I find the discussion surrounding the XKCD strip alarming for the superstition it reveals about password generation. The particular theme I am alarmed by is that people seem to think that if a password looks alien, or was difficult for them to come up with, it will be hard for a machine to guess. Look, we're working with big numbers here. In this thread alone, I've seen suggestions to use a common dictionary word translated into another language, or written in l33tsp34k with some permutations. From a probabilistic perspective, these are still dictionary words, even though they look like gibberish. The same is true of the common method of typing a word with one's fingers displaced on the keyboard.

Conversely, I see a lot of argument that these XKCD passphrases would be easy to guess because they are made up of dictionary words. This misunderstands the math behind the situation. Even if an attacker knows that your password was generated via this method, and even if they know the word list you used, the password is still hard to guess. The difficulty grows exponentially with each word in the phrase, and that's pretty fast.

The key with passwords is not to create something that looks random - something that if you showed it to another human being, they'd have a hard time deciphering. It's to create something that is random, literally a result of a throw of the dice for every new password. Human beings are really bad at creating randomness. There's a demonstration done in an early statistics class in which the professor divides the class into two groups. He tells one to toss a coin a hundred times and record the sequence of heads and tails, while the others are to write down a sequence they think is random using their imagination. The papers are completed and mixed and then - magically! - he is able to sort them into the two types, easily and with high accuracy. The lesson is this: even when you think you're being random, you probably aren't. You're probably using the same tricks everyone else is, and making the same mistakes.

I would trust passwords that come out of a script like this to be far more secure than passwords anyone (myself included) made up, no matter how random they're trying to be. It's scary to see people - intelligent people, I'm sure - saying things like "And that goes even higher when you add punctuation!" All of the reasonable punctuation you could add to a sentence adds only a few bits of entropy at best. It also makes the sentence harder to remember - was there a comma or not? Adding unreasonable punctuation or symbols is even worse - you get slightly more entropy at the cost of a password that is way harder to remember. The crucial point here is that four random words, separated by spaces, selected at random only from the 2000 most common English words - EVEN IF your attacker knows that your password is four random English words from the 2000 most common separated by spaces - already is a very long random string. If it's not random, each common English word you add adds 11 bits, and is only marginally harder for most English speakers to remember. Conversely, choosing "random" extra characters to add in makes it slightly longer, very slightly more random, and way, way harder to remember.

You mean the statistics demonstration? I'm sure I've seen it in several places. I know of two tricks for detecting the students. The first is to look for six or seven heads or tails in a row. Over a hundred tosses, a coin will probably do that, but humans "being random" won't. The other is to look at the page as a sequence of "HHH" and "TT" strings and estimate how many there are. A coin, of course, changes from heads to tails 50% of the time, but a human does it more like 70% of the time. I'm sure there are other characteristics, too, but those two are sufficient to throw out most human attempts at a glance.

So here's what I got: figure I have a bias to switch keys. It's actually kind of obvious, when you see the two side by side.
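The entropy arithmetic for a dice-rolled passphrase and the two coin-sequence tricks discussed above, as an added example that is not part of the original thread or of any script it refers to. The word list is a constructed stand-in for "the 2000 most common English words", and the run length and switch-rate thresholds are assumptions taken from the numbers quoted in the thread.

```python
import math
import secrets

# Constructed stand-in for "the 2000 most common English words"; only the list
# size enters the entropy arithmetic, the words themselves do not.
WORDS = ["correct", "horse", "battery", "staple", "river", "cloud", "stone", "apple"]


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from list_size words.
    Each word contributes log2(list_size) bits even if the attacker knows both the
    list and the method; a 2000-word list gives just under 11 bits per word."""
    return n_words * math.log2(list_size)


def generate_passphrase(words, n_words: int = 4) -> str:
    """Dice-roll selection: secrets.choice draws from the OS CSPRNG, so the result
    is random in the thread's sense, not merely random-looking."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def longest_run(seq: str) -> int:
    """Length of the longest run of identical symbols (e.g. 'HHHHHH')."""
    best = cur = 0
    for i, c in enumerate(seq):
        cur = cur + 1 if i and seq[i - 1] == c else 1
        best = max(best, cur)
    return best


def switch_rate(seq: str) -> float:
    """Fraction of adjacent pairs where the symbol changes; a fair coin gives ~0.5."""
    if len(seq) < 2:
        return 0.0
    return sum(a != b for a, b in zip(seq, seq[1:])) / (len(seq) - 1)


def looks_human(seq: str, min_coin_run: int = 6, max_coin_switch: float = 0.65) -> bool:
    """The two tricks from the thread, tuned for ~100-toss sequences (thresholds are
    assumptions): a real coin will usually produce a run of six or more and switches
    sides about half the time, while a made-up sequence avoids long runs and switches
    ~70% of the time. Either signal is enough to flag the sequence as human-made."""
    return longest_run(seq) < min_coin_run or switch_rate(seq) > max_coin_switch


if __name__ == "__main__":
    print(generate_passphrase(WORDS), f"({passphrase_entropy_bits(2000, 4):.1f} bits from a 2000-word list)")
```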