Password Strength

XKCD Comic on the Strength of Passwords

I’ve always enjoyed this particular XKCD comic because of its simplicity, but I’ve never heard it debated in a practical setting. The strategy it describes seems very strong, and I’d like to know whether I’m missing something.

The comic assumes a standard, naive brute-force attack. Under that model each letter of this example password has a 1 in 26 chance of being correct, which in terms of entropy is log2(26) bits per letter. Because the password is 25 characters long, the total should be log2(26)*25, or about 117.5 bits of entropy.

If we instead treat an English word as a single ‘character’, and assume there are 171,476 words in the English language, then we can calculate entropy per whole English word (no capital letters, no spaces, nothing but letters). Every random word would then carry log2(171476), or ~17.39 bits of entropy. With 4 words, that would mean 17.39 * 4, or ~69.55 bits of entropy, which would still take far too long to guess.

So I still don’t see how the comic’s author arrived at 44 bits of entropy, and I’m obviously missing something. Does anyone have an argument that rules this out as a strategy for password generation? I would be very interested to hear it.
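To make the two calculations above concrete, here is a small entropy calculator, written for this post and not taken from the comic or its author. It reproduces the post's own figures (26 letters over 25 positions, 171,476 dictionary words over 4 positions) and adds one labelled assumption: that the comic's 11 bits per word corresponds to drawing each word from a 2^11 = 2048-word list. The point it demonstrates is that the entropy of a passphrase is a property of how the attacker models its generation, so a defender sizes the guess space by the attacker's best model, not the most flattering one.

```python
import math

# Figures taken from the post: 26 lowercase letters, 25 letters in the
# example passphrase, 171,476 English words, 4 words in the passphrase.
LOWERCASE_ALPHABET = 26
PASSPHRASE_LETTERS = 25
ENGLISH_DICTIONARY = 171_476
PASSPHRASE_WORDS = 4
# Assumption (not stated in the post): 11 bits per word means each word
# is drawn uniformly from a 2**11 = 2048-word list of common words.
SHORT_WORDLIST = 2 ** 11


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform picks from `choices` options."""
    if choices < 2 or picks < 1:
        raise ValueError("need at least two choices and one pick")
    return picks * math.log2(choices)


def attacker_models(letters: int = PASSPHRASE_LETTERS,
                    words: int = PASSPHRASE_WORDS) -> dict[str, float]:
    """Entropy of the same passphrase under three attacker models.

    The string never changes; only the attacker's knowledge of how it was
    generated does, and that knowledge is what sets the guess space.
    """
    return {
        "per-letter brute force": entropy_bits(LOWERCASE_ALPHABET, letters),
        "any dictionary word": entropy_bits(ENGLISH_DICTIONARY, words),
        "short common-word list": entropy_bits(SHORT_WORDLIST, words),
    }


def conservative_estimate(models: dict[str, float]) -> tuple[str, float]:
    """Plan for the attacker's best model: the smallest entropy figure."""
    name = min(models, key=models.get)
    return name, models[name]


def expected_guesses(bits: float) -> float:
    """An attacker who knows the scheme searches half the space on average."""
    return 2.0 ** bits / 2


if __name__ == "__main__":
    models = attacker_models()
    for name, bits in models.items():
        print(f"{name:24s} {bits:6.2f} bits  ~{expected_guesses(bits):.3g} guesses")
    name, bits = conservative_estimate(models)
    print(f"plan for: {name} ({bits:.1f} bits)")
```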


3 thoughts on “Password Strength”

  1. I’ve always figured brute-force attacks as sort of a last-ditch effort for finding passwords, because it basically tries every password. This would be a lot easier if the person only used a single word as their password, but if someone were to use multiple words like in the comic, it would take much longer to guess the password. If more people today used random words and numbers, then this method would become less practical and probably be used less frequently.

  2. This post reminded me of a site I visited once or twice about a year ago. The site allows you to enter a password of any sort, and it then calculates how long it would take a desktop PC to hack that password and gives suggestions on what you can do in order to make your password more secure. The site is howsecureismypassword.net

    • I do love that website, but I have NO idea how they calculate their results. I always get something different when I write it out by hand.
