How strong is Your P4ssw0rd?

I never thought I would have a post on Identity Management and Security inspired by a cartoon, but here we are.

In my earlier post about using CAPTCHA for authentication, I referenced a blog post by Thomas Baekdal. A large part of his post was devoted to the idea that one should use a password made up of a few relatively uncommon English words, rather than 8 to 10 characters of mixed case, punctuation, and numbers.

Randall Munroe was able to sum it all up in today’s xkcd cartoon:

[Image: Password Strength, by xkcd]

It may sound counterintuitive to some, but we can break it down:

  • According to Webster’s, there are about 475,000 words in the English language.
  • To brute force a 3-word password would take, on average, 475,000^3 / 2 = 5.35e16 attempts (half the keyspace, since the attacker expects to find the password midway through an exhaustive search).
  • At 1,000 attempts per second, that amounts to about 1.7 million years, on average, to brute-force the password.

Even if you limit it to the 50,000 most common English words, you are still talking about 1,980 years to crack it, and that doesn’t even take into account that you could still capitalize a letter here and there.
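The arithmetic above, worked through as a small calculator so the figures can be checked and other dictionary sizes or guess rates tried. This is an added example, not code from the original post or from xkcd. The 475,000-word and 50,000-word dictionaries and the 1,000 guesses per second are the post's own numbers; the 95-symbol printable-ASCII alphabet used for the character-password comparison is an assumption of mine, and it models a uniformly random character password, which is the best case for that style and not the "typical" human-chosen one the post is contrasting against.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords when each of `length` positions is drawn uniformly
    from `alphabet_size` choices (words or characters)."""
    return alphabet_size ** length


def average_attempts(alphabet_size: int, length: int) -> float:
    """Expected guesses for an exhaustive search: half the keyspace on average."""
    return keyspace(alphabet_size, length) / 2


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength expressed as bits of entropy, the usual way to compare schemes
    that use different alphabets."""
    return length * math.log2(alphabet_size)


def years_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time, in years, for an attacker guessing at the given rate."""
    return average_attempts(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Tabulate the schemes discussed in the post side by side.

    The two word-based rows use the post's dictionary sizes; the 95-symbol
    row is my assumption (full printable ASCII) for a random character password.
    """
    schemes = {
        "3 words, 475,000-word dictionary": (475_000, 3),
        "3 words, 50,000 most common words": (50_000, 3),
        "8 random chars, 95 printable ASCII (assumed alphabet)": (95, 8),
    }
    return {
        name: {
            "keyspace": keyspace(n, k),
            "avg_attempts": average_attempts(n, k),
            "bits": round(entropy_bits(n, k), 1),
            "years": years_to_crack(n, k, guesses_per_second),
        }
        for name, (n, k) in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: {row['bits']} bits, "
              f"{row['avg_attempts']:.2e} avg attempts, "
              f"{row['years']:,.0f} years at 1,000 guesses/s")
```

Running it reproduces the post's 1.7 million and 1,980 year figures. Two things the table makes visible that the prose does not: the guess rate is the dominant variable, so the years column shrinks by the same factor the rate grows (an offline attack against leaked password hashes runs many orders of magnitude faster than 1,000 per second, which is why hashing with a slow, salted algorithm matters as much as the password itself), and a truly random 8-character password over the full printable alphabet lands between the two word-based schemes in entropy. The post's argument rests on the fact that human-chosen character passwords are nowhere near uniformly random, whereas three words picked from a list are easy both to choose randomly and to remember.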

Using a short pass phrase of 3 of the top 50,000 English words is not only more secure than your typical password, it is also more memorable. That means it is less likely someone will write it down or need to call the help desk to have it reset.

Why aren’t more organizations pushing for pass phrases over passwords?

