[Noisebridge-discuss] Fw: continuing adventures in the brave new world.

Seth David Schoen schoen at loyalty.org
Wed Apr 4 22:19:00 UTC 2012

William Sargent writes:

> http://howsecureismypassword.net/

Does anyone know the author of that site?  I'm simultaneously impressed
and a bit concerned because I'm not very confident about their threat model.
It seems like the threat model includes offline attacks but it has -- in
the scheme of things -- very little test for structure so it doesn't really
know the difference between passwords built Diceware-style out of words and
completely random strings.

A notion of the strength of a password ought to be calculated relative
to a model of an attacker who will try to guess the password.  However,
this attacker won't necessarily use the strategy of pure uneducated
brute force.  Instead, the attacker will probably start with an attempt
to model the person who created the password, or the software (if any)
that that person would have used.  Usually a good assumption is that the
password-guesser can do this reasonably well, or at least that there is
some password-guesser out there who can do this reasonably well.  This
assumption, in Claude Shannon's riff on Kerckhoffs is "the enemy knows
the system".

For example, xkcd's suggestion "correct horse battery staple" probably has
50 to 80 bits of entropy if we assume that "the enemy knows the system"
and that the attacker knows the general way that the password was chosen
but not the particular random numbers that went into choosing it.  But if
I enter it into this tester, it says "it would take a desktop PC About 2
nonillion years to hack your password", and "Your password is over 16
characters long. It should be pretty safe.".

However, it's hard for me to find even the most extraordinarily optimistic
assumptions under which it would take a desktop PC more than 9 billion years
to crack "correct horse battery staple" if the adversary knows the system,
and I believe that around 9 (!) years is a more plausible estimate based on
how the password was probably generated.

I also tried using a famous song lyric (with no changes at all) and got
an estimate in the septendecillions of years.  But even an attacker who
tried enumerating all grammatical English sentences lexicographically
would have succeeded in well under decillions of years, and probably
much faster.  Basically, I worry that the site is giving a false sense of
precision in its time estimates and that in reality the estimates are
almost always too optimistic (from the defender's point of view) once
the passwords get above about 10 characters in length, assuming there is
_any_ internal structure that the attacker might know or guess.

Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti

More information about the Noisebridge-discuss mailing list