Quote of the Day, There’ll Be No Living With Randall Munroe Now edition.

He made the Wall Street Journal.

In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3 — a typical example of a password using Mr. Burr’s old rules — could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.

The context of this is that Bill Burr — the guy who came up with the policy where you have to change your passwords every month, preferably by smashing your head into the keyboard and using whatever shows up on the screen — has shamefacedly admitted what we all knew already.  To wit: it doesn’t work.  Heck, it makes security worse.  To be fair, the dude had to come up with the policy in 2003, wasn’t allowed to look at actual people’s passwords to get a feel for what people were doing, and didn’t have much in the way of outside info… why am I apologizing for him?  I’m not sure.  I guess that I just don’t blame him for this particular screw-up.

But, hey, at least they’re updating the parameters!
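To show where the WSJ’s “three days” versus “550 years” figures come from, here is an added worked example (not code from the post, the WSJ, or Munroe). It assumes the comic’s model: an attacker making 1,000 guesses per second, a 2,048-word dictionary for the passphrase, and the comic’s per-component entropy budget for the Tr0ub4dor&3 recipe.

```python
import math

# Assumed guess rate from the cited comic: 1,000 guesses/second, i.e. a
# throttled online attack against a remote service, not an offline hash crack.
GUESSES_PER_SECOND = 1000

# Assumed breakdown of the Tr0ub4dor&3 recipe, following the comic's model:
# each entry is how many bits the attacker still has to guess for that part.
TROUBADOR_RECIPE = {
    "uncommon (but not gibberish) base word": 16,
    "capitalisation of one letter": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "punctuation character": 4,
    "numeral": 3,
    "order of the punctuation/numeral suffix": 1,
}

def pattern_bits(recipe):
    """Total entropy of a password built from independent recipe components."""
    return sum(recipe.values())

def passphrase_bits(num_words, dictionary_size=2048):
    """Entropy of a passphrase whose words are drawn uniformly at random.

    Each word contributes log2(dictionary_size) bits only if the choice is
    random; a quote or song lyric is guessable as a unit and gets far less.
    """
    return num_words * math.log2(dictionary_size)

def seconds_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every one of the 2**bits possibilities."""
    return 2 ** bits / guesses_per_second

def days_to_crack(bits):
    return seconds_to_exhaust(bits) / (60 * 60 * 24)

def years_to_crack(bits):
    return seconds_to_exhaust(bits) / (60 * 60 * 24 * 365)

def compare(recipe=TROUBADOR_RECIPE, num_words=4):
    """Return (recipe bits, recipe days, passphrase bits, passphrase years)."""
    rb, pb = pattern_bits(recipe), passphrase_bits(num_words)
    return rb, days_to_crack(rb), pb, years_to_crack(pb)

if __name__ == "__main__":
    rb, rd, pb, py = compare()
    print(f"Tr0ub4dor&3 style: {rb} bits, ~{rd:.1f} days at 1000 guesses/s")
    print(f"four random words: {pb:.0f} bits, ~{py:.0f} years at 1000 guesses/s")
```

Raising the guess rate (an offline attack against leaked hashes can run many orders of magnitude faster) shrinks both figures proportionally, which is why the bit count, not the time, is the number to compare.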


  • acat says:

    Heh. I’ve been sending “horse staple battery correct” to managers, pretty much since Munroe drew it.
    Gets the points across – shorter and complex *for humans* is not good enough.
    Surprisingly none of them have actually been, you know, *willing to change*… but I’m gonna track down the emails I wrote, and attach this WSJ piece.
    With malice, yes. I am not a nice cat. Kind and generous, perhaps, but not nice.

  • Jeff Weimer says:

    I’ve been using various Mnemonics (first letter of phrases, with added specials when required) for over 20 years, and those are easy to remember and hard to crack.

  • BigGator5 says:

    I’ve never used those rules (unless forced to do so). So, yay forward looking me.

    • Skip says:

      The passphrase for my wifi router used to be, without quotes, but with proper capitalization, punctuation, and two spaces after the period, “This is my passphrase. There are many like it, but this one is mine.”

      But I abandoned that, because while it’s easy to type on a laptop, it’s not so easy to type on a mobile device, especially if it doesn’t let you show the password you’re typing.

  • Luke says:

    Obscurity and compartmentalization are more protection, IMO.
    Someone could theoretically brute force my passwords in X number of days, but they’d have to repeat the feat several times because different things are protected by different passwords (which rotate only within their assigned category), and I don’t link them together any more than I absolutely have to.
    Undertaking the effort to go after a random nobody without much in the way of liquid assets would take a lot more work for less payout than anyone sane is likely to consider.
    That is, unless the criminal in question has the NSA and the IRS under his thumb…
    In which case, we’re just borked.
