explain xkcd - User contributions [en]

936: Password Strength

2020-05-24T09:32:29Z

162.158.34.130: update dead link to version from internet archive

{{comic
| number = 936
| date = August 10, 2011
| title = Password Strength
| image = password strength.png
| titletext = To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
}}

==Explanation==
This comic says that a password such as "Tr0ub4dor&3" is bad because it is easy for password cracking software and hard for humans to remember, leading to insecure practices like writing the password down on a post-it attached to the monitor. On the other hand, a password such as "correcthorsebatterystaple" is hard for computers to guess due to having more entropy but quite easy for humans to remember.

In simple cases the {{w|Entropy (information theory)|entropy}} of a password is calculated as ''a^b'' where ''a'' is the number of allowed symbols and ''b'' is its length. A dictionary word (however long) has a password space of around 65000, i.e. 16 bits. A truly random string of length 11 (not like "Tr0ub4dor&3", but more like "J4I/tyJ&Acy") has 94^11 = 72.1 bits. However the comic shows that "Tr0ub4dor&3" has only 28 bits of entropy. Another way of selecting a password is to have 2048 "symbols" (common words) and select only 4 of those symbols. 2048^4 = 44 bits, much better than 28. Using such symbols was again visited in one of the tips in [[1820: Security Advice]].

It is absolutely true that people make passwords hard to remember because they think they are "safer", and it is certainly true that length, all other things being equal, tends to make for very strong passwords and this can be confirmed by using [http://rumkin.com/tools/password/passchk.php rumkin.com's password strength checker]. Even if the individual characters are all limited to [a-z], the exponent implied in "we added another lowercase character, so multiply by 26 again" tends to dominate the results.

In addition to being easier to remember, long strings of lowercase characters are also easier to type on smartphones and {{w|Virtual keyboard|soft keyboards}}.

xkcd's password generation scheme requires the user to have a list of 2048 common words (log2(2048) = 11). For any attack we must assume that the attacker knows our password generation algorithm, but not the exact password. In this case the attacker knows the 2048 words, and knows that we selected 4 words, but not which words. The number of combinations of 4 words from this list of words is (211)4 = 244, i.e. 44 bits. For comparison, the [http://world.std.com/~reinhold/dicewarefaq.html#calculatingentropy entropy offered by Diceware's 7776 word list is 13 bits per word]. If the attacker doesn't know the algorithm used, and only knows that lowercase letters are selected, the "common words" password would take even longer to crack than depicted. 25 ''random'' lowercase characters would have [http://www.wolframalpha.com/input/?i=log2%2826^25%29 117 bits of entropy], vs 44 bits for the common words list.

;Example
Below there is a detailed example which shows how different rules of complexity work to generate a password with supposed 44 bits of entropy. The examples of expected passwords were generated in random.org.(*)

If ''n'' is the number of symbols and ''L'' is the length of the password, then ''L'' = 44 / log2(n).

{|class="wikitable"
!Symbols
!Number of symbols
!Minimum length
!colspan="2"|Examples of expected passwords
!Example of an actual password
!Actual bits of entropy
!Comment
|-
|a||26||9.3||mdniclapwz||jxtvesveiv||troubadorx||16+4.7 = 20.7||Extra letter to meet length requirement; log2(26) = 4.7
|-
|rowspan="2"|a 9
|rowspan="2"|36
|rowspan="2"|8.5
|rowspan="2"|qih7cbrmd
|rowspan="2"|ewpltiayq
|tr0ub4d0r||16+3=19||3 = common substitutions in the comic
|-
|troubador1||16+3.3=19.3||log2(10) = 3.3
|-
|a A||52||7.7||jAwwBYne||NeTvgcrq||Troubador||16+1=17||1 = caps? in the comic
|-
|a &||58||7.5||j.h?nv),||c/~/fg\:||troubador&||16+4=20||4 = punctuation in the comic
|-
|a A 9||62||7.3||cDe8CgAf||RONygLMi||Tr0ub4d0r||16+1+3=20||1 = caps?; 3 = common substitutions
|-
|a 9 &||68||7.2||_@~"#^.2||un$l|!f]||tr0ub4d0r&||16+3+4=23||3 = common substitutions; 4 = punctuation
|-
|a A 9 &||94||6.7||Re-:aRo||^$rV{3?||Tr0ub4d0r&||16+1+3+4=24||1 = caps?; 3 = common substitutions; 4 = punctuation
|-
|rowspan="2"|common words
|rowspan="2"|2048
|rowspan="2"|4
|rowspan="2"|reasonableretailsometimespossibly
|rowspan="2"|constantyieldspecifypriority||reasonableretailsometimespossibly||11×4=44||Go to random.org and select 4 random integers between 1 and 2048; then go to your list of common words
|-
|correcthorsebatterystaple
|1
|Thanks to this comic, this is now one of the first passwords a hacker will try. The only entropy left is a boolean statement: "Is this password correcthorsebatterystaple, yes or no?"
|}

:a = lowercase letters
:A = uppercase letters
:9 = digits
:& = the 32 special characters in an American keyboard; Randall assumes only the 16 most common characters are used in practice (4 bits)

:(*) The use of random.org explains why <code>jAwwBYne</code> has two consecutive w's, why <code>Re-:aRo</code> has two R's, why <code>_@~"#^.2</code> has no letters, why <code>ewpltiayq</code> has no numbers, why "constant yield" is part of a password, etc. A human would have attempted at passwords that looked random.

==People who don't understand information theory and security==

The title text likely refers to the fact that this comic could cause people who understand information theory and agree with the message of the comic to get into an infuriating argument with people who do not — and disagree with the comic.

If you're confused, don't worry; you're in good company; even security "experts" don't understand the comic:

* Bruce Schneier thinks that dictionary attacks make this method "obsolete", despite the comic ''assuming'' perfect knowledge of the user's dictionary from the get-go. He advocates his own low-entropy "first letters of common plain English phrases" method instead: [https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html#!s!xkcd Schneier original article] and rebuttals: [https://web.archive.org/web/20160305001236/http://robinmessage.com/2014/03/why-bruce-schneier-is-wrong-about-passwords/ 1] [http://security.stackexchange.com/a/62881/10616 2] [http://www.reddit.com/r/technology/comments/1yxgqo/bruce_schneier_on_choosing_a_secure_password/cfp2z9k 3] [http://www.reddit.com/r/YouShouldKnow/comments/232uch/ysk_how_to_properly_choose_a_secure_password_the/cgte7lp 4] [http://www.reddit.com/r/YouShouldKnow/comments/232uch/ysk_how_to_properly_choose_a_secure_password_the/cgszp62 5] [http://www.reddit.com/r/YouShouldKnow/comments/232uch/ysk_how_to_properly_choose_a_secure_password_the/cgt6ohq 6]
* Steve Gibson basically gets it, but calculates entropy incorrectly in order to promote his own method and upper-bound password-checking tool: [https://www.grc.com/sn/sn-313.htm#!s!math%20is%20wrong Steve Gibson Security Now transcript] and [https://subrabbit.wordpress.com/2011/08/26/how-much-entropy-in-that-password/ rebuttal]
* Computer security consultant Mark Burnett ''almost'' understands the comic, but then advocates adding numerals and other crud to make passphrases less memorable, which completely defeats the point (that it is human-friendly) in the first place: [https://web.archive.org/web/20150319220514/https://xato.net/passwords/analyzing-the-xkcd-comic/ Analyzing the XKCD Passphrase Comic]
* Ken Grady incorrectly thinks that user-selected sentences like "I have really bright children" have the same entropy as randomly-selected words: [https://www.hellersearch.com/blog/bid/141527/is-your-password-policy-stupid Is Your Password Policy Stupid?]
* Diogo Mónica is correct that a truly random 8-character string is still stronger than a truly random 4-word string (52.4 vs 44), but doesn't understand that the words have to be truly random, not user-selected phrases like "let me in facebook": [https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/ Password Security: Why the horse battery staple is not correct]
* Ken Munro confuses entropy with permutations and undermines his own argument that "correct horse battery staple" is weak due to dictionary attacks by giving an example "strong" password that still consists of English words. He also doesn't realize that using capital letters in predictable places (first letter of every word) does not increase password strength: [https://www.pentestpartners.com/security-blog/correcthorsebatterystaple-isnt-a-good-password-heres-why/ CorrectHorseBatteryStaple isn’t a good password. Here’s why.]

Sigh. 🤦‍♂️

==Transcript==
:The comic illustrates the relative strength of passwords assuming basic knowledge of the system used to generate them.
:A set of boxes is used to indicate how many bits of entropy a section of the password provides.
:The comic is laid out with 6 panels arranged in a 3x2 grid.
:On each row, the first panel explains the breakdown of a password, the second panel shows how long it would take for a computer to guess, and the third panel provides an example scene showing someone trying to remember the password.

:[The password "Tr0ub4dor&3" is shown in the center of the panel. A line from each annotation indicates the word section the comment applies to.]

:Uncommon (non-gibberish) base word
:[Highlighting the base word - 16 bits of entropy.]
:Caps?
:[Highlighting the first letter - 1 bit of entropy.]
:Common Substitutions
:[Highlighting the letters 'a' (substituted by '4') and both 'o's (the first of which is substituted by '0') - 3 bits of entropy.]
:Punctuation
:[Highlighting the symbol appended to the word - 4 bits of entropy.]
:Numeral
:[Highlighting the number appended to the word - 3 bits of entropy.]
:Order unknown
:[Highlighting the appended characters - 1 bit of entropy.]
:(You can add a few more bits to account for the fact that this is only one of a few common formats.)

:~28 bits of entropy
:228 = 3 days at 1000 guesses/sec
:(Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about.)
:Difficulty to guess: Easy

:[Cueball stands scratching his head trying to remember the password.]
:Cueball: Was it trombone? No, Troubador. And one of the O's was a zero?
:Cueball: And there was some symbol...
:Difficulty to remember: Hard

:[The passphrase "correct horse battery staple" is shown in the center of the panel.]
:Four random common words {Each word has 11 bits of entropy.}

:~44 bits of entropy
:244 = 550 years at 1000 guesses/sec
:Difficulty to guess: Hard

:[Cueball is thinking, in his thought bubble a horse is standing to one side talking to an off-screen observer. An arrow points to a staple attached to the side of a battery.]
:Horse: That's a battery staple.
:Observer: Correct!
:Difficulty to remember: You've already memorized it

:Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

==External links==
*An [https://en.wikipedia.org/wiki/Request_for_Comments RFC], RFC7997 ''The Use of Non-ASCII Characters in RFCs'', uses "Correct Horse Battery Staple" in ''Table 3: A sample of legal passwords'' on page 10.[https://www.rfc-editor.org/rfc/pdfrfc/rfc7997.txt.pdf#page=10]
*Some info was used from the highest voted answer given to the question of "how accurate is this XKCD comic" at StackExchange [http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase].
*Similarly, a question of "how right this comic is" was made at AskMetaFilter [http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so] and [[Randall]] responded [http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020 there].
*Also the Wikipedia article on '{{w|Passphrase}}' is useful.
*In case you missed it in the explanation, GRC's Steve Gibson has a fantastic page [https://www.grc.com/haystack.htm] about this (and may have prompted this comic, as his podcast [http://www.grc.com/sn/sn-303.htm] about this was posted the month before this comic).
* This comic inspired [http://blog.acolyer.org/2015/10/29/how-to-memorize-a-random-60-bit-string/ How to memorize a random 60-bit string] scientific paper (link is to the article about paper, wth paper itself linked)
* [https://github.com/dropbox/zxcvbn zxcvbn password strength estimator] thanks this comic for the inspiration in acknowledgements.
* CMU paper: [http://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf Correct horse battery staple: Exploring the usability of system-assigned passphrases]
* [http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf Microsoft Password Guidance] (page 8)
* [http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987 The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time], August 8, 2017 (this comic is reproduced in the article).

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Math]]
[[Category:Computers]]
[[Category:Psychology]]
[[Category:Computer security]]

Talk:76: Familiar

2020-05-05T09:16:52Z

162.158.34.130: /* Comic rotation */

What do you reckon is missing from the explanation? ––[[User:St.nerol|St.nerol]] ([[User talk:St.nerol|talk]]) 14:26, 2 July 2013 (UTC)
:I'm running through the first comics and when I feel that something is missing it just gets the incomplete tag. Everyone is welcome to fix and remove this tag. The most worse error here was :) instead of :(.--[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 15:22, 2 July 2013 (UTC)
::The happy smiley was ''after'' the sentence dryly ''explaining'' the fairly obvious thing that a sad smiley means sadness. It was totally intentional, meant as a joke, funny or not! It could have been ;) though. –[[User:St.nerol|St.nerol]] ([[User talk:St.nerol|talk]]) 07:55, 3 July 2013 (UTC)
:::The title text shows :( not more or less. If you have ideas beyond of this explain it, but do not change the original text.--[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 20:14, 7 July 2013 (UTC)
::::This is confused. How do you mean, I changed the original text? –[[User:St.nerol|St.nerol]] ([[User talk:St.nerol|talk]]) 09:36, 10 July 2013 (UTC)
:::::Go here: [[http://www.explainxkcd.com/wiki/index.php?title=76:_Familiar&diff=prev&oldid=43148]], you did change the ":(" to ";)" and a few edits before you did ":)". I just did edit this to the correct sadness symbol. When Randall talks about apples you can't explain bananas.--[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 10:44, 10 July 2013 (UTC)
::::::I'm removing the sentence. It was just a joke, but it wasn't appreciated. :( ––[[User:St.nerol|St.nerol]] ([[User talk:St.nerol|talk]]) 19:19, 21 July 2013 (UTC)
:::::::What the hell you are doing? We need an explain for the title text, even when it's simple.--[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 19:32, 21 July 2013 (UTC)
::::::::No. You don't need to explain what a smiley is. Everybody knows. Especially on the internet. There's got to be a limit; we don't, for example, explain the meaning of common english words. –[[User:St.nerol|St.nerol]] ([[User talk:St.nerol|talk]]) 08:18, 22 July 2013 (UTC)
Is this the shortest title text? [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 10:56, 11 June 2018 (UTC)
:If you don't count comics without any title text at all, then yeah, I'm pretty sure it is. [[User:SuperSupermario24|SuperSupermario24]] 06:32, 1 June 2019 (UTC)

== Comic rotation ==

Anyone else notice the comic is rotated 90 degrees clockwise for them on the xkcd website? I’m using Safari on an iPhone. {{unsigned|172.68.142.209}}
:It's fine in Chrome on Android and Debian. [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 01:13, 12 May 2019 (UTC)
::Exif.Image.Orientation is set to rotate the image. [[Special:Contributions/108.162.219.238|108.162.219.238]] 21:10, 13 February 2020 (UTC)
::Also rotated in Chrome as of May 2020

2150: XKeyboarCD

2019-05-15T17:45:53Z

162.158.34.130: /* Explanation */

{{comic
| number = 2150
| date = May 15, 2019
| title = XKeyboarCD
| image = xkeyboarcd.png
| titletext = The key caps use LCD displays for all the vowels, so they can automatically adjust over the years to reflect ongoing vowel shifts while allowing you to keep typing phonetically.
}}

==Explanation==
{{incomplete|Created by a KEY BOAR USING AN XKEYBOARCD. Title Text not yet explained. Please mention here why this explanation isn't complete. Do NOT delete this tag too soon.}}

In the same vein as the [[:Category:xkcd Phones|xkcd Phone series]], the XKeyboarCD seems to be an overly inventive and borderline ludicrous keyboard intended for some unknown audience. It has an assortment of features (some fairly normal, some more exotic) which give it a..."diverse skill set".

*'''54 Configurable Rubik's Keys'''
The smaller cubes on a {{w|Rubik's cube}} resemble computer keys, so this feature makes fun of that by adding a spinnable Rubik's cube above the keyboard.

*'''Hardcoded Plastic Keys for the 5 Most Useful Emoji'''
This feature parodies the feature of some laptop-keyboards where it is possible to dynamically assign emojis to a small touchscreen area. Which Emojis would be "the most useful" is highly subjective. For example in the comic it shows the quite popular laughing with tears emoji, along the octopus emoji and others. Notably, the "aerial tramway" was once the least-used emoji, and remains very rarely used.
The large size and central position of the keys make their usefulness even more questionable.
{| class="wikitable"
|-
! Emoji
! Name
|-
| 😰
| [https://emojipedia.org/face-with-open-mouth-and-cold-sweat/ Anxious Face With Sweat]
|-
| 😂
| [https://emojipedia.org/face-with-tears-of-joy/ Face With Tears of Joy]
|-
| 🐙
| [https://emojipedia.org/octopus/ Octopus]
|-
| 🏇
| [https://emojipedia.org/horse-racing/ Horse Racing]
|-
| 🚡
| [https://emojipedia.org/aerial-tramway/ Aerial Tramway]
|}

*'''Serif Lock'''
{{w|Serifs}} are small lines on the ends of certain characters in fonts such as Times New Roman and Georgia. It is dependent on the font, not on the key pressed; "A" is represented by the same code regardless of its font. Since a given font almost always either has or doesn't have serifs, this key seems challenging to implement. This key could be implemented, however, by simply changing between a pair of fonts when it is pressed. What's more, the button is placed roughly where left Shift is on most keyboards, liable to cause frustration.

*'''Unlimited Key Travel'''
On a keyboard, key travel refers to the distance the key moves between its unpressed and pressed states. In reality, laptop keys only move a few millimeters before bottoming out, and conventional keyboards up to about a centimeter. An increased key travel may make typing more comfortable. However, the usefulness of having unlimited key travel is unclear, and the question of how this would be physically possible in the keyboard depicted remains unanswered.

*'''Diagonal Spacebar'''
A diagonal spacebar wouldn't be very useful, as many typists are used to having a spacebar at the bottom, and there's no reason to change it.

*'''Arrow Key (Rotate to Adjust Direction)'''
Most computers have four arrow keys: up, left, right, and down. However, the XKeyboarCD just has one that can be rotated. This has the added bonus of allowing the arrow keys to point more than four different directions. While theoretically useful and innovative, this comes at the cost of compatibility with certain programs, such as older video games.

*'''15 Puzzle-Style Numberpad'''
A 15 Puzzle is a square containing fifteen smaller squares and one blank spot, which allows the squares to be moved around. The squares are shuffled and then reassembled as a game or pastime, and are usually labelled 1-15 (as is the case here) or, when assembled properly, create a picture. A numberpad in this style would be frustrating to use for typing numbers, as they could shift (or be shifted) around, but could provide a fun feature to use as a game. How this would be used to generate numeric input is unclear, but the presence of 16 positions suggests {{w|hexadecimal}} input is possible.

*'''Ergonomic Design'''

The cylindrical portion of the keyboard is advertised as being an ergonomic design. Ergonomic keyboards do tend to be curved, to follow natural arm and finger movements more closely, and some ergonomic keyboards come in unconventional form factors, such as vertical keyboards, to allow the user's hands to rest in more neutral positions or to change positions throughout the day. However, the cylinder shape presented here requires the user to lift and twist his arms to reach certain keys, which would be an even more strenuous motion than typing on a standard keyboard.

*'''Title Text'''

==Transcript==
{{incomplete transcript|Do NOT delete this tag too soon.}}
Introducing the
XKeyboarCD
A keyboard for powerful users and their powerful fingers

[Arrow to the various features of a keyboard labelling them.]

54 Configurable Rubik's Keys

Hardcoded Plastic Keys for the 5 Most Useful Emoji

Serif Lock

Unlimited Key Travel

Diagonal Spacebar

Arrow Key (Rotate to Adjust Direction)

15 Puzzle-Style Numberpad

Ergonomic Design
{{comic discussion}}