Posted Oct 18, 2011 0:02 UTC (Tue) by rgmoore
(✭ supporter ✭
In reply to: XKCD
Parent article: Enforcing password strength
I'm a bit skeptical about the password padding idea. Adding one extra random character may increase the search space by a factor of 85, but adding between 1 and 10 characters of padding with a single character only increases it by 850 fold. That's still a substantial increase in strength, but it's not even close to the 85**10 fold increase they seem to imply.
That gets back to the XKCD cartoon's idea about estimating password entropy by looking at how the password is constructed. Estimates based on (character choices)**(password length) will grossly overestimate password strength because they assume you're using a truly random password. In practice, most people use things like dictionary words with predictable permutations, numbers appended, etc. which result in passwords that can be cracked much faster than predicted using dictionary or modified dictionary attacks. To get the full strength of your password length, you need to use truly random and hence very hard to memorize passwords. If people could actually memorize 10 random characters easily, we wouldn't have all these discussions about how to make stronger passwords in the first place.
to post comments)