
“What about ‘correct horse battery staple’ style passwords?” has been the response to our password manager post. There is a famous xkcd comic posted above suggesting that using four ‘random words’ together would make a great password.
Here at Fractional CISO our view of the security of such passwords is… meh. It is true that if an attacker did not know the password scheme and was running a plain brute-force attack, this password style would hold up relatively well, but let’s break down why such a scheme can fall short in practice.
A 2019 updated Correct Horse Battery Staple Review is here.
The first criticism of this password type is dictionary size. How big a vocabulary would someone actually draw from? The size of a person’s vocabulary varies. If someone with a 50,000 word vocabulary chose uniformly from the whole of it, dictionary size would not be an issue; a determined attacker would have a very difficult time with that password. But what if we only use the most common words in our vocabulary? A 10,000 word dictionary, coupled with an attacker who knows it is a four-word password, gives 10,000^4 = 10^16 possibilities (about 53 bits), the same order of magnitude as a nine character random alphanumeric password (62^9 is roughly 1.3 × 10^16). Evidence suggests that people use a very pared down vocabulary for passwords. Just look at any “top passwords” list and you see that folks are not imaginative when picking dictionary-type words for their password.
The second issue with using a “correct horse battery staple” style password is correlation. If the words are truly random and independent of one another, the search space is as large as the arithmetic above suggests. But what if the words are tightly correlated? A phrase that reads naturally is drawn from a far smaller set than four independent words, so “Log me in please” could become the new “Password” or “123456.”
The last set of concerns are related and have to do with password systems. Many password systems have tons of composition rules, such as requiring a capital letter, a number and a special character. These rules dull the appeal of the proposed style of password, as it becomes decidedly less easy to remember. Additionally, many systems do not allow a space between words and cap the length of passwords. After satisfying those rules you might end up with a password like “C0rrect%horse%b”, which is harder to remember and shorter than the phrase you started with.
So the answer is that “correct horse battery staple” style passwords are okay if you understand all of the caveats: don’t tell others your password scheme, pick uncorrelated words (ideally chosen at random rather than by you) and use a broad dictionary. That seems like a lot of guidance for selecting passwords that are supposed to be “easy.”
What you really want is a password that no one else has and that you have not used on another system. You are better off if you stick with a password of fourteen or more unrelated, randomly chosen characters. Your passwords will be much stronger and you will be better protected. A password manager can help you achieve this goal, since it both generates and remembers such passwords for you.
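To make the dictionary-size arithmetic, the password-system rules and the fourteen-character recommendation above concrete, here is an added Python example (not code from the original post or from Fractional CISO). It computes the search space of an n-word passphrase versus a random character password, draws words with the operating system’s CSPRNG so that they are genuinely uncorrelated, and checks a passphrase against a hypothetical composition policy of the kind the post describes. The short word list and the policy limits (16 characters maximum, no spaces, uppercase/digit/special required) are constructed assumptions for the example, not any real system’s settings.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (a diceware list has 7,776 entries;
# this short one exists only so the example runs offline).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "orbit", "velvet", "quartz",
    "meadow", "cobalt", "pillow", "tundra", "anchor", "walnut", "harbor", "copper",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 95 symbols


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniformly random picks from an
    alphabet of `alphabet_size` symbols (words or characters). Uniform, independent
    selection is the assumption behind the xkcd figure; a human-chosen phrase
    built from common, related words gets far less than this."""
    return length * math.log2(alphabet_size)


def equivalent_char_length(bits: float, charset_size: int = 95) -> float:
    """Number of random characters from `charset_size` symbols needed to reach `bits`."""
    return bits / math.log2(charset_size)


def generate_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """Draw `n_words` words independently (with replacement) using the OS CSPRNG,
    so the words are uncorrelated and search_space_bits(len(words), n_words) applies."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_random_password(length: int = 14, charset: str = PRINTABLE) -> str:
    """The alternative the post recommends: fourteen or more unrelated characters."""
    return "".join(secrets.choice(charset) for _ in range(length))


def policy_violations(password: str, max_len: int = 16, allow_space: bool = False):
    """Hypothetical composition policy (assumed for this example) of the kind many
    systems enforce; returns the rules the password fails (empty means accepted)."""
    problems = []
    if len(password) > max_len:
        problems.append("too long")
    if not allow_space and " " in password:
        problems.append("contains space")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    for dict_size in (2048, 10_000, 50_000):
        bits = search_space_bits(dict_size, 4)
        print(f"4 words from {dict_size:>6} words: {bits:5.1f} bits "
              f"~ {equivalent_char_length(bits, 62):4.1f} alphanumerics "
              f"~ {equivalent_char_length(bits, 95):4.1f} printable chars")
    print(f"14 random printable chars: {search_space_bits(95, 14):.1f} bits")
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, "->", policy_violations(phrase))
    print("C0rrect%horse%b ->", policy_violations("C0rrect%horse%b"))
    print("random 14-char password:", generate_random_password())
```

Running it shows the numbers behind the post: four words from a 10,000-word dictionary is about 53 bits, roughly a nine-character random alphanumeric password; even the full 50,000-word vocabulary gives about 62 bits, while fourteen random printable characters give about 92 bits. The original phrase fails every rule of the sample policy, and the mangled “C0rrect%horse%b” passes it only by giving up length and memorability.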
Permission to reprint xkcd comic is generously provided under https://xkcd.com/license.html Thanks, xkcd.
If you would like help with your password strategy or any other Virtual CISO services then please give us a call for a complimentary consultation. We can be reached at (617) 658-3276 and our email is [email protected]. Let us help you to achieve your goals for cybersecurity!