annadata.blogg.se

Random four word password generator
Here is a thorough explanation of the mathematics in this comic:

Entropy is a measure of the average cost of hitting the right password in a brute force attack. We assume that the attacker knows the exact password generation method, including probability distributions for random choices in the method. An entropy of n bits means that, on average, the attacker will try 2^(n-1) passwords before finding the right one. When the random choices are equiprobable, you have n bits of entropy when there are 2^n possible passwords, which means that the attacker will, on average, try half of them. The definition with the average cost is more generic, in that it captures the cases where random choices taken during the password generation process (the one which usually occurs in the head of the human user) are not uniform.

The point of using "bits" is that they add up. If you have two password halves that you generate independently of each other, one with 10 bits of entropy and the other with 12 bits, then the total entropy is 22 bits. If we were to use a non-logarithmic scale, we would have to multiply: 2^10 uniform choices for the first half and 2^12 uniform choices for the other half make up for 2^(10+12) = 2^22 uniform choices. Additions are easier to convey graphically with little boxes, hence our using bits. The little boxes in the comic represent entropy in a logarithmic scale, i.e.

That being said, let's see the two methods described in the comic.

I think the most important part of this comic, even if it were to get the math wrong (which it didn't), is visually emphasizing that there are two equally important aspects to selecting a strong password (or actually, a password policy, in general):

All too often, when discussing complex passwords, strong policies, expiration, etc. (and, to generalize, all security), we tend to focus overly much on the computer aspects, and skip over the human aspects. Especially when it comes to passwords (and double especially for average users), the human aspect should often be the overriding concern. For example, how often does a strict password complexity policy enforced by IT (such as the one shown in the XKCD) result in the user writing down his password and taping it to his screen? That is a direct result of focusing too much on the computer aspect, at the expense of the human aspect.

And I think that is the core message from the sage of XKCD: yes, Easy to Guess is bad, but Hard to Remember is equally so. And that principle is a correct one, AKA AviD's Rule of Usability: Security at the expense of usability comes at the expense of security. We should remember this more often.
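The entropy bookkeeping explained above (bits of independent components add, raw counts multiply, and n bits correspond to roughly 2^(n-1) guesses on average) can be checked with a few lines of Python. The script below is an added example, not code from the page or from the comic's author; the four-word vocabulary and the "favourite word" probabilities it uses are constructed sample inputs. It goes slightly beyond the text by also computing the general average-cost figure for a non-uniform generation method, which is the case the text says the bit count alone does not capture.

```python
"""Passphrase entropy bookkeeping (added example; not the page's own code).

Two views of the same quantity from the explanation above:
  * uniform choices: n bits <=> 2**n equally likely passwords, and
    independent components add in bits (multiply in raw counts);
  * the general "average cost" view: an attacker who knows the generation
    method and its probabilities guesses the likeliest candidates first,
    and the cost is the expected number of guesses until the right one.
"""
import itertools
import math


def bits_for_choices(n_choices: int) -> float:
    """Entropy in bits of one uniform random choice among n_choices options."""
    return math.log2(n_choices)


def combined_entropy_bits(*component_choices: int) -> float:
    """Independent components: their bit counts add (the 10 + 12 = 22 above)."""
    return sum(bits_for_choices(n) for n in component_choices)


def total_choices(*component_choices: int) -> int:
    """The same combination on the non-logarithmic scale: the counts multiply."""
    total = 1
    for n in component_choices:
        total *= n
    return total


def expected_guesses_uniform(n_passwords: int) -> float:
    """Average guesses when every password is equally likely: the attacker's
    ordering does not matter and the right one sits, on average, in the
    middle, i.e. (N + 1) / 2, which the text rounds to 2**(n - 1)."""
    return (n_passwords + 1) / 2


def expected_guesses(distribution: dict) -> float:
    """General average cost. distribution maps password -> probability.
    The optimal attacker tries candidates in decreasing probability order,
    so the candidate at rank r costs r guesses with probability p_r."""
    probs = sorted(distribution.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(probs, start=1))


def guess_equivalent_bits(distribution: dict) -> float:
    """Turn an average cost back into a bit figure with the rule above
    (n bits <=> 2**(n - 1) guesses), so skewed and uniform methods compare."""
    return math.log2(expected_guesses(distribution)) + 1


def product_distribution(*word_dists: dict) -> dict:
    """Distribution of a passphrase built from independently chosen words:
    the probability of a word tuple is the product of the words' probabilities."""
    result = {}
    for combo in itertools.product(*(d.items() for d in word_dists)):
        words = " ".join(w for w, _ in combo)
        prob = 1.0
        for _, p in combo:
            prob *= p
        result[words] = prob
    return result


# Constructed sample inputs (not from the page): a tiny four-word vocabulary.
UNIFORM_WORD = {"alpha": 0.25, "bravo": 0.25, "charlie": 0.25, "delta": 0.25}
# The same vocabulary when users gravitate to one favourite word.
SKEWED_WORD = {"alpha": 0.7, "bravo": 0.1, "charlie": 0.1, "delta": 0.1}


if __name__ == "__main__":
    print("10 + 12 bits ->", combined_entropy_bits(2**10, 2**12), "bits,",
          total_choices(2**10, 2**12), "passwords")
    print("four words from a 2048-word list ->",
          combined_entropy_bits(2048, 2048, 2048, 2048), "bits")
    uniform4 = product_distribution(*[UNIFORM_WORD] * 4)
    skewed4 = product_distribution(*[SKEWED_WORD] * 4)
    print("uniform 4-word (4 options each): %.1f guesses, %.2f bits"
          % (expected_guesses(uniform4), guess_equivalent_bits(uniform4)))
    print("skewed  4-word (4 options each): %.1f guesses, %.2f bits"
          % (expected_guesses(skewed4), guess_equivalent_bits(skewed4)))
```

The uniform four-word passphrase over the toy vocabulary costs 128.5 guesses on average (256 equally likely phrases), while the skewed version, which counts the same 256 phrases, costs far fewer because the attacker is assumed to know the favourite word and tries phrases built from it first. That gap is exactly why the text insists on the attacker knowing the generation method and its probability distribution: a passphrase policy is only as strong as the randomness actually used to pick the words, so word selection should be delegated to a random generator rather than the user's head.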