I'm convinced these meters have the potential to help. According to Mark Burnett's 2006 book, Perfect Passwords: Selection, Protection, Authentication, which counted frequencies from a few million passwords over a variety of leaks, one in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000. The methodology and bias are an important qualifier: for example, since these passwords mostly come from cracked hashes, the list is biased towards crackable passwords to begin with. These are only the really easy-to-guess passwords. For the rest, I'd wager a large percentage are still predictable enough to be susceptible to a modest online attack. So I do think these meters could help, by encouraging stronger password decisions through direct feedback. But right now, with a few closed-source exceptions, I believe they mostly hurt.

Strength is best measured as entropy, in bits: it's the number of times a space of possible passwords can be cut in half. A naive strength estimation goes like this:

I took these screenshots on April 3rd, 2012. I needed to crop the bar from the gmail signup form to make it fit in the table, making the difference in relative width more pronounced than on the form itself. zxcvbn considers correcthorsebatterystaple the strongest password of the 3. The rest either consider it the weakest or disallow it. (Twitter gives about the same score for each, but if you squint, the scores are slightly different.) zxcvbn considers weak because it's a short QWERTY pattern. It adds extra entropy for each turn and shifted character. The PayPal meter considers weak but aaAA11!! strong. Speculation, but that might be because it detects spatial patterns too. Bank of America doesn't allow passwords over 20 characters, disallowing correcthorsebatterystaple. eBay doesn't allow passwords over 20 characters either. Passwords can contain some symbols, but not & or !, disallowing the other two passwords.

Few of these meters appear to use the naive estimation I opened with; otherwise correcthorsebatterystaple would have a high rating from its long length. Dropbox used to add points for each unique lowercase letter, uppercase letter, number, and symbol, up to a certain cap for each group. This mostly has the same only-works-for-brute-force problem, although it also checked against a common passwords dictionary. I don't know the details behind the other meters, but a scoring checklist is another common approach (which also doesn't check for many patterns). I picked Troubadour to be the base word of the second column, not Troubador as occurs in xkcd, which is an uncommon spelling.

That a password's entropy is the sum of its parts is a big assumption. By disregarding the "configuration entropy" (the entropy from the number and arrangement of the pieces), zxcvbn is purposely underestimating, by giving a password's structure away for free: it assumes attackers already know the structure (for example, surname-bruteforce-keypad), and from there, it calculates how many guesses they'd need to iterate through. This is a significant underestimation for complex structures. Considering correcthorsebatterystaple, word-word-word-word, an attacker running a program like L0phtCrack or John the Ripper would typically try many simpler structures first, such as word, word-number, or word-word, before reaching word-word-word-word. It's difficult to formulate a sound model for structural entropy statistically; I don't happen to know what structures people choose most, so I'd rather do the safe thing and underestimate. For a complex structure, the sum of the pieces alone is often sufficient to give an "excellent" rating.
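The three estimation styles discussed above (the naive cardinality-to-the-length model, the per-class scoring checklist, and the sum-of-parts model that charges each matched piece by its guess rank and adds no configuration entropy) side by side, as an added example written for this page; it is not zxcvbn's code or any meter's actual implementation. The ranked word list, the per-class cap of 4 and the repeat-run pattern are constructed assumptions so the script runs offline on the passwords the text mentions.

```python
import math
import re

# Constructed frequency-ranked dictionary (rank 1 = most common). A real
# estimator would load tens of thousands of ranked words; the ranks here are
# made up for illustration only.
WORD_RANK = {
    "password": 1, "merlin": 100, "rosebud": 200, "compaq": 300,
    "horse": 1500, "correct": 2000, "battery": 3000, "staple": 4000,
}


def naive_entropy_bits(password):
    """Naive model: note which character classes appear and assume every
    position was drawn uniformly from their union (cardinality ** length)."""
    cardinality = 0
    if re.search(r"[a-z]", password):
        cardinality += 26
    if re.search(r"[A-Z]", password):
        cardinality += 26
    if re.search(r"[0-9]", password):
        cardinality += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        cardinality += 33  # printable ASCII symbols
    return len(password) * math.log2(cardinality) if cardinality else 0.0


def checklist_score(password, cap=4):
    """Checklist model: one point per unique character in each class, capped
    per class. The cap of 4 is a constructed value, not any real meter's."""
    classes = {"lower": set(), "upper": set(), "digit": set(), "symbol": set()}
    for ch in password:
        if ch.islower():
            classes["lower"].add(ch)
        elif ch.isupper():
            classes["upper"].add(ch)
        elif ch.isdigit():
            classes["digit"].add(ch)
        else:
            classes["symbol"].add(ch)
    return sum(min(len(s), cap) for s in classes.values())


def match_pieces(password):
    """Split a password into (kind, token) pieces: longest ranked dictionary
    word first, then a run of one repeated character, else brute-force text."""
    pieces, i, lower = [], 0, password.lower()
    while i < len(password):
        word = next((lower[i:j] for j in range(len(lower), i, -1)
                     if lower[i:j] in WORD_RANK), None)
        if word:
            pieces.append(("word", password[i:i + len(word)]))
            i += len(word)
            continue
        j = i + 1
        while j < len(password) and password[j] == password[i]:
            j += 1
        if j - i >= 2:
            pieces.append(("repeat", password[i:j]))
            i = j
            continue
        if pieces and pieces[-1][0] == "bruteforce":
            pieces[-1] = ("bruteforce", pieces[-1][1] + password[i])
        else:
            pieces.append(("bruteforce", password[i]))
        i += 1
    return pieces


def piece_entropy_bits(kind, token):
    """Guess-count-based entropy of one piece, given its kind."""
    if kind == "word":
        return math.log2(WORD_RANK[token.lower()])  # a rank-1 word costs 0 bits
    if kind == "repeat":
        return naive_entropy_bits(token[0]) + math.log2(len(token))
    return naive_entropy_bits(token)  # brute-force piece: charset model


def sum_of_parts_bits(password):
    """Sum-of-parts model: the attacker is assumed to already know the
    structure, so no configuration entropy is added. This is the deliberate
    underestimation the text describes."""
    return sum(piece_entropy_bits(k, t) for k, t in match_pieces(password))


def compare(password):
    """All three estimates for one password, plus the pieces it was split into."""
    return {
        "naive_bits": round(naive_entropy_bits(password), 1),
        "checklist": checklist_score(password),
        "sum_of_parts_bits": round(sum_of_parts_bits(password), 1),
        "pieces": match_pieces(password),
    }


if __name__ == "__main__":
    # Sample passwords taken from the discussion above.
    for pw in ["correcthorsebatterystaple", "aaAA11!!", "password1"]:
        print(pw, compare(pw))
```

Running it shows the divergence the text is about: the naive model gives correcthorsebatterystaple about 117 bits purely from its length, the checklist gives it the same 4 points as aaAA11!!, and the sum-of-parts model drops correcthorsebatterystaple to the four word ranks and aaAA11!! to four cheap repeat runs, with nothing added for how the pieces were arranged.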