bad security advice: Steve Gibson's password haystacks

Steve Gibson is recommending long, low-entropy passwords (a short memorable core padded out with a run of repeated characters). His argument assumes the attacker runs a simple exhaustive key search over all strings in lexical order, so that length alone decides how long the search takes. That can buy convenience only in the short term. If users gain a significant advantage from this, attackers will optimize for exactly this type of low-entropy password by changing the search order.

Any gain in convenience you get from long, low-entropy passwords is lost as soon as the attack methods change. Attackers adopt heuristics that target patterns in passwords (wordlist entries plus rules, runs of one repeated character, common padding schemes), and you're back to relying on entropy. At that point Steve Gibson's approach just means uselessly typing more characters. The convenience gain is reversed.

Worse, if you really were benefiting from a dumb lexical-order brute force attack by using less entropy than you should, you have to change your passwords to make up for the lost safety as attack methods are adjusted to neutralize the length advantage.

It's very hard to estimate how fast that advantage is lost. You should assume it's lost too fast to gain anything real. Stick with entropy.


It's conventional to search short keys first. If attackers haven't already learnt to search low-entropy keys first, giving length a lower priority than structure, they soon will.
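As an added illustration (this code is not from the original post; the tiny wordlist, the padding character set and both sample passwords are constructed here), the following Python compares the work factor the lexical-order model predicts for a 24-character padded password with the number of guesses a pattern-aware search needs to hit it. The pattern-aware order simply tries every wordlist entry padded with a run of one repeated character, which is the kind of heuristic the text says attackers adopt:

```python
import math
import string

# 94 printable ASCII characters (no space): the alphabet a naive brute force iterates over.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)

# Constructed, tiny stand-ins for the inputs a real cracker would use.
WORDS = ["password", "dog", "D0g", "cat"]   # hypothetical wordlist
PAD_CHARS = ".-*_!"                          # hypothetical set of padding characters


def lexical_keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Candidates a lexical-order search covers to reach every string of up to `length` characters."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def effective_bits(candidates):
    """Work factor in bits: log2 of the number of candidates the attacker has to try."""
    return math.log2(candidates)


def padded_candidates(words, pad_chars, min_pad, max_pad):
    """Pattern-aware search order: each wordlist entry with a run of one repeated character
    appended or prepended, tried before any longer unpadded string is considered."""
    for word in words:
        for pad in pad_chars:
            for k in range(min_pad, max_pad + 1):
                yield word + pad * k
                yield pad * k + word


def tries_until_found(candidates, target):
    """Number of guesses until `target` turns up, or None if it lies outside the search space."""
    for i, cand in enumerate(candidates, 1):
        if cand == target:
            return i
    return None


if __name__ == "__main__":
    haystack = "D0g" + "." * 21          # constructed 24-character padded ("haystack" style) password
    random_pw = "xK3$mQ9!pL2v"           # constructed 12-character password with no padding pattern

    naive = lexical_keyspace(len(haystack))
    print(f"lexical-order search, 24 chars: about 2^{effective_bits(naive):.0f} candidates")

    guesses = tries_until_found(padded_candidates(WORDS, PAD_CHARS, 1, 30), haystack)
    print(f"pattern search hits the padded password after {guesses} guesses "
          f"(about 2^{effective_bits(guesses):.0f})")

    found = tries_until_found(padded_candidates(WORDS, PAD_CHARS, 1, 30), random_pw)
    print("pattern search hits the unpatterned password:", found is not None)
```

The padded password sits in the search space of a few thousand candidates that the pattern-aware order tries first, so it falls after a few hundred guesses (about 2^9 of work) instead of the roughly 2^157 the lexical model promises. The unpatterned password is not in that space at all and still has to be found by exhaustive search, which is exactly the entropy argument: only the guesses an attacker actually has to make count, and the search order decides that.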


tags: security, netsecfail