Regarding password policy

A recent xkcd brings up an important tenet of password strength.

In general, when it comes to passwords:

length > complexity

A site that requires a minimum of 6 characters but enforces complexity is more likely to have some compromised accounts than a site that requires 12 character passwords regardless of complexity.  (One caveat:  The 12 character password CANNOT be a dictionary word.)

Now, a “problem” that arises with using a random passphrase like “correct horse battery staple” is that if it becomes a standard practice, the cracking programs will be changed to simply pass every dictionary word in combination with every other one.

But this isn’t actually a problem.  Say we take a dictionary of 5,000 common words.  The number of 4-word combinations would be 5,000^4, or 625 quadrillion.  Let’s suppose we pass this through a supercomputer capable of one million attempts per second.  It would still take about 20 years to go through every combination.  Of course it should find the correct one sometime before then, but nevertheless it’s a difficult task to pull off.


One response

  1. I read somewhere to use the first letters of a lyric from a favorite song. All I have to do is remember which song. Let’s say Jenn doesn’t like me any more. Jdlm4m is a pretty hard password to crack. In practice I pick longer lyric.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s