So you think the chance of human beings to come up with 4 random words is pretty low?
You can't brute force millions of guesses per second through a web interface. 40 bits of entropy is already plenty for internet usage especially when the password is properly hashed with something like bcrypt.
> Secure passwords is just a tiny subset of non-default passwords
Actually the exact opposite is true. Since only low entropy and publicly known (which are mostly low entropy) passwords are insecure there are much more secure than non secure passwords.
For the sake of argument, let's say all passwords with less than 40 bits of entropy are insecure. Even if we restrict the set of possible passwords to only 10 characters of lowercase a-z we have about 47 bits of entropy. So the set of insecure passwords would only be about 1/128 or less than 1% of all allowed passwords.
> > Secure passwords is just a tiny subset of non-default passwords
> Actually the exact opposite is true. Since only low entropy and publicly known (which are mostly low entropy) passwords are insecure there are much more secure than non secure passwords.
You're confusing "passwords that are in use" with the set "passwords that are possible". We have data via password dumps that suggests of the "passwords that are in use" the set that qualifies as "secure" is indeed a tiny subset of passwords.
Well, real people won't choose any random 10 characters as a CSPRNG would do. Even when picking words from a dictionary, instead of four words, most people would probably just use one (or maybe two). For those are more inclined, they might mess with the capitalisation and sprinkle some numbers to make it "more secure" and adhere to certain password policies. This does not really contribute to the odds as you might expect.
Anyway, the point is, people are terrible at generating (and remembering) secure passwords. By ruling out the default password just means it is not going to be the most insecure one, but the chances of the custom password being secure is still pretty low.
I think most of this comes down to bad education on how to choose a secure password and not an innate inability. And for the most part we software engineers are at fault for advocating and enforcing mostly useless policies for more than two decates.
I would love for more websites to implement something like the zxcvbn password strength meter [1], but unfortunately I keep seeing new services or recently refreshed ones using outdated and hurtful policies like requiring numbers and special characters.
>So you think the chance of human beings to come up with 4 random words is pretty low?
I've always wondered how effective the random words thing is. sure, there are like 100k english words in current use according to google, but it seems like a list of the most common few hundred of those words would crack a lot of passwords.
If you assume the password to be only based on the 200 most common words you already have 30.5 bits of entropy to brute force or 1.6 billion guesses and you're assuming your attacker knows you're using this password strategy. The Wikipedia entry on Basic English [1] suggests there are about 850 core words for daily life and I could immediately think of simple words like well-known animals you would see in the zoo that are not included. So how many of these "4 words that you could draw as a picture"-passwords actually fall into even the most common 850 words?
30 bits of entropy isn't particularly secure against locally cracking a password hashed with sha256 or a similar non password hash. However at 1000 guesses per second it would already take 28 days to brute-force and 1000 guesses per second is pretty fast against any password stored with a properly configured password hash like bcrypt.
I personally auto-generate readable passwords for most websites at ~70 entropy pure brute-force and ~50 entropy if my algorithm and set of inputs would be exposed.
You also need to be aware that in this case, the attacker is/would not targeting any specific device. For brute forcing, all it takes is a dictionary of most common passwords and a list of devices that are exposed. Attackers won't spend too much time on any single device as there are so many options out there.
https://xkcd.com/936/
So you think the chance of human beings to come up with 4 random words is pretty low?
You can't brute force millions of guesses per second through a web interface. 40 bits of entropy is already plenty for internet usage especially when the password is properly hashed with something like bcrypt.
> Secure passwords is just a tiny subset of non-default passwords
Actually the exact opposite is true. Since only low entropy and publicly known (which are mostly low entropy) passwords are insecure there are much more secure than non secure passwords.
For the sake of argument, let's say all passwords with less than 40 bits of entropy are insecure. Even if we restrict the set of possible passwords to only 10 characters of lowercase a-z we have about 47 bits of entropy. So the set of insecure passwords would only be about 1/128 or less than 1% of all allowed passwords.