I’m working on an in-depth post on the new Final Cut Pro X, but in the meantime, I thought I’d post my thoughts on the new password haystacks concept recently developed by Steve Gibson at grc.com/haystacks
The common consensus on password strength is that entropy = strength. For example, the password “noodle” is inherently less secure than the password “n6i@Dc” even though they are the same length. That much is true, but the reason the entropic password is more secure is that “noodle” is in the dictionary.
Gibson began his thesis assuming the following: attackers will first run a dictionary attack (trying every word in the English language) and then move on to brute-force cracking (a, ab, ac, ad, etc.)
The natural conclusion here then becomes that as long as you’re not in the dictionary, length now trumps entropy.
I’ll not go into a detailed explanation of this, because Steve did an amazing job explaining it in Security Now episode 304. Here’s essentially what it means:
A password that’s not in the dictionary can be completely memorable, no matter the length, and still maintain the same level of security.
Practical example: if my company’s IT policy requires a password between 8 and 16 characters, with lowercase and uppercase letters and at least one symbol, I can think of a password I can remember, let’s say Sandwich, then just pad it with something else I can remember, like the symbol #.
So now my 16 character password is:
Sandwich########
Because this isn’t in the dictionary, the attacker will have to brute force it, and since it’s long, that makes my easy-to-remember password as secure and uncrackable as
1,6)djdb5#5%eaN’
Pretty cool, and it should give people no excuse to continue using those nasty 64-character Wi-Fi passwords.
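As an added illustration (my own code, not Steve’s tool or anything from grc.com), here is a small Python script that does the haystack arithmetic the post describes: it first flags a candidate that appears in a constructed toy wordlist, and for anything else it sums the exhaustive search space over every length up to the password’s length, using the character-class sizes the haystacks page uses (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space). The wordlist and the guess rate are assumptions I made for the example. Running it shows that Sandwich######## lands within an order of magnitude of the random 16-character string and dwarfs the short high-entropy one.

```python
# Added example: estimating the brute-force "haystack" size of a password.
# My own illustration of the search-space arithmetic the post describes,
# not code from grc.com. Character-class sizes mirror the haystacks page;
# the wordlist and guess rate below are constructed assumptions.
import string

LOWER = string.ascii_lowercase            # 26
UPPER = string.ascii_uppercase            # 26
DIGITS = string.digits                    # 10
SYMBOLS = string.punctuation + " "        # 32 punctuation + space = 33

# Constructed, deliberately tiny "dictionary" standing in for a real wordlist.
WORDLIST = {"noodle", "sandwich", "password", "letmein"}

# Assumed guess rate for the time estimate (an assumption, not a measurement).
ASSUMED_GUESSES_PER_SECOND = 100_000_000_000_000  # 100 trillion/s


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches.

    An exhaustive search has to cover the whole class once a single
    character from it appears, which is why one symbol widens the alphabet.
    """
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space(password: str) -> int:
    """Total guesses to exhaust every length from 1 up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def in_dictionary(password: str) -> bool:
    """True when the candidate is a plain wordlist entry (case-insensitive)."""
    return password.lower() in WORDLIST


def classify(password: str) -> dict:
    """Model the post's attacker: dictionary first, exhaustive search second."""
    if in_dictionary(password):
        # A wordlist hit costs at most one guess per word, so length is moot.
        return {"dictionary": True, "guesses": len(WORDLIST), "seconds": 0.0}
    guesses = search_space(password)
    return {
        "dictionary": False,
        "alphabet": alphabet_size(password),
        "guesses": guesses,
        "seconds": guesses / ASSUMED_GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for candidate in ["noodle", "n6i@Dc", "Sandwich########", "1,6)djdb5#5%eaN'"]:
        info = classify(candidate)
        print(f"{candidate!r:22} {info}")
```

The `seconds` figure is only there to make the exponents tangible; changing the assumed rate scales every estimate by the same factor and leaves the ranking of the four candidates untouched.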
You can check out the tool at grc.com and follow Steve at @sggrc