Xkcd and Xkcd Password site

wkleem
Community Member

I realise that many of the Agilebits team are fond of the XKCD comic strip. Should anyone put their faith in the XKCD Password generator or any other password generator?

How much is known about these sites?

Comments

  • hawkmoth
    Community Member
    edited June 2015

    I can't speak for AgileBits, but I do believe that the XKCD method is sound.

    You may also like to read Toward Better Master Passwords. It's well worth your time. I've adopted Diceware for generating secure, but memorable, passwords as a result of reading it.

  • AGAlumB
    1Password Alumni
    edited June 2015

    @wkleem: Really? I wasn't aware that Randall Munroe had a password generator. I only see 'XKCD-inspired password' results doing a search. Frankly, it looks like a lot of people are just tossing his comics onto their pages without asking. Do you have a link?

    Regarding the 'correct horse battery staple' comic in particular, security papers published in the past year have demonstrated that these types of passwords can be easily cracked if they are less than 5 words unless you're using random special characters as separators. Something to keep in mind. Personally, I go for 7 words, as I'd like my passwords to have a bit of future-proofed buffer.

    Ultimately, so long as the passwords are long, strong, and unique, they're as good as anything, though. Cheers! :)

  • hawkmoth
    Community Member

    @brenty - Here's your link to the XKCD password generator.

  • AGAlumB
    1Password Alumni

    @hawkmoth: Ahh. Yes, I did see that one, but Bart is definitely not the same person as Randall. ;)

    However, those passwords are definitely sufficient -- perhaps overkill in some cases. Very cool. :)

  • RichardPayne
    Community Member

    security papers published in the past year have demonstrated that these types of passwords can be easily cracked if they are less than 5 words unless you're using random special characters as separators

    Just to clarify, which KDF did these papers test against and how many iterations?
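
As an added illustration (not part of this thread or of any 1Password code), the snippet below shows how Diceware picks words by dice roll and how word count, random separators and KDF iteration count feed into an offline attacker's expected work, which is the quantity the question above is really about. The word list is a constructed stand-in of the right size (6^5 = 7776 entries) and the guess rate is an assumed figure, not a measurement.

```python
import math
import secrets
from itertools import product

# Constructed stand-in for a Diceware list: 7776 synthetic placeholder words
# keyed by five dice rolls "11111".."66666". Only the list size matters for
# the entropy arithmetic; a real list would supply real words here.
DICE_FACES = "123456"
WORDLIST = {"".join(r): f"word{n}" for n, r in enumerate(product(DICE_FACES, repeat=5))}

def roll_dice(count=5):
    """Roll `count` dice with a CSPRNG; Diceware uses five rolls per word."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(count))

def roll_to_index(roll):
    """Interpret a roll string such as '31526' as a base-6 number (0..7775)."""
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index

def generate_passphrase(num_words, wordlist=WORDLIST, separator=" "):
    """Pick `num_words` words by dice roll, exactly as Diceware prescribes."""
    return separator.join(wordlist[roll_dice()] for _ in range(num_words))

def passphrase_entropy_bits(num_words, list_size=len(WORDLIST), separator_choices=1):
    """log2(list_size) bits per word, plus log2(separator_choices) for each gap
    when the separator between words is itself chosen at random
    (separator_choices=1 means a fixed separator, which adds nothing)."""
    return num_words * math.log2(list_size) + (num_words - 1) * math.log2(separator_choices)

def expected_crack_seconds(entropy_bits, hashes_per_second, kdf_iterations):
    """Average offline cracking time: half the keyspace, each guess costing
    `kdf_iterations` hash evaluations. Rate and iteration count are inputs
    because any 'easily cracked' claim is meaningless without them."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * kdf_iterations / hashes_per_second

if __name__ == "__main__":
    for words in (4, 5, 7):
        bits = passphrase_entropy_bits(words)
        # Assumed attacker: 1e9 hash evaluations per second (constructed figure).
        years = expected_crack_seconds(bits, 1e9, 100_000) / (365.25 * 86400)
        print(f"{words} words: {bits:.1f} bits, ~{years:.3g} years at 100k iterations")
    print(generate_passphrase(5))
```

Changing the iteration argument shows directly why the same passphrase length is "weak" against a single unsalted hash yet comfortable behind a slow KDF.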

  • hawkmoth
    Community Member

    I'd be interested too. The blog post on the AgileBits site about creating better master passwords needs updating in its recommendations about how many Diceware words there should be in a secure pass phrase if @brenty has things up-to-date.

  • wkleem
    Community Member
    edited June 2015

    @RichardPayne, @hawkmoth, There are login sites that have a character number limitation. Microsoft limits their passcodes to 16 characters. Most sites don't publicise the character sets for successful pass phrase creation.

  • hawkmoth
    Community Member

    @wkleem - Alas, you are correct, there are sites with character number upper limits, and those that don't reveal what their limitations are on character sets. I wouldn't have thought that it's most of them for the latter, but it's too many. And those sites are actually compromising security when they impose such limits, whether or not they reveal them.

    For me, I remember passwords for 1Password, my primary email account, and my AppleID, none of which have such restrictions. But for those that do, it's difficult to let 1Password's password generator do its best work.

  • RichardPayne
    Community Member

    @wkleem for sites with length restrictions, especially short ones (cough Microsoft cough), Diceware is not the best option. Use a standard random password for these.

    Most sites don't publicise the character sets for successful pass phrase creation.

    That's just wrong. The vast majority of sites that have restrictions will tell you what they are right there, on the password creation screen's validation control.
    Granted, there are exceptions but they are rare.

    The best ones are when they do tell you but tell you wrong. That takes a while to figure out...or, my personal favourite, where they accept anything on the creation page and then don't accept everything on the login page (cough Microsoft cough)!

  • khad
    1Password Alumni

    @wkleem, you may be interested to read this existing thread about Diceware passwords. Lots of fun stuff in there (particularly the posts from jpgoldberg, our Chief Defender Against the Dark Arts):

    https://discussions.agilebits.com/discussion/10684/password-with-real-words-like-diceware-really-safe/

    Our support article for creating strong, memorable Master Passwords recommends Diceware:

    https://support.1password.com/strong-master-password/

    But — as mentioned in that support article — for all other passwords, you might as well generate a long string of characters using the generator since 1Password remembers and fills them for you. :)

  • wkleem
    Community Member

    Hi

    I'll have to read the "fine print" more closely then. I find that in my case whenever I go to a certain site or sites, I don't see the password recipe up front. I will have to recheck and get back when I can.

  • AGAlumB
    1Password Alumni
    edited June 2015

    I'll have to read the "fine print" more closely then. I find that in my case whenever I go to a certain site or sites, I don't see the password recipe up front.

    @wkleem: I'll have to agree with you here as well, as this has also been my experience. Often I'm only told of these limitations when I generate an awesomely random password and the site doesn't like it because it's got a bloody H in it or somesuch nonsense. Only then am I told of the criteria.

    Obviously this isn't the case for all sites, but I feel like the ones silly enough to make these demands tend to also be the ones which aren't particularly user-friendly in other ways as well -- including not announcing password requirements front and center. :(

This discussion has been closed.