And if the issue is the requirements then frankly Celina's jab is a perfect example of an easy to remember passphrase.

    The passphrase in the comic doesn't use symbols, uppercase, or spaces. This is possibly why some here are expressing some confusion.
    Then it's a matter of parsing it differently, as I did read it as having spaces. ~themightiestofshrugs~

    Edit: It's a cripplingly specific emote. It's a valid password. It's a cripplingly specific emote -and- a valid password.

    Bonus likes to anyone who isn't @Everiine who knows what I'm referencing
    Two, two, two things in one.

    During his company's periodic password audit, an employee was found to be using this password:

    GoofyHueyLouieDeweyDaisyDonaldMickeyMinniePhoenix

    When he was asked why he had such a long password, he said, "The boss said that my password had to be at least eight characters long and have at least one capital."

    I can see why someone might see it that way. The brackets are there for readability and more importantly to indicate the dictionary elements. The form of the math is dictionary attacks, or put another way, 'word lists'. 11 bits is per word, not per character; per character would be even harder to crack, something along the lines of 117 bits. 11 bits x 4 for the 44 bits of entropy. As an aside, did you also see the first password as having a space?
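    As an added example (not code from the thread or from Lusternia), here is a Python checker for the rules quoted in the opening post, alongside the two entropy models the thread argues over: naive per-character brute force, under which CorrectHorseBatteryStaple looks far stronger, and a policy-aware dictionary attack that also tries predictable decorations, under which the gain is a couple of bits. The 2048-word list (11 bits per word) is the comic's figure; the decoration list and the character names are constructed assumptions.

```python
import math

# Rules quoted from the announcement in the opening post: at least 8 characters,
# characters from at least two of {upper, lower, digit, other}, and no character
# name. Spaces count as "other". Character names used below are assumptions.
MIN_LENGTH = 8


def categories(pw: str) -> set:
    """Which of the four announced character categories a password uses."""
    cats = set()
    for c in pw:
        if c.isupper():
            cats.add("upper")
        elif c.islower():
            cats.add("lower")
        elif c.isdigit():
            cats.add("digit")
        else:
            cats.add("other")  # symbols, punctuation, spaces
    return cats


def check_policy(pw: str, character_name: str) -> list:
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(categories(pw)) < 2:
        problems.append("fewer than two character categories")
    if character_name.lower() in pw.lower():
        problems.append("contains the character name")
    return problems


# Two attacker models the thread argues about. The word-list size (2048 words,
# i.e. 11 bits per word) is the figure the comic and the last post use.
WORDLIST_BITS = math.log2(2048)
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def per_character_entropy(pw: str) -> float:
    """Naive brute force over every string of this length drawn from the
    categories the password actually uses (the 117-bit figure in the thread)."""
    alphabet = sum(ALPHABET_SIZE[c] for c in categories(pw))
    return len(pw) * math.log2(alphabet)


# Constructed, illustrative list of predictable ways people satisfy a
# "two categories" rule on top of a lowercase passphrase.
COMMON_DECORATIONS = [
    "capitalise the first letter of each word",
    "capitalise the first letter only",
    "append a digit",
    "append a punctuation mark",
    "separate words with spaces",
]


def wordlist_entropy(words: int, decorations: int = 0) -> float:
    """Attacker knows the passphrase is `words` dictionary words and, if the
    policy is known, also tries the base form plus `decorations` tweaks."""
    return words * WORDLIST_BITS + math.log2(decorations + 1)


if __name__ == "__main__":
    name = "Steingrim"  # assumed character name for the demo
    for pw in ["correcthorsebatterystaple", "correct horse battery staple",
               "CorrectHorseBatteryStaple", "correcthorsebatterystaple1"]:
        verdict = check_policy(pw, name) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}; "
              f"naive brute force {per_character_entropy(pw):.0f} bits")
    print(f"4 dictionary words: {wordlist_entropy(4):.0f} bits")
    print(f"4 words + a known decoration: "
          f"{wordlist_entropy(4, len(COMMON_DECORATIONS)):.1f} bits")
```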