by salmonellaeater
4268 days ago
Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security. People are not very creative and tend to think the same way when choosing passwords. This would lead to the exact same problem we have now, where a few passwords such as "password123" become very common.

The XKCD comic[1] says to use "four random common words." There seems to be some confusion between the popular use of "random" to mean "arbitrary" and the specific information-theory meaning of "random" (better worded as "randomly chosen"). Bruce Schneier criticized[2] the XKCD method based on the "arbitrary" interpretation, and the best explanation of the problem I've seen is in an answer[3] on the cryptography Stack Exchange site:

    Random choices are random and uniform. This is hard to achieve with human users. You must convince them to use a device for good randomness (a coin, not a brain), and to accept the result. [...] If the users alter the choices, if only by generating another password if the one they got "does not please them", then they depart from random uniformity, and the entropy can only be lowered (maximum entropy is achieved with uniform randomness; you cannot get better, but you can get much worse).

[1] http://xkcd.com/936/
[2] https://www.schneier.com/blog/archives/2014/03/choosing_secu...
[3] http://security.stackexchange.com/a/6096
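The entropy argument in the quoted answer can be made concrete. The following is an added illustration, not code from the comment or from any of the linked sources: it generates a passphrase by uniform CSPRNG choice ("a coin, not a brain") and then counts exactly how many combinations survive when a user rerolls until the result matches a taste rule. The 16-word list and the two taste rules (no repeated word; all words start with different letters) are constructed for the demonstration; a real wordlist such as Diceware's 7776 words would give about 12.9 bits per word, but enumerating all combinations as done here is only practical for a toy list.

```python
"""Uniform passphrase selection vs. user rerolling (added example, constructed wordlist)."""
import itertools
import math
import secrets

# Constructed 16-word list for demonstration only; a real list is far larger.
WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "lemon", "chair", "piano",
    "green", "mouse", "ocean", "candle", "bridge", "violet", "rocket", "forest",
]


def passphrase_entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy in bits when each word is chosen uniformly and independently."""
    return num_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, num_words: int = 4) -> str:
    """Pick words with a CSPRNG and keep whatever comes out, with no reroll."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def count_accepted(wordlist, num_words: int, accept) -> int:
    """Number of ordered word combinations the rule accept(words) lets through.

    Exhaustive enumeration: len(wordlist) ** num_words candidates, so keep
    the wordlist small.
    """
    return sum(1 for combo in itertools.product(wordlist, repeat=num_words)
               if accept(combo))


def entropy_with_rejection(wordlist, num_words: int, accept) -> float:
    """Entropy of the passphrase obtained by rerolling until accept(words) holds.

    Rerolling until acceptance leaves a uniform distribution over the accepted
    subset only, so the entropy is log2(number of accepted combinations); it
    can never exceed the entropy of plain uniform choice.
    """
    accepted = count_accepted(wordlist, num_words, accept)
    if accepted == 0:
        raise ValueError("acceptance rule rejects every passphrase")
    return math.log2(accepted)


def no_repeated_words(words) -> bool:
    """Taste rule: the user rerolls whenever a word appears twice."""
    return len(set(words)) == len(words)


def distinct_first_letters(words) -> bool:
    """Stricter taste rule: every word must start with a different letter."""
    return len({w[0] for w in words}) == len(words)


if __name__ == "__main__":
    n, k = len(WORDLIST), 4
    print("passphrase:", generate_passphrase(WORDLIST, k))
    print(f"uniform choice: {passphrase_entropy_bits(n, k):.2f} bits")
    for name, rule in (("no repeated words", no_repeated_words),
                       ("distinct first letters", distinct_first_letters)):
        print(f"reroll until {name}: "
              f"{entropy_with_rejection(WORDLIST, k, rule):.2f} bits")
```

With four words from 16 the uniform choice gives exactly 16 bits; rerolling until no word repeats keeps 43680 of the 65536 combinations (about 15.4 bits), and rerolling until all first letters differ keeps 35640 (about 15.1 bits). The loss here is small because the rules are mild; a user who rejects everything that does not "look like a sentence" keeps a far smaller fraction and loses correspondingly more, which is the point of the quoted answer.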