Xkcd was dead staple horse wrong about passwords


xkcd is freaking awesome!

I love xkcd. What's not to love about Randall's brilliant work?

The fan base is so huge, and his wit so obscure, that he got a fan-based site explaining his comics. Do click here to read the very funny Bobby Tables. At least I think any programmer* would find it funny. Certainly you need to know more than a bit about coding software to get it anyway.


While he does spread very witty and intelligent comments, I should have been more careful about taking his wise words for granted.

Authentication in general has always bothered me. So much so that I just started a wiki about this topic (and this is how the cregox's wiki category was born!).

And even today we are still lagging behind in finding good ways of properly implementing it with computers. In general, anyway - of course ssh keys have been around for a long time, but not even most DevOps use them as often as they should. Or would anyone bother to argue otherwise?

My LastPass security challenge says I've got at least 800 sites with some password issue. Digital passwords should be something for programmers to worry about, not users.

Digressing some more...

Here's how all this was brought to my attention:

@wilsontp's message also made me realize the importance of changing passwords often, even if you have one that you'll never tell anyone and nobody can guess. A password which is stored somewhere (if it's digital, it is stored) can be leaked and most likely unscrambled thanks to our amazing computational power today (which is unfortunately never used to create a strong hash).

Now, allow me to rationalize it a little, because there is a lot more to be said there...

Dictionary attacks are indeed very relevant, even if only when databases are leaked or access to them is easily compromised, which I'd guess is the case for 99% of all computers. If you somehow have access to whatever the machine uses to check your password against, it is only a matter of computational time to crack the password, and then all your calculations do make sense.

That is why brute forcing (it is still brute forcing) does make digital passwords a mostly outdated concept adapted from the non-computational world, but... I still think passwords can and should still be staple horsed. And free to be as big as you want. Make it a phrase filled with words (harder to find in dictionaries if it's complex enough, since complexity usually doesn't spread organically among humans), or a paragraph. Character length isn't the point.
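Putting numbers on the two points above (the dictionary-attack model and "character length isn't the point"), as an added example that is not part of the original post: the guess rates are constructed order-of-magnitude assumptions, and the 2048-word list is the one xkcd's own 44-bit estimate assumes.

```python
import math

# Constructed, order-of-magnitude guess rates (assumptions, not measurements).
GUESS_RATES = {
    "online, rate limited": 1e2,
    "offline vs. leaked fast unsalted hashes": 1e10,
    "offline vs. leaked slow KDF (bcrypt/scrypt/Argon2)": 1e4,
}

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` options."""
    if choices < 2 or length < 1:
        return 0.0
    return length * math.log2(choices)

def passphrase_entropy(passphrase: str, wordlist_size: int, alphabet_size: int = 26):
    """Return (known_wordlist_bits, naive_char_bits) for a space-separated passphrase.
    The first assumes the attacker knows the wordlist (xkcd's own model: 2048 words,
    11 bits/word). The second is what a per-letter meter reports and overstates the
    strength, because the letters are not random: the dictionary-attack point."""
    words = passphrase.split()
    known = entropy_bits(wordlist_size, len(words))
    naive = entropy_bits(alphabet_size, sum(len(w) for w in words))
    return known, naive

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (year = 365.25 days)."""
    for unit, size in (("years", 31557600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def crack_times(bits: float) -> dict:
    """Crack-time estimate for one secret under every assumed guess rate."""
    return {name: humanize(expected_crack_seconds(bits, rate))
            for name, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    known, naive = passphrase_entropy("correct horse battery staple", 2048)
    for label, bits in (("4 words, attacker knows the 2048-word list", known),
                        ("same phrase, naive per-letter model", naive),
                        ("16 random printable ASCII chars", entropy_bits(95, 16))):
        print(f"{label}: {bits:.1f} bits")
        for scenario, when in crack_times(bits).items():
            print(f"    {scenario}: {when}")
```

The same 44-bit phrase goes from minutes against a leaked fast hash to decades against a tuned KDF, which is the "strong hash" point; the naive per-letter figure shows why a length-based meter says nothing about dictionary attacks.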

I guess the real point is that if you want it to be a good one, it should be one that only you can easily remember.

In my vision of an "ideal world that would be possible today", we would have OS'es which were themselves password managers for everything, handling passwords only for legacy web services that still use them (instead of OpenID and, yes, I was confusing it with OAuth up to now), so the only place your only password would be stored is locally on your machine (much harder to leak, very easy to set a really strong hash), and you would only need to type it after you lock your machine somehow. It could be easily locked remotely through another machine of yours, or by sending in a message with a secondary password to lock. And it could be easily unlocked with U2F, of course. Lost your phone, which has no lock? Ask for anyone's phone to send in an SMS with your lock-in code and done. If it has no internet for over 5 minutes or so, it auto-locks and requests your local password.

Maybe the technical aspects of solving this whole thing aren't really the issue, though.

On a side note, one big still-unstated reason I'm in favor of xkcd there is Swype - the only keyboard on Android that lets you swipe over password fields. It makes typing passwords on a smartphone a breeze (unlike with the 16+ digit long pass drawn from the 127-bit ASCII table that I also use myself).

My current rule of thumb

Ok, so "correct horse battery staple" is all wrong. Then what?

Basically, and ideally, have 1 central place with 1 huge unique passphrase only you can remember, which could go unchanged for a long time, plus 2-factor auth. Store all your passwords and authentication methods there. That "simple".

In more detail:

  • This should go without saying: use ssh keys (or equivalents such as OAuth, OpenID, etc) always.
  • For everything else (which is still most things out there) use at least 1 password manager (mine is LastPass, but 1Password or KeePass are equally fine) and as many random characters as possible.
  • By all means, go on using weak / whatever passwords where data won't matter to you. Keep it practical.
  • Pray for iOS or Android developers to better realize how authentication should be done there.

Not much can be done on mobile today. Biometrics are just wrong, even that cardio ID thing. There are many smarter approaches.

Password strength
Are you a programmer? Do you want to create a *login* registration form? Do you want it to be good?