
The short XKCD password is based on a dictionary word, making it vulnerable to intelligent brute force (oxymoron of the day).

I imagine the calculation goes something like this:

  1/50000     Likelihood of a particular uncommon word
  1/8         Substitute up to three letters for numbers
  1/2         Initial capital or initial lowercase
  1/32        Add a punctuation character at the end
  1/10        Add a digit at the end
  1/2         Possibly swap punctuation and digit at the end
  ----------------------------------------------------------
  1/512000000 Resulting probability
  -28.93157   log2(1/512000000) -- number of bits of entropy

So, if e.g. XKCD assumed only 25000 uncommon words to choose from, that would give ~28 bits of entropy.


Thanks for the thorough answer! I originally missed the part about using a real word as the base.

For my passwords, I use 8 character random strings so hopefully I am a little safer. Although, as I'm learning from all of these password leak debacles, you are only as secure as the systems using those passwords.
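As an added example (not part of either comment above), the following code turns the parent's factor table into a reusable entropy model and sets it beside the 8-character random strings the reply mentions. The alphabet sizes (62 alphanumerics, 95 printable ASCII) and the 1000 guesses/second rate used by the XKCD comic are assumptions, since neither comment states them.

```python
import math

# Entropy model from the parent comment: each entry is one independent choice
# the attacker must guess, given as the number of equally likely options.
XKCD_WORD_MODEL = [
    (50000, "a particular uncommon word"),
    (8,     "substitute up to three letters for numbers"),
    (2,     "initial capital or initial lowercase"),
    (32,    "punctuation character at the end"),
    (10,    "digit at the end"),
    (2,     "possibly swap punctuation and digit at the end"),
]

def entropy_bits(choices):
    """Bits of entropy for independent choices: log2 of the product of counts."""
    return sum(math.log2(n) for n, _ in choices)

def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits, guesses_per_second=1000):
    """Time to try every candidate at a fixed online guess rate (assumed 1000/s)."""
    return 2 ** bits / guesses_per_second

def report():
    """Compare the comment's word-based model against random strings."""
    smaller_wordlist = [(25000, "a particular uncommon word")] + XKCD_WORD_MODEL[1:]
    return {
        "word-based (50000 words)": entropy_bits(XKCD_WORD_MODEL),
        "word-based (25000 words)": entropy_bits(smaller_wordlist),
        "8 random alphanumerics":   random_string_bits(8, 62),   # assumed alphabet
        "8 random printable ASCII": random_string_bits(8, 95),   # assumed alphabet
    }

if __name__ == "__main__":
    for name, bits in report().items():
        days = seconds_to_exhaust(bits) / 86400
        print(f"{name:26s} {bits:6.2f} bits  ~{days:,.0f} days at 1000 guesses/s")
```

The 50000-word model reproduces the ~28.93 bits in the parent comment; halving the word list costs exactly one bit, while the 8-character random string gains roughly 19 bits over it.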
