Hacker News

This is a terrible way to choose passwords, and in no way equivalent to the XKCD method. It's not equivalent because additional length in your password is very predictable rather than random.

To brute force your password, all somebody has to do is choose a starting word in Wikipedia and some number of consecutive words. This is log2(size of Wikipedia) + log2(entropy of your "5 or 6" distribution). This is less than 32 bits of entropy, or about a six character password in a 64 character alphabet, i.e. it's trivial to brute force this password if you have the hash.
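The entropy comparison in the comment above, worked through as an added example (not code from the thread): it puts the "start position in a public corpus plus a choice of 5 or 6 consecutive words" scheme next to the XKCD scheme (words drawn independently from a word list) and a random character password. The corpus size, guess rate and dictionary size are assumed constants, not figures from the thread; the same random-words function also models non-consecutive word picks if each word is chosen uniformly from the corpus vocabulary.

```python
import math

# Order-of-magnitude assumptions for illustration only (not measured values).
ASSUMED_CORPUS_WORDS = 4_000_000_000   # running words in a large public corpus
ASSUMED_GUESSES_PER_SECOND = 1e9       # offline hash-cracking rate against a fast hash


def consecutive_corpus_bits(corpus_words: int, length_choices: int) -> float:
    """Entropy of 'pick a start word in the corpus, take n consecutive words',
    with n drawn uniformly from `length_choices` possible lengths (e.g. 5 or 6 -> 2).
    The attacker only has to guess the start position and the length."""
    return math.log2(corpus_words) + math.log2(length_choices)


def random_words_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of `word_count` words chosen independently and uniformly from a
    word list of `dictionary_size` entries (the XKCD-style scheme)."""
    return word_count * math.log2(dictionary_size)


def random_chars_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string over an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def equivalent_random_chars(bits: float, alphabet_size: int = 64) -> float:
    """Length of a random password over `alphabet_size` symbols with the same entropy."""
    return bits / math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    schemes = {
        "corpus, 5 or 6 consecutive words": consecutive_corpus_bits(ASSUMED_CORPUS_WORDS, 2),
        "XKCD: 4 random words from 2048":   random_words_bits(2048, 4),
        "6 random chars, 64-symbol alphabet": random_chars_bits(64, 6),
    }
    for name, bits in schemes.items():
        print(f"{name:38s} {bits:5.1f} bits  ~{equivalent_random_chars(bits):4.1f} random chars"
              f"  exhaustive search {seconds_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND):.0f} s")
```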



Yeah, but it would have to be a targeted attack. In any case everyone should be using something like 1Password anyway.


I didn't say I picked consecutive words. You'd be right otherwise, though.


Why are spaces important then?


For word breaks? Why are they not important?



