by ObviousScience 4268 days ago
Linkbaity title from a PhD student with something to sell: the example cited was entirely correct about password strength, and is something the article author admits is important as it is the underpinning of using password managers.

> Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security.

> People are not very creative and tend to think the same way when choosing passwords.

He also completely strawmans the XKCD example: it's not that you should pick four words yourself, it's that you should use four randomly chosen words (using an RNG/PRNG). In this sense, we're just picking fewer random symbols we have an easier time remembering out of a larger symbol space, but this is functionally equivalent to picking passwords of random characters. That was the point of the XKCD comic - that a randomly chosen password is stronger than your l33tspeak choice of a word or two.

> This means that we should stop blindly classifying password strength based on the number of bits of entropy, and should consider first and foremost how dictionary-attack resistant the password is.

If you look at the right number of bits of entropy, then you get this property: a lot of entropy in the password means that the subspace of passwords it lives in is large, and that a dictionary probe of the space is unlikely to find it quickly. Dictionary attacks are just a particular form of brute force that prioritizes some kinds of passwords over others. In the case you actually followed the XKCD example, you'd have good resistance to dictionary attacks: your password is randomly placed in a large subfield of possible passwords, and the randomness removes any benefit of guessing particular words over words at random.

He's still sticking to the strawman version of the XKCD comic, and attacking a much weaker idea than was actually presented.

> This means that instead of a password strength meter you should be ensuring that there is no skew in the distribution of passwords. If each password is guaranteed to be unique, the advantage of a statistical guessing attack is greatly reduced.

He even admits that the solution actually proposed by the XKCD comic would mitigate the attacks he's talking about, and only his strawman version doesn't.

The rest of the article is obvious security cliches about password managers and 2FA.

I seriously suggest that this guy stop giving security advice that's wrong and clearly just meant to market his own work.
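The entropy comparison made above (random words drawn from a large list versus random characters drawn from a small alphabet, and why a uniformly random choice leaves a dictionary attack nothing to prioritise), as an added worked example that is not part of the original thread or of the article under discussion. The word list is a constructed stand-in for a 7776-entry diceware list, and the Zipf model of how people pick words is an assumption used only to show the effect of skew:

```python
"""Random-word passphrases vs random-character passwords, and the effect of
skew on an attacker who guesses most-likely candidates first."""
import math
import secrets

# Constructed stand-in for a diceware-style list; a real list has 7776 entries
# (five dice rolls, 6**5), which is the size used in the calculations below.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "kettle", "marsh",
    "gravel", "tulip", "anvil", "comet", "lantern", "pepper", "saddle",
    "walnut", "zephyr",
]
DICEWARE_SIZE = 6 ** 5   # 7776 words
PRINTABLE_ASCII = 95     # symbols available to a "random character" password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices.

    A symbol can be a character or a whole word: what matters is that every
    symbol is chosen by a CSPRNG, not by a person.
    """
    return length * math.log2(alphabet_size)


def random_passphrase(words, n_words: int) -> str:
    """Pick n_words uniformly (with replacement) using the OS CSPRNG.

    secrets.choice is the right tool here; random.choice is not intended for
    secrets and must not be used for them.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


def expected_guesses_uniform(space_size: int) -> float:
    """Average guesses to hit a uniformly random secret among space_size
    candidates: (N + 1) / 2, whatever order the attacker tries them in."""
    return (space_size + 1) / 2


def expected_guesses_optimal(probabilities) -> float:
    """Guesswork: expected guesses when the attacker knows the distribution
    and tries candidates most-probable first.

    This is what a dictionary attack optimises. For a uniform distribution it
    collapses to (N + 1) / 2, i.e. the ordering buys the attacker nothing.
    """
    ordered = sorted(probabilities, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def zipf_distribution(n: int) -> list:
    """Assumed toy model of human word preference: the word at rank i is
    chosen with probability proportional to 1/i."""
    weights = [1.0 / i for i in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def shannon_bits(probabilities) -> float:
    """Shannon entropy in bits of a distribution over candidate secrets."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


if __name__ == "__main__":
    print("4 random diceware words :", round(entropy_bits(DICEWARE_SIZE, 4), 1), "bits")
    print("8 random printable chars:", round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("example passphrase      :", random_passphrase(SAMPLE_WORDS, 4))

    uniform = [1.0 / DICEWARE_SIZE] * DICEWARE_SIZE
    skewed = zipf_distribution(DICEWARE_SIZE)
    # One word chosen uniformly vs one word chosen the way people tend to.
    print("one word, uniform: %.0f guesses on average" % expected_guesses_optimal(uniform))
    print("one word, Zipf   : %.0f guesses on average" % expected_guesses_optimal(skewed))
    print("Shannon bits: uniform %.2f, Zipf %.2f" % (shannon_bits(uniform), shannon_bits(skewed)))
```

Four CSPRNG-chosen diceware words come out at about 51.7 bits, roughly the same as eight random printable characters (about 52.6 bits), and a fifth word pushes the passphrase well past the character password. The guesswork figures show the skew point: under the uniform distribution the attacker's best ordering needs about 3889 guesses per word on average, exactly as many as random guessing, while under the assumed Zipf preference the same attacker needs only about 815. That gap is what "people choose the same words" costs, and it disappears the moment the words are chosen by the RNG rather than the user.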


I would be strongly relieved to learn he failed his PhD in security: his article is pure FUD.

Why are secrets needed? Because secrets are unpredictable and thus are the signature of a common knowledge that cannot be guessed when checked against randomness.

Every other solution is a scam, especially biometrics:

- measurement can fail;
- if something can be measured, it can be captured/duplicated.

The security market is based on fear.

I so wish security effectiveness were sometimes audited based on the number of security holes it causes.

And maybe Square should let him go as well?

If he's working at Square as a security researcher and routinely did work of this caliber, I would be surprised.

While this wasn't a good article about security, for what may be any of several reasons that don't have anything to do with his work relationship with Square or qualifications in general, I'm not childish enough to pretend that a single bad article dictates even his merit as a security professional. We've all been there and said something silly in public.

That being said, this read like a strawman of a popular comic to sell his research/pet topic, and poor security articles like that should be called out for what they are - poor articles on security.

Agreed. Square would be in the best position to make that call, and he might be very good at his work there. Hence my comment above was a question rather than a suggestion.

That said, this article doesn't seem to be a tongue-in-cheek thing. He is the lead security researcher at a payment processing company. A critical position, I believe.

I am not sure if such a person can afford to have written an article in which people who are not security researchers can easily find conceptual flaws.