Steam was hacked

Now you're saying something different from before. You said: "suddenly the space of all passwords becomes quite small. tongue"

The pattern of 6 random words does not make a small space. The fact that another space is bigger is pretty irrelevant, since most people don't use totally random 36-character passwords.

Krill Wrote:Just pick 6 different words and use them as the password. Easy to remember, and a bitch to crack.

Doesn't that open up a vulnerability to dictionary attacks?

Nicolae Carpathia Wrote:Doesn't that open up a vulnerability to dictionary attacks?

Maybe it's a unique Krill dictionary. lol

Nicolae Carpathia Wrote:Doesn't that open up a vulnerability to dictionary attacks?

That's what asm and SevenSpirits are arguing about smile

Yes and no. It depends what you're comparing it to. 6 words has a lot more room for variation than 6 random characters, and a lot less variation than 40 random characters. So it all depends on what sort of password you had before.

Also there's a bit of value in switching from the conventional wisdom, at least until the crackers catch up.
EitB 25 - Perpentach
Occasional mapmaker


SevenSpirits Wrote:Now you're saying something different from before. You said: "suddenly the space of all passwords becomes quite small. tongue"

The pattern of 6 random words does not make a small space. The fact that another space is bigger is pretty irrelevant, since most people don't use totally random 36-character passwords.

It is quite small because the space is very constrained to the total possible space. This is the difference between the true brute force attack that tries every possible combination and a dictionary attack that tries a giant list of words.

If I know that the password length is fixed then suddenly the space isn't infinite. I used 36 letters as an example. If I know that the 6 components are words from a 100,000 word dictionary then I only have to search a very small portion of 26^36.

Take for example, I have all the usernames of a website that uses a 6 length alphabetic-only minimum password. To perform a brute force attack you would have to generate at least 26^6 to even get the 6 letter combinations then 26^7 to get all the 6 letter combinations, 26^8 and so forth.

However, if I know that most people using the websites have passwords which are words, then I have to find a large dictionary and take all the words from it at least 6 letters long and try that. I guarantee this method is much much faster compared to a brute force search which is why websites tell you not to use common words.
In Soviet Russia, Civilization Micros You!

"Right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must."
“I have never understood why it is "greed" to want to keep the money you have earned but not greed to want to take somebody else's money.”

Which makes you wonder how they got that information, that people are using multiple words as passwords?

Also, slightly more words than that: http://en.wikipedia.org/wiki/English_language

250,000 excluding slang, technical and scientific terms, and it ignores capitalization and number substitution. If you decide that every second vowel in the word is replaced by a number if appropriate, for example (a=4, e=3, i=1, o=0, but no change to u) then you are going to add a fair few variations.
Current games (All): RtR: PB80 Civ 6: PBEM23

Ended games (Selection): BTS games: PB1, PB3, PBEM2, PBEM4, PBEM5B, PBEM50. RB mod games: PB5, PB15, PB27, PB37, PB42, PB46, PB71. FFH games: PBEMVII, PBEMXII. Civ 6:  PBEM22 Games ded lurked: PB18

I believe XKCD screwed it up for everyone a few months back.
In Soviet Russia, Civilization Micros You!

"Right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must."
“I have never understood why it is "greed" to want to keep the money you have earned but not greed to want to take somebody else's money.”

Krill Wrote:Which makes you wonder how they got that information, that people are using multiple words as passwords?

Also, slightly more words than that: http://en.wikipedia.org/wiki/English_language

250,000 excluding slang, technical and scientific terms, and it ignores capitalization and number substitution. If you decide that every second vowel in the word is replaced by a number if appropriate, for example (a=4, e=3, i=1, o=0, but no change to u) then you are going to add a fair few variations.

Not really, as then it is a case of figuring out which vowel is represented by which number, a fairly easy task cryptographically. If the cracker has a good idea of the word pattern then it is just a tiny extension of the complexity of finding the six words.
Travelling on a mote of dust, suspended in a sunbeam.
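The search-space arithmetic behind the last few posts (asm's dictionary-versus-brute-force comparison, Krill's 250,000-word and vowel-substitution figures, and Bobchillingworth's point that a known substitution rule adds almost nothing) can be put in numbers. The following is an added example written for this thread, not code posted by anyone in it; the six-word list and the 100,000 / 250,000 dictionary sizes are the posts' own figures or constructed stand-ins, and the "every second vowel" rule is implemented as Krill described it.

```python
import itertools
import math

# Constructed mini dictionary; stands in for the ~100,000-word list asm mentions.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "union", "fish"]

# Vowel-to-digit map from Krill's post; 'u' has no replacement.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}
VOWELS = set("aeiou")


def random_string_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def word_passphrase_bits(dictionary_size, word_count):
    """Entropy of word_count words drawn uniformly (with replacement) from a dictionary."""
    return word_count * math.log2(dictionary_size)


def brute_force_candidates(alphabet_size, min_len, max_len):
    """Number of candidates a pure brute force must try for lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def apply_krill_rule(word):
    """Krill's rule as a deterministic transform: every second vowel (2nd, 4th, ...)
    is replaced by its digit if one exists. A cracker who knows the rule applies it
    to each dictionary word once, so it adds 0 bits."""
    out, seen = [], 0
    for c in word:
        if c in VOWELS:
            seen += 1
            if seen % 2 == 0 and c in LEET:
                out.append(LEET[c])
                continue
        out.append(c)
    return "".join(out)


def leet_variants(word):
    """All strings obtained by independently keeping or replacing each mappable vowel.
    This is the attacker's model when only the substitution table, not the exact
    rule, is known; it bounds how much the substitution can possibly add."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return ["".join(p) for p in itertools.product(*choices)]


def leet_extra_bits(word):
    """Extra bits the substitution adds for one word under the loose model above."""
    return math.log2(len(leet_variants(word)))


def compare(dictionary_size=100_000, word_count=6, alphabet_size=26):
    """Bits of entropy for the password styles discussed in the thread."""
    avg_leet = sum(leet_extra_bits(w) for w in SAMPLE_WORDS) / len(SAMPLE_WORDS)
    return {
        "6_random_letters": random_string_bits(alphabet_size, 6),
        "36_random_letters": random_string_bits(alphabet_size, 36),
        "6_words_from_dict": word_passphrase_bits(dictionary_size, word_count),
        "6_words_known_rule": word_passphrase_bits(dictionary_size, word_count),
        "6_words_loose_leet_model": word_passphrase_bits(dictionary_size, word_count)
        + word_count * avg_leet,
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:28s} {bits:7.1f} bits")
    print("brute force, 6-letter alphabetic only:", brute_force_candidates(26, 6, 6))
    print("Krill rule on 'battery':", apply_krill_rule("battery"))
    print("loose leet variants of 'horse':", leet_variants("horse"))
```

Running it shows the ordering SevenSpirits and asm are both describing: six words from a 100,000-word list sit near 100 bits, far above six random letters (about 28 bits) and far below 36 random letters (about 169 bits); widening the list to 250,000 words adds under 8 bits. The vowel trick, even under the generous model where the cracker must guess each vowel independently, adds only about 2 bits per word, and nothing at all once the rule itself is known.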

Look, there's no such thing as perfect security. All you can do is try to make it good enough that it's more trouble than it's worth to break into your stuff. And if you spend too much of your effort on just one piece (like your password), then the black hats will find an alternate route.

[Image: security.png]
EitB 25 - Perpentach
Occasional mapmaker


There is perfect uncrackable security except with brute force attack that wouldn't finish until after the sun explodes. For example, anything that reduces down to One-Time Pad is essentially uncrackable:

http://en.wikipedia.org/wiki/One-time_pa...n_security

And there are theoretically perfectly secure communication systems immune to interception like quantum encryption or that simple resistor trick.

But to bypass security, you just need to find the weakest point and that's usually a human.
In Soviet Russia, Civilization Micros You!

"Right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must."
“I have never understood why it is "greed" to want to keep the money you have earned but not greed to want to take somebody else's money.”