The XKCD comic uses the entropy of common words assuming an informed cracker is using the best tools at their disposal, that being a dictionary attack. That’s why the entroy per character of the passphrase is so low compared to that of the special character password, but the passphrase can be much longer because it’s easier to remember, so that’s what gives it its higher total entropy.
Thanks for the clarification. So I can surmise that length is everything then? Given that I use a password manager I’ll just stick to my long gibberish passwords in that case, but it’s good to keep passphrases in mind for use cases where I can’t copy/paste easily.
Oh yeah, long gibberish passwords are strong. Keepass will tell me I have 137 bits of entropy on my password for instance, and that’s proper secure.
The Tr0ub4dor or whatever example in the comic assumes again an informed hacker using long random words and common substitutions, so you don’t have the full 56+ possibilities per character, it’s constrained to a very limited set. This is a pretty common password construction
For instance when I was in IT some government agency required our company to adhere to some security requirements before we could handle their data. Everyone went from 3-letter usernames + identical passwords to having a long word + numbers + characters. HOWEVER because nobody can remember these fucking things, every single password was a home address with the exception of a handful of month or person names which I assume were birthdays or kids. How do I know these secret passwords? Well, because they STILL couldn’t remember them, we had to…
I’m so sorry.
…keep everybody’s password in our own encrypted excell spreadsheet, so if anybody forgot, the IT team could read them all in plaintext to get people logged in. One person was so bad at remembering that I had their password memorised myself, and when I stopped pretending to look it up they stopped asking. Idk if they were shamed into remembering it or they just kept it in their wallet or something.
Also we needed secure server racks and encrypted drives etc. The server rack was a doozy - the handle was an intentional weak point to prevent forcing the lock, so I accidentally ripped it clean off with my bare hands one morning when the lock was slightly stuck. It took a while to get that fixed and I was exremely lucky I managed to jimmy it open using the nub of the destroyed handle. I couldn’t close it again so it sure wasn’t secure once that happened.
Security theatre, the lot of it. We spent six figures nationwide getting ready for that contract and the work they gave us was about four figures worth.
The entire corporate world is like this. If you wonder why your data keeps getting breached, this is why.
The XKCD comic uses the entropy of common words assuming an informed cracker is using the best tools at their disposal, that being a dictionary attack. That’s why the entroy per character of the passphrase is so low compared to that of the special character password, but the passphrase can be much longer because it’s easier to remember, so that’s what gives it its higher total entropy.
Explain XKCD goes into more detail about how the calculation was done: https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
Thanks for the clarification. So I can surmise that length is everything then? Given that I use a password manager I’ll just stick to my long gibberish passwords in that case, but it’s good to keep passphrases in mind for use cases where I can’t copy/paste easily.
Oh yeah, long gibberish passwords are strong. Keepass will tell me I have 137 bits of entropy on my password for instance, and that’s proper secure.
The Tr0ub4dor or whatever example in the comic assumes again an informed hacker using long random words and common substitutions, so you don’t have the full 56+ possibilities per character, it’s constrained to a very limited set. This is a pretty common password construction
For instance when I was in IT some government agency required our company to adhere to some security requirements before we could handle their data. Everyone went from 3-letter usernames + identical passwords to having a long word + numbers + characters. HOWEVER because nobody can remember these fucking things, every single password was a home address with the exception of a handful of month or person names which I assume were birthdays or kids. How do I know these secret passwords? Well, because they STILL couldn’t remember them, we had to…
I’m so sorry.
…keep everybody’s password in our own encrypted excell spreadsheet, so if anybody forgot, the IT team could read them all in plaintext to get people logged in. One person was so bad at remembering that I had their password memorised myself, and when I stopped pretending to look it up they stopped asking. Idk if they were shamed into remembering it or they just kept it in their wallet or something.
Also we needed secure server racks and encrypted drives etc. The server rack was a doozy - the handle was an intentional weak point to prevent forcing the lock, so I accidentally ripped it clean off with my bare hands one morning when the lock was slightly stuck. It took a while to get that fixed and I was exremely lucky I managed to jimmy it open using the nub of the destroyed handle. I couldn’t close it again so it sure wasn’t secure once that happened.
Security theatre, the lot of it. We spent six figures nationwide getting ready for that contract and the work they gave us was about four figures worth.
The entire corporate world is like this. If you wonder why your data keeps getting breached, this is why.