The ongoing discussion about password security has reignited around the implementation of XKCD-style password generators, highlighting both the evolution of password security needs and the challenges faced in modern cryptographic environments.
The XKCD Password Philosophy
The XKCD-style password approach, which suggests using multiple random words as a password (like correct horse battery staple), was initially proposed as a more memorable alternative to complex character combinations. This method aimed to balance security with usability by leveraging the large pool of possible words rather than relying on special characters and numbers.
Modern Security Challenges
Community discussions reveal that while the XKCD approach remains valuable, modern computing power has shifted the security landscape significantly. As one security expert in the community notes:
The XKCD comic assumes the attacker has 1000 guesses per second, but a single GPU box on a stolen hash can easily hit a couple billion guesses per second. So the security model of the comic is extremely optimistic compared to some completely reasonable and common threat models.
Common Password Attack Speeds:
- Remote server (basic): ~1,000 attempts/second
- bcrypt hashed: ~70,000 attempts/second
- md5crypt: ~75 million/second
- Modern GPU (stolen hash): ~350 billion attempts/second
Implementation and Adaptation
The community has developed various implementations of this password generation concept, from simple shell commands to sophisticated applications. Many password managers, including 1Password and Bitwarden, have incorporated this approach into their feature sets. However, developers are increasingly adding options for higher entropy and additional security measures to address modern threats.
Key Password Generator Features:
- Word dictionary selection
- Configurable word count
- Custom separators
- Word length limits
- Entropy calculation
- Multiple password generation
Practical Considerations
A significant challenge highlighted by users is the conflict between theoretical security and real-world requirements. Many websites enforce specific password rules that may not align with the pure XKCD approach, such as requiring special characters or imposing length limitations. This has led to various adaptations, such as adding standard special characters to otherwise secure word combinations.
The Evolution of Password Security
The discussion demonstrates how password security continues to evolve. While the basic principles of the XKCD approach remain valid for certain use cases, particularly where remote attack vectors are the primary concern, higher-entropy solutions may be necessary for scenarios where offline attacks are possible, such as protecting encrypted drives or defending against stolen password hashes.
Reference: Introduction