6 comments

[ 3.4 ms ] story [ 26.1 ms ] thread
Yep. And yet many many many people are taught the holy triad of "at least one uppercase one lowercase and one special character!"

Since most strings following these rules are hard to remember, and humans being humans, we get passwords that follow simple, predictable, and easily guessable patterns like

    aAbBcCdD1234!
Follows every rule in the holy triad and is likely to be cracked in seconds from some rainbow table.
If anyone needs to generate cryptographically safe passwords that are easy to remember, I recommend this cool app that runs on dice:

https://en.wikipedia.org/wiki/Diceware

This is about the worst imaginable way to generate entropy for password, unless the goal is to waste lots of time.
Diceware is the source of the method suggested by xkcd. Both versions are easily implemented in a wide variety of password generation programs.
There are two points to add: (1) If you use a randomly generated password of upper/lower/punctuation that's 63^length; (2) Four words is vocabulary^4.

One breakeven point is 63^10 (9.8e17) ~ 20000^4 (1.6e17).

This is being quite generous to the four words as the likelyhood of word selection from the vocabulary would be far from uniform. Also offset by the fact that shorter length passwords are brute-forced. If four-words became the dominant meta then we could instead have brute force applied to the word dictionary forms.

Use shuf(1) to pick words reliably randomly from /use/share/dict/ dictionaries. It is not a mistake to misspell the words proposed, but not necessary. Preserving capitalization is not necessary.