To anyone who understands information theory and security and is in an infuriating argument with someone who does not
(possibly involving mixed case), I sincerely apologize.
So true, thanks!
changes all his passwords
wait ... "53cr3t" isn't good?
I forgot the correct horse battery staple since the last time I read that strip
uses the password 'password'. I figure it is so obvious nobody will guess it!
problem: rainbow table using that algorithm
next problem: you aren't using all 44 bits. you're only using a-zA-Z, which is 52 combinations out of the 256 per character
other problem: what's your favorite color, animal, child, car? if i can find that out, i know your PW
actually I use a password manager which generates and remembers long random passwords for me
if your password manager has a password...?
and yes it has a password - and it's very much chosen like you suggest
I've long argued against case sensitivity in passwords. If your app doesn't lowercase() before hashing, you're doing it wrong.
amusingly, i thought of this strip the other day... I couldn't remember the four words, so I guess I hadn't already memorised it.
but that's not an argument against passphrases. They're the Right Thing To Do.
bokuwakyuu: or combine it with your own natural typo-ese and you have an unbreakable phrase!
I have ranted about this exact same thing for /years/. This right here was my biggest irritation when I was in computer security.
lost productivity through case-sensitive passwords vs losing up to 1 bit/character of security in passwords is hard to quantify.
but increasing password min length by 1/7th and using lowercase() should cancel out the min bits of security in the password.
so caseless passwords feel like something with no cost, to me.
[A, Z] maps to [41, 5A], [a, z] maps to [61, 7A]. A: 1000001, a: 1100001. the difference is the 32 bit. so don't trust your gut
however, i'm pretty sure you'd have to double the length of your pw to take care of losing that bit.
it adds at most one bit of entropy per character. Generally fewer, since 1) not all password chars are alpha;
2) most people don't capitalise randomly, but rather at the beginning/end of words.
for a brute force: [a, z] requires 26 digits per loop, [a, Z] requires 52. you'd need 2 lc characters to require as many passes as 1 un-lced
That's right: twice as many possibilities per character = one bit of entropy per character.
what is the most restricted character set we use? the one on our cell phone
entropy is not possibility - not meaning to nitpick & certainly could be wrong
a random lowercase password has 26^n possibilities: a little over 4 entropy bits/character. Uppercase has 52^n: a little over 5 bits.
BigRedTruck is not random (lots of entropy), AzQdtNvw is more random (possibly not) - possibly using the wrong words here
So if your min password length was 4, you'd have 52^4 possibilities (7.3M).
make it case insensitive, raise the min length to 5, get 26^5 = 11M possibilities.
i think we're agreed on the math - base 26 vs base 52
in my mind, possibility does not equal entropy
having never done the attack, i've never tried to find an optimal mapping
once again failing to communicate well
using an underlying pattern for your password restricts the amount of that space you are utilizing
there's a reasonable likelihood that we're actually argumentatively agreeing with each other
that if you're going by shannon's ~1 bit per letter for English, then case sensitivity appears to double that entropy for passphrases...
but randomly capitalising maybe 50% of the letters rather destroys the memorability of a passphrase.
so in fact, people tend to capitalise specific words, or initials, where they can remember them. And as you say, that's a pattern
sorta, kinda - we're saying similar things, but sleepy me didn't grasp the need to point it out
MyKidsAge lives in 9 log(52)/log(2), mykidsage lives in 9 log(26)/log(2). plenty of entropy in both spaces, but a crappy password
because it's susceptible to a logic attack - it's going to be on the list of things i try before hauling out the for loop
plus, when i haul out the for loop, i'm not going to do it stupidly - once i've generated mykidsage with my brute force
capitalization with a set pattern is a simple AND operation. that's not making it hard on the attacker
does that make more sense?
exactly! Which is why I argue for case insensitive passwords: case sensitivity is merely the illusion of security.
sure, it can be used such that it adds a whole bit/character, but most of your users won't get that advantage, just the disadvantage.
the disadvantage being that they call you for a password reset every time they hit caps lock by accident
i don't like password. i like passsentence
or that customers just leave and don't come back when their password "stops working".