
Not to mention:

  horsebattery -- 3 minutes
  h orsebattery -- 8 years
  ho rsebattery -- centuries
  horseb attery -- 85 years
  horsebat tery -- 54 years
Which at the very least is a little odd, even if the reason (breaking up the words into less word-like structures) is clear.

Also:

  abcde -- instant
  a b c d e -- centuries


zxcvbn's current analysis for 'correcthorsebatterystaple' vs 'correct horse battery staple' looks about right to me; it's counting each space as an extra brute-force character.

horsebattery vs 'h orsebattery', on the other hand, shows a clear flaw -- it doesn't tolerate misspellings up to a given edit distance. Edit distance is tricky because efficient word segmentation gets much harder, especially with support for l33t substitutions.

'abcde' vs 'a b c d e' is tricky too. I could add a special case for spaces only that would allow zxcvbn to recognize 'a b c d e' as a sequence, but it wouldn't cover 'a-b-c-d-e', 'a8b8c8d8e' etc.


Also,

  pas sw ord
Will apparently take centuries to crack. I see the reasoning, but can this be correct?


Combinatorics. Yes.


Well, no. In "password" you have one common word -- let's say 1,000 options, 2^10. You have two spaces which can go in any of 9 places, for 9 * 8 / 2 = 36 different places, plus I suppose the 1 and 9 for zero and one places.

46,000 options for 15.5 bits of entropy, only. Even if we assume that there are thousands of different "strategies" by which passwords might be chosen, that only adds ~10ish bits or so, and doesn't bring it under the useful thresholds.
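The entropy count in the comment above, as an added example (not from the thread and not zxcvbn's code): it reproduces the "one common word plus two spaces" model in Python and sets it beside the naive per-character brute-force figure. The 1,000-word dictionary, the separator set and the ~10 "strategy bits" fudge are assumptions taken from the comment, not measured values.

```python
from math import comb, log2

# Assumptions taken from the comment, not measured: a common-word dictionary of
# about 1,000 entries, and separators that land in distinct slots of the word.
DICTIONARY_SIZE = 1000
SEPARATORS = " -_."  # constructed set; the thread itself only discusses spaces


def strip_separators(candidate: str, separators: str = SEPARATORS):
    """Return the candidate's letters and how many separator characters it held."""
    core = "".join(ch for ch in candidate if ch not in separators)
    return core, len(candidate) - len(core)


def split_word_search_space(candidate: str, dictionary_size: int = DICTIONARY_SIZE,
                            separators: str = SEPARATORS) -> int:
    """Guess count under a 'dictionary word plus up to k separators' model.

    The guesser picks one of dictionary_size words, then chooses which of the
    len(word)+1 slots (before, between, after the letters) get a separator.
    Summing over 0..k separators reproduces the 1 + 9 + 36 = 46 placements the
    comment counts for up to two spaces in an 8-letter word.
    """
    core, k = strip_separators(candidate, separators)
    slots = len(core) + 1
    placements = sum(comb(slots, j) for j in range(k + 1))
    return dictionary_size * placements


def split_word_bits(candidate: str, strategy_bits: float = 0.0) -> float:
    """Entropy in bits; strategy_bits models the 'thousands of strategies' fudge (~10)."""
    return log2(split_word_search_space(candidate)) + strategy_bits


def naive_bruteforce_bits(candidate: str, alphabet_size: int = 27) -> float:
    """What a per-character brute-force estimate says (26 letters plus space by default)."""
    return len(candidate) * log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["password", "pas sw ord"]:
        print(f"{pw!r}: split-word model {split_word_bits(pw):.1f} bits "
              f"(+10 strategy bits -> {split_word_bits(pw, 10):.1f}), "
              f"naive brute force {naive_bruteforce_bits(pw):.1f} bits")
```

The model treats the letters left after stripping separators as a single dictionary entry, so it says nothing about multi-word cores like 'horsebattery'.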



