The Horse Battery Staple is Correct
There are several circulating blog articles about password managers claiming that this XKCD comic is incorrect.
The typical analysis goes something like this:
- Users shouldn’t be choosing passwords
- Users should use a password manager
- Brute force isn’t the important attack
- Sites should have password policies
The authors of these articles invariably work or write articles for security companies that make password policy integration systems.
Full disclosure: I work for a company that makes passwordless security systems.
I’m going to pick apart these arguments one by one, without making any claims about the product I’m developing because it *isn’t relevant*.
Users shouldn’t be choosing passwords.
This is a “straw man” argument. The claim itself is correct, but the 4th panel of the comic specifically uses the term “random”. That means the 4 words should be randomly generated, which means the XKCD comic never claimed that users *should* be choosing them.
Fortunately there are a couple of great websites that do it for you:
- http://correcthorsebatterystaple.net : Simple, effective, but limited
- http://password.optionfactory.net : Language of choice + allows you to alter the entropy with less common words
Users should use a password manager
Absolutely.
Most password managers require you to create a memorable “master password”. And there’s still no better way to do that than a selection of random words as presented in the original XKCD comic. The analysis of entropy remains correct. For a real master password, I would choose 5 words.
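The two points above (the words must be chosen by a random generator, not by the user, and a master password wants 5 words rather than 4) come down to one calculation: bits of entropy = words × log2(dictionary size). The following is an added example, not code from the original post or from either of the sites linked above; it uses Python’s `secrets` module (the OS CSPRNG) to pick the words and a constructed 16-word toy list, so a real generator would swap in a published list of a few thousand words (the comic’s figures assume about 2048 words, 11 bits each).

```python
import math
import secrets

# Constructed toy word list for the demo (16 words = 4 bits per word).
# A real generator uses a published list of a few thousand words.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "apple", "river", "candle",
    "window", "garden", "pencil", "silver", "rocket", "meadow", "button",
    "planet", "ladder",
]


def entropy_bits(n_words, dictionary_size):
    """Entropy of n words drawn uniformly and independently from a list."""
    return n_words * math.log2(dictionary_size)


def words_for_target(target_bits, dictionary_size):
    """Smallest word count that reaches target_bits with this list size."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(n_words, wordlist=DEMO_WORDS, sep=" "):
    """Pick the words with the OS CSPRNG. The user never chooses, and
    neither does random.choice(), whose Mersenne Twister is not a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for n in (4, 5):
        print(f"{n} words from a 2048-word list: {entropy_bits(n, 2048):.0f} bits")
    print("words needed for 55 bits from a 2048-word list:", words_for_target(55, 2048))
    print("demo passphrase (toy list, only", entropy_bits(4, len(DEMO_WORDS)), "bits):",
          generate_passphrase(4))
```

With the comic’s 2048-word list, 4 words give 44 bits and 5 words give 55 bits; the entropy comes only from the number of words and the list size, never from how memorable or unusual the chosen words look.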
Brute force isn’t the important attack.
False.
Assuming the password was selected randomly, and is the master for a password manager, that password manager has some sort of database of passwords. This database is (hopefully) encrypted with a key derived from the master password through a stretched hash. Stretching is a technique that makes each guess more expensive, which makes weak passwords stronger. This manager is a “honeypot”, and the data inside of it can be extracted and attacked offline via a brute force technique. Thus the bits of entropy are the only relevant variable here that a user can control.
If the password *wasn’t* selected randomly, then you’re ignoring the whole point of the comic in the first place.
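To make the offline-attack argument concrete, here is an added cost model (example code, not from the original post or any particular password manager). It derives a vault key with PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for whatever stretched hash a manager uses, and then estimates how long an offline attacker needs: stretching adds log2(iterations) bits of work, the attacker’s hash rate is a constructed assumption, and every other number follows from the entropy of the master password.

```python
import hashlib
import math


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretched key derivation (PBKDF2-HMAC-SHA256 as a stand-in for a
    manager's KDF). Each attacker guess must repeat this whole computation."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def stretching_bits(iterations: int) -> float:
    """Work factor added by stretching, expressed as equivalent entropy bits."""
    return math.log2(iterations)


def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit a uniformly random secret: half the keyspace."""
    return 2 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hashes_per_second: float) -> float:
    """Offline attack time when each guess costs `iterations` hash calls."""
    return expected_guesses(entropy_bits) * iterations / hashes_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed assumptions: 2**20 KDF iterations, attacker does 2**30 SHA-256/s.
    iterations = 1 << 20
    rate = 2.0 ** 30
    key = derive_vault_key("correct horse battery staple", b"constructed-salt", 1 << 12)
    print("vault key:", key.hex())
    for words, bits in (("4 words", 44), ("5 words", 55)):
        print(f"{words}: {bits} + {stretching_bits(iterations):.0f} stretching bits -> "
              f"{seconds_to_years(expected_crack_seconds(bits, iterations, rate)):.1f} years")
```

The stretching term is a fixed constant the attacker can only buy down with more hardware, while each extra random word multiplies the work by the dictionary size, which is why the user-controlled entropy is the variable that matters.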
Sites should have password policies
Absolutely.
However, these policies can only consist of two variables: length and randomness. Passwords should be random. If the user flow cannot accommodate a random password, then they should, at least, be *long*.
Ideally websites should be using something that relies on token access via OAuth 2.0 or similar, and not passwords. Passwords are horrid, broken things that should be used as a “last resort”.
Even worse, applications and websites with limits on password length are likely broken, and are likely storing your password *in the clear* (because they should be storing a hash, which is always the same length). If you are working with a service provider that limits password length, you should complain loudly until they fix it.
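The storage side of that argument can be shown directly. The following is an added example (not code from the original post): a server-side policy that enforces only a minimum length, with no maximum, and stores a salted PBKDF2-HMAC-SHA256 digest. The iteration count and minimum length are constructed assumptions to tune for your own deployment; the point the code makes is that an 8-character and a 1000-character password both produce the same 32-byte digest, so nothing about storage ever requires a cap on length.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one hash costs ~100 ms on your hardware
MIN_LENGTH = 12              # assumption: the one length knob a policy needs


def check_policy(password: str) -> Tuple[bool, str]:
    """Length is the only thing a site can check; randomness can't be verified
    server-side. There is deliberately no maximum length."""
    if len(password) < MIN_LENGTH:
        return False, f"password must be at least {MIN_LENGTH} characters"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes regardless of input length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    fixed_salt = b"\x00" * 16  # constructed; a real store uses os.urandom per user
    for pw in ("x" * 8, "correct horse battery staple", "x" * 1000):
        _, d = hash_password(pw, fixed_salt)
        print(f"len(password)={len(pw):5d} -> stored digest bytes={len(d)}")
```

One caveat a practitioner would want: PBKDF2 and scrypt accept any input length, but bcrypt silently truncates at 72 bytes, so a site built on bcrypt either pre-hashes the password or caps length near that value. That is a different situation from the arbitrary 12- or 16-character limits the paragraph describes, which have no hashing explanation.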