Get Distracted with the silly Password Game

We’ve all faced that account creation box that forces us to select password with seemingly arbitrary requirements in the name of SECURITY (which is serious, yes).

See how far this can go with the Neal.fun Password game. It starts off simple, and just keeps added more difficult rules (note 10 is easy)

Screen Shot 5171538×1592 175 KB

Now you know my email password (just kidding).

The farthest I got was 16, and I thought I was clever getting past the moon phase emoji and the google streetview random location.

Screen Shot 5161160×1590 188 KB

I am counting on the cleverness of this community to break my best game. I wonder how far it goes?

Yes, it makes for a fun challenge, but maybe at least for the first few steps, does it work as a password generation activity?

This called for a new OEG tag

We can always count on the wisdom of XKCD and worth noting all of Munroe’s comics bear a Creative Commons CC BY-NC license.

I’ve been using the correct horse battery staple method for a long while.

A bank officer suggested once having a memorable list of numbers and phrases, so I don’t even have to write down the long phrase, just have note like 3GST for a password 301GeorgeSunnysideTuba that is a reminder of the phrase strings (these are not my real ones) 301=my second childhood home phone area code, George=favorite uncle, S=Sunnyside Elementary School and T=Tuba was the instrument I played in band.

I was 15 when I spent NYE, unchaperoned with my band mates, in New Orleans’ French Quarter. The next day I carried my sousaphone in the Sugar Bowl Parade.

Haha, I clicked to post exactly this (XKCD) – correct horse battery staple FTW!

I only remember three complex passwords: 1) one for decrypting the hard drive on the primary computer (entered before the computer boots up), 2) another one for the user account on the primary computer, 3) master password for the password manager.

I don’t even aspire to memorize anything else. Over the years I have accumulated thousands of passwords and passphrases. Almost 100% of them are unique for each service, each beyond the hope of remembering.

So what’s your password for (1)

The point XKCD makes and other readings is that a longer phrase of words is better than just a jumble of gobbled mixed characters, regardless if it’s memorizable, is this true?

I started writing a reply explaining how this works and then I remembered there’s GPT-4, so I outsourced the job (emphasis mine):

The rationale behind this is that the strength of a password is mainly determined by its entropy, which is a measure of its unpredictability. Entropy increases with length and complexity. While a string of random characters may seem more complex, a sufficiently long string of random words can actually have more possible combinations, thus higher entropy.

For example, consider a 10-character password with a mix of uppercase and lowercase letters, numbers, and symbols. There are about 72^10 possible combinations (if we consider around 26 lowercase letters, 26 uppercase letters, 10 digits, and 10 symbols). On the other hand, if you pick four random common words from a list of 2048 (a number chosen because it’s roughly the number of words a person could easily remember), there are about 2048^4 possible combinations, which is a much larger number.

Furthermore, a string of words can be easier for humans to remember than a string of random characters. In the xkcd comic, the memorable password phrase is “correct horse battery staple”, which might be easier to remember because it tells a weird little story.

That being said, this does not mean that simply stringing together common words is the best approach. If the words are not chosen randomly (for example, if they form a common phrase or are related to each other in an obvious way), then this reduces the number of possible combinations and makes the password easier to guess. The words must be truly random, and they must not be guessable based on what an attacker knows or can find out about you.

In addition, there are other factors to consider when creating a strong password, such as not reusing passwords across multiple sites and changing your passwords regularly. Using a password manager can help with these tasks. It’s also increasingly common to use two-factor authentication, which provides an additional layer of security.

And after pasting the GPT-4 answer I remembered there’s Explain XKCD:

Should have thought of this sooner!

You bring up another important point about security discussed in XKCD #538, @cogdog (CC-BY-NC 2.5):

@jan Your replies are as usual very thorough. A thing I enjoy in this work is the accidental discovery of something amazing, and it was a curiosity click on the Explain xkcd wiki https://www.explainxkcd.com/ that made me stop and say (at least) “wow”.

Here is an old web style community effort, done in a wiki to add much meaning behind a public (CC licensed work). That something like 99% of Munroe’s comics have an entry, and rich discussion is just profound as an atypical example of openness.

Thanks.

Yep, Explain XKCD is awesome! And so are Munroe’s “What if” books (#1, #2).

Wait But Why by Tim Urban is another favorite (not open or a community effort, though). Funny and insightful (his “Road to superintelligence” is particularly noteworthy). And his TED talk is just hilarious! (And it’s CC-NC-ND, unlike his other works, which seem to be “all rights reserved”.)

One last thought about the passwords: to further increase entropy, you can mangle wurds in the passphrassee or introduce ExtraCAPSinDifferentPLACES. But this may be too much overengineering, and needlessly complicate passwords (á la the game you posted in the beginning of the thread) without meaningfully increasing security in the real world, as XKCD #538 linked above explains.

Security is all about trade-offs and threat modeling.